|Place of Origin||Hamburg, Germany|
|File Type(s)||.com, .exe|
|Infection Length||9,216 bytes|
Whale was a DOS virus from 1990. For its time, Whale was the largest virus ever discovered, weighing in at 9,216 bytes. It was very advanced for its time, featuring polymporphism, stealth and armoring all in one virus.
When a file infected with Whale is executed, the virus is installed to memory. While the virus is 9,216 bytes in a file, it is 9,984 bytes in memory. The virus behaves differently at different times, sometimes infecting only infecting when that uninfected .com or .exe file is executed, or infecting when the file is even read. It appends its 9,216 bytes to the end of the file. There are even times when the virus may disinfect a file when it is copied.
It may sometimes appear to simulate rebooting the system. When it does this, the virus will disable the break key, so the user will not be able to stop the execution of the AUTOEXEC.BAT file. This ensures that any file executed by AUTOEXEC.BAT will be infected. Files infected in this way are usually, but not always, the 9,216 byte kind that show the original file length when the "DIR" command is given.
The virus may also sometimes create a file at the root of the C: drive named FISH-#9.TBL. It may sometimes randomly remove this file and even recreate it. This file contains an image of the hard disk's partition table as well as the following text:
"Fish Virus #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if the Whale is in her Cave."
There have been no successful tests of the claim contained in this file.
Whale may display the following message:
THE WHALE IN SEARCH OF THE 8 FISH I AM '~knzyvo}' IN HAMBURG addr error D9EB,02
There will also be the text "Z THE WHALE" in memory, but this will not be displayed on the screen.
The infection length is usually 9,216 bytes. If the file is infected with the virus and the infection is this length, the virus will hide the increase in length when the user runs the "DIR" command. Sometimes the virus will produce a mutation which may have a different infection length. In this case DIR will show the actual infected length or it may show the actual infected length minus 9,216 bytes.
Running the CHKDSK program will report file allocation errors. Running CHKDSK /F will cause damage to some files. Whale will also alter the date/time of the infected file. It may do this improperly, making the program inaccessible to some disk utility programs. If the user attempts to use a debugger, the virus blocks the keyboard and stops running.
While the virus is in memory, it causes many problems for the system. The system slows down and the screen may flicker. Writes to the screen may be noticeably delayed to the point where programs may appear to hang, then execute properly.
Whale gets its name from the text contained in the virus. Other names used for the virus are Fish, Mother Fish and Fish 9.
While its origin is not 100% certain, the text also suggests that it comes from Hamburg, Germany. Some sources report the name of this virus's creator as "R. Horner", but no sources can be found that can verify the name, except for a Wikipedia entry, whose only source does not mention R. Horner. "knzyvo" is the only name on the virus and the only other information it gives for the whereabouts of the creator is that he is likely from Hamburg.
Whale was originally posted to an American BBS with a description from the poster. The description did not completely accurately describe the virus, leading some antivirus researchers to suspect that the poster either did not really know the virus that well, or was deliberately trying to throw off researchers.
Whale is actually not so unique with regard to its size in some ways, as innovative and feature-packed viruses often turn out large. The network-capable Remote Explorer virus weighed in at over 120 kilobytes. Even as late as 1999 and 2000, the encrypted, polymorphic Blackbat virus, by Rohitab was close to 3 kilobytes, while most viruses are under 2 and Smash is over 10,000 bytes. Some viruses using the Dark Avenger Mutation Engine turn out pretty large. The encrypted, polymorphic Hare virus is around 7,500 bytes long. The email-capable Magistr is 24,876 bytes. MetaPHOR, which is metamorphic and cross-platform in some variants gets up to 32,828 bytes. Zmist which uses the Mistfall engine is around 35,000 bytes.
40Hex, Volume 1 Issue 2, The Whale Virus.
VIRUS-L Digest, Volume 3 : Issue 158. 1990.09.18
Jim Bates. Reports collected and collated by PC-Virus Index, The Virus Information Service, Whale Virus aka Mother Fish & Fish #9. 1990.10
Frederic Raynal. Symantec, Malicious cryptography, part one. 2006.05.08