After infecting a document or installing into the system the virus takes a
random selected word from document and moves it to random selected
position. The virus repeats that up to three times depending on the random
counter. Then it also depending on the random counter inserts the string
“wazzu ” at random selected position within document.
The virus modifies the document with the probabilities (p): replacing words
– three times with p=1/5, inserting “wazzu” – p=1/4.
The original “Wazzu” (“Wazzu.a”) virus is one of the most widespread
viruses on the world. The possible reason is that this virus was placed on the
Microsoft WWW site, infected documents also were (are) distributed on
several CD disks. As a result there are several dozens of related viruses,
and the number of such related viruses is increasing every month. Below short
descriptions are given, to name viruses CARO standard names are used (AVP
does detect and disinfect majority of these viruses as “Wazzu.a”).
“Wazzu.c,t,ac” do not manifest themselves in any way – they have no Payload
subroutine (RndWord subroutine presents in virus, but is never called).
“Wazzu.k” is corrupted “Wazzu.a”.
“Wazzu.y,z” are the same as “Wazzu.a”, but code of these virus is slightly
modified, for example all TAB (09h) symbols are replaced with 8 spaces in
|Find out the statistics of the threats spreading in your region|