Pinworm Virus


 Virus Name:  Pinworm 
 Aliases:    
 V Status:    New 
 Discovery:   August, 1994 
 Symptoms:    .COM & .EXE growth; PIWRM.G! directory on disk; 
              decrease in total system & available free memory; 
              CHKLIST.MS & CHKLIST.CPS files deleted; 
              "Not enough memory" errors with some anti-viral programs; 
              flashing of keyboard lights on 1st of month 
 Origin:      Unknown 
 Eff Length:  2,174 - 2,242 Bytes (Approx) 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, F-Prot, ViruScan, NAV, NAVDX, VAlert, 
                    AVTK, IBMAV, PCScan, ChAV, 
                    Sweep/N, NShld, NAV/N, IBMAV/N, AVTK/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Pinworm virus was received in August, 1994.  Its origin or 
       point of isolation is unknown.  Pinworm is a memory resident, 
       polymorphic virus which infects .COM and .EXE programs, including 
       COMMAND.COM. 
 
       When the first Pinworm infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, moving interrupt 12's return.  Total system 
       and available free memory, as indicated by the DOS CHKDSK program, 
       will have decreased by 6,144 bytes.  Interrupt 21 will be hooked by 
       the virus in memory. 
 
       Once the Pinworm virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  Infected programs increase 
       in size by approximately 2,174 to 2,242 bytes.  The virus will be 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not be altered.  The following 
       text strings are encrypted within the Pinworm viral code: 
 
               "PINWOrM v1.00 - Coded by irogen in April 1994" 
               "CHKLIST.MS CHKLIST.CPS" 
               "PINWOrM.g! .. I hope y ou have enjoyed your infestation 
                by the  mighty p inworm p arasite" 
               "Fuck you all!" 
               "-irogen" 
 
       The Pinworm virus contains code to delete the files "CHKLIST.MS" 
       and "CHKLIST.CPS" which are used by the Microsoft Anti-Virus and 
       Central Point Anti-Virus programs.  It also contains code which 
       checks to see if the program the user is executing ends with the 
       characters "AV", "SCAN", or "OT".  If the program the user is 
       attempting to execute ends with any of these characters, the virus 
       will alter the program so that when executed it will result in a 
       "Not enough memory" message and not run.  It may also deinstall from 
       memory some versions of Central Point Anti-Virus and Microsoft 
       Anti-Virus. 
 
       On the 1st of any month, the Pinworm virus activates.  At this 
       time, the virus will cause flashing of the Caps Lock, Num Lock, 
       and Scroll Lock keys on the system keyboard.  It will also create 
       directories named "PIWRM.G!".  If a DOS directory command is 
       issued on these directories, they will display the following 
       message in 0 byte file names (the file names will have file 
       dates and time corresponding to when the directory was created): 
 
               "I HOPE Y 
                OU HAVE 
                ENJOYED 
                YOUR INF 
                ESTATION 
                 BY THE 
                MIGHTY P 
                INWORM P 
                ARASITE 
                 
                FUCK YOU 
                ALL! 
                -IROGEN" 

Show viruses from discovered during that infect .

Main Page