Virus Name:  PUR'CYST
Aliases:     PURE CYST, PERSIST
V Status:    New, Research
Discovery:   February, 1995
Symptoms:    TSR, BSC - But Can Not Be Detected With Cold Boot, 
             CMOS Floppy Drive Type May Change
Origin:      USA
Eff Length:  378 Bytes
Type Code:   BRtX - Resident Boot Sector and Master Boot Sector Infector
Detection Method:  None
Removal Instructions:  See Below

General Comments:


        The PUR'CYST virus is very unique.  It will remain resident through
        a warm boot (Ctrl-Alt-Del).  It will remain resident through a cold
        boot (Reset Button).  It will remain resident through a very cold
        boot (Power Off and On).
        
        The PUR'CYST virus is a memory resident boot sector stealth virus.  
        It infects both the Patrition Table and the DOS Boot Record of the
        Hard Disk on both physical Drives C: and D:.  The original Partition
        Table will be moved to side 0 cylinder 0 sector 9.  The original
        DOS Boot Record will be moved to side 0 cylinder 0 sector 10.
        
        Once the virus is resident it will infect the DOS Boot Record of
        any Floppy Disk that is accessed.  It will infect disks in Drive A:
        and Drive B:.  The original Floppy DBR will be moved to the last 
        sector of the Root Directory.  It will infect 360k, 720k, 1.2M, 1.44M
        and 2.88M Floppies.

        The PUR'CYST virus does no intentional damage.  No messages are 
        displayed.  The text string "PUR'SYST" is contained in the virus
        code.  The CMOS Drive type of Drive A: may change.  If the infected
        computer does NOT use the ABIOS (IBM PS/1 and PS/2) CMOS structure,
        the CMOS will be modified as such:  1.2M will change to 360k, 1.44M
        will change to 720k.  By changing the CMOS drive type like this, the
        Floppy Disk will not load when the computer is rebooted.  The virus
        will load from the Partition Table, correct the CMOS, reload from
        the Floppy Disk and Boot up.  This way it will remain resident 
        through a cold boot.  The virus works very well with the AMI BIOS.

        As the name implies, the virus is very persistant in remaining in
        existance.  The Virus must be removed by following these directions
        exactly.  On an uninfected system with the same version of DOS,
        create a Boot Disk with the Operating system on it.  (FORMAT A:/S)  
        Copy FDISK.EXE and SYS.COM to the Floppy Disk.  Reboot the computer.  
        Run the CMOS setup and change the floppy drive type of Drive A: to 
        the correct drive type.  Boot from the clean write protected Boot 
        disk.  Type FDISK /MBR at the DOS prompt to remove the virus from 
        the Partition Table.  Type SYS C: to remove the virus from the DOS
        Boot Record of Drive C:.  Reboot again from the Hard Disk.  The system
        is clean.  Format all infected Floppy disks or run SYS A: or SYS B: 
        to remove the virus from each Floppy.