No. of the Beast

Classification

Category: Malware

Type: -

Aliases: No. of the Beast

Summary

This virus was first reported in Bulgaria. It is 512 bytes long, but the length of infected files does not appear to increase. This is because the virus overwrites the first 512 bytes of the programs it infects with itself, and stores the original 512 bytes in the unused space after the end of the file. This is possible because DOS allocates file space in "clusters", which are usually 1024 or 2048 bytes long.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

In addition, if a program attempts to read from an infected file while the virus is active in memory, the read operation is intercepted and the original code is returned instead of the virus code, which makes this virus one of the few fully "stealth" viruses.

This means that the virus will be able to fool any checksum program, as well as any virus-scanning program, if the virus is active in memory when that program is run. It does not matter how sophisticated the checksum algorithm is - if the virus is active in memory, no infected program can be detected.

At the end of the virus code, the string "666" appears - hence the name. Several new variants, in which this string is missing, are also known in Bulgaria, but they are functionally identical.
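The Summary and Technical Details together imply a cross-view check: compare what a normal file read returns with the file's raw clusters read from a clean boot, including the slack past the logical end of file. The following is an added example, not part of the original description or of any F-Secure tool; the function names, the constructed sample data, the placeholder head block and the assumption that "666" closes the 512-byte block are all hypothetical.

```python
import hashlib

BLOCK = 512  # size of the overwritten head and of the saved copy, per the description

def cross_view(api_view: bytes, raw_clusters: bytes, cluster_size: int) -> dict:
    """Compare a file as read through the running OS with its raw clusters.

    api_view: bytes from a normal file read (intercepted if the virus is resident).
    raw_clusters: all clusters allocated to the file, read from a clean boot.
    """
    size = len(api_view)
    if cluster_size <= 0 or len(raw_clusters) % cluster_size or len(raw_clusters) < size:
        raise ValueError("raw_clusters must be whole clusters covering the file")
    slack = raw_clusters[size:]              # bytes past logical EOF, never in api_view
    raw_head, api_head = raw_clusters[:BLOCK], api_view[:BLOCK]
    long_enough = size >= BLOCK
    report = {
        "slack_bytes": len(slack),
        "slack_fits_block": len(slack) >= BLOCK,
        "head_mismatch": long_enough and raw_head != api_head,
        # Search the whole slack: the page does not say where in it the copy sits.
        "api_head_in_slack": long_enough and api_head in slack,
        # Assumption: "end of the virus code" is the end of the 512-byte block.
        "marker_666": long_enough and raw_head.endswith(b"666"),
        "api_sha256": hashlib.sha256(api_view).hexdigest(),
        "raw_sha256": hashlib.sha256(raw_clusters[:size]).hexdigest(),
    }
    report["suspicious"] = report["head_mismatch"] and report["api_head_in_slack"]
    return report

def constructed_sample(cluster_size: int = 1024):
    """Constructed data only: a 1500-byte 'program' and a placeholder head block."""
    clean = (bytes(range(256)) * 6)[:1500]
    allocated = -(-len(clean) // cluster_size) * cluster_size   # round up to clusters
    pad = allocated - len(clean)                                # 548 bytes of slack
    placeholder = b"\x00" * (BLOCK - 3) + b"666"                # stands in for the virus
    raw_infected = placeholder + clean[BLOCK:] + clean[:BLOCK] + b"\x00" * (pad - BLOCK)
    raw_clean = clean + b"\x00" * pad
    return clean, raw_infected, raw_clean

if __name__ == "__main__":
    clean, raw_infected, raw_clean = constructed_sample()
    for name, raw in (("infected", raw_infected), ("clean", raw_clean)):
        r = cross_view(clean, raw, 1024)
        print(name, {k: v for k, v in r.items() if not k.endswith("sha256")})
```

In the infected case the hash of the intercepted read equals the hash of the clean program, which is why a checksum taken while the virus is resident reports nothing. Slack on a real disk often holds leftovers from earlier files, so non-empty slack by itself is not an indicator; the head mismatch combined with the saved block is.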