Classification

Category: Malware

Type: Virus

Aliases: PHX

Summary


This virus is quite common in South America, but isolated reports have been received from Northern Europe as well.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details


PHX stays resident in memory and infects COM and EXE programs when they are executed.

When PHX is infecting a file, it calls it by a name that has the "!" character appended to the end of the name, ie. FILE.EXE is called by the name FILE.EXE!, which works as well. This is done in order to by-pass some behaviour blockers that monitor access to files with executable extensions.

PHX alters one field in CMOS memory, and might cause CMOS corruption. The virus will also sometimes corrupt disk writes. This happens only when several conditions are met. These conditions include that an environment variable beginning with "PHX" is present, a certain INT call is made from within a certain type of program code and that an IN to port 03E4h returns anything else except the value FFh.

The activation routines are directed against applications written by a specific person and company.