PE_CAW

Malware type: File Infector

Aliases: Virus.Win9x.Caw.1416 (Kaspersky), W95/Caw.1416 (McAfee), W95.Caw.1416 (Symantec), W95/caw.1416 (Avira), W98/Caw-1416 (Sophos), Virus:Win95/Caw.1416 (Microsoft)

In the wild: Yes

Language: English

Platform: Windows

Encrypted: No

Overall risk rating:

Description:
This is a memory-resident PE file infector. It adds its code to the last section of infected files. Some infected files increase in size, and some are overwritten. On the trigger date, July 7, the virus attempts to overwrite random locations on the hard drive. Because the write utility it uses does not support newer hard drives, this payload does not always execute. This file infector is also capable of deleting files.


Description created: Mar. 9, 2000 1:45:50 PM GMT -0800


TECHNICAL DETAILS


Initial samples received on: Dec 17, 1999

Payload 1: Deletes Files

Trigger date 1: July 7th

Trigger condition 1: Date = July 7

Payload 2: Overwrites portions of hard drive

Trigger date 1: July 7th

Trigger condition 1: Date = July 7

Details:
The virus checks whether a file named "C:\AW" exists on the system. This AW file serves as a log of the files that the virus will delete. While memory resident, the virus deletes the following when they are accessed: files with the extensions BMP, JPG, DOC, WRI, BAS, SAV, PDF, RTF, and TXT, and the file WINWORD.EXE.
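
A generic triage check for the infection pattern in the Description (viral code added to the last section), given here as an added example that is not part of the original entry or of any vendor tool: it parses the PE headers and flags files whose entry point lies in a last section that is both executable and writable. The entry does not say how PE_CAW redirects execution or which section flags it sets, so that heuristic is an assumption; `last_section_report` and `build_sample` are hypothetical names, and the sample images are constructed.

```python
import struct

MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000  # IMAGE_SCN_MEM_* flags
SECTION = struct.Struct("<8sIIIIIIHHI")          # 40-byte section header

def last_section_report(data: bytes) -> dict:
    """Describe the last section of a PE image and flag appender-style traits."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, pe + 6)         # NumberOfSections
    opt_size, = struct.unpack_from("<H", data, pe + 20)    # SizeOfOptionalHeader
    entry, = struct.unpack_from("<I", data, pe + 24 + 16)  # AddressOfEntryPoint
    table = pe + 24 + opt_size
    if nsec == 0 or table + nsec * SECTION.size > len(data):
        raise ValueError("section table missing or truncated")
    rows = [SECTION.unpack_from(data, table + i * SECTION.size) for i in range(nsec)]
    # "Last" section = the one mapped at the highest virtual address.
    name, vsize, vaddr, rsize, *_, flags = max(rows, key=lambda r: r[2])
    entry_in_last = vaddr <= entry < vaddr + max(vsize, rsize)
    exec_write = bool(flags & MEM_EXECUTE and flags & MEM_WRITE)
    # Assumed heuristic (generic for appending infectors, not stated for PE_CAW).
    return {"last_section": name.rstrip(b"\0").decode("ascii", "replace"),
            "entry_in_last": entry_in_last,
            "exec_write": exec_write,
            "suspicious": entry_in_last and exec_write}

def build_sample(entry_rva: int, last_flags: int) -> bytes:
    """Constructed header-only PE image (not a real program) for the demo."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    def sec(n, va, fl):
        return SECTION.pack(n, 0x1000, va, 0x200, 0, 0, 0, 0, 0, fl)
    return dos + coff + bytes(opt) + sec(b".text", 0x1000, 0x60000020) \
        + sec(b".rsrc", 0x2000, last_flags)

if __name__ == "__main__":
    print(last_section_report(build_sample(0x1000, 0x40000040)))  # typical layout
    print(last_section_report(build_sample(0x2100, 0xE0000020)))  # appender-like
```

A hit is only a reason to inspect the file further: packers and some legitimate protectors produce the same layout.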