F-Secure Virus Descriptions : WereWolf
This is a large family of related viruses. Many of them were reported to
be in the wild in France in December 1995 - February 1996. Most of the
WereWolf viruses are resident infectors of COM and EXE files.
WereWolf is a stealth virus, but it will only stealth the change in
file sizes. Virus is not encrypted and contains the following text:
BEAST
WereWolf avoids infecting the following programs:
CLEAN - McAfee CLEAN
AVP - Antiviral Toolkit Pro
TB - ThunderByte Antivirus
QB - QBasic
SCAN - McAfee SCAN
COMM - Many communication programs
NAV - Norton Antivirus
V - Anything starting with a 'V'
FINDV - S&S Findvirus
GUARD - S&S VirusGuard
FV - S&S Findvirus
CHKDS - DOS CHKDSK
F-PR - F-PROT
-D - AVP TSR
This polymorphic variant got widespread distribution in April 1996, as
it was attached to a shareware game called 'PackMan', which was
available in the upload directory of a major shareware ftp server.
This variant has been found in the wild in several countries.
Werewolf.1500.B corrupts data randomly and slowsly while it is being
written to the hard drive by any other program. Such changes are very
difficult to locate and repair afterwards.
Werewolf.1500.B contains this text:
[WULF]
[Analysis: Mikko Hypponen, F-Secure]
|
![](/images/pixel.gif"){kind=tracking}
