Winvir is the first virus to run on Microsoft Windows. It is a non-resident direct action virus which will only replicate in a Windows environment. It infects .EXE programs which are in Microsoft's New Executable (Windows executable) format. It does not infect .EXE programs which are not Windows specific programs.
When a program infected with WinVir is executed under Windows, this virus will search the current directory to locate Windows executable .EXE programs. These programs will then be infected, with the virus relocating a portion of the host program to the end of the file, and then infecting the middle of the host program. The infected program will increase in size by 854 bytes, the file's date and time in the DOS disk directory listing will not be altered.
WinVir will then remove itself from the program the user was attempting to execute, though the program is not always returned to its original condition before it was infected. The program then terminates, and the program the user was attempting to execute does not run. If the user again attempts to execute the program, it will function properly.
Two text strings can be found in all programs infected by WinVir:
Virus_for_Windows v1.4 MK92
Either of these two text strings may also be found in programs which WinVir has previously disinfected.
This virus is rather buggy, and in testing was found to only function properly when it was copied into the Windows directory. When executed from any other directory, unexpected results would occur, including some rather bizarre error messages.
Replace the infected file.