PH33R Virus


 Virus Name:  PH33R 
 Aliases:     PH33R.1332 
 V Status:    Common 
 Discovered:  January, 1996 
 Symptoms:    .COM & .EXE growth; decrease in available free memory 
 Origin:      Australia 
 Eff Length:  1,332 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, NAV, NAVDX, PCScan, 
                    AVTK/N, IBMAV/N, NShld, NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The PH33R virus was received in January, 1996 and appears to be 
       from Australia.  This virus is a memory resident infector of .COM 
       and .EXE files, including COMMAND.COM.  It has been reported to be 
       "in the wild" in North America. 
 
       When the first PH33R infected program is executed, the virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, without altering the value returned by 
       interrupt 12.  Available free memory, as indicated by the DOS CHKDSK 
       program from DOS 5.0, will have decreased by 2,672 bytes.  Interrupt 
       21 will be hooked by the virus in memory. 
 
       Once the PH33R virus is memory resident, it will infect .COM and 
       .EXE files, including COMMAND.COM, when they are executed.  Infected 
       programs will have a file length increase of 1,332 bytes with the 
       virus being located at the end of the file.  The program's date and 
       time in the DOS disk directory listing will not be altered.  The 
       following text strings are visible within the viral code: 
 
           "Ph33r" 
           "Qark/VLAD" 
 
       It is unknown what this virus may do besides replicate. 
 
       See:   Vlad 
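
A triage check built from the indicators in this entry (1,332 bytes appended to the end of .COM and .EXE files, and the two visible text strings). This is an added example, not code from the original entry or from any scanner listed above. The function names are hypothetical, and it assumes the strings are stored unencrypted, in the case shown, inside the appended code.

```python
import sys
from pathlib import Path

EFF_LENGTH = 1332                     # effective length given in this entry
MARKERS = (b"Ph33r", b"Qark/VLAD")    # text strings listed in this entry
TARGET_EXTS = {".com", ".exe"}        # file types the entry says are infected

def tail_has_markers(data: bytes) -> bool:
    """True if both strings occur in the final EFF_LENGTH bytes of the file."""
    if len(data) <= EFF_LENGTH:       # an appended body implies host + 1,332 bytes
        return False
    tail = data[-EFF_LENGTH:]
    return all(marker in tail for marker in MARKERS)

def assess(data: bytes, baseline_size=None) -> str:
    """Combine the string check with growth against a known-good size.

    baseline_size is an assumed input: the file's size recorded before
    any infection (for example from install media or a backup listing).
    """
    markers = tail_has_markers(data)
    growth = baseline_size is not None and len(data) - baseline_size == EFF_LENGTH
    if markers and growth:
        return "match"
    if markers or growth:
        return "suspect"
    return "clean"

def scan_tree(root, baselines=None):
    """Return (path, verdict) for every non-clean .COM/.EXE file under root."""
    baselines = baselines or {}       # assumed mapping: upper-case name -> clean size
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTS:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue                  # unreadable file: skip, do not abort the scan
        verdict = assess(data, baselines.get(path.name.upper()))
        if verdict != "clean":
            findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    for path, verdict in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict}: {path}")
```

A "suspect" or "match" result is a reason to confirm with one of the scanners listed under Detection Method, not a diagnosis on its own.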
