Virus Name: Pegg-833
V Status: Rare
Discovered: March, 1993
Symptoms: COMMAND.COM & .EXE growth; decrease in total system &
available free memory; write protect errors
Eff Length: 833 - 847 Bytes
Type Code: PRhEK - Parasitic Resident COMMAND.COM & .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, IBMAV, Sweep, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NAV/N, AVTK/N, NProt, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Pegg-833 virus was submitted in March, 1993. Pegg-833 is a
memory resident infector of COMMAND.COM and .EXE programs. It does
not infect other .COM programs.
When the first Pegg-833 infected program is executed, the Pegg-833
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupts 21 and
6C. Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 1,120 bytes. Interrupt
12's return will not be moved. Also at this time, the Pegg-833
virus will infect COMMAND.COM, if it was not previously infected.
Once memory resident, the Pegg-833 virus will infect .EXE programs
when they are executed or opened. Infected programs will have a
file length increase of 833 to 847 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will not be altered. No text strings
are visible within the viral code in Pegg-833 infected programs.
Systems infected with the Pegg-833 virus will experience repeated
write protect errors when the user attempts to execute uninfected
programs from write-protected diskettes. The write-protect error
messages will scroll down the screen without user response.