Power_Pump is very simple and badly programmed companion virus. The
virus operates by using two separate executable files.
First of these programs is always called POWER.EXE, and is programmed
in Turbo C. The second program changes name with every infection,
picking the file name of the victim file, but using a COM extension
instead of EXE extension; this way the program gets accidentally
executed by the user if he runs a program without specifying the
extension (as it is usually done).
The second program is actually a batch file, which has been compiled
with BAT2EXE. Once this program is run, it attempts to execute
POWER.EXE, which will do the actual replication and then execute the
original victim file.
Power_Pump is so badly programmed that it crashes with almost every
execution with "Null pointer assignment" error. Sometimes the virus
displays this text:
Power Pump v1.1 = The Choice Of A New Generation
The virus is probably made in England, since there were multiple
reports of it being found from there in 1992.
In addition to that, Power_Pump has been spread with several
different shareware games collections, in a file called XYPHR2.ZIP
or similar. In despite of this, the virus is not common.
Power_Pump can not be considered a real threat due the bugginess
of it's code. It's highly unlikely that it could spread very far
from an infected machine without being noticed.
It should be noted that since the virus is programmed in Turbo
C and DOS batch language, false alarms of this virus are more
likely than usual. If an antivirus program flags a file infected
with Power_Pump, re-check with other products.
[Analysis: Mikko Hypponen, F-Secure]
