Phoenix 2000 Virus


 Virus Name:  Phoenix 2000 
 Aliases:    
 V Status:    Rare 
 Discovered:  December, 1991 
 Symptoms:    .COM file growth; .EXE files altered; TSR; decrease in total 
              system and available free memory 
 Origin:      Bulgaria 
 Eff Length:  2,000 Bytes 
 Type Code:   PRshAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, F-Prot, NAV, NAVDX, AVTK, 
                    NShld, Sweep/N, AVTK/N, NAV/N, NProt, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Phoenix 2000 virus was received from The Netherlands in December, 
       1991, where it was uploaded to several BBSes by a person identifying 
       themselves as "Dark Avenger".  This virus originated in Bulgaria, and 
       is closely related to the earlier V82 virus.  Phoenix 2000 is a 
       memory resident infector of .COM and .EXE files, as well as 
       COMMAND.COM. 
 
       The first time a program infected with Phoenix 2000 is executed, the 
       Phoenix 2000 virus will become memory resident at the top of system 
       memory but below the 640K DOS boundary.  It will also install a 
       small TSR in low system memory of 112 bytes.  The virus at the top 
       of system memory is 8,192 bytes in size; this is the amount by which 
       total system memory, as indicated by the DOS CHKDSK program, will 
       decrease.  The decrease in available free memory will be slightly more. 
       The Phoenix 2000 virus hooks interrupt 2A.  Interrupt 12's return 
       will not have been moved. 
 
       Once Phoenix 2000 is memory resident, it will infect .COM and .EXE 
       programs, including COMMAND.COM, when they are opened, executed, 
       copied, or accessed in any way.  While it will always infect .COM 
       files, .EXE files are only successfully infected if they contain 
       2,000 bytes of binary 00 characters in a continuous block.  If the 
       2,000 bytes of binary 00 characters do not exist, the file may be 
       partially infected, but will not be a replicating copy of the virus. 
 
       .COM programs, other than COMMAND.COM, will have a file length 
       increase of 2,000 bytes with the virus being located in the middle 
       or end of the infected file.  Phoenix 2000 is unable to identify 
       previous infections of itself on infected .COM files, so they 
       may become reinfected by Phoenix 2000, adding an additional 2,000 
       bytes to the file for each reinfection.  There will be no change 
       to the file's date and time in the DOS disk directory listing. 
 
       COMMAND.COM and .EXE files will not have a file length increase when 
       they are infected with the Phoenix 2000 virus.  In these two cases, 
       the virus will overwrite 2,000 bytes of binary 00 characters within 
       the file with the virus code.  For .EXE files with less than 2,000 
       bytes of binary 00 characters, the file will be partially infected 
       and may not function properly as a result. 
 
       See:   Phoenix   V82 
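
The file-level symptoms above can be checked against a clean baseline. The following is an added example, not part of the original entry: it compares size and SHA-256 rather than timestamps, since the entry notes that the directory date and time do not change. The function names and verdict labels are hypothetical, the sample bytes are constructed, and a verdict means only that the change is consistent with the description above.

```python
import hashlib

VIRUS_LEN = 2000  # "Eff Length" given in the entry above

def longest_zero_run(data: bytes) -> int:
    """Length of the longest continuous block of binary 00 bytes."""
    best = run = 0
    for byte in data:
        run = run + 1 if byte == 0 else 0
        best = max(best, run)
    return best

def snapshot(name: str, data: bytes) -> dict:
    """Baseline record, taken while the file is known to be clean."""
    return {"name": name.upper(), "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "zero_run": longest_zero_run(data)}

def triage(base: dict, data: bytes) -> str:
    """Classify a file's current bytes against its clean baseline."""
    if hashlib.sha256(data).hexdigest() == base["sha256"]:
        return "unchanged"
    name, growth = base["name"], len(data) - base["size"]
    # Per the entry, .EXE files and COMMAND.COM are overwritten in place.
    overwrite_target = name.endswith(".EXE") or name == "COMMAND.COM"
    if overwrite_target and growth == 0:
        if base["zero_run"] >= VIRUS_LEN:
            return "overwrite-suspect"   # a 2,000-byte 00 block was available
        if name.endswith(".EXE"):
            return "partial-suspect"     # too few 00 bytes; file may be damaged
    elif (not overwrite_target and name.endswith(".COM")
          and growth > 0 and growth % VIRUS_LEN == 0):
        return f"com-growth-x{growth // VIRUS_LEN}"  # count of 2,000-byte additions
    return "other-change"

if __name__ == "__main__":
    # Constructed sample data, not real program files.
    com = b"\x90" * 500
    exe = b"MZ" + b"\x01" * 100 + b"\x00" * 2500 + b"\x01" * 50
    print(triage(snapshot("EDIT.COM", com), com + b"\xaa" * 4000))
    print(triage(snapshot("APP.EXE", exe),
                 exe.replace(b"\x00" * 2000, b"\xaa" * 2000, 1)))
```
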
 
  
