Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
DateEarly 1990s
PlatformMicrosoft Windows
This box: view  talk  edit

Apparition (also known as Virus.Win16.Apparition) is a virus on Microsoft Windows. While programmed for Win16 operating systems, this virus also works on Windows 9x and NT-based systems. If the user finds a window that says "The Apparition", it is dropped by the virus and is a manual file-infector, which means the user can infect files that they choose using the program.


When opened, the program appears to be a functioning copy of the Windows 3.1 calculator program, albeit with glitched text. When the program is closed, the virus has then infected the computer. Every ten seconds, it attempts to infect files and remap drives; while it does this, the computer's performance is hampered by a slowdown.

The next payload will depend on the date: for instance, if the user was infected on January 1st, the virus will run another payload on February 1st. This payload attempts to delete every file it can find (except WIN386.SWP and 386SPART.PAR) in all drives. When the user restarts the computer, the virus has deleted the command.com file and will fail to boot into DOS.

In order to infect files, it adds itself to the win.ini directory as the line [The Apparition]. There are debugging features that can be used by editing the line that allows the user to terminate the virus, delete all files, add dialogues about infection and even a command dialogue. The command dialogue can check files, infect a single file, remove itself from the memory, terminate itself for the current session, or activate its payload (destruct). The following are how the virus will work:

  • BootInfected - indicates if the VIDACCEL.EXE file is already dropped. If 1, the virus will not re-drop it.
  • DieDay/DieMonth- Date for payload to activate
  • AtomID/IDAtom - ID for system calls
  • Running NOW - If virus is running in memory
  • Die - If set to 0, the virus will not activate the destructive payload on the payload day
  • NoRun - The virus will not infect the system
  • NoInfect - The virus will not infect files
  • ShowDotsOn - Shows dialogue on infected files and prompts user to run infected files or infect a file
  • ShowDialogue - Shows a command dialogue on boot
  • Logging - Creates a "Winapp.log" file that will log the virus's input