|Place of Origin|
|Infection Length||1,416 bytes|
When Caw is executed, it allocates a block of Windows memory and becomes resident as a VxD driver. Caw intercepts the file opening function to infect new files. It increases the size of the last section and places its code there.
Due to a bug in the virus's code, it may damage the infected file. When one of these files is run, it will cause a standard Windows error message in the application to appear.
The virus has two dangerous payloads. On July 7, any time a file infected with the virus is run, it will erase 16 random sectors on drive C:.
The other is if the current minute is 0, the virus will delete files as they are opened if their extensions are BMP, JPG, DOC, WRI, BAS, SAV, PDF, RTF, TXT or if the file is Winword.exe. This second one can be customized: if there is a file named "AW" at the root of the C: drive, Caw will read it and delete any extensions listed in there.
There are 9 known variants of the Caw virus. The original was 1,416 bytes long and all known variants are similar in size and function. They range in size from 1,262 bytes to 1,557 bytes.
The virus was known to be wild shortly after antivirus companies began receiving samples in December of 1999. Though destructive, it was not very prevalent.
The virus takes its name from the file it uses to determine what files it will delete or its payload. The full path name looks like C:\AW and this string is visible in the body of the virus.
Kaspersky Lab. Securelist.com, Win95.Caw.
Eugene Kaspersky. F-Secure Antivirus, WIN95_CAW.
Trend Micro Australia, PE_CAW.
JustGranni@aol.com. HENSON Archives, Rootsweb, New Virus :CAW, WIN95.CAW 1999.12.23