Virus Name: Navi-282
Virus Type: File Infector Virus (infects .COM files only)
Virus Length: 282 Bytes
PC Vectors Hooked: None
Executing Procedure:
1) Searches for uninfected COM files in the current directory and infects them.
2) Infects only one file at a time.
Damage: None
Detecting Method: Infected files will increase by 282 Bytes.
Note:
1) Doesn't stay resident in memory.
2) NAVI-282 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).

Virus Name: Nop
Alias Name: Nops, Stealth_Boot
Description: See Stealth_Boot.C

Virus Name: Necro-B
Virus Type: File Infector Virus (infects .EXE & .COM files)
Virus Length: 696 Bytes (COM & EXE)
PC Vectors Hooked: None
Executing Procedure:
1) Searches for uninfected .COM and .EXE files in the current directory and infects them.
2) It will infect only three files at a time.
Damage: None
Detecting Method:
1) Infected files will increase by 696 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Necro doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
3) Infected files can't be executed or infect other files.

Virus Name: Nanite
Virus Type: File Infector Virus (infects .EXE & .COM files)
Virus Length: No change
PC Vectors Hooked: None
Executing Procedure:
1) Searches for uninfected .EXE and .COM files in the current directory and infects them.
2) It will infect all .EXE and .COM files until all files in the current directory have been infected.
Damage:
1) Overwrites original files, so the size of infected files won't increase.
Note:
1) Doesn't stay resident in memory.
2) Nanite doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).

Virus Name: NO-WEDNESDAY
Virus Type: File Infector Virus (infects .COM files)
Virus Length: 520 Bytes (COM)
PC Vectors Hooked: INT 24h
Executing Procedure:
1) Searches for uninfected COM files in the current directory and infects them.
2) It infects any .COM file in the current directory one at a time.
3) Then it shows the screen message: "file not found."
Damage: Infected files don't execute original file.
Detecting Method:
1) Infected files will increase by 520 Bytes.
2) "file not found" screen message occurs on screen.
Note:
1) Doesn't stay resident in memory.
2) No-Wednesday hooks INT 24h when infecting files. Omits I/O error (such as write protect).

Virus Name: NULL
Virus Type: File Infector Virus (infects .COM files)
Virus Length: 733 Bytes (COM)
PC Vectors Hooked: None
Executing Procedure:
1) It first decodes.
2) Then it searches for uninfected COM files in the current directory and infects them.
3) It infects only one file at a time.
4) It then executes the original file.
5a) If it can not infect a .COM file, then it checks whether the DAY = 30.
5b) If it is, it destroys all the data on the disk, then shows the message: "Your disk is dead! long live doomsday 1.0 "
Damage: If DAY = 30, then it destroys all data on current disk.
Detecting Method: Infected files will increase by 733 Bytes.
Note:
1) Doesn't stay resident in memory.
2) Null doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: NEW-S
Virus Type: File Infector Virus (infects .EXE files)
Virus Length: 1214 Bytes
PC Vectors Hooked: None
Executing Procedure:
1) First, it shows a strange figure on the screen with music.
2) Then it searches for an EXE file in the current directory.
3) It then creates a file of the same name with the length of 1214 bytes and overwrites the original file. The new file is New-S.
4) Finally, it overwrites the COMMAND.COM in the root directory and copies the overwritten file to the root directory.
Damage: Overwrites original file
Detecting Method: Infected files increase by 1214 Bytes.
Note:
1) Doesn't stay resident in memory.
2) NEW-S doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: NOV_17-1
Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files).
Virus Length: 768 Bytes (COM & EXE)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)
Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.
Damage: None.
Detecting Method:
1) Infected files increase by 768 Bytes.
Note: The NOV_17-1 virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).

Virus Name: NG-914
Virus Type: Memory Resident, File Infector Virus (infects .COM files).
Virus Length: 914 Bytes (COM)
PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory, it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.
Damage: None.
Detecting Method: Infected files increase by 914 Bytes.
Note: The NG-914 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).

Virus Name: NUKEX
Virus Type: Trojan
Virus Length: 469 Bytes
PC Vectors Hooked: None
Damage: Deletes all files on hard disk (including all subdirectories).
Detecting Method: None.
Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.

Virus Name: NOPX_2.1
Other names: None
Virus Type: File Infector Virus
Virus Length: Increases infected .EXE file size by 1686 bytes, also .COM files.
PC Vectors Hooked: INT 21h
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.
Damage:
1) The virus has bugs in itself (error in calculating entry point).
2) So some infected EXE files can't be executed correctly.
Detecting Method: Infected files increase by 1686 bytes.
Note: An error message occurs if there is an I/O error (such as write protect).

Virus Name: NCU_Li
Other names: None
Virus Type: File Infector Virus
Virus Length: 1690/1670 bytes.
PC Vectors Hooked: INT 21h
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.
Damage: None
Detecting Method: Infected files increase by 1690/1670 bytes.
Note:
1) An error message occurs if there is an I/O error (such as write protect).

Virus Name: November 17th
Other names: None
Virus Type: Parasitic Virus
Virus Length: 885 bytes
Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.
Damage: Infects every executable file.
Detecting Method: It will be resident in memory, and infects all .COM files.
Note: An error message occurs if there is an I/O error (such as write protect).

Virus Name: Npox-var
Virus Type: Parasitic Virus
Virus Length: Infected COM file sizes increase by 1000 Bytes.
PC Vectors Hooked: None
Executing Procedure:
1) The virus searches for uninfected COM files in the current directory and infects them.
2) The virus infects only one file each time.
Damage: None
Detecting Method: Detectable if the lengths of files increase by 1000 Bytes.
Remarks:
1) Not memory resident.
2) When infecting files, the virus does not hook INT 24h, and error information appears when I/O errors occur.
3) The beginning of the virus is:
   INC BX
   PUSH AX
   POP AX
   DEC BX
   JMP XXXX

Virus Name: Necro
Virus Type: Parasitic Virus.
Virus Length: Infected COM and EXE file sizes increase by 696 bytes.
PC Vectors Hooked: None.
Executing Procedure:
1) Searches for uninfected COM or EXE files and infects them.
2) It infects three files each time.
Damage: None.
Detecting Method: Files increase by 696 bytes.
Remarks:
1) The infecting part was poorly written, so most of the infected files can not be run.
2) Not memory resident.
3) Before infecting files, the virus does not hook INT 24h. Error messages will appear when I/O errors occur.

Virus Name: Nouin
Virus Type: Memory Resident, COM & EXE File infector
Virus Length: 855 bytes
Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will move itself to high memory.
2) Then it hooks INT 21h, INT 09h, INT 83h and goes back to the original routine. (This virus's method of staying resident is fairly crude; it needs the last MCB controlled by DOS in the address which loads executed programs.)
Vectors hooked:
1) Hooks INT 83h to store a word to keep track that the virus has stayed resident in memory.
2) Hooks INT 09h to decrease a counter by 1 every time you press a key down. Sets a damage_flag when the value decreases to zero.
3) Hooks INT 21h (AH=3Dh, AH=43h, AX=4B00h). It will check whether the program to be executed is an uninfected EXE or COM file (it will skip SCAN.EXE and CLEAN.EXE). If it is a COM file, then it checks if the file is smaller than 60000 bytes. If it is, then the file is infected. If the damage_flag is set or if the current date is between November 11 and 30, it destroys sectors 1 through 9 on the current diskette.
Damage: Sectors 1 through 9 are destroyed on the current diskette on the above conditions.
Note: Date and time of infected files do not change.
Detecting Method: Infected files will increase by 855 bytes.

Virus Name: Ninja
Virus Type: EXE & COM File infector
Virus Length: 1511 or 1466 bytes
Executing Procedure:
1) Checks whether it has remained resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
3) It will check whether the current calendar year is 1992, current day is 13, and current time is 13:00. If these conditions are met, the virus proceeds to destroy all data on the hard disk.
Vectors hooked: Hooks INT 21h (AH=4Bh) to infect files. If the program to be executed is an uninfected EXE or COM file, the virus infects it.
Damage: All data on the hard disk will sometimes be destroyed.
Detecting Method: Infected file sizes increase by 1511 or 1466 bytes.

Virus Name: Nazi-Phobia
Virus Type: EXE File infector
Executing Procedure:
1) Searches for an uninfected EXE file in current directory and infects it.
2) It only infects one file at a time.
Damage: It will overwrite original files with virus code. Original files are destroyed.
Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
3) This virus is written in a high-level language.

Virus Name: NATAS
Virus Type: Infects .COM, .EXE files, Boot record. Memory resident.
Virus Length: 4744 bytes.
Interrupt Vectors Hooked: INT 21h.
Infection Process: This virus can be spread by executing an infected program or from booting the system with an infected disk. There are several methods of infection:
1. Infection of a clean system by an infected program. When an infected program is executed in a clean system, and the DOS version is greater than 3.0, the virus first uses a single step (INT 1h) to get the original entry of INT 13h, INT 15h, INT 21h and INT 40h. The virus can then use the original INT 13h to copy itself to the first 9 sectors of sector 1 on the last side of the last cylinder (on floppy diskettes), or the last 9 sectors of side 0 on cylinder 0 (for hard disks). These sectors are not marked as "bad sectors" and get overwritten by the virus, with no regard for their previous contents. The virus will move itself to the top of the MCB (memory control block), and decrease available memory from the MCB by 5664 bytes. It will hook INT 13h and INT 21h and then run the original program.
Damage:
1) This virus formats the hard disk.
2) Infected files will increase in length by 4744 bytes.
Symptoms:
1) Loss of 9 sectors of data stored in the disk/diskette, file allocation errors, and increased file lengths.
2) Decreased available memory.
If a PC is booted from an infected disk, the spreading of the infection is perfected. The boot code, previously overwritten by the virus on the disk boot sector, reads the main core of the virus from the last 9 sectors of side 0, cylinder 0 (if read from HD), and loads it as a TSR in RAM, occupying 6Kb of the higher part of system memory.

Virus Name: NOV-17-768
Virus Type: Infects .COM files shorter than 59920 bytes and infects .EXE files.
Virus Length: 768 bytes in file and 800 bytes in memory.
Interrupt Vectors Hooked: INT 21h.
Infection Process: This virus is a variant of the November-17th virus. The November 17th virus was received in January, 1992. Its origin or point of original isolation was originally unknown, but it has since been reported as being widespread in Rome, Italy, during the month of December, 1991. November 17th is a memory resident infector of .COM and .EXE programs, including COMMAND.COM. The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary.
Damage: Destroys the current disk from sector 1 to sector 8. Total system and available free memory, as indicated by the DOS CHKDSK program, will decrease by 896 bytes. Interrupt 12's return will not have been moved. Interrupts 09 and 21 will be hooked.
Symptoms: Infected programs will have a file length increase of 855 bytes with the virus located at the end of the infected file. There will be no visible change to the file's date and time in a DOS disk directory listing.

Virus Name: NOV-17-800
Virus Type: Infects .COM and .EXE files, memory block resident. Does not infect "SCAN", "CLEAN".
Virus Length: 800 bytes in files and 832 bytes in memory.
Interrupt Vectors Hooked: INT 09h and 21h.
Infection Process: The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary.
Damage: Destroys the hard disk FAT. When the value of [00:46E] is changed and the month = 1, the virus will then write garbage to the current disk from sectors 1 to 8.
Symptoms: File sizes increase by 800 bytes. Available memory decreased by 800 bytes.

Virus Name: Not-586
Virus Type: COM File infector
Virus Length: 586 bytes
Executing Procedure:
1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it will hook INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detecting Method: Infected file sizes increase by 586 bytes.

Virus Name: Number6
Virus Type: COM File infector
Virus Length: 631 bytes
Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) First, it will hook INT 24h to prevent divulging its trace when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Detecting Method: Infected file sizes increase by 631 bytes.

Virus Name: Nines
Virus Type: COM File infector
Virus Length: 706 or 776 bytes
Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
Vectors hooked:
1) Hooks INT 21h (AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.
Damage: None
Note: You will see an error message when writing because INT 24h has not been hooked.
Detecting Method: Infected file sizes increase by 706 or 776 bytes.

Virus Name: Nazgul
Virus Type: COM File infector
Virus Length: 266 bytes
Executing Procedure: Searches for all uninfected COM files in the current directory and infects them.
Damage: None
Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
Detecting Method:
1) Infected file sizes increase by 266 bytes.

Virus Name: Napc
Virus Type: COM & EXE File infector
Virus Length: 729 bytes
Executing Procedure:
1) Searches for all uninfected COM & EXE files in the current directory and infects them.
Damage: None
Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
Detecting Method: Infected file sizes increase by 729 bytes.

Virus Status:
Discovered :
Isolated :
Symptoms :
Origin :
Eff Length :
Type Code : File Virus
General Comments:
This virus first decrypts a part of its code with a size of 4526 bytes and then decrypts it again. Then it checks if it is already loaded in memory by checking the interrupt vectors of INT 13, INT 21 and INT 2A. Then it allocates 5680 bytes in the High Memory Area.
After loading itself resident in the High Memory Area, the virus seems to be doing nothing. It is possible that the virus has some bugs.
Alias: November-17th.800
Eff Length : 800
Type Code : File Virus
Will increase .COM and .EXE files by 800 bytes and will allocate 832 bytes in the High Memory Area.
On first infection, the November-17th virus will first check whether the carrier file is an .EXE. It infects .COM and .EXE files differently because of the difference in their structure. Then it allocates 832 bytes in the High Memory Area and moves its virus code there. Then it will hook INT 21, intercepting services 3D (Open File Handle), 43 (Get/Set File Attributes) and 4B00 (Execute Child Process). After this, it will give control back to the carrier program.
This virus will change the attributes of files opened or executed, in addition to infecting them, once the virus is in memory.
Upon loading, NO-17-800 will check if the system date is between November 17 and November 30. If it is, the virus will save the hour of the system time and keep checking it until it has changed; at that point it will write 8 sectors starting at the 1st sector of the default drive. Depending on which is the default drive of the system, this will destroy the Boot Record and files located in the first 8 sectors of a floppy disk, or the Boot Record and the File Allocation Tables of the hard disk.
This string is found in the virus code:
"SCAN.CLEAN.COMEXE"
Alias: NOVEMBER 17-855
Eff Length : 855
Will increase .COM and .EXE files by 855 bytes and will allocate 896 bytes in the High Memory Area.
On first infection, the November-17th virus will first check whether the carrier file is an .EXE. It infects .COM and .EXE files differently because of the difference in their structure. Then it allocates 896 bytes in the High Memory Area and moves its virus code there. Then it will hook INT 9 and INT 21, intercepting services 3D (Open File Handle), 43 (Get/Set File Attributes) and 4B00 (Execute Child Process). After this it will give control back to the carrier program.
This is a variant of the NO17-800 virus; the difference is that this virus is triggered by key presses rather than by time. When a certain number of keys have been pressed and the system date is between November 17-30, it will write 8 sectors starting at the 1st sector of the default drive. Depending on which is the default drive of the system, this will destroy the Boot Record and files located in the first 8 sectors of a floppy disk, or the Boot Record and the File Allocation Tables of the hard disk.
Eff Length : 1215
Type Code : File Virus; Encryption Virus
Will increase .COM and .EXE files by 1215 bytes and will allocate 4624 bytes in the High Memory Area.
The first time it is loaded, NOFDUDLY will first decrypt 1153 bytes of its code. Then it will check if it is already loaded in memory. If it is not yet loaded, it will allocate 4624 bytes in the High Memory Area and transfer all 1215 bytes of its code there. It will then hook INT 21, adding extra code to services 54 (Get Verify Flag), 4B00 (Execute Program), 3D (Open File Handle), 56 (Rename File), and 6C (Extended Open/Create). Then it will transfer control back to the carrier program.
When in memory, NOFDUDLY will temporarily hook INT 24 (Critical Error Handler) so that it can readily troubleshoot problems if errors occur, and then unhook it again. Then it will infect the command interpreter (COMMAND.COM) of the default drive.
This virus is an enhanced variant of the NOFRILLS virus with an additional encryption enhancement to the older variant.
Text message found in the virus code:
"[Oi Dudley] [PuKE]"
Alias: NO FRILLS
Eff Length : 843
Will increase .COM and .EXE files by 843 bytes and will allocate 1536 bytes in the High Memory Area.
This virus will first check if the carrier file is .COM or .EXE, in order to know which code will be transferred to the High Memory Area. It will then allocate 1536 bytes of High Memory Area and transfer 400h of its virus code to it. It will then hook INT 21, adding extra code to services 54 (Get Verify Flag), 4B00 (Execute Program), 3D (Open File Handle), 43 (Get/Set File Attributes), and 6C (Extended Open/Create). Then it will transfer control back to the carrier program.
When in memory, NOFRILLS will temporarily hook INT 24 (Critical Error Handler) so that it can readily troubleshoot problems if errors occur, and then unhook it again. Then it will infect the command interpreter (COMMAND.COM) of the default drive.
This message is found in the virus code:
"+-No Frills 2.0 by Harry McBungus-+"
Eff Length : 1024 bytes
Type Code :
Increase of 1024 bytes in sizes of EXE and COM files and decrease of 1072 in the available memory. Usually displays disk read/write errors like "Sector not found", "Invalid Media Type" and other disk related errors.
The NOMENKLATURA virus is similar to most common viruses to date. The difference is that it uses INT 2F service 13 (Set Disk Interrupt Handler), which acts as an error-trapping procedure for the virus when infection of other files is impossible. Like other viruses, it first allocates 1072 bytes in the High Memory Area and then transfers 1055 bytes of its code to high memory. The extra bytes loaded by the virus are the addresses of specific locations of the Operating System in memory, so that it can access them directly, and also the interrupt vectors of INT 21 and INT 13. It also has procedures that check whether an executed file is infected or not, and whether it is COM or EXE. Executable files that are opened and/or executed will be infected immediately by this virus.
This virus was named as such because of the text string found in the virus code: "NOMENKLATURA"
Alias: EVIL GENIUS 2.0
Eff Length : 963 bytes
Increase of 963 bytes in sizes of EXE and COM files and decrease of 1024 in the available memory. With a write-protected floppy, it usually displays a "Write Protect Error" message when you try to read from it.
On first infection, the N-Pox virus will first allocate 1024 bytes in the High Memory Area and then transfer its code to the HMA. After that, it will hook INT 21 and INT 9 and then return control to the original program.
This text string can be found in the virus code:
"Evil Genius V2.0 - RS/NuKE"
"C:\COMMAND.COM"
It will infect COM and EXE files that are loaded, executed or opened by other files. During infection, the file's time and date will not be modified except for the seconds count, which will be set to :58. This also serves as the virus's signature marking a file as already infected. Before infecting files, however, it checks whether the file is being executed by another program (i.e., debuggers, anti-virus). If it is being executed by another file, it will check whether the file loader meets any of the following criteria:
1.) ****prot.*** (i.e. f-prot, nprot, lprot)
2.) ****scan.*** (i.e. pcscan, scan, viruscan)
3.) ****lean.*** (i.e. clean)
If the above characteristics are not satisfied then it will infect the executed program.
Once resident, the N-Pox virus will hide the increase in the size of infected programs when the user tries to view it (i.e., DIR). It will also modify loaded infected files in memory so as to hide them from anti-virus software.
The damage that N-Pox does is that if the system date is the 24th of any month and if a key is pressed, it will format the first 32 tracks of the hard disk, starting from track 0. This will damage the Boot Record, File Allocation Tables (FAT) and the system files on the hard disk.
Alias: NEVER-1
Eff Length : 1788 bytes
Type Code : File Virus; Encryption Virus; .COM files only
It will increase .COM files by 4744 bytes and decrease available memory by 6144 bytes. Program execution slows down.
The virus first decrypts 2300 bytes of its code and then allocates 6144 bytes in the High Memory Area. It will then copy a part of its code to the area that the INT 1 vector points to, thus replacing the handler. Then it will move 5111 bytes to the High Memory Area. It will then hook INT 10, 13, 15 and 21.
Further analysis of the virus was not possible because it has replaced the code for INT 1 which is the Single Step Interrupt which is used by debuggers like DEBUG and S-ICE. NATA4744 will format a track of the Hard Disk every time INT 1 is used, and it will continue to do so until all local fixed drives are formatted.
"Time has come to pay (c) 1994 NEVER-1"
Origin : Tralee, Co. Kerry, Ireland
Eff Length : 1164 bytes
Type Code : File Virus; Encryption Virus; .COM files
It will increase .COM files by 1164 bytes and decrease available memory by 2624 bytes. Execution of running programs slows down. A write protect error occurs when a program is opened and the disk is write protected.
This virus will first decrypt its code with a size of 1142 bytes and then will hook INT 3, INT 21 and INT 1C. Then it will allocate 2624 bytes in memory. This virus will be MCB resident after executing the carrier program because it will execute a TSR command.
It will immediately infect .COM files that are executed. When .EXE files are run, Necros will create a hidden .COM file of the same name and will also increase the file size to 1164 bytes.
The Necros virus will check if the system date is November 21. If this condition is satisfied, it will start to produce a countdown-like sound 2 minutes after the virus has been loaded. This will go on for 15 seconds before this message is displayed on the screen:
"Virus V2.0 (c) 1991 Necros the Hacker."
"Written on 29,30 June in Tralee, Co. Kerry, Ireland"
"Happy Birthday, Necros!"
Other Name: XERAM
Virus Type: File Type Virus
Virus Length: Approximately 1667-1678 bytes
Virus Re-infect: Does not re-infect, infected file size is consistent. If the file is already corrupted it skips, and looks for another EXE file.
Virus Memory Type: Non Resident, Direct Infector
INT Vectors hooked: Int 21
Trigger Condition:
Checks for system date. If the day is the 13th of any month, it will name itself N-XERAM. Otherwise, it will name itself plainly as XERAM.
Infection Procedure:
Directly infects *.EXE files if source virus file is executed. Copies virus code to host program, adding approximately 648 bytes. Loads first the virus before running the host program.
Special note: The virus initially searches for *.COM files. It picks COMMAND.COM first, and infects it. After infecting COMMAND.COM, the virus searches for *.EXE files. It does not search for *.COM files again. It only searches for *.EXE.
The virus's first task is to get the system date to compare the day (to establish what name it wants to use), then it sets the DTA. The virus then searches for *.EXE files within the directory using Int 21 (4E). When the search is successful, the virus gets the file's attribute using Int 21 (43). It changes the attribute to enable itself to write to the file (especially for COMMAND.COM). It takes note of the file time and date using Int 21 (51) so that when it accomplishes its task of altering the code, it can save the file with the original time and date. This deceives the user into thinking that the file has never been changed.
After the alteration, the virus then protects itself from the following anti-virus programs by deleting these files using Int 21 (41):
1. /NCDTREE/NAV_._NO
2. /CHKLIST.MS
3. /SCANVAL.VAL
These files are virus information or data files used by the respective anti-virus programs. We can classify this virus as an anti-anti-virus virus.
*Every time an infected file is executed, one EXE file is infected within the same directory.
Damage:
Increase in file size. Adds approximately 1667-1678 bytes. Corrupts COMMAND.COM, making it unusable. Adds 1674 bytes. Infected EXE files run normally.
Symptom:
Delay in program execution due to virus activity.
Alias:
Place of Origin :
Eff Length : 4622 bytes
Type Code : File Virus, Encryption Virus
The NEUROQUI virus will decrypt 4622 bytes of its code at the beginning of its execution. Then it will copy this to the OS area 0000:7C00. Then it will hook INT 1.