McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• 1226

• V1226

Characteristics

Phoenix.1226 is a memory resident, encrypted, file infecting virus. It infects .COM files, though it does not infect COMMAND.COM. The Phoenix.1226 virus is a self-encrypting virus, and simple search string algorithms do not work to detect its presence on a system.

Upon infection, the virus becomes memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A is hooked.

Once Phoenix.1226 is memory resident, the virus attempts to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always successful.

Additional Comments:
The 1226 virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226 virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always entirely successful. Successfully infected files will increase in length by 1,226 bytes. This virus will infect .COM files multiple times, it is unable to determine that the file is already infected. Each time the file is infected it will grow in length by another 1,226 bytes. Eventually, the .COM files will grow too large to fit into memory. Systems infected with the 1226 virus may experience unexpected system hangs when attempting to execute programs. Another effect is that instead of a program executing, a line or two of spurious characters will appear on the system display. Lastly, infected systems will always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine. Known variant(s) of 1226 are:

Symptoms

Successfully infected files increase in length by 1,226 bytes. This virus infects .COM files multiple times, it is unable to determine if the file is already infected. Each time the file is infected it grows in length by another 1,226 bytes. Eventually, the .COM files grow too large to fit into memory.

Systems infected with the Phoenix.1226 virus may experience unexpected system hangs when attempting to execute files. Another effect is that instead of a file executing, a line or two of spurious characters appear on the system display. Infected systems always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine.

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

• 1226-B
• 1226-BDropper
• 1226D
• 1226M
• V1226M

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• 1226

• V1226

Characteristics

Characteristics -

Phoenix.1226 is a memory resident, encrypted, file infecting virus. It infects .COM files, though it does not infect COMMAND.COM. The Phoenix.1226 virus is a self-encrypting virus, and simple search string algorithms do not work to detect its presence on a system.

Upon infection, the virus becomes memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A is hooked.

Once Phoenix.1226 is memory resident, the virus attempts to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always successful.

Additional Comments:
The 1226 virus was isolated in Bulgaria in July 1990 by Vesselin Bontchev. This virus is a memory resident generic .COM infector, though it does not infect COMMAND.COM. The 1226 virus is a self- encrypting virus, and simple search string algorithms will not work to detect its presence on a system. The first time a program infected with the 1226 virus is executed, the virus will install itself memory resident, reserving 8,192 bytes of memory at the top of free memory. Interrupt 2A will be hooked. Once 1226 is memory resident, the virus will attempt to infect any .COM file that is executed that is at least 1,226 bytes in length before infection. The virus is rather "buggy" and the infection process is not always entirely successful. Successfully infected files will increase in length by 1,226 bytes. This virus will infect .COM files multiple times, it is unable to determine that the file is already infected. Each time the file is infected it will grow in length by another 1,226 bytes. Eventually, the .COM files will grow too large to fit into memory. Systems infected with the 1226 virus may experience unexpected system hangs when attempting to execute programs. Another effect is that instead of a program executing, a line or two of spurious characters will appear on the system display. Lastly, infected systems will always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine. Known variant(s) of 1226 are:

Symptoms

Symptoms -

Successfully infected files increase in length by 1,226 bytes. This virus infects .COM files multiple times, it is unable to determine if the file is already infected. Each time the file is infected it grows in length by another 1,226 bytes. Eventually, the .COM files grow too large to fit into memory.

Systems infected with the Phoenix.1226 virus may experience unexpected system hangs when attempting to execute files. Another effect is that instead of a file executing, a line or two of spurious characters appear on the system display. Infected systems always indicate that they have 8,192 less bytes of total system and free memory available than is actually on the machine.

Method of Infection

Method of Infection -

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

• 1226-B
• 1226-BDropper
• 1226D
• 1226M
• V1226M