|Place of Origin||The Netherlands|
|File Type(s)||.exe (NE)|
|Infection Length||854 bytes|
When a Winvir-infected program is executed, it looks for any .exe files of the New Executable (NE) type in the current working directory. It cuts out the middle of the file being infected, moves that section to the end of the file, and places its own code in the middle. Winvir removes itself from the file that it was executed from and attempts to restore that file to its original condition.
Two text strings can be found at different points in the infected file: "Virus_for_Windows v1.4" and "MK92". If the virus has not properly removed itself, these may still be there.
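A minimal scanner for the indicators described above, added here as an example and not taken from the original page or from any antivirus product: it confirms that a file is of the New Executable type and reports the offsets of the two text strings. The function names and the constructed sample file are assumptions made for illustration.

```python
import struct
from pathlib import Path

# Marker strings quoted on this page. A hit is an indicator, not proof:
# "MK92" is only four bytes long and can occur by chance.
MARKERS = (b"Virus_for_Windows v1.4", b"MK92")


def is_new_executable(data: bytes) -> bool:
    """True if data is an MZ file whose extended header is 'NE'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # Offset 0x3C of the MZ header holds the file offset of the new header.
    (new_hdr,) = struct.unpack_from("<I", data, 0x3C)
    return data[new_hdr:new_hdr + 2] == b"NE"


def find_markers(data: bytes) -> dict:
    """Map each marker string to every offset at which it occurs."""
    hits = {}
    for marker in MARKERS:
        offsets, pos = [], data.find(marker)
        while pos != -1:
            offsets.append(pos)
            pos = data.find(marker, pos + 1)
        if offsets:
            hits[marker.decode()] = offsets
    return hits


def scan_bytes(data: bytes) -> dict:
    """Report markers only for NE files, the only type Winvir targets."""
    return find_markers(data) if is_new_executable(data) else {}


def scan_directory(directory: str) -> dict:
    """Scan *.exe files (case-insensitive) directly inside directory."""
    results = {}
    for path in Path(directory).iterdir():
        if path.is_file() and path.suffix.lower() == ".exe":
            hits = scan_bytes(path.read_bytes())
            if hits:
                results[path.name] = hits
    return results


def make_sample_ne(payload: bytes = b"") -> bytes:
    """Constructed test input: a minimal MZ stub pointing at an 'NE' header."""
    stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    return stub + b"NE" + b"\x00" * 0x3E + payload
```

Because the strings sit at different points in the file, the offsets returned for each marker help an analyst locate the inserted code and any leftover fragments.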
Winvir will not work properly under many conditions. In particular, it only works properly when executed from the Windows directory; from any other directory, it produces error messages.
Winvir was first reported in Sweden, but it did not originate there. A hacker from The Netherlands going by the name Masud Khafir claimed responsibility for it. His initials can be seen inside the virus code. Masud Khafir also claimed responsibility for the Pogue virus, which used the Dark Avenger Mutation Engine.