Pa 5792

Virus Name: Pa-5792

Virus Type: File Infector Virus (infects .EXE files)

Virus Length: 5792 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected .EXE files in the current directory and the "A:" drive then infects them.
2) It infects seven files at a time.
3) It then executes the originally called file.

Damage: None

Detecting Method: Infected files will increase by 5792 bytes.

Note:
1) Doesn't stay resident in memory.
2) PA-5792 doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Parity_boot.b

Virus Name: Parity_Boot.B

Alias Name: Parity_BOOT.B, Generic1

Virus Type: Boot Virus

Virus Length: N/A

Description: This virus infects boot sectors

Interrupt vectors hooked: INT 13h.

Infection method:
1) When the system is booted from an infected diskette, the virus infects the master boot record and loads itself in memory.
2) While loaded, it infects all accessed, non-protected disks.
3) The DOS CHKDSK program will show a "total bytes memory" decrease of 1,024 bytes.

Damage:
1) The virus sets a one-hour delay timer when the system is turned on. Each time a floppy is infected, the timer is reset. If no floppies are infected, the virus simulates a parity error, displaying the following message and hanging the system:

Parity Check

Note: If you attempt to examine boot sectors while the virus is in memory, it will display the original, uninfected version.


Psycho

Virus Name: Psycho

Virus Type: File Infector Virus (infects .EXE & .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Searches for and infects all uninfected .COM or .EXE files in the current directory.

Damage: Overwrites original files, so the length of infected files won't increase.

Note:
1) Doesn't stay resident in memory.
2) Psycho doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


POX

Virus Name: POX

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM files).

Virus Length: 609 Bytes (COM)

PC Vectors Hooked:
1) INT 21h (AX=4B00h) (execute program),
2) INT 9h

Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once resident in memory it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.

Damage:
1) POX hooks INT 9h.
2) When a key is pressed and the system date indicates that it is the 24th day of the month, it will format the hard disk.

Detecting Method: Infected files increase by 609 Bytes.

Note:
1) The POX virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


PCBB-B

Virus Name: PCBB-B

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files).

Virus Length: 3072 Bytes (COM & EXE)

PC Vectors Hooked:
1) INT 21h (AX=4B00h) (execute program)
2) INT 24h

Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory it will infect any uninfected file that is executed.

Damage: None.

Detecting Method: Infected files increase by 3072 Bytes.

Note:
1) The PCBB virus hooks INT 24h when infecting files, so I/O errors (such as write protect) are ignored.


Proto-T

Virus Name: PROTO-T

Other names: None

Virus Type: File Infector Virus

Virus Length: .COM 695 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once resident in memory it will infect any uninfected file that is executed.

Damage: None

Detecting Method: Infected file sizes increase by 695 bytes.

Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Prudent

Virus Name: Prudent

Other names: 1210

Virus Type: File Infector Virus

Virus Length: .EXE 1210 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once resident in memory it will infect any uninfected file that is executed.
3b) It doesn't infect .COM files.

Damage: Overwrites original files.

Detecting Method: From May 1-4, the virus will frequently check the disk.

Note:
1) Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).


Pojer

Virus Name: Pojer

Virus Type: Parasitic Virus.

Virus Length: Infected EXE and COM files increase by 1919 Bytes.

PC Vectors Hooked: INT 21h and INT 24h

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the host program.

Infecting Procedure:
1) The virus infects files through INT 21h with AH=4Bh (execute program): uninfected files are infected when they are executed.
2) Before infecting files, Pojer hooks INT 24h in order to ignore I/O errors.

Damage: None

Detecting Method: Detectable if the lengths of files increase by 1919 Bytes.


Printmon

Virus Name: Printmon

Virus Type: COM File infector

Virus Length: 853 bytes

Executing Procedure:
1) Checks whether it has hooked INT 17h.
2) If not, the virus hooks INT 17h and stays resident in memory.
3) Then it proceeds to infect all uninfected COM files with length less than 64000 bytes in the current directory and goes back to the original routine. (During the infection period, it hooks INT 24h so that write errors do not reveal its presence.)

Vectors hooked: Hooks INT 17h (Printing Function) to change printing data.

Damage: It introduces errors into printed output.

Note: Date and time of infected files do not change.

Detecting Method: Infected file sizes will increase by 853 bytes.


Path

Virus Name: Path

Virus Type: COM File infector

Virus Length: 3+906 bytes

Executing Procedure:
1) It first decodes the latter half of its own code.
2a) Then it checks for uninfected COM files of size between 10 and 64000 bytes and infects only one file.
2b) The search path is taken from PATH.
3) Then it goes back to the original routine.

Damage: None

Note:
1) Does not stay resident in memory.
2) Date and time of infected files do not change.
3) Infected files will increase by 906+3 bytes.


Prime

Virus Name: Prime

Virus Type: *.C*(Mainly *.COM) File infector

Virus Length: 580 bytes

Executing Procedure:
1) It first decodes the latter half of its own code.
2) If the current day is 1, it displays a message and rotates the screen from left to right once.
3) Regardless of the date, it searches for one uninfected file in the current directory to infect.
4) The method of infection is:
a) Get the original code and encode it with F3h.
b) Get the system time and encode it with the latter half of the virus's code.
c) Attach the virus code to the original file, followed by the original code.

Vectors hooked:
1) Hooks INT 01h and INT 03h to disable the Debug program. When the Debug program is executed, it will jump to FE05Bh to reboot the system.
2) Hooks INT 24h to prevent error messages if the current diskette is write-protected. When INT 24h is called, it will halt the system because the virus has a faulty procedure.

Damage: Original programs are encoded and consequently made unexecutable.

Note:
1) Does not stay resident in memory.
2) If there are infected *.C* files in the current directory, the system will be halted after the virus has been executed.
3) Date and time of infected files do not change.

Detecting Method: Infected files will increase by 580 bytes.

Cleaning Method: Remove the first 580 bytes of the infected file, then XOR each of the remaining bytes with F3h.
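
The cleaning method above, written out as a small recovery routine. This is an added example, not code from the original entry; it assumes the file has already been identified as Prime-infected by other means (the entry gives no signature to check), and the function names and the sample image are constructed for illustration.

```python
import os
import tempfile

PRIME_LEN = 580   # virus body length given in the entry
XOR_KEY = 0xF3    # encoding key given in the entry

def restore_prime_host(infected: bytes) -> bytes:
    """Drop the 580-byte prefix and XOR every remaining byte with F3h."""
    if len(infected) <= PRIME_LEN:
        raise ValueError("file is not longer than the 580-byte virus body")
    # A 256-entry translation table applies the XOR to each byte in one pass.
    table = bytes(b ^ XOR_KEY for b in range(256))
    return infected[PRIME_LEN:].translate(table)

def clean_file(src: str, dst: str) -> int:
    """Write the restored host to dst, leaving src untouched; return its size."""
    with open(src, "rb") as f:
        restored = restore_prime_host(f.read())
    tmp = dst + ".tmp"
    with open(tmp, "wb") as f:
        f.write(restored)
    os.replace(tmp, dst)   # dst only appears once the write has completed
    return len(restored)

def constructed_sample(host: bytes) -> bytes:
    """Constructed test image: 580 filler bytes (no virus code) + encoded host."""
    return b"\x00" * PRIME_LEN + bytes(b ^ XOR_KEY for b in host)

if __name__ == "__main__":
    host = b"\xb4\x4c\xcd\x21"   # constructed 4-byte host: mov ah,4Ch / int 21h
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "SAMPLE.COM")
        dst = os.path.join(d, "SAMPLE.CLN")
        with open(src, "wb") as f:
            f.write(constructed_sample(host))
        size = clean_file(src, dst)
        with open(dst, "rb") as f:
            print(size, f.read() == host)
```

Writing to a separate output file keeps the infected original available for comparison if the restored program does not run.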


PSV-354

Virus Name: Psv-354

Virus Type: COM File infector

Virus Length: 354 bytes

Executing Procedure:
1) It first decodes the latter half of its own code.
2) Then it checks for uninfected COM files of size between 150 and 65000 bytes and infects only one file.
3) It then goes back to the original routine.

Damage: None

Note:
1) Does not stay resident in memory.
2) Date and time of infected files do not change.
3) Does not infect the COMMAND.COM of DOS 5.0.

Detecting Method: Infected files will increase by 354 bytes.


PCBB

Virus Name: Pcbb

Virus Type: Memory resident, COM File infector

Virus Length: 3+(1675-1687) bytes

Executing Procedure:
1) It first decodes the latter half of its own code.
2) Next, it checks whether it is already resident in memory. If not, it will move itself to high memory.
3) Then it hooks INT 21h, INT 09h, and INT 1Ch and goes back to run the original routine.

The infection happens when executing programs, copying files, changing a file's attributes, opening files, closing files, and renaming files (AH=56h). When it infects a file, it checks what day of the week it is and uses this to choose from 7 possible encoding modes. It does not infect the same file again, and the length of infectable files must be between 16 bytes and 61440 bytes.

Symptom:
1) When the virus activates, the screen goes blank each time the keystroke counter reaches 957.
2) Then it will reset the counter.
3) You can press the Alt, Control, and Shift keys together to make the screen display again.

Damage: None

Note: It stays resident in memory (It will take 4K bytes).

Detecting Method:
1) Date and time of infected files changed.
2) Infected files will increase by 1675, 1677, 1679, 1679, 1680, 1683, 1687 bytes according to what day of the week it is (from Sunday to Saturday).
3) "PCBB" is attached to the end of the infected file.


Pa-5220

Virus Name: Pa-5220

Virus Type: EXE & COM File infector

Executing Procedure:
1) Searches for an uninfected COM or EXE file in the current directory from diskette A, B or C, then infects it.
2) It infects one file at a time.

Damage: It will overwrite original files with virus code. Original files are destroyed.

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
3) This virus is written in a high-level language.


PCBB-11

Virus Name: Pcbb11

Virus Type: EXE & COM File infector

Virus Length: 3052 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) Then it goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it hooks INT 24h so that write errors do not reveal its presence.
3) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: ?

Detecting Method: Infected file sizes increase by 3052 bytes.


PCBB-3072

Virus Name: Pcbb3072

Virus Type: EXE & COM File infector

Virus Length: 3072 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) Then it goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it hooks INT 24h so that write errors do not reveal its presence.
3) If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: ?

Detecting Method: Infected file sizes increase by 3072 bytes.


Protovir

Virus Name: PROTOVIR

Virus Type: Virus infects .COM files and resides in HiMem.

Virus Length: 730 bytes on file and 270 in memory.

Interrupt Vectors Hooked: INT 21h.

Infection Process:
1) Infects .COM programs when they are executed. Infected files will have a file length increase of 730 bytes with the virus being located at the end of the file.
2) The virus updates the first 7 bytes so that the file head points to the virus code, and keeps the original first 7 bytes at the end of the infected file.

Damage: Increased file sizes. Decreased available memory.

Symptoms: Available free memory will decrease by 720 bytes.


Pit-1228

Virus Name: Pit-1228

Virus Type: COM & EXE File infector

Virus Length: 1228 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.

Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it hooks INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected COM or EXE file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 1228 bytes.


Penza

Virus Name: Penza

Virus Type: COM File infector

Virus Length: 700 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) Then it goes back to the original routine.

Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it hooks INT 24h so that write errors do not reveal its presence. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 700 bytes.


Ph33r.1332-1

Alias:

Origin :

Eff Length : 1332 bytes

Symptoms :

EXE, COM, and DLL files increase in size by 1332 bytes, and available memory decreases by 2672 bytes. With a write-protected floppy, a "Write Protect Error" message is usually displayed even when you are only trying to read from it.

General Comments:

On the first infection, this virus allocates 2672 bytes in the High Memory Area and then transfers 1332 bytes of its code to that area. It then hooks INT 21 with infection procedures on services 4B (Execute Program), 6C (Extended Open Create), 56 (Rename File), and 43 (Get File Attributes).

This virus will infect all EXE, COM, and DLL files that are opened, renamed, or executed. It avoids files whose names end with the strings "AV" (NAV, TBAV), "AN" (PCSCAN, SCAN), and "DV".

The virus is named as such because of the string "PH33R" found in the virus code.


Phx.96s

Alias:

Origin :

Eff Length : 965-968 bytes

Type Code :

Symptoms :

Infected EXE and COM files increase by 965-968 bytes, and available memory decreases by 1024 bytes. With a write-protected floppy, a "Write Protect Error" message is usually displayed when an attempt is made to read from it.

General Comments:

On the first infection, this virus allocates 1024 bytes in the High Memory Area and then transfers 965 bytes of its code to that area. It then hooks INT 21 with infection procedures on services 4B00 (Execute Program), 3D02 (Open File Handle), and 40 (Write to File/Device).

This virus will infect all EXE and COM files that are opened, renamed, or executed.

The virus is named as such because of the string "PHX" in the virus code.


Plagiarist.2051

Alias: PLAGIARIST

Origin :

Eff Length : 2051 bytes

Type Code : Multi-partite Virus

Symptoms :

EXE and COM files increase their lengths by 2051 bytes and there is a decrease of 2048 bytes in the available memory.

General Comments:

On first infection, Plagiarist checks whether the date is between 1993 and 2042. If so, it makes a copy of the boot record at the logical end of the drive and also transfers its code right after the boot record. It then replaces the current boot record with its own infected boot record. The virus is not yet active at this point; it is activated when you boot from the infected drive. It then allocates 2048 bytes in high memory and transfers the virus code from the disk to the High Memory Area. Afterwards it hooks INT 21, INT 28, INT 08, and INT 13.


Predator.2448

Virus Status:

Origin :

Eff Length : 2448 bytes

Type Code : Polymorphic Virus

Symptoms :

EXE and COM files increase in size by 2448 bytes, and available memory decreases by 6144 bytes.

General Comments:

This virus is a variant of the PREDATOR-1072 virus. It will infect all EXE and COM files that are executed, opened or copied. It is also memory resident, residing in the High Memory Area.

During first infection, it will decrypt 2424 bytes of its code and then will allocate 6144 bytes in the High Memory Area and transfer its code there. It will also hook INT 13 and 21.

This message is found in the encrypted virus code:

"Predator Virus #2 (c) 1993 Priest - Phalcon/Skism"