Online VSUM - Pojer Virus

Pojer Virus

Virus Name: Pojer Aliases: V Status: Rare Discovered: September, 1992 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Prague, Czechoslovakia Eff Length: 1,919 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAVDX, NAV, VAlert, PCScan, ChAV, NShld, Sweep/N, AVTK/N, NProt, NAV/N, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Pojer virus was discovered in Prague, Czechoslovakia, in September, 1992. Pojer is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. When the first Pojer infected program is executed, the Pojer virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 2,160 bytes. Interrupt 21 will be hooked by Pojer in memory. Once memory resident, the Pojer virus will infect .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 1,919 bytes. The Pojer virus will be located at the end of infected programs. The file's date and time in the DOS disk directory listing will not be altered. It is unknown what Pojer does besides replicate. Known variant(s) of Pojer are: Pojer-1935: Received from Czechoslovakia in April, 1993, Pojer-1935 is a 1,935 byte variant of the Pojer virus described above. Its size in memory is 2,096 bytes, hooking interrupt 21. Once it is memory resident, it will infect .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected files increase in size by 1,935 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the viral code. Origin: Czechoslovakia April, 1993. Pojer-1941: Received in August, 1993, this variant appears to be from Poland. Pojer-1941 is a 1,941 byte variant of the Pojer virus described above. Its size in memory is 2,096 bytes, hooking interrupt 21. Once it is memory resident, it will infect .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected files increase in size by 1,941 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the viral code. Origin: Poland August, 1993. Pojer-1949: Received in August, 1993, this variant appears to be from Poland. Pojer-1949 is a 1,949 byte variant of the Pojer virus described above. Its size in memory is 2,272 bytes, hooking interrupt 21. Once it is memory resident, it will infect .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected files increase in size by 1,949 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the viral code. Origin: Poland August, 1993.