Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Peter

Peter is an encrypted, stealth boot virus with body length of 5 sectors. When the computer system is booted from an infected diskette the virus decreases the amount of memory usable by DOS by 4 KB. It will locate the rest of its code in memory and move to always the same address 9F00:0000h. From the CMOS memory it will read the current date and test if it is not February 27th. The virus redirects the interrupt INT 13h to its code in memory. MBR of hard disk is infected if there is no value 0BBh on the offset 1FDh MBR which serves to the virus as an identifier of infected MBR. The original MBR is written to cylinder 0, side 0, sector 6. The virus header is written into MBR and 4 sectors behind MBR are occupied by the virus body. Finally, the virus transfers control to the original contents of boot sector which it reads into memory. Then the virus infects diskettes that are not write-protected. Identifier of infected boot sector of diskettes is a byte with value 11h on offset 1FDh in boot sector. With the infection an additional side is formatted where the virus body is loaded. The header occupies the original boot sector which is moved to the last sector of the root directory. The virus utilizes the following stealth technique: each access to hard disk sectors 1 to 6 is redirected to sector 8 which has the same contents as the above mentioned sectors (all these sectors contain zeros). Access to MBR is redirected to its saved copy. On February 27th the virus writes the following text on the screen:

Good morning,EVERYbody,I am PETER II Do not turn off the power, or you will lost all of the data in Hardisk!!! WAIT for 1 MINUTES,please...

Then the virus codes the hard disk and after a while requires the user to answer the following quiz questions:

Ok.If you give the right answer to the following questions,I will save your HD:
A. Who has sung the song called "I`ll be there" ?
1.Mariah Carey
2.The Escape Club
3.The Jackson five
4.All (1-4):

B. What is Phil Collins ?
1.A singer
2.A drummer
3.A producer
4.Above all (1-4):

C. Who has the MOST TOP 10 singles in 1980`s ?
1.Michael Jackson
2.Phil Collins (featuring Genesis)
3.Madonna
4.Whitney Houston (1-4):

If the user answers 4, 4, 2, the following message is displayed:

CONGRATULATIONS !!! YOU successfully pass the quiz! AND NOW RECOVERING YOUR HARDISK ......

If the user answers incorrectly the virus writes:

Sorry! Go to Hell. Lousy man!

For encrypting the data simple operation XOR with the constant 787h is used and so recovery is possible even if the given answers are evaluated as incorrect by the virus. In that case it is necessary to have the hard disk data recovered by an expert.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.