Evil Virus


 Virus Name:  Evil 
 Aliases:     P1, V1701New, Live after Death 3 
 V Status:    Rare 
 Discovered:  July, 1990 
 Symptoms:    .COM growth; system reboots; CHKDSK program failure; 
              COMMAND.COM header change 
 Origin:      Bulgaria 
 Eff Length:  1,701 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, NAV, AVTK, F-Prot, Sweep, 
                    IBMAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  NAV, or delete infected files 
 
 General Comments: 
       The Evil virus is of Bulgarian origin, and was submitted to the 
       author of this document in July, 1990 by Vesselin Bontchev. This 
       virus is one of a family of three viruses which may be referred 
       to as the P1 or Phoenix Family.  Each of these viruses is being 
       documented separately due to their varying characteristics. The Evil 
       virus is a memory resident, generic infector of .COM files, and will 
       infect COMMAND.COM.  It is the most advanced of the three viruses in 
       the Phoenix Family. 
 
       The Evil, or V1701New, virus is a later version of the PhoenixD 
       virus. 
 
       The first time a program infected with the Evil virus is executed, 
       the virus will install itself memory resident in free high memory, 
       reserving 8,192 bytes.  Interrupt 2A will be hooked by the virus. 
       System total memory and free memory will decrease by 8,192 bytes. 
       Evil will then check to see if the current drive's root directory 
       contains a copy of COMMAND.COM.  If a copy of COMMAND.COM is found, 
       it will be infected by Evil by overwriting part of the binary zero 
       portion of the program, and changing the program's header 
       information. COMMAND.COM will not change in file length.  The virus 
       will then similarly infect COMMAND.COM residing in the C: drive root 
       directory. 
 
       After becoming memory resident, the virus will attempt to infect any 
       .COM file executed.  Evil is a better replicator than either the 
       original Phoenix virus or PhoenixD, and was successful in infecting 
       .COM files in all cases on the author's system.  Infected files will 
       increase in size by 1,701 bytes. 
 
       Evil is not able to recognize when it has previously infected a 
       file, so it may reinfect .COM files several times.  Each infection 
       will result in another 1,701 bytes of viral code being appended to 
       the file. 
 
       Like PhoenixD, Evil will infect files when they are opened for any 
       reason, in addition to when they are executed.  The simple act of 
       copying a .COM file will result in both the source and target .COM 
       files being infected.  
 
       Systems infected with the Evil virus will experience problems 
       executing CHKDSK.COM.  Attempts to execute this program with Evil 
       memory resident will cause a warm reboot of the system.  The 
       system, however, will not perform either a RAM memory check or 
       request the Date and Time if an autoexec.bat file is not present. 
 
       This virus is not related to the Cascade (1701/1704) virus. 
 
       The Evil virus employs a complex encryption mechanism, and virus 
       scanners which are only able to look for simple hex strings will not 
       be able to detect it.  There is no simple hex string in this virus 
       that is common to all infected samples. 
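
       The entry above notes that scanners looking for a fixed hex string 
       miss Evil because no such string is shared by all samples; the side 
       effects it does describe (.COM files growing by multiples of 1,701 
       bytes, COMMAND.COM keeping its length while its header changes) are 
       what a file-integrity baseline can catch.  The following Python is an 
       added example, not part of VSUM or of any product named above; the 
       file contents are constructed stand-ins and the 16-byte header size 
       is an assumption. 

```python
import hashlib

EVIL_LENGTH = 1701     # effective length given in the entry above
HEADER_BYTES = 16      # leading bytes treated as the "header" (an assumption)

def fingerprint(data: bytes) -> dict:
    """Record what a later comparison needs: size, header hash, full hash."""
    return {
        "size": len(data),
        "header": hashlib.sha256(data[:HEADER_BYTES]).hexdigest(),
        "full": hashlib.sha256(data).hexdigest(),
    }

def assess(baseline: dict, current: dict) -> str:
    """Classify one .COM file against its baseline fingerprint."""
    if current["full"] == baseline["full"]:
        return "clean"
    growth = current["size"] - baseline["size"]
    # Appended infections: one 1,701-byte block per (re)infection.
    if growth > 0 and growth % EVIL_LENGTH == 0:
        return f"suspect: grew by {growth // EVIL_LENGTH} x {EVIL_LENGTH} bytes"
    # COMMAND.COM pattern: same length, but the header was rewritten.
    if growth == 0 and current["header"] != baseline["header"]:
        return "suspect: header changed, length unchanged"
    return "changed: not the Evil pattern, review manually"

def scan(baseline: dict, current: dict) -> dict:
    """Compare every baselined file (assumes the same file set in both)."""
    return {name: assess(baseline[name], current[name]) for name in baseline}

# Constructed sample images (not real binaries) standing in for a clean
# snapshot and the same files after the virus has been resident.
_clean = {
    "CHKDSK.COM": b"\xB8\x00\x00" + b"\x90" * 500,
    "COMMAND.COM": b"\xE9\x10\x00" + b"\x00" * 1000,   # header + zero region
    "TOOL.COM": b"\xEB\x02\x90\x90" + b"\xC3" * 200,
}
_after = {
    "CHKDSK.COM": _clean["CHKDSK.COM"],                             # untouched
    "COMMAND.COM": b"\xE9\x55\x01" + b"\x00" * 300 + b"\xAA" * 100 + b"\x00" * 600,
    "TOOL.COM": _clean["TOOL.COM"] + b"\x01" * (2 * EVIL_LENGTH),   # infected twice
}
BASELINE = {n: fingerprint(d) for n, d in _clean.items()}
CURRENT = {n: fingerprint(d) for n, d in _after.items()}

def demo() -> dict:
    """Run the comparison on the constructed samples."""
    return scan(BASELINE, CURRENT)
```

       A real deployment would record the baseline while the system is 
       known clean and rerun the comparison from trusted, non-resident media. 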
 
       Known variant(s) of Evil are: 
       Evil-B: This is an earlier version of Evil, and is a rather poor 
               replicator.  It also was not too viable as infected programs 
               will hang when they are executed, with the exception of the 
               Runme.Exe file which the author received.  The Runme.Exe 
               file was probably the original release file distributed by 
               the virus's author. 
               (Originally listed in VSUM9008 as V1701New-B) 
 
       See:   Phoenix   PhoenixD   Proud 
