%%File: VIRS0621.TXT
%%Name/Aliases: Phoenix D, P1
%%Platform: PC/MS-DOS
%%Type: Program., Encrypted/Stealth The virus actively hides.,
%%Disk Location: COM application., COMMAND.COM.
%%Features: Memory resident; TSR above TOM., Encrypted, Polymorphic
%%Damage:
%%Size: 1704 All .COM files but COMMAND.COM, It overlays part of COMMAND.COM, Multiple infections are possible., Polymorphic: each infection different
%%See Also:
%%Notes: The Phoenix-D virus is of Bulgarian origin, and is a bug-fixed version of Phoenix. This virus is one of a family of three (3) viruses which may be referred to as the P1 or Phoenix Family.

The Phoenix virus is a memory-resident, generic infector of .COM files, and will infect COMMAND.COM. Phoenix infects COMMAND.COM by overwriting part of the binary zero portion of the program and changing the program's header information. COMMAND.COM will not change in file length.

Phoenix is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection of a .COM file will result in another 1,704 bytes of viral code being appended to the file.

Systems infected with the Phoenix virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with Phoenix memory resident will result in a warm reboot of the system; however, the memory-resident version of Phoenix will not survive the reboot.

The Phoenix virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples.

Also see: Phoenix, V1701New

A warm boot occurs when CHKDSK.COM is run.
ViruScan V66+
Scan/D, or delete infected files