   
V.6000
   
   
     _________________________________________________________________
   
   V.6000 is a dangerous memory resident polymorphic stealth multipartite
   virus. On execution of an infected file or loading from an infected
   floppy the virus writes itself into the MBR of the hard drive. The
   virus stays memory resident on loading from the infected MBR only, it
   hooks INT 8, 13h, 17h, 1Ch, 20h, 21h, 25h, 26h, 27h and writes itself
   at the end of COM- and EXE-files that are accessed or upon program
   termination. Depending on its internal counter the virus searches for
   the files and hits them. The virus checks the file names and does not
   hit the following files:
   
   COMMAND.COM, GDI.EXE, DOSX.EXE, WIN386.EXE, KRNL286.EXE, KRNL386.EXE,
   USER.EXE, WSWAP.EXE, CHKDSK.EXE
   
   On accessing floppy disks the virus writes itself into their boot
   sector. Depending on its internal counters and under debuggers the
   virus erases CMOS and hard drive sectors.
   
   The virus uses a complex algorithm allowing it to stay "memory
   resident after cold reboot and loading from clean DOS floppy disk". On
   installation the virus stores the CMOS memory that keeps the
   information about floppy drives and sets that info to zero (i.e. the
   virus emulates situation when no floppy drives are installed). On
   accessing disks the virus temporary restores the CMOS and then erases
   these fields again. On any (cold or warm) reboot the system checks the
   CMOS, does not detect the floppy disks and passes the control to the
   MBR of the hard drive. The virus installs itself into the memory and
   then passes the control to the floppy disk loader. As the result the
   virus stays memory resident after loading from clean write-protected
   floppy disk.
   
   
     _________________________________________________________________
   
   &copy; Copyright 1995 Eugene V. Kaspersky
