| Alias: | P1 |
| Strain: | |
| detected when: | |
| where: | Bulgaria |
| Classification: | Link (COM), RAM-resident, trojan horse (EXE) |
| Length: | core: 8192 byte, .COM: 1706 byte, .EXE: 132 byte |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | >= 3.2 |
| Computer model(s): | PC |
| Caroname: | Phoenix.Phoenix |
| Attributes | |
| Easy identification: | core: "PHOENIX" |
| Type of Infection: | core: Allocates memory at the high end. Reroutes INT 2Ah. If the dos bios disk handler has been changed, it reroutes the dos disk handler and starts the original program. .COM: The file starts with a near jump to the virus code, which is placed inside the original program. The original code is saved near the end of the file if it was not zero. .EXE: Appends a procedure that tests for infection and starts the original program. See also Damage Trigger. |
| Infection Technique: | core: Int 2Ah is used by virus. .COM: - .EXE: file time second is 60. |
| Infection Trigger: | core: Start of an infected .COM file. .COM: open, close or exec dos call with the file, 1960 <= file size < 64K, system flag unset, "*.COM" file, (file not zero blocked OR not "COMMAND.COM", (file size/2K)%8 != 7). .EXE: exec dos call with a non-.COM file, in whose directory an uninfected .EXE file is found, correct magic number, .EXE file allocates the whole memory. |
| Storage Media affected: | any drive |
| Interrupts hooked: | Int 2Ah dos disk handler Int 13h, Int 24h inside virus |
| Stealth: | .COM: In core virus code is overwritten after initiation. |
| Tunneling/Selfprot: | .COM: Decoding, Mutation. |
| Oligo/Polymorphism: | .COM: Register and branch condition alternate inside decoding part of virus. |
| Encoding Method: | XOR with changing keys (infection generation) |
| Damage: | 1. Overwrite each sector of all hard disks. 2. Changing randomly chosen words in a sector |
| Damage Trigger: | 1. core: Dos bios disk handler is located in the TPA during initiation. .EXE: core isn't infected. 2. core: virus dos disk handler reads or writes one or more sector(s), 2 <= words between 1 and 0FFFEh <= 2*words in sequence in the 1st sector, damage trigger (512) counted down |
| Particularities: | 1. .EXE files have magic word "MZ" or "ZM". |
| Similarities: | |
| Agents | |
| Countermeasures: | The virus will be (for example) detected by F-PROT 2.14 (F. Skulason) |
| Standard means: | 1. Reboot from a clear bootdisk. 2. Delete all infected files. |
| Acknowledgements | |
| Location: | VTC Uni Hamburg |
| Classification by: | Jochen Metzinger |
| Documentation by: | Jochen Metzinger |
| Date: | 24.10.1994 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg