Once Peter_II has managed to install itself into memory, it will
infect practically all non-write protected diskettes used in the
computer. Peter_II is also a stealth virus - if you try to examine
the boot record in an infected computer, the virus will show you the
original, clean record.
Peter_II activates every year on the 27th of February. When the
computer is booted, the virus displays the following message:
Good morning,EVERYbody,I am PETER II
Do not turn off the power, or you will lost all of the data in
WAIT for 1 MINUTES,please...
After this, the virus encrypts the whole hard disk by issuing XOR
78h to every byte on each sector. Having done that, the virus
continues by displaying the following questionnaire:
Ok. If you give the right answer to the following questions, I will
save your HD:
A. Who has sung the song called "I'll be there" ?
1.Mariah Carey 2.The Escape Club 3.The Jackson five 4.All (1-4):
B. What is Phil Collins ?
1.A singer 2.A drummer 3.A producer 4.Above all(1-4):
C. Who has the MOST TOP 10 singles in 1980's ?
1.Michael Jackson 2.Phil Collins (featuring Genesis) 3.Madonna
If the user gives correct answers to every question, the virus
decrypts the hard disk and displays the following message:
CONGRATULATIONS !!! YOU successfully pass the quiz!
AND NOW RECOVERING YOUR HARDISK ......
The user can then continue using the computer normally. However, if
incorrect answers are given, the virus will not decrypt the hard
disk. Instead, it will just display the following message:
Sorry!Go to Hell.Clousy man!
In case you do not find out about the infection until the virus
starts its mischief, the correct answers are 4, 4 and 2. Of course,
it is better to take care of the matter beforehand; F-Secure
anti-virus products are able to detect and disinfect the Peter_II
[Analysis: Mikko Hypponen, F-Secure]