Virus Name: PhoenixD
V Status: Rare
Discovered: July, 1990
Symptoms: .COM growth; system reboots; CHKDSK program failure;
COMMAND.COM header change
Eff Length: 1,704 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The PhoenixD virus is of Bulgarian origin, and was submitted to the
author of this document in July, 1990 by Vesselin Bontchev. This
virus is one of a family of three viruses which may be referred
to as the P1 or Phoenix Family. Each of these viruses is being
documented separately due to their varying characteristics. The
PhoenixD virus is a memory resident, generic infector of .COM
files, and will infect COMMAND.COM.
The PhoenixD virus is a "bug fixed" version of the Phoenix virus.
The first time a program infected with the PhoenixD virus is
executed, the virus will install itself memory resident in free
high memory, reserving 8,192 bytes. Interrupt 2A will be hooked by
the virus. System total memory and free memory will decrease by
8,192 bytes. PhoenixD will then check to see if the current drive's
root directory contains a copy of COMMAND.COM. If a copy of
COMMAND.COM is found, it will be infected by PhoenixD by
overwriting part of the binary zero portion of the program, and
changing the program's header information. COMMAND.COM will not
change in file length. The virus will then similarly infect
COMMAND.COM residing in the C: drive root directory.
After becoming memory resident, the virus will attempt to infect
any .COM file executed. PhoenixD is a much better replicator than
the original Phoenix virus, and is usually able to infect files.
Infected files will increase in length by 1,704 bytes.
PhoenixD is not able to recognize when it has previously infected a
file, so it may reinfect .COM files several times. Each infection
will result in another 1,704 bytes of viral code being appended to
A characteristic present in the PhoenixD virus which is not found
in the original Phoenix virus is that in addition to it infecting
.COM files as they are executed, .COM files will be infected when
they are opened for any reason. The simple act of copying a .COM
file with PhoenixD present in memory will result in both the source
and target files being infected.
Systems infected with the PhoenixD virus will experience problems
with executing CHKDSK.COM. Attempts to execute this program with
Phoenix memory resident will result in a warm reboot of the system
occurring. If an autoexec.bat file is not present on the drive
being booted from, the system will prompt for the user to enter
Date and Time.
The PhoenixD virus employs a complex encryption mechanism, and
virus scanners which are only able to look for simple hex strings
will not be able to detect it. There is no simple hex string in
this virus that is common to all infected samples.
This virus is not related to the Cascade (1701/1704) virus.
See: Evil Phoenix Proud