Details
Yosha.512
It is a very dangerous stealth virus that infects EXE files and the MBR of the hard drive. When an infected EXE file is executed, the virus infects the MBR and reboots the computer. While loading from infected MBR the virus cuts a block of the system memory by decreasing RamSize word at the address 0000:0413, hooks INT 13h and then writes itself to the beginning of EXE files that are accessed.
While infecting a file the virus saves the original EXE header to the random selected sector on the disk and stores that address in the EXE header. While accessing to an infected EXE file the virus gets the address of the sector that keeps the original EXE header and reads it from the disk to the read/write buffer. This routine realizes the complete stealth algorithm, but the disk sectors at the random selected addresses may be corrupted by the virus.
