Prevent Online Threats

Archive for November, 2007

Per

Saturday, November 24th, 2007

Details
Pers

It is a harmless memory-resident boot virus. It hooks INT 13h and writes itself to the MBR sector of the hard drive and to the boot sector of floppy drive A:. The virus infects the hard drive MBR when the system is booted from an infected floppy disk; floppy disks are infected when they are accessed.
The virus does not manifest itself in any way. It contains the text:
Pers?fone 1.1

Permutan.544

Saturday, November 24th, 2007

Details
Permutan.544

It is a very dangerous memory-resident parasitic virus. It hooks INT 13h and 20h and stays memory resident. While installing itself into memory, the virus leaves its own code as well as the code of the host file in system memory.
On INT 20h calls (Terminate), the virus gets the file name of the active program from the PSP and writes itself to the end of that file.
Depending on the system timer, the virus corrupts the data that is saved to disk (INT 13h). The virus contains the text string:
Permutan

Perfume Family

Saturday, November 24th, 2007

Details
Perfume Family

These are very dangerous memory-resident parasitic viruses. They write themselves to the end of .COM files. When executed, these viruses infect the COMMAND.COM file, then hook INT 21h, stay memory resident, and infect the files that are executed. While installing themselves into memory they do not fix the MCB list, which may halt the PC.
Sometimes they erase random sectors on the floppy disk. On the 80th attempt to infect an already infected file, the virus runs a dialogue. It displays:
Bitte gebe den G-Virus Code ein :

and waits for “4711” input. If this string is entered, the virus displays:
Tut mir Leid !

“Perfume.731” also contains the text:
G-VIRUS V1.3

“Perfume.731.b” contains/displays the texts:
IRA Virus 18
Irish Republican Army v18 Virus :
hat
By Capt Picard

Pepper Family

Saturday, November 24th, 2007

Details
Pepper Family

These are not dangerous non-memory-resident parasitic viruses. They search for .COM files and write themselves to the end of the file. Depending on the system timer, they set the system date to the previous day and display:
“Pepper.529”: GOL Strikes again!
“Pepper.529”: yesterday once more

They also contain the text strings:
*.COM [pepper]

Penza Family

Friday, November 23rd, 2007

Details
Penza Family

These are not dangerous memory-resident parasitic viruses. They trace and hook INT 21h, then write themselves to the end of COM and EXE files that are executed. While infecting, “Penza.700” converts EXE files to COM format (see the “VACSINA” family). If an error occurs during infection, “Penza.1210” displays the message:
Best wished from Penza!

Pentagon

Friday, November 23rd, 2007

Details
Pentagon

This is a dangerous virus. It infects the boot sectors of floppy disks in the “Brain” manner. If the floppy disk is already infected by the “Brain” virus, “Pentagon” will “cure” the boot sector of this disk, change its label and infect the disk itself. The file PENTAGON.TXT is created on the infected disk. The virus survives a “warm” reboot. Part of the virus is encrypted. The virus hooks INT 9 and 13h. The virus contains the text: “(c) 1987 The Pentagon, Zorell Group”, “first sector in segment”.

Penetrator.984

Friday, November 23rd, 2007

Details
Penetrator.984

It is a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or opened. On the 77th infection, the virus erases the disk sectors and displays the message:
Cat scratch fever.(CSF)
by Penetrator (IRI).Special thanks to Dr.Armageddon.
Writing such funny things is not a crime!

Trojan.Win32.StartPage.jo

Friday, November 23rd, 2007

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 11776 bytes in size. It is packed using UPX. The unpacked file is approximately 48KB in size. It is written in Delphi.

Trojan.Win32.StartPage.gp

Friday, November 23rd, 2007

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 11264 bytes in size. It is packed using UPX. The unpacked file is approximately 48KB in size. It is written in Delphi.

Trojan.Win32.StartPage.gj

Friday, November 23rd, 2007

This Trojan has a malicious payload. It is a Windows PE EXE file. It is 11776 bytes in size. It is packed using UPX. The unpacked file is approximately 22KB in size. It is written in Delphi.

Pempe family

Friday, November 23rd, 2007

Details
Pempe family

These are not dangerous memory-resident parasitic viruses; “Pempe.1943” is encrypted. They trace INT 13h and 21h, hook INT 8 and 21h, and on DOS disk-access calls search for .EXE files and write themselves to the end of the file. Depending on their counters, the viruses decrypt and display the message:
+—————————–+
| P E M P E |
| AMACC (Makati,Phils) [PM] |
+—————————–+

The “Pempe.1811” virus also contains the text:
PEMPE 1.2

Pelf.2132

Friday, November 23rd, 2007

Details
Pelf.2132

(aka Lindose)
This is a harmless non-memory-resident parasitic multipartite virus. It infects Windows executable files as well as Linux ones (Windows PE files and Linux ELF files).
The virus is written in Assembler and is about 2.5 Kb in size. It does not manifest itself in any way, and is essentially a concept multi-platform Windows-Linux virus.
The virus contains the text strings:
[Win32/Linux.Winux] multi-platform virus by Benny/29A
This GNU program is covered by GPL.
To infect executable files of both systems, and to spread under both, the virus routines are separated into two blocks: the former block is activated under Windows, where it looks for Windows and Linux executable files and infects them; the latter block is activated under Linux, where it also looks for executable files and infects them.
The Windows part
It searches all files in the current and upper directory, and infects PE files and Linux ELF files (it checks the file type by file format). It infects both types, and has two subroutines for each (Windows version).
The Linux part
This part searches all files in the current directory, and infects PE files and Linux ELF files (it checks the file type by file format). It infects both types, and has two subroutines for each type (Linux version).
Infecting Windows PE files
The virus scans for the “.reloc” section. If this section is found, the virus writes itself to the middle of the file. It saves the original Entry Point address, and restores the PE file after it has finished its work.
Infecting Linux ELF files
The virus writes itself to the Entry Point of the file. It saves the original data at the end of the file, saves the code from the Entry Point, and restores the ELF file after finishing its work.
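
For defenders, the properties described above (file type decided by header format, a “.reloc” section in PE hosts, and the embedded text string) translate into a simple triage check. The following is an added example, not code from the original page or from any antivirus product; the function names are hypothetical, the sample inputs are constructed header stubs, and a string match alone is only a weak indicator.

```python
import struct

# Text string quoted in the Pelf.2132 description above.
MARKER = b"[Win32/Linux.Winux] multi-platform virus by Benny/29A"

def file_format(data: bytes) -> str:
    """Classify by header structure ("by file format"), never by extension."""
    if data[:4] == b"\x7fELF":
        return "ELF"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "PE"
    return "other"

def pe_section_names(data: bytes) -> list:
    """Section names from the PE section table; [] if headers are truncated."""
    try:
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        (count,) = struct.unpack_from("<H", data, e_lfanew + 6)
        (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    except struct.error:
        return []
    table = e_lfanew + 24 + opt_size  # signature + COFF header + optional header
    names = []
    for i in range(count):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) == 8:
            names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def triage(data: bytes) -> dict:
    """Report format, marker presence, and whether a PE has a .reloc section."""
    fmt = file_format(data)
    return {
        "format": fmt,
        "marker": fmt != "other" and MARKER in data,
        "has_reloc": fmt == "PE" and ".reloc" in pe_section_names(data),
    }

def constructed_pe(sections, tail=b"") -> bytes:
    """Constructed sample: minimal PE headers only, not a runnable program."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in sections)
    return dos + coff + table + tail

if __name__ == "__main__":
    print(triage(constructed_pe([".text", ".reloc"])))
    print(triage(b"\x7fELF" + b"\x00" * 60 + MARKER))
```

Here `has_reloc` only marks PE files that meet the condition the description names for infection; `marker` is the actual indicator, and it is ignored for files that are neither PE nor ELF.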

Pebble

Friday, November 23rd, 2007

Details
Pebble

It is a dangerous memory-resident boot virus. It hooks INT 9 and 13h and writes itself to the boot sector of floppy disks when they are read. It infects the hard drive when the system is booted from an infected floppy. It saves the original MBR sector in the 7th hard drive sector and the original boot sector in the last root directory sector of a diskette. Because of an error while infecting floppy disks, the virus corrupts the disk parameters table.
On keystrokes (INT 9), the virus changes the color attribute of the top-left character on the screen.

Peasant.1243

Thursday, November 22nd, 2007

Details
Peasant.1243

This is a dangerous memory-resident parasitic virus. When an infected EXE file is executed, the virus searches for a command interpreter (COMMAND.COM) by using the string “COMSPEC=”, and overwrites it. The virus stores the part of the code that is overwritten in unused sectors of the hard drive, then returns control to the host program.
When an infected COMMAND.COM is executed, the virus reads its original code from the hard drive sectors, hooks INT 21h and returns control to COMMAND.COM. Then the virus writes itself to the end of EXE files that are accessed.
On Mondays, it disables the DOS functions SetDir, RemoveDir and ChangeDir, and when files are deleted, it “hides” them with the corresponding attributes. When writing to files, the virus appends to them the string:
“”"NoImportRICE!”"”

It displays the same string while terminating the programs. The virus also contains the text string:
(c)KoRea-PeaSant

Peach.887

Thursday, November 22nd, 2007

Details
Peach.887

It is not a dangerous memory-resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files. It writes 13h bytes of a Jmp-Virus routine to the beginning of COM files.
The virus deletes the CHKLIST.CPS file, and sometimes writes to the BIOS data area at the address 0040:00FC the string:
Roy CuatroNo 2 Peach GardenMeyer Rd. Spore 1543

