Power_Pump

Classification

Category: Malware

Type: Virus

Aliases: Power_Pump

Summary

There are at least two different versions of this virus, versions 1.1 and 1.2.

Power_Pump is a very simple and badly programmed companion virus. The virus operates by using two separate executable files.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The first of these programs is always called POWER.EXE and is programmed in Turbo C. The second program changes its name with every infection: it takes the file name of the victim file but uses a COM extension instead of the EXE extension. This way the user accidentally executes it when running a program without specifying the extension (as is usually done).

The second program is actually a batch file, which has been compiled with BAT2EXE. Once this program is run, it attempts to execute POWER.EXE, which will do the actual replication and then execute the original victim file.
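A defender's check for the companion layout described above, as an added example that is not part of the original description: it walks a directory tree and reports every COM file that shares its base name with an EXE file in the same directory, and notes whether a POWER.EXE is present there. The function names and the sample tree are constructed for illustration, and the check assumes the companion and POWER.EXE are placed in the victim's directory, which the description does not state.

```python
import os
import tempfile

def find_companion_pairs(root):
    """List every X.COM that sits beside an X.EXE in the same directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_stem = {}
        for name in files:
            stem, ext = os.path.splitext(name)
            # DOS names are case-insensitive, so compare in upper case.
            by_stem.setdefault(stem.upper(), {})[ext.upper()] = name
        # POWER.EXE is the fixed name the description gives for the replicator.
        power_present = ".EXE" in by_stem.get("POWER", {})
        for stem in sorted(by_stem):
            exts = by_stem[stem]
            if ".COM" in exts and ".EXE" in exts:
                findings.append({
                    "dir": os.path.relpath(dirpath, root),
                    "com": exts[".COM"],
                    "exe": exts[".EXE"],
                    "power_exe_present": power_present,
                })
    return sorted(findings, key=lambda f: (f["dir"], f["com"]))

# Constructed sample tree (file names are made up, contents are empty).
SAMPLE_TREE = {
    "GAMES": ["DEMO.EXE", "DEMO.COM", "POWER.EXE", "README.TXT"],
    "TOOLS": ["EDIT.COM", "LIST.EXE"],
    "UTIL": ["fmt.exe", "FMT.COM"],
}

def scan_constructed_sample():
    """Build SAMPLE_TREE in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for sub, names in SAMPLE_TREE.items():
            os.makedirs(os.path.join(root, sub))
            for name in names:
                open(os.path.join(root, sub, name), "wb").close()
        return find_companion_pairs(root)

if __name__ == "__main__":
    for f in scan_constructed_sample():
        note = "POWER.EXE in same directory" if f["power_exe_present"] else "pair only"
        print(f'{f["dir"]}: {f["com"]} shadows {f["exe"]} ({note})')
```

A matching pair is a lead for review rather than a verdict, since the check looks only at file names and not at file contents.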

Power_Pump is so badly programmed that it crashes on almost every execution with a "Null pointer assignment" error. Sometimes the virus displays this text:

 Power Pump v1.1 = The Choice Of A New Generation
 

The virus was probably made in England, since there were multiple reports of it being found there in 1992.

In addition, Power_Pump has been spread with several different shareware games collections, in a file called XYPHR2.ZIP or similar. Despite this, the virus is not common.

Power_Pump cannot be considered a real threat due to the bugginess of its code. It's highly unlikely that it could spread very far from an infected machine without being noticed.

It should be noted that since the virus is programmed in Turbo C and DOS batch language, false alarms of this virus are more likely than usual. If an antivirus program flags a file as infected with Power_Pump, re-check with other products.