56 lines
3.0 KiB
Plaintext
56 lines
3.0 KiB
Plaintext
Virus Name: PUR'CYST
|
|
Aliases: PURE CYST, PERSIST
|
|
V Status: New, Research
|
|
Discovery: February, 1995
|
|
Symptoms: TSR, BSC - But Can Not Be Detected With Cold Boot,
|
|
CMOS Floppy Drive Type May Change
|
|
Origin: USA
|
|
Eff Length: 378 Bytes
|
|
Type Code: BRtX - Resident Boot Sector and Master Boot Sector Infector
|
|
Detection Method: None
|
|
Removal Instructions: See Below
|
|
|
|
General Comments:
|
|
|
|
|
|
The PUR'CYST virus is very unique. It will remain resident through
|
|
a warm boot (Ctrl-Alt-Del). It will remain resident through a cold
|
|
boot (Reset Button). It will remain resident through a very cold
|
|
boot (Power Off and On).
|
|
|
|
The PUR'CYST virus is a memory resident boot sector stealth virus.
|
|
It infects both the Patrition Table and the DOS Boot Record of the
|
|
Hard Disk on both physical Drives C: and D:. The original Partition
|
|
Table will be moved to side 0 cylinder 0 sector 9. The original
|
|
DOS Boot Record will be moved to side 0 cylinder 0 sector 10.
|
|
|
|
Once the virus is resident it will infect the DOS Boot Record of
|
|
any Floppy Disk that is accessed. It will infect disks in Drive A:
|
|
and Drive B:. The original Floppy DBR will be moved to the last
|
|
sector of the Root Directory. It will infect 360k, 720k, 1.2M, 1.44M
|
|
and 2.88M Floppies.
|
|
|
|
The PUR'CYST virus does no intentional damage. No messages are
|
|
displayed. The text string "PUR'SYST" is contained in the virus
|
|
code. The CMOS Drive type of Drive A: may change. If the infected
|
|
computer does NOT use the ABIOS (IBM PS/1 and PS/2) CMOS structure,
|
|
the CMOS will be modified as such: 1.2M will change to 360k, 1.44M
|
|
will change to 720k. By changing the CMOS drive type like this, the
|
|
Floppy Disk will not load when the computer is rebooted. The virus
|
|
will load from the Partition Table, correct the CMOS, reload from
|
|
the Floppy Disk and Boot up. This way it will remain resident
|
|
through a cold boot. The virus works very well with the AMI BIOS.
|
|
|
|
As the name implies, the virus is very persistant in remaining in
|
|
existance. The Virus must be removed by following these directions
|
|
exactly. On an uninfected system with the same version of DOS,
|
|
create a Boot Disk with the Operating system on it. (FORMAT A:/S)
|
|
Copy FDISK.EXE and SYS.COM to the Floppy Disk. Reboot the computer.
|
|
Run the CMOS setup and change the floppy drive type of Drive A: to
|
|
the correct drive type. Boot from the clean write protected Boot
|
|
disk. Type FDISK /MBR at the DOS prompt to remove the virus from
|
|
the Partition Table. Type SYS C: to remove the virus from the DOS
|
|
Boot Record of Drive C:. Reboot again from the Hard Disk. The system
|
|
is clean. Format all infected Floppy disks or run SYS A: or SYS B:
|
|
to remove the virus from each Floppy.
|