Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Roma


Aliases:


Roma
PG

Malware
Virus
W32

Summary

This virus was first reported in Milan during the summer of 1994. It is claimed that this virus was written by a student at the Polytechnic of Milan, the same author is also responsible for a slightly different variant called PG2.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Once a machine has been booted from an infected floppy diskette or hard disk, the virus allocates 1K of conventional memory, copies itself to the allocated memory and installs it's own INT 13h handler. Once this is complete the virus loads and executes the original FBR or DBR, the boot process then continues as normal.

It is interesting to note that the virus will not attempt to infect all floppy diskettes or hard disks. When a call is made to the "Read Sector" function of INT 13h the virus makes an odd calculation based on the value returned in DX from INT 1Ah function 0. (This happens to be "Get System Time" and returns the number of clock ticks since midnight in CX:DX) The following pseudo code fragment best demonstrates the calculation:

if (previous_clock_count - current_clock_count) > 54 then begin

previous_clock_count = current_clock_count
        infect FBR/DBR
        else skip_infection

The virus deems the FBR or DBR to be infected if the byte at offset 74 (4Ah) is equal to "P". The only visible text string in the virus is "PG".

The virus can be disinfected quite easily using generic methods, always after booting from a clean system diskette:

Infected floppy diskettes can be disinfected with the SYS A: command.

Infected hard disks can be disinfected with the SYS C: command.

When using the SYS command be sure to use the same DOS version that is installed on the disk you are disinfecting.





Technical Details: Jeremy Gumbley, Command Software Systems UK



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.