Virus Name: Pa-5792
Virus Type: File Infector Virus (infects .EXE files)
Virus Length: 5792 Bytes
PC Vectors Hooked: None
Executing Procedure:
1) Searches for uninfected .EXE files in the current directory and the "A:" drive, then infects them.
2) It infects seven files at a time.
3) It then executes the originally called file.
Damage: None
Detecting Method: Infected files will increase by 5792 bytes.
Note:
1) Doesn't stay resident in memory.
2) PA-5792 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: Parity_Boot.B
Alias Name: Parity_BOOT.B, Generic1
Virus Type: Boot Virus
Virus Length: N/A
Description: This virus infects boot sectors.
Interrupt vectors hooked: INT 13h.
Infection method:
1) When the system is booted from an infected diskette, the virus infects the master boot record and loads itself in memory.
2) While loaded, it infects all accessed, non-protected disks.
3) The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes.
Damage:
1) The virus sets a one-hour delay timer when the system is turned on. Each time a floppy is infected, the timer is reset. If no floppies are infected, the virus simulates a parity error, displaying the following message and hanging the system:
   Parity Check
Note: If you attempt to examine boot sectors while the virus is in memory, it will display the original, uninfected version.

Virus Name: Psycho
Virus Type: File Infector Virus (infects .EXE & .COM files)
Virus Length: No change
PC Vectors Hooked: None
Executing Procedure:
1) Searches for and infects all uninfected .COM or .EXE files in the current directory.
Damage: Overwrites original files, so the length of infected files won't increase.
Note:
1) Doesn't stay resident in memory.
2) Psycho doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: POX
Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files).
Virus Length: 609 Bytes (COM)
PC Vectors Hooked:
1) INT 21h (AX=4B00h) (execute program)
2) INT 9h
Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.
Damage:
1) POX hooks INT 9h.
2) When a key is pressed and the system date indicates that it is the 24th day of the month, it will format the hard disk.
Detecting Method: Infected files increase by 609 Bytes.
Note:
1) The POX virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: PCBB-B
Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files).
Virus Length: 3072 Bytes (COM & EXE)
PC Vectors Hooked:
1) INT 21h (AX=4B00h) (execute program)
2) INT 24h
Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.
Damage: None.
Detecting Method: Infected files increase by 3072 Bytes.
Note:
1) The PCBB virus hooks INT 24h when infecting files, so I/O errors (such as write protect) are ignored.

Virus Name: PROTO-T
Other names: None
Virus Type: File Infector Virus
Virus Length: .COM 695 bytes.
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.
Damage: None
Detecting Method: Infected files increase in size by 695 bytes.
Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).

Virus Name: Prudent
Other names: 1210
Virus Type: File Infector Virus
Virus Length: .EXE 1210 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory it will infect any uninfected file that is executed.
3b) It doesn't infect .COM files.
Damage: Overwrites original files.
Detecting Method: From May 1-4, the virus will frequently check the disk.
Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).

Virus Name: Pojer
Virus Type: Parasitic Virus.
Virus Length: Infected EXE and COM files increase by 1919 Bytes.
PC Vectors Hooked: INT 21h and INT 24h
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the host program.
Infecting Procedure:
1) The virus infects files through AH=4B of INT 21h. Uninfected files are infected when they are executed.
2) Before infecting files, Pojer hooks INT 24h in order to ignore I/O errors.
Damage: None
Detecting Method: Detectable if the lengths of files increase by 1919 Bytes.

Virus Name: Printmon
Virus Type: COM File infector
Virus Length: 853 bytes
Executing Procedure:
1) Checks whether it has hooked INT 17h.
2) If not, the virus installs a routine on INT 17h to stay resident in memory.
3) Then it proceeds to infect all uninfected COM files with length less than 64000 bytes in the current directory and goes back to the original routine. (During the infection period, it hooks INT 24h so that write errors do not reveal its presence.)
Vectors hooked: Hooks INT 17h (Printing Function) to change printing data.
Damage: It introduces errors into printed output.
Note: Date and time of infected files do not change.
Detecting Method: Infected file sizes will increase by 853 bytes.

Virus Name: Path
Virus Type: COM File infector
Virus Length: 3+906 bytes
Executing Procedure:
1) It will decode its later half section first.
2a) Then it checks for uninfected COM files of size between 10 and 64000 bytes and infects only one file.
2b) The search path is set to PATH.
3) Then it goes back to the original routine.
Damage: None
Note:
1) Does not stay resident in memory.
2) Date and time of infected files do not change.
3) Infected files will increase by 906+G bytes

Virus Name: Prime
Virus Type: *.C* (Mainly *.COM) File infector
Virus Length: 580 bytes
Executing Procedure:
1) It will decode its later half section first.
2) If the current day is 1, displays a message and rotates the screen from left to right once.
3) Regardless of the date, it searches for one uninfected file in the current directory to infect.
4) The method of infection is:
   a) Get the original code and encode it with F3h.
   b) Get the system time and encode it with the virus's later half code.
   c) Attach the virus code to the original file, followed by the original code.
Vectors hooked:
1) Hooks INT 01h and INT 03h to disable the Debug program. When the Debug program is executed, it will jump to FE05Bh to reboot the system.
2) Hooks INT 24h to prevent error messages if the current diskette is write-protected. When INT 24h is called, it will halt the system because the virus has a faulty procedure.
Damage: Original programs are encoded and consequently made unexecutable.
Note:
1) Does not stay resident in memory.
2) If there are infected *.C* files in the current directory, the system will be halted after the virus has been executed.
3) Date and time of infected files do not change.
Detecting Method: Infected files will increase by 580 bytes.
Cleaning Method: Remove the first 580 bytes of the infected file, then XOR each of the remaining bytes with F3h.

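The Prime cleaning method above, written out as an added example (it is not part of the original catalogue): strip the 580-byte prefix, XOR the rest with F3h, and accept the result only if it matches a pre-infection baseline. The function names, the baseline size/SHA-256 check, and the sample data (a stand-in host behind 580 filler bytes) are assumptions made for illustration.

```python
import hashlib

PRIME_LEN = 580   # virus length given in the entry
XOR_KEY = 0xF3    # key the entry says the original code is encoded with
XOR_TABLE = bytes(b ^ XOR_KEY for b in range(256))


def restore_prime_host(infected: bytes) -> bytes:
    """Drop the first 580 bytes, then XOR every remaining byte with F3h."""
    if len(infected) <= PRIME_LEN:
        raise ValueError("file is not longer than 580 bytes; nothing to restore")
    return infected[PRIME_LEN:].translate(XOR_TABLE)


def verify_restored(restored: bytes, baseline_size: int, baseline_sha256: str) -> bool:
    """Accept a restored file only if it matches the known-good size and hash."""
    return (len(restored) == baseline_size
            and hashlib.sha256(restored).hexdigest() == baseline_sha256)


def constructed_sample():
    """Constructed test data laid out as the entry describes.

    The host is a tiny stand-in program; the 580-byte prefix is 0x90 filler,
    not virus code.
    """
    host = b"\xb4\x09\xba\x08\x01\xcd\x21\xc3hello$"
    infected = b"\x90" * PRIME_LEN + host.translate(XOR_TABLE)
    return host, infected


if __name__ == "__main__":
    host, infected = constructed_sample()
    restored = restore_prime_host(infected)
    ok = verify_restored(restored, len(host), hashlib.sha256(host).hexdigest())
    print(f"size delta: {len(infected) - len(host)} bytes, restored ok: {ok}")
```

Write the restored bytes to a new file rather than over the infected one, so the original remains available if verification fails.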
Virus Name: Psv-354
Virus Type: COM File infector
Virus Length: 354 bytes
Executing Procedure:
1) It will decode its later half section first.
2) Then it checks for uninfected COM files of size between 150 and 65000 bytes and infects only one file.
3) It then goes back to the original routine.
Damage: None
Note:
1) Does not stay resident in memory.
2) Date and time of infected files do not change.
3) Does not infect the COMMAND.COM of DOS 5.0
Detecting Method: Infected files will increase by 354 bytes.

Virus Name: Pcbb
Virus Type: Memory resident, COM File infector
Virus Length: 3+(1675-1687) bytes
Executing Procedure:
1) It will decode its later half section first.
2) Next, it checks whether it is already resident in memory. If not, it will move itself to high memory.
3) Then it hooks INT 21h, INT 09h, INT 1Ch and goes back to run the original routine.
The infection happens when executing programs, copying files, changing a file's attributes, opening files, closing files, and renaming files (AH=56h). When it infects a file, it will check what day of the week it is. This lets it choose from 7 possible encoding modes. It does not infect the same file again, and the length of infectable files must be between 16 bytes and 61440 bytes.
Symptom:
1) When the virus activates, the screen goes blank each time the keystroke counter reaches 957.
2) Then it will reset the counter.
3) You can press the Alt, Control, and Shift keys together to make the screen display again.
Damage: None
Note: It stays resident in memory (it will take 4K bytes).
Detecting Method:
1) Date and time of infected files changed.
2) Infected files will increase by 1675,1677,1679,1679,1680,1683,1687 bytes according to what day of the week it is (from Sunday to Saturday).
3) "PCBB" is attached to the end of the infected file.

Virus Name: Pa-5220
Virus Type: EXE & COM File infector
Executing Procedure:
1) Searches for an uninfected COM or EXE file in the current directory from diskette A, B or C, then infects it.
2) It infects one file at a time.
Damage: It will overwrite original files with virus code. Original files are destroyed.
Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
3) This virus is written in a high-level language.

Virus Name: Pcbb11
Virus Type: EXE & COM File infector
Virus Length: 3052 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) Then it goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it will hook INT 24h so that write errors do not reveal its presence.
3) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: ?
Detecting Method: Infected file sizes increase by 3052 bytes.

Virus Name: Pcbb3072
Virus Type: EXE & COM File infector
Virus Length: 3072 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) Then it goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it will hook INT 24h so that write errors do not reveal its presence.
3) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: ?
Detecting Method: Infected file sizes increase by 3072 bytes.

Virus Name: PROTOVIR
Virus Type: Virus infects .COM files and resides in HiMem.
Virus Length: 730 bytes on file and 270 in memory.
Interrupt Vectors Hooked: INT 21h.
Infection Process:
1) Infects .COM programs when they are executed. Infected files will have a file length increase of 730 bytes, with the virus located at the end of the file.
2) The virus updates the first 7 bytes so that the file head points to the virus code, and stores the first 7 bytes at the end of the infected file.
Damage: Increased file sizes. Decreased available memory.
Symptoms: Available free memory will decrease by 720 bytes.

Virus Name: Pit-1228
Virus Type: COM & EXE File infector
Virus Length: 1228 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it will hook INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.
Damage: None
Detecting Method: Infected file sizes increase by 1228 bytes.

Virus Name: Penza
Virus Type: COM File infector
Virus Length: 700 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) Then it goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it will hook INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detecting Method: Infected file sizes increase by 700 bytes.

Alias:
Origin :
Eff Length : 1332 bytes
Symptoms :
EXE, COM, and DLL programs increase in size by 1332 bytes, and there is a decrease of 2672 in available memory. When a write-protected floppy is accessed, a "Write Protect Error" message is usually displayed even when you are only trying to read it.
General Comments:
On the first infection, this virus will first allocate 2672 bytes in the High Memory Area and then transfer 1332 bytes of its code to that area. It will then hook INT 21, attaching infection procedures to services 4B (Execute Program), 6C (Extended Open Create), 56 (Rename File), and 43 (Get File Attributes).
This virus will infect all EXE, COM, and DLL files that are opened, renamed, or executed. It will also avoid files whose names end with the string "AV" (NAV, TBAV), "AN" (PCSCAN, SCAN) or "DV".
The virus is named as such because of the string "PH33R" found in the virus code.
Eff Length : 965-968 bytes
Type Code :
Infected EXE and COM files increase by 965-968 bytes and there is a decrease of 1024 in the available memory. When a write-protected floppy is accessed, a "Write Protect Error" message is usually displayed when an attempt to read it is made.
On the first infection, this virus will first allocate 1024 bytes in the High Memory Area and then transfer 965 bytes of its code to that area. It will then hook INT 21, attaching infection procedures to services 4B00 (Execute Program), 3D02 (Open File Handle), and 40 (Write to File/Device).
This virus will infect all EXE and COM files that are opened, renamed, or executed.
The virus is named as such because of the string "PHX" in the virus code.
Alias: PLAGIARIST
Eff Length : 2051 bytes
Type Code : Multi-partite Virus
EXE and COM files increase their lengths by 2051 bytes and there is a decrease of 2048 bytes in the available memory.
On first infection, Plagiarist will check if the date is between 1993 and 2042. If this is the case, it will make a copy of the boot record at the logical end of the drive and will also transfer its code right after the boot record. Then it will replace the current boot record with its own infected boot record. The virus is not yet active at this point; it is activated when you boot from the infected drive. It will then allocate 2048 bytes in high memory and transfer the virus code from the disk to the High Memory Area. Afterwards it will hook INT 21, INT 28, INT 08, and INT 13.
Virus Status:
Eff Length : 2448 bytes
Type Code : Polymorphic Virus
Increase of 2448 bytes in sizes of EXE and COM files and decrease of 6144 bytes in the available memory.
This virus is a variant of the PREDATOR-1072 virus. It will infect all EXE and COM files that are executed, opened or copied. It is also memory resident, residing in the High Memory Area.
During first infection, it will decrypt 2424 bytes of its code and then will allocate 6144 bytes in the High Memory Area and transfer its code there. It will also hook INT 13 and 21.
This message is found in the encrypted virus code:
"Predator Virus #2 (c) 1993 Priest - Phalcon/Skism"