Virus Name: PUR'CYST Aliases: PURE CYST, PERSIST V Status: New, Research Discovery: February, 1995 Symptoms: TSR, BSC - But Can Not Be Detected With Cold Boot, CMOS Floppy Drive Type May Change Origin: USA Eff Length: 378 Bytes Type Code: BRtX - Resident Boot Sector and Master Boot Sector Infector Detection Method: None Removal Instructions: See Below General Comments: The PUR'CYST virus is very unique. It will remain resident through a warm boot (Ctrl-Alt-Del). It will remain resident through a cold boot (Reset Button). It will remain resident through a very cold boot (Power Off and On). The PUR'CYST virus is a memory resident boot sector stealth virus. It infects both the Patrition Table and the DOS Boot Record of the Hard Disk on both physical Drives C: and D:. The original Partition Table will be moved to side 0 cylinder 0 sector 9. The original DOS Boot Record will be moved to side 0 cylinder 0 sector 10. Once the virus is resident it will infect the DOS Boot Record of any Floppy Disk that is accessed. It will infect disks in Drive A: and Drive B:. The original Floppy DBR will be moved to the last sector of the Root Directory. It will infect 360k, 720k, 1.2M, 1.44M and 2.88M Floppies. The PUR'CYST virus does no intentional damage. No messages are displayed. The text string "PUR'SYST" is contained in the virus code. The CMOS Drive type of Drive A: may change. If the infected computer does NOT use the ABIOS (IBM PS/1 and PS/2) CMOS structure, the CMOS will be modified as such: 1.2M will change to 360k, 1.44M will change to 720k. By changing the CMOS drive type like this, the Floppy Disk will not load when the computer is rebooted. The virus will load from the Partition Table, correct the CMOS, reload from the Floppy Disk and Boot up. This way it will remain resident through a cold boot. The virus works very well with the AMI BIOS. As the name implies, the virus is very persistant in remaining in existance. The Virus must be removed by following these directions exactly. On an uninfected system with the same version of DOS, create a Boot Disk with the Operating system on it. (FORMAT A:/S) Copy FDISK.EXE and SYS.COM to the Floppy Disk. Reboot the computer. Run the CMOS setup and change the floppy drive type of Drive A: to the correct drive type. Boot from the clean write protected Boot disk. Type FDISK /MBR at the DOS prompt to remove the virus from the Partition Table. Type SYS C: to remove the virus from the DOS Boot Record of Drive C:. Reboot again from the Hard Disk. The system is clean. Format all infected Floppy disks or run SYS A: or SYS B: to remove the virus from each Floppy.