last week a friend had an ugly Internet worm virus. The interesting thing was,
that the virus was attached as a .pif file, which contains a word document and the virus exe.
After double click, the documents where splitted and the word file
could be viewed normally. The exe part was executed. So the user
didnt recognize, that anything unusual happend.

So I wonder, what for is a .pif? (I only know for storing DOS program information and icons) And how to wire some other
data into a pif?


( I dont want to make an own virus! I'm only interested in the technical stuff)

also funny - the virus was written in TurboPascal / Delphi and
is 130 KByte large :grin: !!
Posted on 2001-09-03 04:08:49 by beaster
I get about 40 version of that virus during this summer
It's most of the time a short msg with a document like

Posted on 2001-09-03 04:38:46 by (scalp)

Sounds like a copy of SirCam. I have had 20 or 30 of them but they are starting to die out now, about 160k of Delphi junk with random attachment names taken from the DOCS directory apparently. AVP and a few of the AV companies have data on it and how to get rid of it.

Posted on 2001-09-03 04:52:16 by hutch--

.pif is a file extension for DOS shortcuts and typically windows
wouldn't show this extension in explorer.
If for example you rename any exe file to a .pif extension it will still execute as inside first two bytes is MZ signature.
Simply any exe file have the ability to call ms-word and display any .doc file.

All extension as (scalp) showed will execute any exe file.
He just miss .SCR extension.

This is just poor trick taking advantage of innocent people.
Posted on 2001-09-03 04:52:53 by forge
Thanks, quite interesting!

Indeed, it was a SirCam.
Posted on 2001-09-03 07:39:11 by beaster
I got hit by something similiar a month ago, cept it attached .VBS to my media files (BMP, MP3, etc)... i was a resource dictator and didn't allow NAV to run in the background.

lost quite a few files on the harddrive and pretty much hosed it. I will reformat when I save up enuff to get win2k pro...but still have my best porn links on the net saved in IE heh

Posted on 2001-09-04 10:17:14 by drarem
PIF was the extension used for Win16 shortcuts.
Posted on 2001-09-04 16:44:57 by tank
.PIF is the extension for all DOS programs. I mean shortcuts.
Just try in the windows:
Find *.pif
and you will be surprised of how many you will find on your hard drive.
And if it is more then 4kb in size, you have something suspicious going on your PC.
Posted on 2001-09-05 01:44:37 by forge
Windows creates a PIF file anytime you run a DOS program, and change the default properties of the "DOS box" that it runs in. Foe example, if you hide the toolbar, use a different font, or change the memory management settings for a certain program. Windows saves the info in a PIF file with the same name as the associated EXE file. When you run the program, Windows loads the PIF file to set-up the DOS box. :)
Posted on 2001-09-05 02:53:20 by S/390
Just try to save this little file and double click it.
It is innocent file, which you already have on your machine anyway. Just with different extension.
It is a stupid trick, isn't it?
Posted on 2001-09-05 06:35:49 by forge
I got hit by something similiar a month ago, cept it attached .VBS to my media files (BMP, MP3, etc)...
What do you mean attached? If the file extension is BMP, MP3, etc, then the file is pretty much harmless, even if it is an executable file in reality. If the extension name is .exe, .pif, .com, but its actually a media with with an executable "attached" to the end, it still wont execute and do any harm, so what do you mean?
Posted on 2001-09-05 09:31:17 by vcv