Penza Virus


 Virus Name:  Penza 
 Aliases:    
 V Status:    Rare 
 Discovered:  July, 1992 
 Symptoms:    .COM & .EXE growth; message; decrease in total system and 
              available free memory; message 
 Origin:      Unknown 
 Eff Length:  700 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, Sweep, ViruScan, IBMAV, ChAV, 
                    AVTK, NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Penza virus was submitted in July, 1992.  Its origin or point of 
       isolation is unknown.  Penza is based on the Vacsina family of 
       viruses.  It is a memory resident infector of .COM and .EXE programs, 
       including COMMAND.COM. 
 
       The first time a program infected with the Penza virus is executed, 
       this virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  It does not move interrupt 
       12's return.  Total system and available free memory, as indicated 
       by the DOS CHKDSK program, will have decreased by 2,288 bytes. 
       Interrupt 21 will be hooked by Penza in memory. 
 
       Once the Penza virus is memory resident, it will infect .COM and 
       .EXE programs, including COMMAND.COM, when they are executed. 
       Infected programs will have a file length increase of 700 bytes 
       with the virus being located at the end of the infected file.  The 
       program's date and time in the DOS disk directory listing will 
       not be altered.  No text messages are visible within infected 
       programs. 
 
       The Penza virus will occassionally display the following message 
       accompanied by a beep when programs are executed: 
 
               "Welcome to Penza!" 
 
       Penza doesn't appear to do anything besides display its message 
       and replicate. 
 
       Known variant(s) of Penza are: 
       Penza-1210: A 1,210 byte variant of the Penza virus, Penza-1210's 
                   size in memory is 1,328 bytes, hooking interrupt 89. 
                   Once resident, it infects .COM and .EXE programs when 
                   they are executed, increasing their size by 1,210 to 
                   1,225 bytes.  The virus will be located at the end of the 
                   file.  The program's date and time in the DOS disk 
                   directory listing will not be altered.  When this variant 
                   is memory resident, will it occassionally display the 
                   following message on the system monitor: 
                   "Best wished from Penza!" 
                   Origin:  Unknown  October, 1992. 
 
       See:   Vacsina 

Show viruses from discovered during that infect .

Main Page