Classification

Category: Malware

Type: Virus

Aliases: Peter_II, Peter

Summary

Peter_II is a boot sector virus which infects diskette boot sectors and hard disk Master Boot Records. As is normal for boot sector viruses, Peter_II can infect a hard disk only if the computer is booted from an infected diskette. After the initial Master Boot Record infection, Peter_II will go resident in high DOS memory every time the computer is booted from the hard disk.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Once Peter_II has managed to install itself into memory, it will infect practically every diskette used in the computer that is not write-protected. Peter_II is also a stealth virus: if you try to examine the boot record on an infected computer, the virus will show you the original, clean record.

Peter_II activates every year on the 27th of February. When the computer is booted, the virus displays the following message:

Good morning,EVERYbody,I am PETER II
 Do not turn off the power, or you will lost all of the data in
 Hardisk!!!
 WAIT for 1 MINUTES,please...

After this, the virus encrypts the whole hard disk by issuing XOR 78h to every byte on each sector. Having done that, the virus continues by displaying the following questionnaire:

Ok. If you give the right answer to the following questions, I will
save your HD:
A. Who has sung the song called "I'll be there" ?
1.Mariah Carey
2.The Escape Club
3.The Jackson five
4.All
(1-4):
B. What is Phil Collins ?
1.A singer
2.A drummer
3.A producer
4.Above all(1-4):
C. Who has the MOST TOP 10 singles in 1980's ?
1.Michael Jackson
2.Phil Collins (featuring Genesis)
3.Madonna
4.Whitney Houston(1-4):

If the user gives correct answers to every question, the virus decrypts the hard disk and displays the following message:

CONGRATULATIONS !!! YOU successfully pass the quiz!
 AND NOW RECOVERING YOUR HARDISK ......

The user can then continue using the computer normally. However, if incorrect answers are given, the virus will not decrypt the hard disk. Instead, it will just display the following message:

Sorry!Go to Hell.Clousy man!

In case you do not find out about the infection until the virus starts its mischief, the correct answers are 4, 4 and 2. Of course, it is better to take care of the matter beforehand; F-Secure anti-virus products are able to detect and disinfect the Peter_II virus.
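Because the payload is a single-byte XOR with 78h, the encoding is its own inverse, and a forensic copy of a disk can be triaged sector by sector, which matters if the pass was interrupted and only part of the disk was encoded. The following is an added example, not code from F-Secure or from the virus; the 512-byte sector size, the 90% fill thresholds and the sample data are assumptions of this sketch, and it is meant to be run on a copy of the disk image only.

```python
SECTOR = 512
KEY = 0x78  # XOR key given in the description above
_TABLE = bytes(b ^ KEY for b in range(256))
BOOT_SIG = b"\x55\xaa"  # standard boot-sector signature at offset 510


def xor78(data: bytes) -> bytes:
    """XOR every byte with 78h. Applying it twice restores the input."""
    return data.translate(_TABLE)


def classify(sector: bytes) -> str:
    """Heuristic triage of one sector (assumption of this example)."""
    if len(sector) != SECTOR:
        return "unknown"
    sig = sector[510:512]
    if sig == BOOT_SIG:
        return "plain"
    if sig == xor78(BOOT_SIG):  # 2D D2: an encoded boot signature
        return "encoded"
    if sector.count(KEY) > SECTOR * 0.9:  # zero fill turns into 78h fill
        return "encoded"
    if sector.count(0) > SECTOR * 0.9:
        return "plain"
    return "unknown"  # needs file-system context to decide


def recover(image: bytes):
    """Decode only sectors classified as encoded; return (image, report)."""
    out, report = bytearray(), []
    for off in range(0, len(image), SECTOR):
        sector = image[off:off + SECTOR]
        kind = classify(sector)
        report.append(kind)
        out += xor78(sector) if kind == "encoded" else sector
    return bytes(out), report


def demo():
    # Constructed sample: pass interrupted after two of four sectors.
    boot = b"\xeb\x3c\x90MSDOS5.0" + bytes(499) + BOOT_SIG
    zero = bytes(SECTOR)
    text = b"README " * 73 + b"\n"
    damaged = xor78(boot) + xor78(zero) + zero + text
    fixed, report = recover(damaged)
    return fixed == boot + zero + zero + text, report


if __name__ == "__main__":
    print(demo())
```

Sectors reported as "unknown" are left untouched; deciding whether they are encoded requires context such as the file system's own structures.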