Pogue Virus


 Virus Name:  Pogue 
 Aliases:    
 V Status:    Rare 
 Discovered:  January, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; music 
 Origin:      Bulgaria 
 Eff Length:  2,973 - 3,850 Bytes 
 Type Code:   PRhC - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, PCScan, NAV, Sweep, NAVDX, 
                    VAlert, ViruScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Pogue virus was submitted in January, 1992.  It is originally 
       from Bulgaria.  Pogue is a memory resident infector of .COM 
       programs, but not those that have a base file name which starts 
       with the three characters "COM".  Pogue contains portions of 
       code from four other viruses:  512, Dark Avenger, Seventh Son, and 
       Yankee Doodle.  It employs a complex encryption mechanism, and 
       detection of infected files will require an algorithmic approach. 
       It does occasionally infect a file with an unencrypted copy of 
       itself, and as a result may appear to the user as an infection of 
       one of the four viruses on which it is based. 
 
       The first time a program infected with the Pogue virus is executed, 
       the Pogue virus will install itself memory resident at the top of 
       system memory but below the 640K DOS boundary.  Total system and 
       available free memory, as indicated by the DOS CHKDSK program, will 
       have decreased by 9,728 bytes.  Interrupt 12's return will not have 
       been moved.  Interrupts 1C and 21 will be hooked by the virus. 
 
       Once the Pogue virus is memory resident, it will infect .COM 
       programs when they are opened, executed, or copied.  In the case of 
       copying, both the source and the target file will be infected.  The 
       exception is that Pogue will not infect a .COM file if the base file 
       name starts with the three characters "COM".  This is the mechanism 
       used by the virus to avoid infecting COMMAND.COM. 
 
       Pogue infected programs will have a file length increase of 2,973 to 
       3,850 bytes.  The virus will be located at the end of the infected 
       program.  The file's date and time in the DOS disk directory listing 
       will not have been altered by the viral infection process. 
 
       Usually the Pogue virus will encrypt itself using its garbling 
       encryption mechanism on infected files.  In these files, no text 
       strings will be visible within the viral code.  Occasionally, this 
       virus will infect a file with an unencrypted copy of the viral 
       code.  In these cases, the following text strings will be visible: 
 
               "Pogue Mahone!"     - or -     "Pgoue Mahone!" 
               "TNX2DAV" 
 
       The unencrypted infections of Pogue on files as well as the Pogue virus 
       in system memory may be detected by anti-viral scanners as any of the 
       four viruses on which Pogue is based. 
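
An added example, not part of the original entry: a Python triage check that looks for the plaintext markers quoted above in the last 3,850 bytes of each .COM file, where the entry says the virus body sits. Function and constant names are assumptions and the sample bytes are constructed; encrypted infections show no text strings and will not match.

```python
"""Triage check for unencrypted Pogue infections (added example)."""
import sys
from pathlib import Path

# Plaintext markers quoted in the entry (the first appears in two spellings).
MARKERS = (b"Pogue Mahone!", b"Pgoue Mahone!", b"TNX2DAV")
# Per the entry, the virus is appended to the host and adds at most 3,850 bytes.
MAX_VIRUS_LEN = 3850

# Constructed sample: filler "host" bytes followed by a marker near the end.
SAMPLE = b"\x90" * 6000 + b"TNX2DAV" + b"\x00" * 40


def find_markers(data):
    """Return the markers present in the last MAX_VIRUS_LEN bytes of data."""
    tail = data[-MAX_VIRUS_LEN:]
    return [m.decode("ascii") for m in MARKERS if m in tail]


def scan_tree(root):
    """Map each .COM file under root to the markers found in its tail."""
    root = Path(root)
    hits = {}
    for path in sorted(root.rglob("*")):
        # Match the extension case-insensitively; DOS names are upper case.
        if path.is_file() and path.suffix.upper() == ".COM":
            found = find_markers(path.read_bytes())
            if found:
                hits[path.relative_to(root).as_posix()] = found
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, found in scan_tree(sys.argv[1]).items():
            print(f"{name}: possible unencrypted Pogue ({', '.join(found)})")
    else:
        print("constructed sample:", find_markers(SAMPLE))
```

A match is a lead to confirm with a full scanner, since a clean program could contain the same bytes near its end.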
 
       The Pogue virus will play music on the system speaker when it becomes 
       memory resident and the system time is between 08:00 and 09:00. 
  
       See:   DAME   Groove 
 
  
