%%File: VIRS0209.TXT
%%Name/Aliases: Cansu, V, V-sign, Sigalit
%%Platform: PC/MS-DOS
%%Type: Boot sector., 
%%Disk Location: Floppy disk boot sector., Hard disk partition table.
%%Features: Memory resident; TSR.
%%Damage: Interferes with a running application., Corrupts hard disk 
partition table, Corrupts floppy disk boot sector
%%Size: Overlays boot sector, no increase
%%See Also: Brasil
%%Notes: Strange Video effects
Seen in Queensland Australia.

The virus has two parts, the boot sector and the  virus body. The boot 
sector contains  a short routine  which  loads the  virus  body  into  
memory  and transfers control to it. The virus body is located in:

    Cylinder 0, Head 0, Sector 4 + 5        Harddisk

    Track 0, Head 1, Sector 2 + 3           5.25" DD
    Track 0, Head 1, Sector 13 + 14         5.25" HD
    Track 0, Head 1, Sector 4 + 5           3.5"  DD
    Track 0, Head 1, Sector 14 + 15         3.5"  HD

On floppy  disks these  sectors are the last two sectors of the root 
directory.

When executed,  the virus  goes memory  resident  and hooks interrupt  
vector 13 . 

A bug causes floppy disks infected in drive  B: to not  work correctly.  
If  you  boot  with  such  an
infected disk,  the virus  try's to  load the  virus body  from drive  
B: instead of A:.  If  there isn't an infected disk in drive B, your 
system hangs.

There are  two variants  which differ  in the  payload  trigger. After 
64  (variant 1)  or 32  (variant  2)  infections  in  a system that has 
not been shut down or rebooted, it will display a "V" (Victory) sign on 
screen and hang the computer.

To remove  the virus from a  hard disk use the undocumented  FDISK /MBR 
command which  writes a  new partition  record without changing the 
partition table.

Detect with Virhunt 4.0B, SCANV106, fprot 209d, vispy 11.0.