%%File: VIRS0790.TXT
%%Name/Aliases: V1701New, V1701New-B, Evil, Evil-B, P1, Phoenix related
%%Platform: PC/MS-DOS
%%Type: Program., Encrypted/Stealth The virus actively hides.,
%%Disk Location: COM application., COMMAND.COM
%%Features: Memory resident; TSR above TOM., Encrypted, Polymorphic
%%Damage:
%%Size: 1701 All .COM files but COMMAND.COM, It overlays part of COMMAND.COM, Multiple infections are possible., Polymorphic: each infection different
%%See Also:
%%Notes: The V1701-New virus is of Bulgarian origin, a variant of Phoenix. The V1701-New virus is a memory-resident, generic infector of .COM files, and will infect COMMAND.COM.

V1701-New infects COMMAND.COM by overwriting part of the binary zero portion of the program and changing the program's header information. COMMAND.COM will not change in file length.

V1701-New is not able to recognize when it has previously infected a file, so it may reinfect .COM files several times. Each infection of a .COM file will result in another 1,701 bytes of viral code being appended to the file.

Systems infected with the V1701-New virus will experience problems with executing CHKDSK.COM. Attempts to execute this program with V1701-New memory resident will result in a warm reboot of the system; however, the memory-resident version of V1701-New will not survive the reboot.

The V1701-New virus employs a complex encryption mechanism, and virus scanners which are only able to look for simple hex strings will not be able to detect it. There is no simple hex string in this virus that is common to all infected samples.

Also see: PhoenixD, Phoenix

A warm boot occurs when CHKDSK.COM is run.

ViruScan V66+ Scan/D, or delete infected files