This virus is able to infect not only documents but also COM, EXE and NewEXE (Windows format) files. It reveals its presence in DOC files by macros with names: AutoExec, AutoOpen, FileSaveAs, FilePrINT, FilePrINTDefault, InsertPayload, Payload, DropSuriv, FileExit. The names are obviously self-explanatory – just the name Suriv should be read starting from the end. Infection of files takes place only from 5 to 6 in the afternoon and it is done in a very interesting way. By means of the DOS program DEBUG the virus temporarily creates files PH33R.SCR and EXEC_PH.BAT in the C:\DOS directory. With help of these files it installs the virus body into memory and redirects the DOS services (INT 21h) to it. After that it deletes the supplementary files. When the virus is in memory it infects programs and adds itself to their end. If there is a document being printed which has data on seconds at the time of origin higher that 55, the virus writes just before the document is sent to the printer the following message to the end of the text:

And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
When an infected program is run or an infected document is read in on April 5th the virus destroys system files.

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.