%%File: VIRS0352.TXT
%%Name/Aliases: Empire, Empire A, Empire C, Empire D, Stoned variant, 
Empire B.2, UofA
%%Platform: PC/MS-DOS
%%Type: Boot sector., 
%%Disk Location: Floppy disk boot sector., Hard disk boot sector.
%%Features: Memory resident; TSR.
%%Damage: Corrupts boot sector
%%Size: Overlays boot sector, no increase
%%See Also: Azusa
%%Notes: Derived from the Stoned virus, originally from Univ. of 
Alberta.  Last known variant released July 10, 1991, total of 18 
variants identified to date.  Variants have differences in the code, 
indicating separate prramming efforts on the part of the virus writer.  
Empire C gets around the simple "chkdsk" for boot sector viruses.  Since 
most boot sector viruses have to reduce the number of "total bytes of 
memory" of a computer to hide at the top of memory, the virus can be 
detected by seeing whether "chkdsk" returns 1k or 2k less than it is 
supposed to return.  Empire C didn't bother telling DOS that the virus 
was present in memory when it installed itself.  It puts itself at 
9000:0000 or 80000:0000 and functioned until something else used that 
memory location, then the system crashed.  
Empire D was a response to an installation of "Disk Secure".  It 
recognized the presense of Disk Secure and removes it before infecting 
the computer.  
These are the most common viruses at the Univ. of Alberta and in 
Edmonton.  See also listing for Empire B.2, or UofA virus
McAfee Scan v80 may detect some Empire strains as Azusa