Prevent Online Threats

Archive for November, 2007

PHP.Neworld

Tuesday, November 27th, 2007

This is a script virus written in the PHP scripting language. It uses the same infection technique as the first known PHP virus, PHP.Pirus: it appends to files an “include” instruction that refers to the main virus code.
The virus infects .PHP, .HTML, .HTM and .HTT files in the C:\Windows directory.
The virus contains the texts:
Neworld.PHP
Welcome To The New World Of PHP Programming
neworld.php
Neworld.PHP Virus - Made By Xmorfic, www.shadowvx.com/bcvg, Black Cat Virii Group.

Phonix.927

Monday, November 26th, 2007

This is a very dangerous memory resident parasitic virus. When executed it infects the COMMAND.COM file and returns control to the host program. When the infected COMMAND.COM is executed, the virus hooks INT 21h and then writes itself to the end of COM and EXE files as they are closed. On Friday the 13th it erases hard disk sectors, displays “Phönix” and halts the computer.

Phone.688

Monday, November 26th, 2007

This is a dangerous non-memory-resident virus: it searches for .COM and .EXE files and overwrites them. It also dials phone numbers: it sends the modem command “ATDT1900” to the COM port and then dials the numbers 9034600, 4545388, 2888100, 6809100, 9038181, 4540759, 8840758, 8965581, 6804900, 4075240, 9038700 and 7868482. The virus then displays “Out of Memory” and returns to DOS.

Phoenix Family

Monday, November 26th, 2007

These are very dangerous resident polymorphic parasitic viruses. They write themselves into the middle of COM files that are executed or closed. To the end of EXE files they write a trojan program that in some cases erases all information on the installed hard disks.
“Phoenix.Proud” and “Phoenix.Live” infect COM files only; “Phoenix.Live.a” does not infect COMMAND.COM.
While infecting a COM file the virus reads data from the middle of the file, saves it at the end of the file, overwrites the middle of the file with its own copy, and writes a JMP-to-virus instruction at the beginning of the file. While infecting COMMAND.COM the virus writes itself into the stack area of COMMAND.COM, so the file length does not grow.
Infection of COM file                  Infection of COMMAND.COM file

+-----------+     +-----------+        +-----------+     +-----------+
|   File    |     |   File    |        |COMMAND.COM|     |COMMAND.COM|
|           |     |           |        |           |     |           |
|           |     |           |        |           |     |           |
+ - - - - - |     +-----------|        + - - - - - |     +-----------|
|           |--+  |   Virus   |        |           |     |   Virus   |
+ - - - - - |  |  +-----------|        + - - - - - |     +-----------|
+-----------+  |  |- - - - - -|        +-----------+     +-----------+
               +->|           |
                  +-----------+

The viruses also hook INT 13h and then, depending on certain preconditions, randomly rearrange bytes in the data blocks being read from or written to disk.
The viruses of this family were the first to use two new methods. First, they intercept DOS file calls by using INT 2Ah instead of INT 21h. Second, the viruses (except “Phoenix.Live.a”) are polymorphic and have no constant mask (signature): the main part of the virus is encrypted, and the decryption routine (32 bytes long) is chosen from 204 possible variants (bear in mind that these viruses have the following lengths: “Phoenix” - 1704 bytes, “Phoenix.Evil” - 1701 bytes, “Phoenix.Proud” - 1102 bytes).
The viruses contain the text strings:
“Phoenix”: PHOENIX
“Phoenix.Evil”: The evil that men do lives on and on and on...
“Phoenix.Proud”: Proudly made in Sofia
“Phoenix.Live.a,b”: Live after Death

Phardera.5824

Monday, November 26th, 2007

This is a benign memory resident parasitic polymorphic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed. The resident code of the virus is also encrypted with varying keys, and the virus decrypts and re-encrypts its routines “on the fly” as needed. The virus also uses many anti-debugging tricks.
On the 10th of each month, the virus displays the following message:
Phardera + Dianita

The virus contains the text strings:
Phardera
-by Phardera'95-----Batavia--------Indonesia----
RaredrahP Dianita

Phantom1

Monday, November 26th, 2007

It is a not dangerous memory resident parasitic polymorphic virus. It hooks INT 1Ch and INT 21h and writes itself to the end of COM and EXE files that are executed or opened. After a long period of keyboard inactivity the virus draws a picture of a death’s head with the text “PHANTOM 1” and displays the message:
Congradulations!!! Your computer is now infected with a high performance
PHANTOM virus! Coming soon: next virii based on the _C00LEST_ mutation
engine all over the world: the Advanced Polymorphic Engine! Enjoy this
intro! (C) 1994 by Dark Prince.

This virus has bugs. First, it sometimes corrupts files while infecting them: the decryption routine cannot decrypt the virus body, and executing such files halts the system. Second, the video effect does not work under MS Windows, Win95 and various memory managers.

Phantom.2201

Monday, November 26th, 2007

It is a dangerous memory resident encrypted virus. It hooks INT 21h and writes itself to the end of .COM files that are opened or executed. It infects only files that begin with a JMP instruction. It marks “bad” clusters in the FAT sectors, shifts and flips the screen, and displays the message:
HI ROOKIE! I`m a THESEASE! I live in YOUR computer - sorry... Thanks to
Brains in the Computer Siences!

The virus also appends to the end of .EXE, .DBF and .ARC files the texts:
The PHANTOM Was HERE - Sorry…
Copyright (c) PHANTOM — This virus was designed in the HUNGARIAN VIRUS
DEVELOPING LABORATORY. (H.V.D.L.)v1

Phantasmagoria

Sunday, November 25th, 2007

It is a not dangerous non-memory-resident parasitic virus. It searches for .COM files in the current directory and writes itself to the end of the file. Before returning to the host program it decrypts and displays the message:
PHANTASMAGORIA ! Sleep Well

It sets the INT 20h vector to a JMP RESET instruction, so if the host program terminates with an INT 20h call the computer reboots.

Ph33r

Sunday, November 25th, 2007

It is a harmless memory resident parasitic virus. When an infected program is executed the virus hooks INT 21h and stays memory resident. For a DOS host file the virus hooks INT 21h by the standard methods; for a NewEXE host file it uses DPMI calls.
The virus writes itself to the end of executable files, including NewEXE files, when they are opened, executed or renamed and when their attributes are changed. The virus checks the file length and infects only *.DL*, *.CO* and *.EX* files. It does not infect *AV.*, *DV.*, *AN.* and *OT.* files.
When COM and EXE files are executed the virus writes itself to the end of the file. When infecting a NewEXE file the virus moves the NE header up by 8 bytes, creates a new descriptor there, and writes itself to the end of the file.
The virus does not manifest itself. It contains the text strings:
=Ph33r=
Qark/VLAD

On October 21st “Ph33r.1460” displays:
Cheng Cheng:
Happy Birthday to you, HandSome Boy!

This virus also contains the text:
> Joan for Windows v1.0 of T.N.T. Taipei/Taiwan 1995/09 <

PG

Sunday, November 25th, 2007

It is a harmless memory resident boot virus. It hooks INT 13h and writes itself into the boot sectors of floppy disks and the first boot sector of the hard drive. The original sector is stored in the last sector of the disk. The virus contains the internal text string “PG”.

PFS.3786

Sunday, November 25th, 2007

This is a benign memory resident encrypted stealth multipartite virus. It infects the MBR of the hard drive and writes itself to the end of COM and EXE files. When an infected file is executed, the virus infects the MBR, hooks INT 21h and stays memory resident. When the system is booted from the infected disk, the virus stays memory resident, hooks INT 8 (timer) and waits for DOS to load; it then releases INT 8 and hooks INT 21h.
The virus INT 21h handler hooks more than 10 DOS functions: FindFirst/FindNext (including the long-name calls), open file, close, execute, rename, read, etc. On open, execute, rename and file attribute access the virus infects the files; for the other functions it calls its stealth routines.
In addition to file stealth, the virus uses several rather complex tricks to hide its presence in the system. First, it uses direct disk access calls to bypass BIOS anti-virus protection. To hide its TSR copy the virus leaves only 339 bytes of its code in system memory, copying them into the Interrupt Vector Table. This code contains an INT 21h handler that, when needed, reads the complete virus code from the first track of the hard drive and calls it. As a result the virus does not occupy conventional system memory and is not visible to memory browsers. Depending on the system environment the virus also copies its code into XMS memory and, when needed, reads it from there rather than from the hard drive.
The virus contains the text strings:
PowerFul Stealth v6.1 (c)’98 DK eyegabooom
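A defender can look for this hiding place directly: in real mode no interrupt vector should point into the Interrupt Vector Table itself (linear addresses below 400h), and none should point into memory that the BIOS word at 0:413 says is no longer part of conventional memory (the trick the PeterII entry further down this page relies on when it cuts 4 KB off the top). The following is an added example, not code from this page, that scans a constructed 0x500-byte real-mode memory image for both conditions; obtaining such an image from a DOS machine or emulator is assumed and not shown.

```python
import struct

IVT_SIZE = 0x400        # 256 vectors * 4 bytes, each stored as offset:segment, little-endian
BDA_MEMSIZE = 0x413     # BIOS data area word: conventional memory size in KB
VIDEO_RAM = 0xA0000     # adapter/BIOS space starts here; handlers there can be legitimate


def linear(seg, off):
    """Real-mode segment:offset to a 20-bit linear address."""
    return ((seg << 4) + off) & 0xFFFFF


def scan_ivt(dump):
    """Return (vector, reason) pairs for handlers inside the IVT (PFS.3786 keeps its
    339-byte resident stub there) or above the DOS-reported top of memory (a TSR that
    shrank the 0:413 word to hide, as PeterII does). Heuristic: a hit is a lead, not proof."""
    mem_top = struct.unpack_from('<H', dump, BDA_MEMSIZE)[0] * 1024
    findings = []
    for vec in range(256):
        off, seg = struct.unpack_from('<HH', dump, vec * 4)
        addr = linear(seg, off)
        if addr == 0:
            continue                                     # unset vector
        if addr < IVT_SIZE:
            findings.append((vec, 'handler inside IVT'))
        elif mem_top <= addr < VIDEO_RAM:
            findings.append((vec, 'handler above DOS-reported top of memory'))
    return findings


def build_sample_dump(int21, int13, mem_kb):
    """Constructed sample: 0x500 bytes where every vector points at a harmless low-memory
    stub, then INT 21h and INT 13h are overridden with the given (segment, offset) pairs."""
    dump = bytearray(0x500)
    for vec in range(256):
        struct.pack_into('<HH', dump, vec * 4, 0x0010, 0x0070)   # offset 0010h, segment 0070h
    struct.pack_into('<HH', dump, 0x21 * 4, int21[1], int21[0])
    struct.pack_into('<HH', dump, 0x13 * 4, int13[1], int13[0])
    struct.pack_into('<H', dump, BDA_MEMSIZE, mem_kb)
    return bytes(dump)


if __name__ == '__main__':
    samples = {
        'clean': build_sample_dump((0x0070, 0x0010), (0x0070, 0x0010), 640),
        'PFS-like': build_sample_dump((0x0000, 0x0300), (0x0070, 0x0010), 640),   # INT 21h in the IVT
        'PeterII-like': build_sample_dump((0x0070, 0x0010), (0x9F00, 0x0000), 636),  # 4 KB cut, INT 13h at 9F00:0000
    }
    for name, dump in samples.items():
        print(name, [(hex(v), why) for v, why in scan_ivt(dump)])
```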

PeterII

Sunday, November 25th, 2007

This is an ordinary memory resident stealth infector that hits floppy boot sectors and the hard drive MBR sector. It occupies six sectors (0C00h or 3072 bytes): five sectors of the virus body and one sector holding the original sector that the virus replaced.
On loading from an infected disk it installs itself in system memory. On installation the virus decreases the system memory size (the word at address [0000:0413]) by four (i.e. 4 KB), reads the rest of its body (four sectors) from the disk it was loaded from, and copies itself into memory at the constant address 9F00:0000. So the virus cuts four kilobytes out of system memory for its code and data.
Then the virus checks the system date; only the current day and month interest it. To get these values the virus uses the CMOS data store: it writes the address into port 70h and reads the contents of the addressed cell from port 71h. If the current date is February 27th the virus calls the trigger routine, described below.
Regardless of the system date and of the trigger’s outcome, the virus then reads the INT 13h (disk access) vector, saves it in its body and points the interrupt at the virus body. If the virus was loaded from a floppy disk it also infects the hard drive. Installation is then complete: the virus reads the original sector (boot sector or MBR) and passes control to it, and the program in that sector loads and runs the operating system.
In some cases, however, the virus hangs the machine before DOS is loaded, because on installation it does not check for a copy of itself already in memory. This can happen if you try to boot from an infected non-DOS floppy: the virus installs itself in memory and passes control to the original sector of the infected disk. The boot program in that sector searches for the DOS files, does not find them and displays a message like “Non-System disk, replace and press any key”. The user replaces the floppy as asked and reboots. But if the next disk is also infected, the second copy of the virus overwrites the first, and as a result the computer hangs.
The master boot record is infected while the virus loads. The virus reads the original sector and checks the virus ID byte: if the byte at offset 01FDh of the sector equals BBh the virus does not infect it. Otherwise the virus saves that sector on the hard drive at address 6/0/0 (sector/head/cylinder) and writes its body into the first physical sector of the hard drive and into the four sectors that follow. The hard drive is thus infected.
By hooking INT 13h the virus implements its stealth mechanism for the infected hard drive: on reads of or writes to the sectors occupied by the virus body the infector substitutes the register values so that the disk appears uninfected. Reads from and writes to the infected MBR sector are redirected to the 6th sector (where the original MBR is saved), and access to the other sectors is redirected to sector number 8 (usually that sector has the same contents as sectors 2-7, which contain only zero bytes).
If the access is directed at a floppy disk, the virus tries to infect it. First the virus reads the boot sector of the floppy and checks the ID byte, the byte at offset 01FDh (the same offset as on the hard drive); on a floppy, however, the value of this byte is 11h if the disk is infected.
The virus then checks another byte of the boot sector, the byte at offset 0018h. It is one of the system data bytes of MS-DOS boot sectors and holds the number of sectors per cylinder (track) on the physical disk. The virus infects the floppy only if this byte equals 15 (i.e. if it is a 1.2 MB 5.25-inch floppy disk).
If that pair of bytes satisfies the virus, it prepares the floppy for infection: the 80th cylinder of the floppy is formatted as an ordinary floppy cylinder. Note that a standard 1.2 MB floppy has 80 cylinders accessible by DOS, numbered 0 to 79, so the 80th cylinder of a standard floppy cannot be read or written by DOS means alone. But it is possible to format more than 80 cylinders on a floppy (if the floppy disk controller can do it). In that case the floppy contains several extra sectors that can be used via INT 13h but are never accessed by DOS.
These extra sectors are used when the virus saves its body on the floppy: it saves the original boot sector into the last sector of the standard root directory, at absolute address 14/1/0 (sector/head/cylinder, equal to the 28th logical sector of a 1.2 MB floppy), then overwrites the boot sector with its own loader, which is the same as the infected hard drive’s loader (except for the value of the ID byte), and saves the rest (four sectors) into the newly formatted cylinder. The floppy disk is now infected.
On February 27th, as described above, the virus calls the trigger routine. This routine decrypts and prints the message:
Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data in Hardisk!!!
WAIT for 1 MINUTES,please...

Then the virus encrypts all the sectors of the hard drive: every word is XORed with the value 7878h. As a result all executable, data and other files are inaccessible! If you reset the computer at that moment they will be lost. It is easier to reformat the hard drive and restore the information from a backup (if you have one) than to decrypt all the encrypted sectors. If you want to save your information you should wait and read the next messages of the virus:
Ok.If you give the right answer to the following questions,I will save
your HD:
A. Who has sung the song called “I`ll be there” ?
1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4):
B. What is Phil Collins ?
1.A singer 2.A drummer 3.A producer 4.Above all (1-4):
C. Who has the MOST TOP 10 singles in 1980`s ?
1.Michael Jackson 2.Phil Collins (featuring Genesis)
3.Madonna 4.Whitney Houston (1-4):

The user must give three correct answers; in that case the virus decrypts and restores the hard drive sectors and prints:
CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ……

If any of the answers is wrong, the virus displays:
Sorry!Go to Hell.Clousy man!

and you are left with an empty hard drive.
Fortunately the virus sets no time limit: you can call friends who are specialists in rock music and ask them for the correct answers, or call a system programmer who can analyze the code of the virus and tell you which numbers to enter.
And here is the answer to the “three questions of the sphinx”: four, four and two.
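The ID bytes, the geometry test and the saved-sector locations described above are enough to triage a disk image and to undo the trigger's encryption offline. This added example (not code from the page) checks a constructed 1.2 MB floppy image for the 11h marker and the 15-sectors-per-track test, slices out the saved original sector, and applies the 7878h word XOR, which is its own inverse, so the same routine decrypts an image of a drive the trigger has already scrambled. The image must be captured with the virus not resident, otherwise its INT 13h stealth redirects the very reads being made.

```python
import struct

SECTOR = 512
ID_OFFSET = 0x1FD          # virus ID byte in a floppy boot sector and in the hard drive MBR
ID_FLOPPY, ID_HDD = 0x11, 0xBB
SPT_OFFSET = 0x18          # sectors-per-track field of the boot sector (the "byte at 0018h")
XOR_KEY = 0x7878           # the February 27th trigger XORs every 16-bit word on the drive with this
LBA_SAVED_HDD = 5          # CHS 6/0/0: where the original MBR is kept
LBA_SAVED_FLOPPY = 28      # CHS 14/1/0 on a 1.2 MB floppy: where the original boot sector is kept


def is_infected(sector, is_floppy):
    """True if the 512-byte boot sector / MBR carries the ID byte the virus itself checks."""
    return sector[ID_OFFSET] == (ID_FLOPPY if is_floppy else ID_HDD)


def floppy_is_target(sector):
    """True for the only media the virus infects: 15 sectors per track, a 1.2 MB 5.25-inch disk."""
    return sector[SPT_OFFSET] == 15


def saved_original_sector(image, is_floppy):
    """Cut the original boot sector / MBR out of a raw image. The image must be taken with the
    virus not resident, because its INT 13h stealth redirects exactly these reads."""
    lba = LBA_SAVED_FLOPPY if is_floppy else LBA_SAVED_HDD
    return image[lba * SECTOR:(lba + 1) * SECTOR]


def xor_words(data, key=XOR_KEY):
    """XOR every little-endian 16-bit word with key. XOR is its own inverse, so applied to an
    image of a drive the trigger has already encrypted this recovers the plaintext."""
    if len(data) % 2:
        raise ValueError('data must be a whole number of 16-bit words')
    n = len(data) // 2
    return struct.pack('<%dH' % n, *(w ^ key for w in struct.unpack('<%dH' % n, data)))


def constructed_floppy_image(infected):
    """Constructed sample: the first 40 sectors of a 1.2 MB floppy image, clean or infected."""
    image = bytearray(40 * SECTOR)
    struct.pack_into('<H', image, SPT_OFFSET, 15)          # 1.2 MB geometry
    image[510:512] = b'\x55\xAA'                           # boot signature
    if infected:
        # the loader keeps the original sector at LBA 28 and marks itself with the floppy ID byte
        image[LBA_SAVED_FLOPPY * SECTOR:(LBA_SAVED_FLOPPY + 1) * SECTOR] = image[:SECTOR]
        image[ID_OFFSET] = ID_FLOPPY
    return bytes(image)


if __name__ == '__main__':
    img = constructed_floppy_image(infected=True)
    print('infected:', is_infected(img[:SECTOR], True), 'target geometry:', floppy_is_target(img[:SECTOR]))
    print('saved original boot sector ends with', saved_original_sector(img, True)[510:].hex())
    scrambled = xor_words(b'DATA FILE CONTENTS')           # 18 bytes, an even length
    print('round trip:', xor_words(scrambled) == b'DATA FILE CONTENTS')
```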

Peterburg.529

Sunday, November 25th, 2007

It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the beginning of .COM files that are executed. It does not manifest itself in any way.

Pest.2728

Saturday, November 24th, 2007

This is a very dangerous memory resident parasitic polymorphic virus. It traces INT 13h, hooks INT 21h, and writes itself to the end of COM and EXE files that are executed. The virus checks file names using the text string:
ASCECLHVSPF-ACPRVINWI

and does not infect files whose names begin with SCA, CLE, VSH, F-P, CPA, VIR or WIN. While infecting a file, the virus also checks it for certain specific code and patches it.
Under a debugger, or on the 13th of any month and depending on the system timer, the virus corrupts hard drive sectors and reboots the computer. Starting from the 4096th (1000h) infection, the virus overwrites the data saved on the disk with the following text:
PRIEST V.D.G.I. hopes you can recover your data !!!

The virus also contains the text string:
Pest (c) 12/10/93 by (and best wishes from) PRIEST Int., Gbw/Germany
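The 21-character string quoted above and the seven skipped prefixes line up as seven groups of three characters, each group holding a prefix with its last character moved to the front (ASC for SCA, PF- for F-P). The following added example, not code from the page, decodes the string back into the prefix list and applies the same skip rule to a file name; the prefixes correspond to anti-virus tools of the period (SCAN, CLEAN, VSHIELD, F-PROT, CPAV), which is why a scanner must never let a file's own name decide whether it gets checked.

```python
PEST_TABLE = 'ASCECLHVSPF-ACPRVINWI'   # the string quoted in the description: 7 groups of 3


def decode_prefixes(table=PEST_TABLE):
    """Split the table into 3-character groups and undo the rotation: each group holds a
    prefix with its last character moved to the front ('ASC' -> 'SCA', 'PF-' -> 'F-P')."""
    if len(table) % 3:
        raise ValueError('table length must be a multiple of 3')
    return [table[i + 1:i + 3] + table[i] for i in range(0, len(table), 3)]


def pest_would_skip(path, prefixes=None):
    """True if Pest.2728 would leave this file alone: its base name starts with one of the
    prefixes. Comparison is done in upper case because DOS stores file names that way."""
    prefixes = prefixes or decode_prefixes()
    base = path.replace('\\', '/').rsplit('/', 1)[-1].upper()
    return any(base.startswith(p) for p in prefixes)


if __name__ == '__main__':
    print(decode_prefixes())   # ['SCA', 'CLE', 'VSH', 'F-P', 'CPA', 'VIR', 'WIN']
    for name in ('C:\\DOS\\SCAN.EXE', 'f-prot.exe', 'C:\\WINDOWS\\WIN.COM', 'C:\\GAMES\\PRINCE.EXE'):
        print(name, '-> skipped' if pest_would_skip(name) else '-> infectable')
```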

Peru

Saturday, November 24th, 2007

It is a dangerous boot virus. It hooks INT 13h and writes itself to the boot sector of the hard drive and of floppy disks. It infects the hard drive when the system is booted from an infected floppy, and infects floppy disks as they are accessed. Because of an error in the floppy infection routine the virus writes the original boot sector to one of the FAT sectors, which may corrupt data on the disk.
After five infections the virus displays the message:
No Existe Otra Mujer Como JOHANA

The virus also contains the text:
Peru
