Classification

Category :

Malware

Type :

Virus

Aliases :

Roma, PG

Summary

This virus was first reported in Milan during the summer of 1994. It is claimed that the virus was written by a student at the Polytechnic of Milan; the same author is also said to be responsible for a slightly different variant called PG2.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Once a machine has been booted from an infected floppy diskette or hard disk, the virus allocates 1 KB of conventional memory, copies itself into the allocated block and installs its own INT 13h handler. Once this is complete the virus loads and executes the original FBR or DBR, and the boot process then continues as normal.

It is interesting to note that the virus does not attempt to infect every floppy diskette or hard disk it sees. When the "Read Sector" function of INT 13h (function 02h) is called, the virus makes an odd calculation based on the value returned in DX by INT 1Ah function 0. (That function is "Get System Time"; it returns the number of BIOS timer ticks since midnight in CX:DX, at about 18.2 ticks per second, so DX holds only the low 16 bits of the count and 54 ticks is roughly three seconds.) The following pseudo code fragment best demonstrates the calculation:

if (previous_clock_count - current_clock_count) > 54 then begin
    previous_clock_count := current_clock_count;
    infect FBR/DBR
end
else
    skip_infection

The virus deems the FBR or DBR to be already infected if the byte at offset 74 (4Ah) is equal to "P" (50h). The only visible text string in the virus is "PG".
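The following is an added example, not code from the original page or from the virus itself. It models the two decisions PG makes in its INT 13h handler: the timing gate from the pseudo code above, evaluated on the 16-bit DX half of the INT 1Ah tick count (so the subtraction wraps modulo 65536), and the "already infected" test on byte 4Ah of a boot record. Whether the virus compares the wrapped difference signed or unsigned is not stated on the page, so both readings are modelled; the tick sequence and the boot record contents are constructed for the demonstration.

```c
/* Added example (not code from the original page or from the virus itself):
 * a model of the two decisions PG makes inside its INT 13h handler.
 *  1. The timing gate from the pseudo code: (previous - current) > 54, where
 *     both values are the 16-bit DX half of the INT 1Ah/00h tick count, so the
 *     subtraction wraps modulo 65536. Whether the virus compares the result
 *     signed (JG) or unsigned (JA) is not stated on the page; both are modelled.
 *  2. The "already infected" test: byte 0x4A of the boot record equals 'P'.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PG_MARKER_OFFSET   0x4A
#define PG_MARKER_BYTE     'P'
#define PG_TICK_THRESHOLD  54     /* about 3 s at the 18.2 Hz BIOS timer rate */
#define SECTOR_SIZE        512

/* One evaluation of the gate. previous_dx is updated only when the gate opens,
 * as in the pseudo code. signed_compare selects the JG (true) or JA (false)
 * reading of "> 54" applied to the wrapped 16-bit difference. */
bool pg_gate(uint16_t *previous_dx, uint16_t current_dx, bool signed_compare)
{
    uint16_t diff = (uint16_t)(*previous_dx - current_dx);   /* wraps mod 2^16 */
    bool open = signed_compare ? ((int16_t)diff > PG_TICK_THRESHOLD)
                               : (diff > PG_TICK_THRESHOLD);
    if (open)
        *previous_dx = current_dx;
    return open;
}

/* Replay a sequence of DX values observed at successive read-sector calls and
 * return how many of those calls would have led to an infection attempt. */
int pg_replay(const uint16_t *dx_values, int n, uint16_t start_previous,
              bool signed_compare)
{
    uint16_t previous = start_previous;
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (pg_gate(&previous, dx_values[i], signed_compare))
            hits++;
    return hits;
}

/* Constructed tick sequence (an assumption, not captured data): the clock
 * advancing one tick at a time, two reads in the same tick, a jump of ~100
 * ticks, the low word just before it wraps, and just after the wrap. */
static const uint16_t pg_demo_ticks[] = { 1000, 1001, 1001, 1002, 1100, 65535, 3 };
#define PG_DEMO_N ((int)(sizeof pg_demo_ticks / sizeof pg_demo_ticks[0]))

int pg_demo_hits(bool signed_compare)
{
    return pg_replay(pg_demo_ticks, PG_DEMO_N, 1000, signed_compare);
}

/* Marker test on a 512-byte boot record image (for instance sector 0 of a
 * floppy image read with dd). */
bool pg_is_infected(const uint8_t *sector)
{
    return sector[PG_MARKER_OFFSET] == PG_MARKER_BYTE;
}

/* Builds a constructed boot record with or without the marker and returns
 * what the marker test says about it. */
bool pg_marker_demo(bool marked)
{
    uint8_t sector[SECTOR_SIZE];
    memset(sector, 0, sizeof sector);
    sector[0] = 0xEB;          /* typical JMP SHORT at the start of a boot record */
    if (marked)
        sector[PG_MARKER_OFFSET] = PG_MARKER_BYTE;
    return pg_is_infected(sector);
}

int main(void)
{
    printf("unsigned compare: gate opens on %d of %d read-sector calls\n",
           pg_demo_hits(false), PG_DEMO_N);
    printf("signed compare:   gate opens on %d of %d read-sector calls\n",
           pg_demo_hits(true), PG_DEMO_N);
    printf("clean record flagged: %d, marked record flagged: %d\n",
           pg_marker_demo(false), pg_marker_demo(true));
    return 0;
}
```

Under the unsigned reading the gate opens on five of the seven constructed calls: any read in a later tick than the last infection produces a wrapped difference far above 54, so only reads within the same tick are skipped. Under the signed reading it opens once, only when the wrapped difference lands in the positive range, which happens when DX has moved on by more than about 32768 ticks (roughly half an hour) since the last infection. The page does not say which comparison the virus uses; the signed reading is the one that would make the virus skip most disks, as the text describes.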

The virus can be disinfected quite easily using generic methods, always after booting from a clean system diskette:

Infected floppy diskettes can be disinfected with the SYS A: command.

Infected hard disks can be disinfected with the SYS C: command.

When using the SYS command be sure to use the same DOS version that is installed on the disk you are disinfecting.