PhoenixD Virus


 Virus Name:  PhoenixD 
 Aliases:     P1 
 V Status:    Rare 
 Discovered:  July, 1990 
 Symptoms:    .COM growth; system reboots; CHKDSK program failure; 
              COMMAND.COM header change 
 Origin:      Bulgaria 
 Eff Length:  1,704 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The PhoenixD virus is of Bulgarian origin, and was submitted to the 
       author of this document in July, 1990 by Vesselin Bontchev. This 
       virus is one of a family of three viruses which may be referred 
       to as the P1 or Phoenix Family.  Each of these viruses is being 
       documented separately due to their varying characteristics. The 
       PhoenixD virus is a memory resident, generic infector of .COM 
       files, and will infect COMMAND.COM. 
 
       The PhoenixD virus is a "bug fixed" version of the Phoenix virus. 
 
       The first time a program infected with the PhoenixD virus is 
       executed, the virus will install itself memory resident in free 
       high memory, reserving 8,192 bytes.  Interrupt 2A will be hooked by 
       the virus. System total memory and free memory will decrease by 
       8,192 bytes. PhoenixD will then check to see if the current drive's 
       root directory contains a copy of COMMAND.COM.  If a copy of 
       COMMAND.COM is found, it will be infected by PhoenixD by 
       overwriting part of the binary zero portion of the program, and 
       changing the program's header information. COMMAND.COM will not 
       change in file length.  The virus will then similarly infect 
       COMMAND.COM residing in the C: drive root directory. 
 
       After becoming memory resident, the virus will attempt to infect 
       any .COM file executed.  PhoenixD is a much better replicator than 
       the original Phoenix virus, and is usually able to infect files. 
       Infected files will increase in length by 1,704 bytes. 
 
       PhoenixD is not able to recognize when it has previously infected a 
       file, so it may reinfect .COM files several times.  Each infection 
       will result in another 1,704 bytes of viral code being appended to 
       the file. 
 
       A characteristic present in the PhoenixD virus which is not found 
       in the original Phoenix virus is that, in addition to infecting 
       .COM files as they are executed, it infects .COM files when they 
       are opened for any reason.  The simple act of copying a .COM file 
       with PhoenixD present in memory will result in both the source and 
       target files being infected. 
 
       Systems infected with the PhoenixD virus will experience problems 
       with executing CHKDSK.COM.  Attempts to execute this program with 
       PhoenixD memory resident will result in a warm reboot of the 
       system.  If an AUTOEXEC.BAT file is not present on the drive being 
       booted from, the system will then prompt the user to enter the 
       date and time. 
 
       The PhoenixD virus employs a complex encryption mechanism, and 
       virus scanners which are only able to look for simple hex strings 
       will not be able to detect it.  There is no simple hex string in 
       this virus that is common to all infected samples. 
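       The file-level effects described above (a .COM file growing by a 
       multiple of 1,704 bytes with each reinfection, COMMAND.COM keeping 
       its length while its header changes and its zero-filled region is 
       overwritten, and the absence of any fixed hex string to scan for) 
       make a baseline-and-compare integrity check the practical detection 
       route for this virus.  The Python below is an added example and is 
       not part of the VSUM entry or of any scanner listed above; the 
       sample .COM images it builds are constructed byte strings, not real 
       samples, and the 16-byte header width and 64-byte zero-run threshold 
       are the example's own assumptions. 

```python
"""Baseline-and-compare integrity check for DOS .COM files.

Added example, not part of the VSUM PhoenixD entry.  It does not scan for
PhoenixD itself (the virus has no fixed hex string); it looks for the
file-level effects the entry lists: growth by a multiple of 1,704 bytes
(one appended viral body per infection) and, for COMMAND.COM, an unchanged
length with a changed header and non-zero bytes written into a region that
was zero-filled in the clean copy.  All sample files are constructed.
"""
import hashlib

VIRAL_LEN = 1704    # bytes appended per PhoenixD infection (from the entry)
HEADER_LEN = 16     # leading bytes treated as the "header" (example's assumption)


def zero_runs(data: bytes, min_len: int = 64) -> list[tuple[int, int]]:
    """Return (start, end) offsets of every run of 0x00 at least min_len long.

    The 64-byte minimum is an assumption chosen to skip short zero fields.
    """
    runs, start = [], None
    for i, b in enumerate(data):
        if b == 0 and start is None:
            start = i
        elif b != 0 and start is not None:
            if i - start >= min_len:
                runs.append((start, i))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data)))
    return runs


def snapshot(files: dict[str, bytes]) -> dict[str, dict]:
    """Record size, SHA-256, header bytes and zero-filled runs of each clean file."""
    return {
        name: {
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "header": data[:HEADER_LEN],
            "zero_runs": zero_runs(data),
        }
        for name, data in files.items()
    }


def check(baseline: dict[str, dict], files: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare current files against the baseline; return findings per changed file."""
    findings = {}
    for name, data in files.items():
        if name not in baseline:
            continue  # files with no baseline are out of scope here
        b = baseline[name]
        if hashlib.sha256(data).hexdigest() == b["sha256"]:
            continue  # unchanged
        notes = []
        growth = len(data) - b["size"]
        if growth > 0 and growth % VIRAL_LEN == 0:
            notes.append(f"grew by {growth} bytes = {growth // VIRAL_LEN} x {VIRAL_LEN}"
                         " (possible repeated infection)")
        if growth == 0:
            # COMMAND.COM case: same length, header patched, cavity filled.
            if data[:HEADER_LEN] != b["header"]:
                notes.append("same length but header changed")
            for start, end in b["zero_runs"]:
                if any(data[start:end]):
                    notes.append(f"zero-filled region {start}-{end} now contains "
                                 "code/data (cavity overwrite)")
        if not notes:
            notes.append("content changed (unclassified)")
        findings[name] = notes
    return findings


def demo() -> dict[str, list[str]]:
    """Run the check over constructed clean and post-infection images."""
    # Constructed clean files: a tiny .COM (mov ax,4C00h / int 21h + padding)
    # and a COMMAND.COM-like file with a 3,000-byte zero-filled cavity.
    clean_com = bytes([0xB8, 0x00, 0x4C, 0xCD, 0x21]) + b"\x90" * 500
    clean_cmd = bytes([0xE9, 0x00, 0x10]) + b"\xCC" * 2000 + b"\x00" * 3000 + b"\xCC" * 500
    baseline = snapshot({"TEST.COM": clean_com, "COMMAND.COM": clean_cmd})

    # Constructed post-infection images.  fake_body stands in for an encrypted
    # viral body; it is NOT PhoenixD code.  TEST.COM gets two appended copies;
    # COMMAND.COM gets its entry jump patched and the cavity partly filled.
    fake_body = bytes((i * 7 + 3) & 0xFF for i in range(VIRAL_LEN))
    infected_com = clean_com + fake_body + fake_body
    infected_cmd = (bytes([0xE9, 0xD5, 0x07]) + clean_cmd[3:2003]
                    + fake_body + b"\x00" * (3000 - VIRAL_LEN) + clean_cmd[5003:])
    return check(baseline, {"TEST.COM": infected_com, "COMMAND.COM": infected_cmd})


if __name__ == "__main__":
    for fname, notes in demo().items():
        print(fname, "->", "; ".join(notes))
```

       A growth of exactly 1,704 bytes is only a triage signal: the entry 
       notes that PhoenixD is unrelated to Cascade 1704, and a size check 
       alone cannot tell the two apart, nor rule out a legitimate update. 
       The COMMAND.COM cavity check is the stronger indicator, because a 
       normal update changes length or hash without leaving the header 
       patched and a formerly zero region filled at the same time. 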
 
       This virus is not related to the Cascade (1701/1704) virus. 
 
       See:   Evil   Phoenix   Proud 
