There are 2 variants:
- Virus.DOS.Pizelun.3599 (A and B)
When the virus is loaded into memory, it first infects COMMAND.COM, followed by hooking INT 21h to infect any executable that is run by writing itself to the end of the file. It also searches and infects files that are accessed by the GetDir function.
The virus behaves stealthy so that there is no observable file size change of the infected files.
The system may fail to recognize the infected COMMAND.COM after next boot, even it can be loaded on manual execution.
The following table shows the memory usage of the variants.
|Variant||Memory usage in bytes|
|Pizelun.3599 (A and B)||8,192|
The virus activates in May 1995 only and it contains 5 payloads.
When activated, the virus first displays the message:
PIZELUN attivato, attivatissimo! Premere un tasto per continuare . . .
Translation (from Italian):
PIZELUN activated, very active! Press any key to continue . . .
After that all characters to be displayed on the screen will be turned to lowercase. Additionally, the virus hooks INT 8, 10h and 15h in order to manifest itself in 4 different ways.
KeyLock state swap
The virus swaps the state of NumLock, CapsLock and ScrollLock, which interferes the user's input.
Alternation of hard drive label
Instead of displaying the original label of the hard drive, it displays "pizelun", as long as the virus has been activated and stays memory.
Inverts the color palette
When a graphical program using colors is run, the virus inverts the color palette that the color display of every character on screen is inverted, even the user returns to DOS, the inverted state of color of the screen is not restored.
If the user issues CTRL-ALT-DEL, the virus run a video effect which looks like the screen of lost channel of an old TV and disable the keyboard input.
Pizelun is a direct variant of Froll.
The virus contains the encrypted internal text string: