Swiss Phoenix Virus


 Virus Name:  Swiss Phoenix 
 Aliases: 
 V Status:    Common 
 Discovered:  September, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; file allocation errors 
 Origin:      Switzerland 
 Eff Length:  927 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, ViruScan, AVTK, IBMAV, VAlert, 
                    NAV, NAVDX, PCScan, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N, 
                    NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Swiss Phoenix virus was isolated in Switzerland in September, 
       1992.  This virus is a memory resident infector of .COM and .EXE 
       programs, including COMMAND.COM.  It exhibits some stealth 
       techniques. 
 
       The Swiss Phoenix virus becomes memory resident the first time 
       an infected program is executed from a low-level subdirectory. 
       When memory resident, it will reside at the top of system memory 
       but below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 976 bytes.  Interrupt 21 will be hooked by Swiss Phoenix in 
       memory. 
 
       Once the Swiss Phoenix virus is memory resident, it will infect 
       .COM and .EXE programs when they are executed, opened, or copied, 
       though it will usually only infect programs in subdirectories. 
       Programs infected with the Swiss Phoenix will have a file length 
       increase of 927 bytes with the virus being located at the end of the 
       file.  The program's date and time in the DOS disk directory listing 
       will not be altered.  The following text string is encrypted within 
       the virus, and is not visible in infected programs: 
 
               "Phönix" 
 
       Systems infected with the Swiss Phoenix virus will experience file 
       allocation errors on infected programs when the DOS CHKDSK program 
       is executed with the virus memory resident.  Not all infected 
       programs will be flagged, but only those which were infected 
       prior to the virus becoming memory resident. 
 
       It is unknown what Swiss Phoenix may do besides replicate. 
