Threat description




Emperor is memory-resident polymorphic multipartite virus. It infects DOS COM and EXE files by writing its code to the end of the file, and overwrites the MBR of the hard drive and boot sector on floppy disks with its own loading routine that installs the virus into the system memory on rebooting. The virus has many anti-debugging tricks, uses stealth functions and quite complex routines to get addresses of DOS kernel to bypass anti-virus protection.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

The virus has bugs and in some cases it corrupts the files while infecting them, and they halt the system when executed.

While infecting the MBR the virus uses several tricks to bypass anti-virus protection: writes data by direct calls to HDD controller ports, or stuffs 'Y' to keyboard buffer, in case Megatrends or AWARD BIOS is installed the virus disables VirusWarning BIOS protection by clearing necessary field in the CMOS.

The virus stores the original MBR and boot sectors to the reserved sectors on the drive, but encrypts and corrupts this code so, that these data will work correctly only in case the virus TSR copy is active (i.e. only in case the disk is infected, the virus already installed its code into the memory and released control to the original bootstrap routine). The virus also patches the MBR DiskPartitionTable - it loops its tables. As a result it is not possible to load the system from clean MS DOS floppy disk, and it is necessary to use other DOS versions, or special tools to access the hard drive.

While infecting the MBR or floppy disk boot sector the virus checks it for some specific code, and erases the CMOS memory if this code is found, the message "Error in CMOS" is displayed then and computer halts.

The virus also has more dangerous destruction routine. It erases the data on the hard drive and corrupts the Flash BIOS in the same way the "Win95.CIH" (aka "Chernobyl") virus does. The virus at the same time displays the message:


 I will grind my hatred upon the loved ones.
Despair will be brought upon the hoping childs of happiness.
Wherever there is joy the hordes of the eclipse will pollute

sadness and hate under the reign of fear.

In the name of the almighty Emperor....

This routine is executed if the virus founds an active debugger in the system memory, or the system is rebooted in period from 5am till 10am. This routine also may take control because of a bug in the virus code.

The virus also contains the text strings:

the EMPEROR virus
written by Lucrezia Borgia
In Colombia, 1999

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info