FANDOM


The Evil virus is a virus that runs on MS-DOS. The virus is one of a family of three viruses which may be referred to as the P1 or Phoenix Family. Each of these viruses is being documented separately due to their varying characteristics. The Evil virus is a memory resident, generic infector of .COM files, and will infect COMMAND.COM.  It is the most advanced of the three viruses in the Phoenix Family. This virus is not related to the Cascade (1701/1704) virus. 

Payload

The first time a program infected with the Evil virus is executed, the virus will install itself memory resident in free high memory, reserving 8,192 bytes.  Interrupt 2A will be hooked by the virus. System total memory and free memory will decrease by 8,192 bytes. Evil will then check to see if the current drive's root directory contains a copy of COMMAND.COM.  If a copy of COMMAND.COM is found, it will be infected by Evil by overwriting part of the binary zero portion of the program, and changing the program's header information. COMMAND.COM will not change in file length. The virus will then similarly infect COMMAND.COM residing in the C: drive root directory. After becoming memory resident, the virus will attempt to infect any .COM file executed.  Evil is a better replicator than either the original Phoenix virus or PhoenixD, and was successful in infecting .COM files in all cases on the author's system.  Infected files will increase in size by 1,701 bytes. Evil is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times.  Each infection will result in another 1,701 bytes of viral code being appended to the file. Like PhoenixD, Evil will infect files when they are opened for any reason, in addition to when they are executed.  The simple act of copying a .COM file will result in both the source and target .COM files being infected. Systems infected with the Evil virus will experience problems with executing CHKDSK.COM.  Attempts to execute this program with Evil memory resident will result in a warm reboot of the system occurring. The system, however, will not perform either a RAM memory check or request Date and Time, if an autoexec.bat file is not present. The Evil virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples. 

Removal

Delete the infected files.

Community content is available under CC-BY-SA unless otherwise noted.