Threat Description

Roma

Details

Aliases:Roma, PG
Category:Malware
Type:Virus
Platform: W32

Summary



This virus was first reported in Milan during the summer of 1994. It is claimed that this virus was written by a student at the Polytechnic of Milan, the same author is also responsible for a slightly different variant called PG2.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Once a machine has been booted from an infected floppy diskette or hard disk, the virus allocates 1K of conventional memory, copies itself to the allocated memory and installs it's own INT 13h handler. Once this is complete the virus loads and executes the original FBR or DBR, the boot process then continues as normal.

It is interesting to note that the virus will not attempt to infect all floppy diskettes or hard disks. When a call is made to the "Read Sector" function of INT 13h the virus makes an odd calculation based on the value returned in DX from INT 1Ah function 0. (This happens to be "Get System Time" and returns the number of clock ticks since midnight in CX:DX) The following pseudo code fragment best demonstrates the calculation:

if (previous_clock_count - current_clock_count) > 54 then begin

previous_clock_count = current_clock_count
  infect FBR/DBR
  else skip_infection

The virus deems the FBR or DBR to be infected if the byte at offset 74 (4Ah) is equal to "P". The only visible text string in the virus is "PG".

The virus can be disinfected quite easily using generic methods, always after booting from a clean system diskette:

Infected floppy diskettes can be disinfected with the SYS A: command.

Infected hard disks can be disinfected with the SYS C: command.

When using the SYS command be sure to use the same DOS version that is installed on the disk you are disinfecting.





Technical Details: Jeremy Gumbley, Command Software Systems UK


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More