Virus Name: Pif
Aliases: Pif Paf B v1.0
V Status: Rare
Discovered: May, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available
Eff Length: 760 - 774 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, Sweep, IBMAV, F-Prot,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Pif, or Pif Paf B v1.0, virus was received in May, 1992 from
Hungary. Pif is a memory resident infector of .COM and .EXE
programs, including COMMAND.COM.
The first time a program infected with the Pif virus is executed,
this virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 800 bytes with the first infection of memory. Interrupt
12's return will not be moved. Interrupt 21 will be hooked by
Pif in memory.
Once the Pif virus is memory resident, it will infect .COM and .EXE
programs when they are executed. If COMMAND.COM is executed, it
will become infected. Infected .COM programs will have a file length
increase of 760 bytes. .EXE programs will have increased in length
by 760 to 774 bytes. In both cases, the virus will be located at the
end of the infected file.
The following text strings can be found within the viral code in
Pif infected programs:
"PIF-PAF B v1.0"
"Nincs kegyelem !"
Systems infected with the Pif virus will notice that total system
and available free memory will continue to decrease the longer the
virus is in memory. Each time an infected program is executed, Pif
will install another copy of itself in memory, decreasing total
system and available free memory by an additional 800 bytes.