Virus Database

BootCOM.Peanut

Description BootCOM.Peanut

This is memory resident multipartite virus. It hits COM files as well as system sectors (boot or/and MBR).
It's a harmless memory resident multipartite virus. On execution of infected file it hits MBR of hard drive. On loading from infected disk it hooks INT 13h, 21h and writes itself at the end of COM-files are executed and hits boot sectors of floppy disks.

Check other viruses! Be aware! Use Antiviral Software

PK.4096

Description PK.4096

It is a dangerous memory resident polymorphic and stealth parasitic virus. It writes itself to the end of COM and EXE files. The virus infects files that are copied to A: or B: floppy disks. While installing memory resident it also searches for files on C: drive and infects them. Depending on its random counter it also infects COM files with "Small.66.b" parasitic COM virus.
The virus uses several level of encryption. The first level is polymorphic, the second level uses anti-debugging tricks, the third level is on-the-fly encryption - main part of virus code is encrypted at any time. In case of need the virus decrypts its subroutines, calls them and then encrypts with new key. The virus also uses other anti-debugging tricks, some of them are incorrect. As a result the virus does not work on Pentium PC.
The virus is memory resident, but it does not leave its TSR copy in the system memory - it encrypts and saves its code to the reserved sectors on the hard drive (on the first track), copies 200 bytes of its INT 21h handler to DOS data area (at address 0054:0000), hooks INT 21h and returns control to host program. In case of need INT 21h handler reads complete virus code from hard drive to video memory, then decrypts and calls it. To hook INT 21h the virus patches the DOS kernel.
The virus intercepts several DOS functions: Execute, Read, Write, Seek, Create, Close, FindFirst/Next, Get File Date&Time. All these hooks except Execute and Create/Close are used by virus in its stealth routine. When the ADINF.EXE program is executed, the virus cancels it, then displays random letters followed with the message:
Divide overflow

When COM and EXE files are created on A: or B: drives, the virus stores file handles and infects these files on closing.
The virus contains the text strings:
JESUS CHRIST SUPERSTAR
(C)PK 10/94

Pkunk.1586

Description Pkunk.1586

It is a harmless nonmemory resident partly encrypted parasitic virus. It searches for COM and EXE files, then infects them. While infecting the virus uses one of four possible methods: infecting COM files to the file end or header, infecting EXE to the file end with two possible methods.
The infection method is selected by the virus depending on the system and software installed on the system. The virus looks for DOS*, WIN*, GAM*, QWE* directories on the C: drive, and depending on their presence selects the infection method.
The virus contains the text string:
[PKUNK v1.0] (c) Wet Milk

Home