Virus.PHP.Pirus

Class Virus
Platform PHP
Description

Technical Details

This is the first known virus infecting PHP script programs (Hypertext Preprocessor scripting language, see http://www.php.net for more details). It was discovered in October 2000.

When the virus is activated, it looks for all .PHP and .HTM files in current directory and infects them. The infection is done in quite silly way. The virus does not write its complete code to the file, but just a reference to
the virus file: the virus adds one command to the end of the file, and that is “include virus file” command that refers to virus code.

When an affected file is opened, the PHP scripting machine processes that “include” command as well, gets (reads) complete virus code from virus file and activates it.

As a result, the virus copy presents on the computer in just one instance. All infected files just refers to that copy. Because of that infection way the virus cannot spread from a computer to other computers, but is able to operate inside one computer only.

The virus contains the text “pirus.php”.