Copy Link
Add to Bookmark
Report
40Hex Issue 02 File 006
40Hex Volume 1 Issue 2 0006
The Whale Virus
Oh yes here it is, the biggest and meanest virus around. First
before you go and compile it read what Patti thinks of it.
Aliases: Mother Fish, Stealth Virus, Z The Whale
V Status: Research
Discovered: August, 1990
Symptoms: .COM & .EXE growth; decrease in available memory;
system slowdown; video flicker; slow screen writes;
file allocation errors; simulated system reboot
Origin: Hamburg, West Germany
Eff Length: 9,216 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan V67+, Pro-Scan 2.01+, NAV, IBM Scan 2.00+
Removal Instructions: Scan/D, CleanUp V67+, Pro-Scan 2.01+,
or Delete infected files
General Comments:
The Whale Virus was submitted in early September, 1990. This virus
had been rumored to exist since the isolation of the Fish 6 Virus in
June, 1990. It has been referred to by several names besides Whale,
including Mother Fish and Z The Whale. The origin of this virus is
subject to some speculation, though it is probably from Hamburg,
West Germany due to a reference within the viral code once it is 0*0*0*°° Ô decrypted.
The first time a program infected with the Whale Virus is executed,
the Whale will install itself memory resident in high system memory
but below the 640K DOS boundary. On the author's XT clone, the
virus always starts at address 9D90. Available free memory will
be decreased by 9,984 bytes. Most utilities which display memory
usage will also indicate a value for total system memory which is
9,984 bytes less than what is actually installed.
The following text string can be found in memory on systems
infected with the Whale virus:
"Z THE WHALE".
Immediately upon becoming memory resident, the system user will
experience the system slowing down. Noticeable effects of the
system slowdown include video flicker to extremely slow screen
writes. Some programs may appear to "hang", though they will
eventually execute properly in most cases since the "hang" is due
to the slowing of the system.
When a program is executed with the Whale memory resident, the virus
will infect the program. Infected programs increase in length, the
actual change in length is usually 9,216 bytes. Note the "usually":
this virus does occasionally infect a program with a "mutant" which
will be a different length. If the file length increase is exactly
9,216 bytes, the Whale will hide the change in file length when a
disk directory command is executed. If the file length of the viral
code added to the program is other than 9,216 bytes, the file length
displayed with the directory command will either the actual infected
file length, or the actual infected file length minus 9,216 bytes.
Executing the DOS CHKDSK program on infected systems will result in
file allocation errors being reported. If CHKDSK /F is executed,
file damage will result.
The Whale also alters the program's date/time in the directory when
the file is executed, though it is not set to the system date/time
of infection. Occasionally, Whale will alter the directory entry
for the program it is infecting improperly, resulting in the directory
entry becoming invalid. These programs with invalid directory
entries will appear when the directory is listed, but some disk
utilities will not allow access to the program. In these cases, the
directory entry can be fixed with Norton Utilities FD command to
reset the file date.
The Whale occasionally will change its behavior while it is memory
resident. While most of the time it only infects files when
executed, there are periods of time when it will infect any file
opened for any reason. It will also, at times, disinfect files
when they are copied with the DOS copy command, at other times it
will not "disinfect on the fly".