Type File virus
Creator Masud Khafir
Date Discovered 1992.09
Place of Origin The Netherlands
Source Language Assembly
Platform MS Windows
File Type(s) .exe (NE)
Infection Length 854 bytes
Reported Costs

Winvir is the first Windows virus. It was created by Masud Khafir, who also created the Pogue and Cruncher viruses.

Table of Contents


When a Winvir-infected program is executed, it looks for any .exe files of the New Executable type in the current working directory. It cuts the middle of the infected file and moves it to the end and places its own code in the middle. Winvir removes itself from the file that it was executed from and attempts to restore it to its original condition.

Two texts can be found at different points in the infected file "Virus_for_Windows v1.4" and "MK92". If the virus has not properly removed itself, these may still be there.

Winvir will not work properly under many conditions. Particularly, it only works properly when executed from the Windows directory. From any other directory, it produces error messages.


Winvir was first reported in Sweden, but it did not originate there. A hacker from The Netherlands going by the name Masud Khafir claimed responsibility for it. His initials can be seen inside the virus code. Masud Khafir also claimed responsibility for the Pogue virus, which used the Dark Avenger Mutation Engine.


Patricia Hoffman. Online VSUM, WinVir Virus.

Trident. Interview with Masud Khafir.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License