Silly Willy Virus (25-07-1992)

Entry...............: Silly Willy Virus
Standard CARO Name..: Silly_Willy Virus
Alias(es)...........: ---
Virus Strain........: Silly Willy (Trojan/Virus) Strain
Virus detected when.: March 91
              where.: Munich, Germany
Classification......: Direct action COM-infector, Trojan dropper (EXE)
Length of Virus.....: Length in COM-files: 2261-2314 bytes
--------------------- Preconditions -----------------------------------
Operating System(s).: IBM PC & Compatibles
Version/Release.....: DOS 2.x and above
Computer model(s)...: IBM PC, XT, AT and upward, and compatibles
--------------------- Attributes --------------------------------------
Easy Identification.: Increased file size; unusually long loading time.
Scan signature......: The string: BE 15 00 8B 1A B9 D0 08 81 E9
                      can be found at about 2300 bytes offset from the
                      end of an infected file.
Type of infection...: COM-files will be searched via FindFirst/FindNext,
                      starting with the root directory, and in sub-
                      directories if no uninfected files are found in
                      the root. EXE-files will be overwritten with the
                      Silly Willy Trojan (see separate Virus Catalog
                      entry).
Infection Trigger...: Starting an infected file; the virus will search
                      for one COM-file to infect and for one EXE-file
                      to trojanize.
Storage media affected: Only files on drive C: will be affected.
Interrupts hooked...: ---
Damage..............: Transient damage: ---
                      Permanent damage: EXE-files are overwritten with
                      the Silly Willy Trojan (see separate Virus
                      Catalog entry).
Damage Trigger......: Start of an infected program
Particularities.....: 1) The virus uses polymorphic methods to hide
                         from detection in COM-files. At offset 0,
                         16 bytes are inserted in COM-files; these can
                         hold 16 different values of code. The virus
                         merges two 8-byte strings, and each string has
                         four different values; moreover, a random
                         number of bytes is inserted, too.
                         Due to a very simple decryption algorithm (XOR)
                         and some unencrypted code, the polymorphic
                         routine is rather ineffective.
                      2) Date and time of infected programs will not be
                         changed.
                      3) Only COM-files with a length between 1087 and
                         58,932 bytes will be infected.
                      4) No exact match to recognize EXE and COM files
                         is performed.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: Checksums, etc.
Countermeasures successful: Solomon FindViru 4.23, H&B-EDV AntiVir
Standard means......: Delete and replace infected files.
--------------------- Acknowledgement ---------------------------------
Location............: Siemens Nixdorf AG (SNI), Munich, Germany
                      Virus Test Center, University Hamburg, Germany
Classification by...: Ralph Dombach (SNI), Toralv Dirro (VTC)
Documentation by....: Toralv Dirro
Date................: 16-July-1992
Information Source..: Original virus analysis.
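The scan signature, its approximate tail offset and the host-size limits given above can be combined into a simple read-only check for COM images. The following scanner is an added example, not part of the catalog entry or of any named product; the 300-byte slack around "about 2300 bytes" and the constructed sample image are assumptions made here.

```python
# Added example: read-only detector built from the catalog entry's indicators.
from typing import Optional

# Scan string from the entry, expected "about 2300 bytes" from the end of the file.
SILLY_WILLY_SIGNATURE = bytes.fromhex("BE15008B1AB9D00881E9")
EXPECTED_TAIL_OFFSET = 2300
TAIL_TOLERANCE = 300                          # assumed slack for "about"
VIRUS_LEN_MIN, VIRUS_LEN_MAX = 2261, 2314     # "Length in COM-files"
HOST_LEN_MIN, HOST_LEN_MAX = 1087, 58_932     # only such hosts get infected


def plausible_infected_size(size: int) -> bool:
    """Infected file = host of 1087..58,932 bytes plus 2261..2314 bytes of virus."""
    return HOST_LEN_MIN + VIRUS_LEN_MIN <= size <= HOST_LEN_MAX + VIRUS_LEN_MAX


def find_signature(image: bytes) -> Optional[int]:
    """Offset of the signature measured from the end of the image, or None.
    Only the tail window around the documented offset is searched."""
    window_start = max(0, len(image) - EXPECTED_TAIL_OFFSET - TAIL_TOLERANCE)
    pos = image.find(SILLY_WILLY_SIGNATURE, window_start)
    return None if pos < 0 else len(image) - pos


def scan_com_image(image: bytes) -> dict:
    """Combine the size heuristic and the signature hit into one verdict."""
    offset_from_end = find_signature(image)
    size_ok = plausible_infected_size(len(image))
    near_expected = (offset_from_end is not None
                     and abs(offset_from_end - EXPECTED_TAIL_OFFSET) <= TAIL_TOLERANCE)
    return {
        "size": len(image),
        "size_plausible": size_ok,
        "signature_offset_from_end": offset_from_end,
        "likely_infected": size_ok and near_expected,
    }


def scan_file(path: str) -> dict:
    with open(path, "rb") as f:
        return scan_com_image(f.read())


def make_constructed_sample(host_len: int = 4000, virus_len: int = 2300) -> bytes:
    """Constructed, harmless test image: NOP-filled host followed by a zero-filled
    tail of virus size that carries only the 10-byte scan string."""
    tail = bytearray(virus_len)
    tail[:len(SILLY_WILLY_SIGNATURE)] = SILLY_WILLY_SIGNATURE
    return b"\x90" * host_len + bytes(tail)
```

A hit on the signature alone is not proof of infection; an untouched COM file shorter than 3348 bytes cannot be an infected one, which is why the size check is applied first.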