Wiedzmin | |
---|---|
Type | File virus |
Creator | Lord Yup - Deithwen Addan |
Date Discovered | 1999 |
Place of Origin | Poland |
Source Language | Assembly |
Platform | MS Windows |
File Type(s) | .exe |
Infection Length | 8,225 bytes |
Wiedzmin, also known as Wide or Wideman, is a polymorphic, armored stealth virus by Lord Yup. It can hide from debuggers and block access to antivirus company websites. It takes its name from the popular "Witcher" series of novels (Wiedźmin in Polish).
Behavior
When a file infected with Wiedzmin is executed, it looks for 7 files in the current working directory and another 7 in the Windows directory. It avoids infecting files whose names begin with the characters 'a', 'A', 'e', 'E', 'v', and 'V'. Wiedzmin uses three layers of encryption, keyed with a random number, and adds NOP garbage in the range of 0-255.
It detects SoftIce, td32, SoftSnoop, and a few other debuggers, using the IsDebuggerPresent API among other checks, in order to hide itself from them. On 22 June and 22 December, it prints a color string in an infinite loop.
Wiedzmin patches wsock32.dll, replacing the send and connect function addresses. It will try to infect files it finds on FTP sites. After rebooting, the user will be unable to connect to certain antivirus sites. Blocked sites include:
- nai.com
- avp (.com, .ru, .ch)
- kaspersky.ru
- kasperskylab.ru
- avp2000.com
- metro.ch
- datafellows.com
- f-secure.com
- drsolomon.com
- mcafee.com
- sophos.com
- norman.com
- pandasoftware.com
- complex.is
- leprechaun.com.au
- cai.com
- antivirus.com
- trendmicro.com
- sarc.com
- virus.com
- invircible.com
- symantec.com
- grisoft.com
- drweb.ru
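A defender-side triage helper built from the indicators given above (the variants' infection lengths and the domain blocklist), added here as an example; it is not code from this article or from 29A. It assumes a trusted baseline size for the host file is available and that the buffer being scanned is a decrypted memory image, since the body on disk is triple-encrypted; the sample bytes are constructed.

```python
import re

# Indicators taken from the article: the infection lengths of the known
# variants and the antivirus domains the patched wsock32.dll refuses to reach.
VARIANT_INFECTION_LENGTHS = {8225, 7910, 8135, 8238}
BLOCKED_DOMAINS = [
    "nai.com", "avp.com", "avp.ru", "avp.ch", "kaspersky.ru", "kasperskylab.ru",
    "avp2000.com", "metro.ch", "datafellows.com", "f-secure.com", "drsolomon.com",
    "mcafee.com", "sophos.com", "norman.com", "pandasoftware.com", "complex.is",
    "leprechaun.com.au", "cai.com", "antivirus.com", "trendmicro.com", "sarc.com",
    "virus.com", "invircible.com", "symantec.com", "grisoft.com", "drweb.ru",
]
# Match a domain only at a label boundary, so "antivirus.com" is not also
# counted as a hit for "virus.com" (a subdomain prefix such as "www." is fine).
_DOMAIN_RE = {
    d: re.compile(rb"(?<![a-z0-9-])" + re.escape(d.encode()) + rb"(?![a-z0-9-])")
    for d in BLOCKED_DOMAINS
}

def size_delta_matches(clean_size, suspect_size):
    """True if a host grew by exactly one known Wiedzmin infection length.
    Needs a trusted baseline size (e.g. from an inventory or a clean install)."""
    return (suspect_size - clean_size) in VARIANT_INFECTION_LENGTHS

def blocked_domains_in(image):
    """Blocklist domains found as plain text in a decrypted image.
    The body on disk is triple-encrypted, so scan a memory dump of the running
    process (or the unpacked body), not the infected file itself."""
    hay = image.lower()
    return [d for d in BLOCKED_DOMAINS if _DOMAIN_RE[d].search(hay)]

def triage(clean_size, suspect_size, image, min_hits=3):
    """Combine both indicators into a simple verdict for an analyst."""
    hits = blocked_domains_in(image)
    size_match = size_delta_matches(clean_size, suspect_size)
    return {
        "size_match": size_match,
        "domain_hits": hits,
        "suspicious": size_match or len(hits) >= min_hits,
    }

# Constructed sample: a fragment of the kind one might carve from process
# memory, not data from a real sample.
SAMPLE_IMAGE = (b"\x00\x90\x90MZ garbage\x00kaspersky.ru\x00www.sophos.com\x00"
                b"antivirus.com\x00avp.ru\x00ftp.example.net\x00")

if __name__ == "__main__":
    print(triage(clean_size=40960, suspect_size=40960 + 8225, image=SAMPLE_IMAGE))
```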
Origin
Wiedzmin was coded in Poland by Lord Yup and appeared in issue 6 of 29A magazine. It takes its name from the Andrzej Sapkowski book series "Wiedźmin", which Lord Yup considered superior to Tolkien's Lord of the Rings. It was written for Windows 9x systems and had the potential to infect NT systems, though this was not guaranteed.
Variants
There are several variants of Wiedzmin, differing mostly in infection length. These include:
- 8225 (A, B, and C)
- 7910
- 8135 (A and B)
- 8238
Sources
Lord Yup. 29A, Issue 6, w9x.Wiedzmin.