Winvir | |
---|---|
Type | File virus |
Creator | Masud Khafir |
Date Discovered | 1992.09 |
Place of Origin | The Netherlands |
Source Language | Assembly |
Platform | MS Windows |
File Type(s) | .exe (NE) |
Infection Length | 854 bytes |
Reported Costs |
Winvir is the first Windows virus. It was created by Masud Khafir, who also created the Pogue and Cruncher viruses.
Behavior
When a Winvir-infected program is executed, it looks for any .exe files of the New Executable type in the current working directory. It cuts the middle of the infected file and moves it to the end and places its own code in the middle. Winvir removes itself from the file that it was executed from and attempts to restore it to its original condition.
Two texts can be found at different points in the infected file "Virus_for_Windows v1.4" and "MK92". If the virus has not properly removed itself, these may still be there.
Winvir will not work properly under many conditions. Particularly, it only works properly when executed from the Windows directory. From any other directory, it produces error messages.
Origin
Winvir was first reported in Sweden, but it did not originate there. A hacker from The Netherlands going by the name Masud Khafir claimed responsibility for it. His initials can be seen inside the virus code. Masud Khafir also claimed responsibility for the Pogue virus, which used the Dark Avenger Mutation Engine.
Sources
Patricia Hoffman. Online VSUM, WinVir Virus.
Trident. Interview with Masud Khafir.