Evil Empire Virus


 Virus Name:  Evil Empire 
 Aliases:     Evil Empire-A 
 V Status:    Common 
 Discovered:  April, 1991 
 Symptoms:    BSR; decrease in total system and available free memory 
 Origin:      Alberta, Canada 
 Eff Length:  N/A 
 Type Code:   BRtX - Resident Boot Sector & Master Boot Sector Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, 
                    NAV, IBMAV, NAVDX, VAlert, PCScan, ChAV 
 Removal Instructions:  M-Disk/P 
 
 General Comments: 
       The Evil Empire virus was isolated in Alberta, Canada, in April 
       1991. This virus is a memory resident infector of floppy boot 
       sectors and the hard disk master boot sector (partition table).  It 
       is based on the Stoned virus. 
 
       The first time a system is booted from a diskette infected with the 
       Evil Empire virus, this virus will install itself memory resident as 
       well as infect the hard disk master boot sector.  The virus will be 
       resident at the top of system memory, but below the 640K DOS 
       boundary, and interrupt 12's return will be moved.  Total system and 
       available free memory will be 2,048 bytes less than expected.  The 
       hard disk's master boot sector will be infected, with the virus 
       having moved the original master boot sector to cylinder 0, side 0, 
       sector 6, and then writing a copy of itself to cylinder 0, side 0, 
       sector 0 (the master boot sector location). 
 
       After Evil Empire is memory resident, it will infect non-write 
       protected diskettes as they are accessed on the system. 
       Infected diskettes will have their original boot sector moved to 
       sector 10, which is part of the root directory. 
 
       The text string "PCAT" can be found near the end of the 
       floppy boot sector as well as in the hard disk master boot sector of 
       infected systems. 
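
An added example, not part of the original entry: a Python triage of a raw disk image for the two on-disk indicators described above, the "PCAT" string near the end of the boot sector and a relocated copy of the original boot sector. It assumes the entry's sector numbers count from 0 at the boot sector and that "near the end" means the last 128 bytes; the function names and sample images are constructed for illustration.

```python
"""Triage a raw disk image for the Evil Empire indicators described above."""
SECTOR = 512
BOOT_SIG = b"\x55\xaa"   # standard boot-sector signature at offset 510
MARKER = b"PCAT"         # text string named in the entry
TAIL = 128               # assumption: "near the end" = last 128 bytes
# The entry's sector numbers, assumed to count from 0 at the boot sector.
RELOCATED = {"hard_disk": 6, "diskette": 10}


def read_sector(image: bytes, index: int):
    chunk = image[index * SECTOR:(index + 1) * SECTOR]
    return chunk if len(chunk) == SECTOR else None  # None: image too short


def triage(image: bytes, media: str) -> dict:
    boot = read_sector(image, 0)
    if boot is None:
        raise ValueError("image is shorter than one sector")
    offset = boot.rfind(MARKER)
    marker_hit = offset >= SECTOR - TAIL
    saved = read_sector(image, RELOCATED[media])
    # A second, different sector carrying the boot signature in the relocation
    # slot is unexpected: that slot is normally unused track-0 space on a hard
    # disk and root directory entries on a diskette.
    relocated_hit = (saved is not None and saved[-2:] == BOOT_SIG
                     and saved != boot)
    verdict = ("clean", "review", "suspect")[marker_hit + relocated_hit]
    return {"marker_offset": offset if marker_hit else None,
            "relocated_boot_sector": relocated_hit, "verdict": verdict}


def build_sample(media: str, infected: bool) -> bytes:
    """Constructed 16-sector test image; contains no virus code."""
    original = b"\xeb\x3c\x90" + bytes(SECTOR - 5) + BOOT_SIG
    sectors = [bytes(SECTOR)] * 16
    sectors[0] = original
    if infected:
        fake = bytearray(SECTOR)      # stand-in for an infected boot sector
        fake[440:444] = MARKER
        fake[-2:] = BOOT_SIG
        sectors[0] = bytes(fake)
        sectors[RELOCATED[media]] = original
    return b"".join(sectors)


if __name__ == "__main__":
    for media in RELOCATED:
        for infected in (False, True):
            print(media, infected, triage(build_sample(media, infected), media))
```

A "review" verdict means only one indicator matched, for example when the image is too short to contain the relocation slot; the string alone is a weak signal and should be confirmed with a scanner.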
 
       Diskettes may be damaged when they are infected with Evil Empire due 
       to the virus overwriting sector 10 of the disk directory.  If root 
       directory entries were originally in this sector, they will be lost. 
 
       A note on disinfecting Evil Empire: copying the original master boot 
       sector from sector 6 to sector 0 will result in the diskette being 
       disinfected, but it will also now be a non-system hard disk.  If 
       this occurs, Norton Disk Doctor can be used to correct the situation. 
 
       Some anti-viral programs may detect Evil Empire as Azusa. 
 
       Known variant(s) of Evil Empire are: 
       Evil Empire-B: Based on the Evil Empire virus described above, 
                      this variant's size in memory is 1,024 bytes.  It 
                      moves the original master boot sector to cylinder 0, 
                      side 0, sector 3, and then replaces the original 
                      master boot sector at sector 1 with a copy of itself. 
                      This copy will extend to sector 2 as the virus is 
                      longer than 512 bytes.  On diskettes, the virus will 
                      move the original boot sector to sector 11.  Evil 
                       Empire-B is a fully encrypted virus; no text messages 
                      will appear in infected boot sectors or master boot 
                      sectors.  The following message, however, may be 
                      displayed on boot of systems: 
                      "PCAT LIVE FR LVE ˙becomes  
 
       See:   Azusa   Stoned 
