Threat Description

WereWolf

Details

Aliases:WereWolf, Beast, Claws, Fangs, Scream
Category:Malware
Type:Virus
Platform:W32

Summary



This is a large family of related viruses. Many of them were reported to be in the wild in France in December 1995 - February 1996. Most of the WereWolf viruses are resident infectors of COM and EXE files.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



WereWolf is a stealth virus, but it will only stealth the change in file sizes. Virus is not encrypted and contains the following text:

BEAST

WereWolf avoids infecting the following programs:

CLEAN - McAfee CLEAN
  AVP- Antiviral Toolkit Pro
  TB - ThunderByte Antivirus
  QB - QBasic
  SCAN  - McAfee SCAN
  COMM  - Many communication programs
  NAV- Norton Antivirus
  V  - Anything starting with a 'V'
  FINDV - S&S Findvirus
  GUARD - S&S VirusGuard
  FV - S&S Findvirus
  CHKDS - DOS CHKDSK
  F-PR  - F-PROT
  -D - AVP TSR

Variant:Werewolf.1500.B

This polymorphic variant got widespread distribution in April 1996, as it was attached to a shareware game called 'PackMan', which was available in the upload directory of a major shareware ftp server. This variant has been found in the wild in several countries.

Werewolf.1500.B corrupts data randomly and slowsly while it is being written to the hard drive by any other program. Such changes are very difficult to locate and repair afterwards.

Werewolf.1500.B contains this text:

  [WULF]




Description Created: Mikko Hypponen, F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More