Pegg-833 Virus

Virus Name: Pegg-833 Aliases: Pegg V Status: Rare Discovered: March, 1993 Symptoms: COMMAND.COM & .EXE growth; decrease in total system & available free memory; write protect errors Origin: Unknown Eff Length: 833 - 847 Bytes Type Code: PRhEK - Parasitic Resident COMMAND.COM & .EXE Infector Detection Method: F-Prot, ViruScan, AVTK, IBMAV, Sweep, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Pegg-833 virus was submitted in March, 1993. Pegg-833 is a memory resident infector of COMMAND.COM and .EXE programs. It does not infect other .COM programs. When the first Pegg-833 infected program is executed, the Pegg-833 virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, hooking interrupts 21 and 6C. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 1,120 bytes. Interrupt 12's return will not be moved. Also at this time, the Pegg-833 virus will infect COMMAND.COM, if it was not previously infected. Once memory resident, the Pegg-833 virus will infect .EXE programs when they are executed or opened. Infected programs will have a file length increase of 833 to 847 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. No text strings are visible within the viral code in Pegg-833 infected programs. Systems infected with the Pegg-833 virus will experience repeated write protect errors when the user attempts to execute uninfected programs from write-protected diskettes. The write-protect error messages will scroll down the screen without user response.