This virus was first reported in Milan during the summer of 1994. It is claimed that this virus was written by a student at the Polytechnic of Milan, the same author is also responsible for a slightly different variant called PG2.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Once a machine has been booted from an infected floppy diskette or hard disk, the virus allocates 1K of conventional memory, copies itself to the allocated memory and installs it's own INT 13h handler. Once this is complete the virus loads and executes the original FBR or DBR, the boot process then continues as normal.
It is interesting to note that the virus will not attempt to infect all floppy diskettes or hard disks. When a call is made to the "Read Sector" function of INT 13h the virus makes an odd calculation based on the value returned in DX from INT 1Ah function 0. (This happens to be "Get System Time" and returns the number of clock ticks since midnight in CX:DX) The following pseudo code fragment best demonstrates the calculation:
if (previous_clock_count - current_clock_count) > 54 then begin
previous_clock_count = current_clock_count infect FBR/DBR else skip_infection
The virus deems the FBR or DBR to be infected if the byte at offset 74 (4Ah) is equal to "P". The only visible text string in the virus is "PG".
The virus can be disinfected quite easily using generic methods, always after booting from a clean system diskette:
Infected floppy diskettes can be disinfected with the SYS A: command.
Infected hard disks can be disinfected with the SYS C: command.
When using the SYS command be sure to use the same DOS version that is installed on the disk you are disinfecting.
Technical Details: Jeremy Gumbley, Command Software Systems UK