|Place of Origin||Caracas, Venezuela|
|File Type(s)||.com, .exe|
|Infection Length||2,048 Bytes|
Byway is a cluster virus from 1995. It was thought to be related to the earlier cluster virus Dir-II, but uses some different techniques to spread itself. It was also remarkable for the speed with which it could infect new files, sometimes being described as a virus that "attacks everything in its path."
When a program infected with Byway is executed, it becomes memory resident, taking 3,216 bytes of RAM. The program the user intended to run will not run the first time it is executed on a clean computer. Once the virus is in memory however, it reroutes all disk operations to the original files, so infected files will rin correctly.
The virus creates a file named CHKLIST�.MS�. The "�" character will appear as a blank space in ASCII text, as it is character 255. It infects files when they are accessed in any way, including a simple directory listing. If the user types a command that does not exist, DOS will search in all directories listed in the path statement of AUTOEXEC.BAT, infecting all files in all the directories searched for. Byway changes their directory entries and crosslinks all executable files to point to the CHKLIST�.MS� file.
It is able to trick integrity checkers and virus scanners.Byway is even capable of defeating scanners that use their own file system to scan for viruses, and piggyback on them to infect new files.
Byway has a payload that displays text under certain conditions. After the year 1996, if the day of the month and a number based on the month number match ((Mo * 2) +2, therefore it displays on January 4, February 06, March 8, April 10…) it displays the text "TRABAJEMOS TODOS POR VENEZUELA !!!" (We all work for Venezuela) any hour of the day that is a multiple of 3. It also plays the Venezuelan national anthem.
It contains the encrypted text:
Ironically, Byway is very easy to remove from files by some very simple means. Simply renaming executable files to have a non-executable extension is enough to make the virus correct the FAT chain to properly point to the beginning of the file. Then reboot from a clean diskette and remove the hidden and read-only attributes, then delete CHKLIST�.MS�.
Byway is sometimes considered a variant of Dir-II, but some vendors consider it different enough to constitute a separate family. There is one variant of Byway, called Byway.B, which simply has a shorter encrypted text "-By:W.Chan-".
The virus likely originated in Venezuela, and made it to Mexico, the US, Britain and Bulgaria. The first samples collected by researchers came from Britain and the United States.
Name and Origin
Text displayed and tune played by the virus seems to indicate that it most likely comes from Venezuela. "UCV" in the encrypted text likely stands for "Universidad Central de Venezuela", in Caracas, Venezuela. China was also considered a possibility of Byway's origin because of the name Wai-Chan in the text, but all other signs point to Venezuela. It was first discovered in the wild in summer of 1995, but the encrypted text of what one can presume to be the creator's signature seems to indicate that it was coded almost a year before becoming known to virus researchers.
The name is likely a play on the encrypted text found in the virus, "by:Wai" becoming Byway. It also sometimes goes by the name the creator seems to have intended for it to have, The-HndV, or some variation thereof. Sometimes Dir-II comes before the viruses name, since some consider it a variant of that virus.
Luis Paris, F-Secure Antivirus, F-Secure Virus Descriptions : Byway.
Robert Vibert. Virus News, Issue 3. 1995 Summer/Fall