F-Secure Virus Descriptions : No. of the Beast





NAME: No. of the Beast
ORIGIN: Bulgaria
SIZE: 512
TYPE: Stealth Resident COM-files

This virus was first reported in Bulgaria. It is 512 bytes long, but the length of infected files does not appear to increase. This is because the virus overwrites the first 512 bytes of the programs it infects with itself, and stores the original 512 bytes in the unused space after the end of the file. This is possible because DOS allocates file space in "clusters", which are usually 1024 or 2048 bytes long.

In addition, if a program attempts to read from an infected file while the virus is active in memory, the read operation is intercepted and the original code is returned in place of the virus. This makes it one of the few fully "stealth" viruses.

This means that the virus will be able to fool any checksum program, as well as any virus-scanning program, if the virus is active in memory when that program is run. It does not matter how sophisticated the checksum algorithm is - if the virus is active in memory, no infected program can be detected.

At the end of the virus code, the string "666" appears - hence the name. Several new variants in which this string is missing are also known in Bulgaria, but they are functionally identical.
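
The checksum and cluster-slack points above can be shown with a small model. This is an added example, not F-Secure's code: the function names are hypothetical, the "infected" layout is constructed from placeholder bytes (zeros ending in "666", no virus code), and SHA-256 stands in for any checksum algorithm.

```python
import hashlib

CLUSTER = 1024    # cluster size from the description (1024 or 2048 bytes)
VIRUS_LEN = 512   # virus length from the description

def slack_bytes(size, cluster=CLUSTER):
    """Unused bytes between end of file and the end of its last cluster."""
    return (-size) % cluster

def model_infected(original, cluster=CLUSTER):
    """Constructed on-disk layout: placeholder block ending in "666" over the
    first 512 bytes, original 512 bytes kept in the slack after end of file."""
    size = len(original)
    if size < VIRUS_LEN or slack_bytes(size, cluster) < VIRUS_LEN:
        raise ValueError("described layout needs 512 bytes of file and of slack")
    placeholder = b"\x00" * (VIRUS_LEN - 3) + b"666"   # marker only, no virus code
    raw = placeholder + original[VIRUS_LEN:] + original[:VIRUS_LEN]
    return raw.ljust(size + slack_bytes(size, cluster), b"\x00")

def read_while_resident(raw, size):
    """Bytes a file read returns while the virus is active: the original code."""
    return raw[size:size + VIRUS_LEN] + raw[VIRUS_LEN:size]

def read_not_resident(raw, size):
    """Bytes a file read returns when the virus is not in memory: what is on disk."""
    return raw[:size]

def checksum(data):
    return hashlib.sha256(data).hexdigest()

def compare_read_paths(original):
    """Return (resident_matches_baseline, non_resident_matches_baseline)."""
    size, baseline = len(original), checksum(original)
    raw = model_infected(original)
    return (checksum(read_while_resident(raw, size)) == baseline,
            checksum(read_not_resident(raw, size)) == baseline)

if __name__ == "__main__":
    sample = bytes(range(256)) * 5 + b"x" * 20   # constructed 1300-byte "program"
    print("slack after EOF:", slack_bytes(len(sample)))
    print("checksum matches (resident, not resident):", compare_read_paths(sample))
```

The checksum only diverges from the clean baseline on the read path where the virus is not in memory, which is why the strength of the checksum algorithm makes no difference while the virus is active.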