Pif Virus

Virus Name: Pif Aliases: Pif Paf B v1.0 V Status: Rare Discovered: May, 1992 Symptoms: .COM & .EXE growth; decrease in total system & available free memory Origin: Hungary Eff Length: 760 - 774 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: ViruScan, AVTK, Sweep, IBMAV, F-Prot, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, LProt Removal Instructions: Delete infected files General Comments: The Pif, or Pif Paf B v1.0, virus was received in May, 1992 from Hungary. Pif is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. The first time a program infected with the Pif virus is executed, this virus will install itself memory resident at the top of system memory but below the 640K DOS boundary. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 800 bytes with the first infection of memory. Interrupt 12's return will not be moved. Interrupt 21 will be hooked by Pif in memory. Once the Pif virus is memory resident, it will infect .COM and .EXE programs when they are executed. If COMMAND.COM is executed, it will become infected. Infected .COM programs will have a file length increase of 760 bytes. .EXE programs will have increased in length by 760 to 774 bytes. In both cases, the virus will be located at the end of the infected file. The following text strings can be found within the viral code in Pif infected programs: "PIF-PAF B v1.0" "Nincs kegyelem !" Systems infected with the Pif virus will notice that total system and available free memory will continue to decrease the longer the virus is in memory. Each time an infected program is executed, Pif will install another copy of itself in memory, decreasing total system and available free memory by an additional 800 bytes.