| Alias: | Phalcon-Skism Mass Produced Code Generator |
| Strain: | PS-MPC generated Viruses |
| detected when: | Summer 1992 |
| where: | North America (USA) |
| Classification: | Virus-Generator: creates Assembly Code for Non-resident File |
| Length: | Depends on creation options and infection routine |
| Preconditions | |
| Operating System(s): | MS-DOS 4.0 and above |
| Version/Release: | Versions 0.90 β, 0.91 β |
| Computer model(s): | IBM & compatibles |
| Caroname: | PS-MPC |
| Attributes | |
| Easy identification: | Variable self-identification |
| Type of Infection: | COM and EXE appending |
| Infection Technique: | |
| Infection Trigger: | Every INT 21 call in resident viruses |
| Storage Media affected: | EXE and COM files are infected (v.0.90 β); COMMAND.COM may be infected (v.0.91 β) |
| Interrupts hooked: | INT 21 all functions, (INT 24) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Must be written by the user and linked to the generated assembly code. |
| Damage Trigger: | Various time-checks may be selected. |
| Particularities: | - Viruses decrease memory in the high memory area if resident. - Normally, files in the current directory are infected. The virus can be made traversal (infects current directory and below). - Major skeleton configuration options in v.0.91 β: * Infection C(OM)/E(XE) * CommandCom (Yes/No): infect COMMAND.COM * Resident (Yes/No) * Traversal (same dir/subdirectories) * Residence Methods (Interrupt, Direct DOS manipulation, BIOS manipulation) * Encrypted (Yes/No) * IDWord (2 characters: self-identification) * MinSize/MaxSize: minimum/maximum size of COM files to be infected * Infections#: max. number of infections * ErrorHandler: critical error handler for Abort, Retry, Fail messages * VirusName, AuthorName: strings * Activation Conditions: IfMonth, IfDay, IfYear, IfDayofWeek, IfMonthDay, IfHour, IfMinute, IfSecond, Percentage (counter) |
| Similarities: | More than 20 viruses have appeared that were clearly produced with this virus generator: 1) 203 Virus 2) 644 Virus 3) Abraxas Virus 4) ARCV Virus Strain ARCV-1, -2, -3, -4, -5, -6, -7, -8, -9 Remark: the ARCV group has also produced viruses with the TPE engine (see TPE strain) and developed the ARCV strain. 5) Joshua Virus 6) Kersplat Virus 7) McWhale Virus 8) Mimic Virus 9) Small_ARCV Virus 10) Small_EXE Virus 11) Swan_Song Virus |
| Agents | |
| Countermeasures: | FindViru, F-Prot (etc.) |
| Standard means: | |
| Acknowledgements | |
| Location: | University of Hamburg, Virus Test Center, Germany |
| Classification by: | Holger Prescher |
| Documentation by: | Holger Prescher |
| Date: | 02-January-1993 |
| Information Source: | Reverse-Analysis of Generator, Skeleton files. |
(c) 1996 Virus-Test-Center, University of Hamburg