When opened, the program appears to be the Windows 3.1 calculator program, but with glitched text. The program does, however, function like a calculator. Once the program is closed, the virus has infected the computer. Every ten seconds, it attempts to infect files and to remap drives. While it does this, the computer's performance slows down. The next payload depends on the date. For example, if the user was infected on January 1st, the virus will run another payload on February 1st. This next payload is unnoticeable, but it works. It attempts to delete every file it can find (except WIN386.SWP and 386SPART.PAR) on all drives. When the user restarts the computer, the command.com file has been deleted by the virus, and the computer will fail to boot into DOS.
In order to infect files, it adds itself to the win.ini file as the line [The Apparition]. Editing this line exposes debugging features that allow the user to terminate the virus, delete all files, add dialogues about infection, and even show a command dialogue. The command dialogue can check files, infect a single file, remove the virus from memory, terminate it for the current session, or activate its payload (destruct). The following entries control how the virus behaves:
- BootInfected - indicates if the VIDACCEL.EXE file is already dropped. If 1, the virus will not re-drop it.
- DieDay/DieMonth - Date for payload to activate
- AtomID/IDAtom - ID for system calls
- Running NOW - If virus is running in memory
- Die - If set to 0, will not activate payload on the payload day
- NoRun - The virus will not infect the system
- NoInfect - The virus will not infect files
- ShowDotsOn - Shows dialogue on infected files and prompts user to run infected files or infect a file
- ShowDialogue - Shows a command dialogue on boot
- Logging - Creates a "Winapp.log" file that will log the virus's input
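For triage of a recovered disk image, the entries above can be read straight out of WIN.INI. The following is an added example, not code from the virus or from the original page: it assumes the entries sit as key=value lines under the [The Apparition] section, and the sample file contents and function names are constructed for illustration.

```python
# Added example: triage a WIN.INI for the [The Apparition] section.
SECTION = "the apparition"   # Windows INI section and key names are case-insensitive
# Entry names as listed on this page; the key=value layout is an assumption.
KNOWN = ["BootInfected", "DieDay", "DieMonth", "AtomID", "IDAtom", "Running NOW",
         "Die", "NoRun", "NoInfect", "ShowDotsOn", "ShowDialogue", "Logging"]

# Constructed sample input, not taken from a real infected machine.
SAMPLE = """[windows]
load=

[The Apparition]
BootInfected=1
DieDay=1
DieMonth=2
Die=1
"""

def parse_ini(text):
    """Tolerant INI reader: returns {section_lower: {key_lower: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # skip blanks and comments
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections

def triage(text):
    """Return None if the section is absent, else a findings dict."""
    entries = parse_ini(text).get(SECTION)
    if entries is None:
        return None
    found = {n: entries[n.lower()] for n in KNOWN if n.lower() in entries}
    unknown = sorted(set(entries) - {n.lower() for n in KNOWN})
    payload_date = None                   # (month, day) when both are numeric
    if found.get("DieDay", "").isdigit() and found.get("DieMonth", "").isdigit():
        payload_date = (int(found["DieMonth"]), int(found["DieDay"]))
    return {"entries": found, "unknown": unknown, "payload_date": payload_date,
            "dropper_present": found.get("BootInfected") == "1",
            # Assumption: treated as armed unless Die is explicitly 0.
            "payload_armed": found.get("Die") != "0"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Any entry reported under "unknown" is one this page does not list and should be reviewed by hand.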
It is possible to infect 9x and NT-based systems if the virus is transported to a system running Windows 95 or later. Its payload will work correctly and delete all files on the hard drive.
If the user finds a window that says "The Apparition", it is dropped by the virus and is a manual file-infector, which means the user can infect files that they choose using the program.