| Prizzy | |
|---|---|
| Type | File virus |
| Creator | Prizzy |
| Date Discovered | 1999.08 |
| Place of Origin | Czech Republic |
| Source Language | Assembly |
| Platform | MS Windows |
| File Type(s) | .exe |
| Infection Length | 12948 bytes |
Prizzy is a Windows 9x virus that appeared in the 4th issue of the magazine 29A. It infects RAR and ACE archives, acting almost like a worm. It is polymorphic, using Prizzy's own polymorphic engine, and is notable as the first virus to take advantage of some then-new Intel instructions for the Pentium processor.
Behavior
When a file infected with Prizzy is executed, the Prizzy Polymorphic Engine decodes the virus body. The virus then calls a routine to get the base address of KERNEL32.DLL and searches it for GetProcAddressA, which it uses to locate GetDriveTypeA, the function needed by what its coder calls "hyper-infection". It displays a message box with the text "Win9x.Prizzy - welcome to my world…" and "First generation sample".
To go resident, Prizzy patches the Interrupt Descriptor Table, which is not protected under Win9x. It modifies the INT 3 vector to point to the virus and then executes that interrupt, so the virus code runs in ring 0; there it allocates memory with IFSMgr_GetMem and calls IFSMgr_InstallFileSystemApiHook to intercept file system operations.
Every three seconds, the resident virus activates its hyper-infection routine, which scans every drive that is not a CD-ROM, RAM disk, floppy disk or network share for .exe files. It also infects ACE and RAR archives, appending a virus dropper to the end of the archive under one of the file names INSTALL, SETUP, RUN, SOUND, CONFIG, HELP, GRATIS, CRACK or README, always with an .exe extension.
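As an added defender-side example (my own code, not from the page or from any 29A source), the following Python walks the member list of a RAR 1.5/2.x archive and flags an archive whose last member carries one of the dropper names listed above with an .exe extension. The parser and the sample-archive builder assume the classic RAR 2.x header layout with CRC fields ignored; ACE archives are not handled, and the archive built in the block is constructed test data, not a real Prizzy sample.

```python
import struct

# Dropper base names Prizzy appends to RAR/ACE archives, per the page; the extension is always .exe.
PRIZZY_DROPPER_NAMES = {"INSTALL", "SETUP", "RUN", "SOUND", "CONFIG", "HELP", "GRATIS", "CRACK", "README"}
RAR_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5/2.x marker block
FILE_HEAD, MAIN_HEAD, LONG_BLOCK = 0x74, 0x73, 0x8000


def rar_entries(data: bytes) -> list:
    """Walk the header chain of a RAR 1.5/2.x archive and return member names in order.
    Assumes the classic header layout (file name at header offset 32); CRCs are not verified."""
    if not data.startswith(RAR_MARKER):
        raise ValueError("not a RAR 1.5/2.x archive")
    names, pos = [], len(RAR_MARKER)
    while pos + 7 <= len(data):
        _crc, htype, flags, hsize = struct.unpack_from("<HBHH", data, pos)
        if hsize < 7:
            raise ValueError("corrupt header at offset %d" % pos)
        # LONG_BLOCK headers carry ADD_SIZE (PACK_SIZE for file headers) right after the 7-byte base.
        add_size = struct.unpack_from("<I", data, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == FILE_HEAD:
            name_size = struct.unpack_from("<H", data, pos + 26)[0]
            names.append(data[pos + 32:pos + 32 + name_size].decode("latin-1"))
        pos += hsize + add_size   # skip the header plus its packed data
    return names


def dropper_named(name: str) -> bool:
    """True when a member name is one of the Prizzy dropper names with an .exe extension."""
    base, dot, ext = name.replace("\\", "/").rsplit("/", 1)[-1].rpartition(".")
    return bool(dot) and ext.upper() == "EXE" and base.upper() in PRIZZY_DROPPER_NAMES


def is_suspicious_archive(data: bytes) -> bool:
    """Flag an archive whose last member is a dropper-named .exe, which is where Prizzy appends it."""
    names = rar_entries(data)
    return bool(names) and dropper_named(names[-1])


def _file_block(name: bytes, payload: bytes) -> bytes:
    # Minimal file header: sizes, host OS, CRC (0), time (0), version 20, method 0x30 (stored), attrs.
    body = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0, 20, 0x30, len(name), 0x20) + name
    return struct.pack("<HBHH", 0, FILE_HEAD, LONG_BLOCK, 7 + len(body)) + body + payload


def build_sample_rar(members) -> bytes:
    """Constructed test archive (not a real Prizzy sample): marker, main header, then stored members."""
    main = struct.pack("<HBHH", 0, MAIN_HEAD, 0, 13) + b"\x00" * 6
    return RAR_MARKER + main + b"".join(_file_block(n.encode("latin-1"), d) for n, d in members)
```

Run `is_suspicious_archive(open(path, "rb").read())` over archives from a suspect share to triage them; a hit is a reason to extract and inspect the last member, not proof of infection.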
Origin
Prizzy was coded in the Czech Republic by a coder of the same name. It appeared in the 4th issue of 29A magazine in December 1999 but was known to researchers by August. Shortly after contacting darkman and showing him the source code for the virus, Prizzy was admitted into 29A. Prizzy credits Vecna (particularly his Inca virus), Griyo and z0mbie as influences on the virus.
Other Facts
The Prizzy Polymorphic Engine uses Intel's then-recently introduced MMX (Matrix Math eXtension) instructions to generate garbage instructions, and was the first virus to do so. A fully 32-bit Windows virus named Legacy appeared shortly afterwards using the same instructions.
Sources
Prizzy. "Win9x.Prizzy." 29A, Issue 4, 1999.
Matrix. "Interview with Prizzy." April 2000.
Francesca Thorneloe. Virus Bulletin, December 1999.