Virus.Multi.Ph33r

Class Virus
Platform Multi
Description

Technical Details


It is a harmless memory resident parasitic virus. While executing an
infected program the virus hooks INT 21h and stays memory resident. In case
of DOS host file the virus uses the standard methods of the INT 21h
hooking, in case of NewEXE file the virus uses DPMI calls.


While opening, execution, renaming executable files including NewEXE, and
on changing the file attributes the virus writes itself at the end of the
file. The virus checks the file length and infects only *.DL*, *.CO* and
*.EX* files. The virus does not infect the *AV.*, *DV.*, *AN.*, *OT.*
files.


While executing COM and EXE files the virus writes itself to the end of the
file. While infecting a NewEXE file the virus moves NE header 8 bytes up,
creates new descriptor there, and writes itself the end of the file.


The virus does not manifest itself. It contains the text strings:


=Ph33r=
Qark/VLAD

On October 21st “Ph33r.1460” displays:

Cheng Cheng:
Happy Birthday to you, HandSome Boy!

This virus also contains the text:

> Joan for Windows v1.0 of T.N.T. Taipei/Taiwan 1995/09 <