Threat Encyclopedia


Ph33r

Ph33r is a very interesting virus, the first of its kind. It can infect executable files under both DOS and Windows. The virus infects COM, EXE and DLL files, but it avoids those whose names contain the strings 'AV', 'DV', 'AN' or 'OT'. It also avoids the file WIN386.EXE.

When an infected file is executed, the virus checks whether it is already resident in memory. It does this by calling interrupt INT 21h with AX=51FFh and expecting AX=0FF51h on return. If the virus is not resident, it tries to turn off VSAFE and to find out whether the program's MCB is the last one. If so, it allocates memory and moves into it, redirecting the INT 21h interrupt vector. Under Windows it allocates memory by means of DPMI, creates a selector that points to that memory and moves into it, redirecting interrupt INT 21h.

The virus infects files when they are executed, opened or renamed, or when their attributes are changed. The virus does not show its presence in any way, but when DEBUG is exited the system will crash. The virus body contains two text strings:

=Ph33r=

and

Qark/VLAD

The first is the virus name and the second is the author's signature. The virus is linked with the macro virus WM/Nuclear, which tries to install Ph33r into memory.
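
A triage sketch built only from the traits described above (target file types, the two body strings, and the file names the virus avoids); it is an added example, not Eset's detection logic. The function names and verdict labels are hypothetical, and it assumes the strings appear unencoded in an infected file and that the name test is a case-insensitive substring match.

```python
from pathlib import PureWindowsPath

# Marker strings the entry says are present in the virus body.
MARKERS = (b"=Ph33r=", b"Qark/VLAD")
# File types the entry lists as infection targets.
TARGET_EXTS = {".COM", ".EXE", ".DLL"}
# Name fragments and the one file the entry says the virus avoids.
AVOIDED_FRAGMENTS = ("AV", "DV", "AN", "OT")
AVOIDED_FILES = {"WIN386.EXE"}


def is_avoided_name(filename: str) -> bool:
    """True if the description says the virus skips this file name.
    Assumption: case-insensitive substring test on the file name."""
    name = PureWindowsPath(filename).name.upper()
    return name in AVOIDED_FILES or any(f in name for f in AVOIDED_FRAGMENTS)


def markers_in(data: bytes) -> list[str]:
    """Return the marker strings found anywhere in the file contents."""
    return [m.decode("ascii") for m in MARKERS if m in data]


def triage(filename: str, data: bytes) -> str:
    """Classify one file for follow-up; a hit is a lead, not a verdict."""
    if PureWindowsPath(filename).suffix.upper() not in TARGET_EXTS:
        return "not-a-target-type"
    found = markers_in(data)
    if not found:
        return "no-markers"
    if len(found) < len(MARKERS):
        return "partial-markers"
    # Both strings present. A name the virus is said to avoid does not fit
    # the described infection path, so flag it separately for a closer look.
    return "markers-unexpected-name" if is_avoided_name(filename) else "markers-found"


if __name__ == "__main__":
    # Constructed buffers for illustration, not real samples.
    body = b"\x90\x90=Ph33r=\x00Qark/VLAD\x00"
    for name, data in [("C:\\DOS\\EDIT.COM", body), ("SCAN.EXE", body),
                       ("EDIT.COM", b"MZ\x00\x00"), ("README.TXT", body)]:
        print(f"{name:18} {triage(name, data)}")
```

Plain strings like these are weak indicators on their own, so a hit should be confirmed with a current scanner.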

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.