Navi 282

Virus Name: Navi-282

Virus Type: File Infector Virus (infects .COM files only)

Virus Length: 282 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected COM files in the current directory and infects them.
2) Infects only one file at a time.

Damage: None

Detecting Method: Infected files will increase by 282 Bytes.

Note:
1) Doesn't stay resident in memory.
2) NAVI-282 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


Nop

Virus Name: Nop

Alias Name: Nops, Stealth_Boot

Description: See Stealth_Boot.C


Necro-B

Virus Name: Necro-B

Virus Type: File Infector Virus (infects .EXE & .COM files)

Virus Length: 696 Bytes (COM & EXE)

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected .COM and .EXE files in the current directory and infects them.
2) It will infect only three files at a time.

Damage: None

Detecting Method:
1) Infected files will increase by 696 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Necro doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
3) Infected files can't be executed or infect other files.


Nanite

Virus Name: Nanite

Virus Type: File Infector Virus (infects .EXE & .COM files)

Virus Length: No change

PC Vectors Hooked: None

Executing Procedure:
1) Searches for uninfected .EXE and .COM files in the current directory and infects them.
2) It will infect all .EXE and .COM files until all files in the current directory have been infected.

Damage:
1) Overwrites original files, so the size of infected files won't increase.

Note:
1) Doesn't stay resident in memory.
2) Nanite doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).


No Wednesday

Virus Name: NO-WEDNESDAY

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 520 Bytes (COM)

PC Vectors Hooked: INT 24h

Executing Procedure:
1) Searches for uninfected COM files in the current directory and infects them.
2) It infects any .COM file in the current directory one at a time.
3) Then it shows the screen message: "file not found."

Damage: Infected files don't execute original file.

Detecting Method:
1) Infected files will increase by 520 Bytes.
2) The message "file not found" appears on screen.

Note:
1) Doesn't stay resident in memory.
2) No-Wednesday hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Null

Virus Name: NULL

Virus Type: File Infector Virus (infects .COM files)

Virus Length: 733 Bytes (COM)

PC Vectors Hooked: None

Executing Procedure:
1) It first decodes.
2) Then it searches for uninfected COM files in the current directory and infects them.
3) It infects only one file at a time.
4) It then executes the original file.
5a) If it cannot infect a .COM file, then it checks whether DAY = 30.
5b) If it is, it destroys all the data on the disk, then shows the message: "Your disk is dead! long live doomsday 1.0"

Damage: If DAY = 30, then it destroys all data on the current disk.

Detecting Method: Infected files will increase by 733 Bytes.

Note:
1) Doesn't stay resident in memory.
2) Null doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


New-s

Virus Name: NEW-S

Virus Type: File Infector Virus (infects .EXE files)

Virus Length: 1214 Bytes

PC Vectors Hooked: None

Executing Procedure:
1) First, it shows a strange figure on the screen with music.
2) Then it searches for an EXE file in the current directory.
3) It then creates a file of the same name with the length of 1214 bytes and overwrites the original file. The new file is New-S.
4) Finally, it overwrites the COMMAND.COM in the root directory and copies the overwritten file to the root directory.

Damage: Overwrites original file

Detecting Method: Infected files increase by 1214 Bytes.

Note:
1) Doesn't stay resident in memory.
2) NEW-S doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


Nov. 17-1

Virus Name: NOV_17-1

Virus Type: Highest Memory Resident, File Infector Virus (infects .COM & .EXE files).

Virus Length: 768 Bytes (COM & EXE)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program)

Infecting Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.

Damage: None.

Detecting Method:
1) Infected files increase by 768 Bytes.

Note: The NOV_17-1 virus doesn't hook INT 24h when infecting files. An error message occurs if there is an I/O error (such as write protect).


NG-914

Virus Name: NG-914

Virus Type: Memory Resident, File Infector Virus (infects .COM files).

Virus Length: 914 Bytes (COM)

PC Vectors Hooked: INT 21h (AX=4B00h) (execute program), INT 24h

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3a) Once in resident memory, it will infect any uninfected file that is executed.
3b) It doesn't infect .EXE files.

Damage: None.

Detecting Method: Infected files increase by 914 Bytes.

Note: The NG-914 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).


Nuke X

Virus Name: NUKEX

Virus Type: Trojan

Virus Length: 469 Bytes

PC Vectors Hooked: None

Damage: Deletes all files on hard disk (include all subdirectories).

Detecting Method: None.

Note:
1) Doesn't stay resident in memory.
2) Doesn't infect any files or partition or boot sector.


NOPX 2.1

Virus Name: NOPX_2.1

Other names: None

Virus Type: File Infector Virus

Virus Length: Infected .EXE and .COM files increase in size by 1686 bytes.

PC Vectors Hooked: Int 21

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.

Damage:
1) The virus has bugs in itself (Error in calculating entry point).
2) So some infected EXE files can't be executed correctly.

Detecting Method: Infected files increase by 1686 bytes

Note: An error message occurs if there is an I/O error (such as write protect).


NCU-LI

Virus Name: NCU_Li

Other names: None

Virus Type: File Infector Virus

Virus Length: 1690/1670 bytes.

PC Vectors Hooked: Int 21

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory, it will infect any uninfected file that is executed.

Damage: None

Detecting Method: Infected files increase by 1690/1670 bytes.

Note:
1) An error message occurs if there is an I/O error (such as write protect).


November 17th

Virus Name: November 17th

Other names: None

Virus Type: Parasitic Virus

Virus Length: 885 bytes

Executing Procedure:
1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h.
2) It then executes the original file.
3) Once in resident memory it will infect any uninfected file that is executed.

Damage: Infects every executable file.

Detecting Method: It will be resident in memory, and infects all .COM files.

Note: An error message occurs if there is an I/O error (such as write protect).


NPOX-Var

Virus Name: Npox-var

Virus Type: Parasitic Virus

Virus Length: Infected COM file sizes increase by 1000 Bytes.

PC Vectors Hooked: None

Executing Procedure:
1) The virus searches for uninfected COM files in the current directory and infects them.
2) The virus infects only one file each time.

Damage: None

Detecting Method: Detectable if the lengths of files increase by 1000 Bytes.

Remarks:
1) Not memory resident.
2) When infecting files, the virus does not hook INT 24h, and error information appears when I/O errors occur.
3) The beginning of the virus is:

INC BX
PUSH AX
POP AX
DEC BX
JMP XXXX
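
The five-instruction prologue listed above can be turned into a simple scanner check. This is an added example, not part of the original entry: it assumes the prologue sits at file offset 0 of an infected .COM image, that JMP XXXX is a near jump (opcode E9 with a 16-bit displacement), and that the jump lands inside the 1000 bytes the entry says are appended. The sample images are constructed.

```python
import struct

# Encodings of the listed instructions: INC BX, PUSH AX, POP AX, DEC BX,
# followed by the opcode of a near JMP (E9 + signed 16-bit displacement).
PROLOGUE = bytes([0x43, 0x50, 0x58, 0x4B, 0xE9])
GROWTH = 1000        # size increase stated in the entry
COM_LIMIT = 0xFF00   # a .COM image loads at 100h inside a single 64 KB segment


def check_com_image(data):
    """Report whether a .COM image starts with the NPOX-Var prologue.

    target_in_tail is a second, weaker indicator (an assumption of this
    example): the jump lands in the last GROWTH bytes of the file, where
    an appending infector would place its body.
    """
    report = {"prologue": False, "jump_target": None, "target_in_tail": False}
    if len(data) < len(PROLOGUE) + 2 or len(data) > COM_LIMIT:
        return report
    if not data.startswith(PROLOGUE):
        return report
    report["prologue"] = True

    # The displacement is relative to the instruction after the JMP,
    # i.e. file offset 7; arithmetic wraps inside the 64 KB segment.
    (rel,) = struct.unpack_from("<h", data, len(PROLOGUE))
    target = (len(PROLOGUE) + 2 + rel) & 0xFFFF
    report["jump_target"] = target

    tail_start = max(len(data) - GROWTH, 0)
    report["target_in_tail"] = tail_start <= target < len(data)
    return report


def build_sample(host_len, rel):
    """Constructed test image: prologue, displacement, then NOP filler.

    Contains no virus code; it only reproduces the layout being checked.
    """
    filler = host_len + GROWTH - len(PROLOGUE) - 2
    return PROLOGUE + struct.pack("<h", rel) + b"\x90" * filler


if __name__ == "__main__":
    suspicious = build_sample(host_len=300, rel=293)   # jump to offset 300
    unrelated = b"\xE9\x10\x00" + b"\x90" * 400        # ordinary JMP-first .COM
    for label, image in (("suspicious", suspicious), ("unrelated", unrelated)):
        print(label, check_com_image(image))
```

A prologue match alone is a five-byte signature and can collide with legitimate code; the size increase of 1000 bytes given under Detecting Method remains the corroborating check.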


Necro

Virus Name: Necro

Virus Type: Parasitic Virus.

Virus Length: Infected COM and EXE file sizes increase by 696 bytes.

PC Vectors Hooked: None.

Executing Procedure:
1) Searches for uninfected COM or EXE files and infects them.
2) It infects three files each time.

Damage: None.

Detecting Method: Files increase by 696 bytes

Remarks:
1) The infecting part was poorly written, so most of the infected files can not be run.
2) Not memory resident.
3) Before infecting files, the virus does not hook INT 24h. Error messages will appear when I/O errors occur.


Nouin

Virus Name: Nouin

Virus Type: Memory Resident, COM & EXE File infector

Virus Length: 855 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will move itself to high memory.
2) Then it hooks INT 21h, INT 09h and INT 83h and goes back to the original routine. (The way this virus stays resident is fairly crude; it needs the last MCB controlled by DOS to be at the address where executed programs are loaded.)

Vectors hooked:
1) Hooks INT 83h to store a word that records that the virus has stayed resident in memory.
2) Hooks INT 09h to decrease a counter by 1 every time you press a key down. Sets a damage_flag when the value decreases to zero.
3) Hooks INT 21h (AH=3Dh, AH=43h, AX=4B00h). It will check whether the program to be executed is an uninfected EXE or COM file (it will skip SCAN.EXE and CLEAN.EXE). If it is a COM file, then it checks if the file is smaller than 60000 bytes. If it is, then the file is infected. If the damage_flag is set or if the current date is between November 11 and 30, it destroys sectors 1 through 9 on the current diskette.

Damage: Sectors 1 through 9 are destroyed on the current diskette on the above conditions.

Note: Date and time of infected files do not change.

Detecting Method: Infected files will increase by 855 bytes.


Ninja

Virus Name: Ninja

Virus Type: EXE & COM File infector

Virus Length: 1511 or 1466 bytes

Executing Procedure:
1) Checks whether it has remained resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.
3) It will check whether the current calendar year is 1992, current day is 13, and current time is 13:00. If these conditions are met, the virus proceeds to destroy all data on the hard disk.

Vectors hooked: Hooks INT 21H (AH=4Bh) to infect files. If the program to be executed is an uninfected EXE or COM file, the virus infects it.

Damage: All data on the hard disk will sometimes be destroyed.

Detecting Method: Infected file sizes increase by 1511 or 1466 bytes.


Nazi-Phobia

Virus Name: Nazi-Phobia

Virus Type: EXE File infector

Executing Procedure:
1) Searches for an uninfected EXE file in current directory and infects it.
2) It only infects one file at a time.

Damage: It will overwrite original files with virus code. Original files are destroyed.

Note:
1) Does not stay in memory.
2) You will see an error message when writing because INT 24h has not been hooked.
3) This virus is written in a high-level language.


Natas

Virus Name: NATAS

Virus Type: Infects .COM, .EXE files, Boot record. Memory resident.

Virus Length: 4744 bytes.

Interrupt Vectors Hooked: INT 21h.

Infection Process: This virus can be spread by executing an infected program or from booting the system with an infected disk. There are several methods of infection:

1. Infection of a clean system by an infected program.

When an infected program is executed in a clean system, and the DOS version is greater than 3.0, the virus first uses single-step tracing (INT 1h) to get the original entry points of INT 13h, INT 15h, INT 21h and INT 40h. The virus can then use the original INT 13h to copy itself to the first 9 sectors of sector 1 on the last side of the last cylinder (on floppy diskettes), or the last 9 sectors of side 0 on cylinder 0 (for hard disks).

These sectors are not marked as "bad sectors" and get overwritten by the virus, with no regard for their previous contents.

The virus will move itself to the top of the MCB (memory control block), and decrease available memory from the MCB by 5664 bytes. It will hook Int 13h and Int 21h and then run the original program.

Damage:
1) This virus formats the hard disk.
2) Infected files will increase in length by 4744 bytes.

Symptoms:
1) Loss of 9 sectors of data stored in the disk/diskette, file allocation errors, and increased file lengths.
2) Decreased available memory. If a PC is booted from an infected disk, the spreading of the infection is completed. The boot code, previously overwritten by the virus on the disk boot sector, reads the main core of the virus from the last 9 sectors of side 0, cylinder 0 (if read from HD), and loads it as a TSR in RAM, occupying 6 KB of the higher part of system memory.


NOV-17-768

Virus Name: NOV-17-768

Virus Type: Infects .COM files shorter than 59920 bytes and infects .EXE files.

Virus Length: 768 bytes in file and 800 bytes in memory.

Interrupt Vectors Hooked: INT 21h.

Infection Process: This virus is a variant of the November-17th virus:

The November 17th virus was received in January, 1992. Its origin or point of original isolation was originally unknown, but it has since been reported as being widespread in Rome, Italy, during the month of December, 1991. November 17th is a memory resident infector of .COM and .EXE programs, including COMMAND.COM.

The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary.

Damage: Destroys the current disk from sector 1 to sector 8. Total system and available free memory, as indicated by the DOS CHKDSK program, will decrease by 896 bytes. Interrupt 12's return will not have been moved. Interrupts 09 and 21 will be hooked.

Symptoms: Infected programs will have a file length increase of 855 bytes with the virus located at the end of the infected file. There will be no visible change to the file's date and time in a DOS disk directory listing.


NOV-17-800

Virus Name: NOV-17-800

Virus Type: Infects .COM and .EXE files, memory block resident. Does not infect "SCAN" or "CLEAN".

Virus Length: 800 bytes in files and 832 bytes in memory.

Interrupt Vectors Hooked: INT 09h and 21h.

Infection Process: The first time a program infected with November 17th is executed, the virus will install itself memory resident at the top of system memory but below the 640K DOS boundary.

Damage: Destroys the hard disk FAT. When the value of [00:46E] is changed and the month = 1, the virus will then write garbage to the current disk from sectors 1 to 8.

Symptoms: File sizes increase by 800 bytes. Available memory decreased by 800 bytes.


Not-586

Virus Name: Not-586

Virus Type: COM File infector

Virus Length: 586 bytes

Executing Procedure:
1) Virus checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hook INT 24h to avoid revealing itself when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 586 bytes.


Number 6

Virus Name: Number6

Virus Type: COM File infector

Virus Length: 631 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) First, it will hook INT 24h to avoid revealing itself when writing. If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Detecting Method: Infected file sizes increase by 631 bytes.


Nines

Virus Name: Nines

Virus Type: COM File infector

Virus Length: 706 or 776 bytes

Executing Procedure:
1) Checks whether it has stayed resident in memory. If not, it will stay resident in high memory.
2) Then it hooks INT 21h and goes back to the original routine.

Vectors hooked:
1) Hooks INT 21H(AH=4Bh) to infect files.
2) If the program to be executed is an uninfected COM file, the virus proceeds to infect it.

Damage: None

Note: You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 706 or 776 bytes.


Nazgul

Virus Name: Nazgul

Virus Type: COM File infector

Virus Length: 266 bytes

Executing Procedure: Searches for all uninfected COM files in the current directory and infects them.

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method:
1) Infected file sizes increase by 266 bytes.


Napc

Virus Name: Napc

Virus Type: COM & EXE File infector

Virus Length: 729 bytes

Executing Procedure:
1) Searches for all uninfected COM & EXE files in the current directory and infects them.

Damage: None

Note:
1) It does not stay resident in memory.
2) You will see an error message when writing because INT 24h has not been hooked.

Detecting Method: Infected file sizes increase by 729 bytes.

 


Nightfall.4518

Virus Status:

Discovered :

Isolated :

Symptoms :

Origin :

Eff Length :

Type Code : File Virus

General Comments:

This virus first decrypts a part of its code with a size of 4526 bytes and then decrypts it again. Then it checks if it is already loaded in memory by checking the interrupt vectors of INT 13, INT 21 and INT 2A. Then it allocates 5680 bytes in the High Memory Area.

After loading itself resident in the High Memory Area, the virus seems to be doing nothing. It is possible that the virus has some bugs.

 


Nov_17

Alias: November-17th.800

Origin :

Eff Length : 800

Type Code : File Virus;

Symptoms :

Will increase .COM and .EXE files by 800 bytes and will allocate 832 bytes in the High Memory Area.

General Comments:

On first infection, the November-17th virus first checks whether the carrier file is an .EXE. It infects .COM and .EXE files differently because the two have different structures. Then it allocates 832 bytes in the High Memory Area and moves its virus code there. Then it hooks INT 21, intercepting services 3D (Open File Handle), 43 (Get/Set File Attributes) and 4B00 (Execute Child Process). After this, it gives control back to the carrier program.

This virus will change the attributes of files opened or executed, in addition to infecting them, once the virus is in memory.

Upon loading, NO-17-800 will check if the system date is between November 17 and November 30. If it is, the virus will save the system time's hour of day and keep checking it until it has changed; this is when it will write 8 sectors starting at the 1st sector of the default drive. This will destroy the Boot Record and files located in the first 8 sectors of floppy disks, while it will destroy the Boot Record and the File Allocation Tables of the hard disk, depending on which is the default drive of the system.

This string is found in the virus code:

"SCAN.CLEAN.COMEXE"

 


Nov_17th.855.A

Alias: NOVEMBER 17-855

Origin :

Eff Length : 855

Type Code : File Virus;

Symptoms :

Will increase .COM and .EXE files by 855 bytes and will allocate 896 bytes in the High Memory Area.

General Comments:

On first infection, the November-17th virus first checks whether the carrier file is an .EXE. It infects .COM and .EXE files differently because the two have different structures. Then it allocates 896 bytes in the High Memory Area and moves its virus code there. Then it hooks INT 9 and INT 21, intercepting services 3D (Open File Handle), 43 (Get/Set File Attributes) and 4B00 (Execute Child Process). After this, it gives control back to the carrier program.

This virus will change the attributes of files opened or executed, in addition to infecting them, once the virus is in memory.

This is a variant of the NO17-800 virus, but the difference is that this virus is triggered by key presses and not by time as the NO17-800 virus is. When a certain number of keys have been pressed and the system date is between November 17-30, it will write 8 sectors starting at the 1st sector of the default drive. This will destroy the Boot Record and files located in the first 8 sectors of floppy disks, while it will destroy the Boot Record and the File Allocation Tables of the hard disk, depending on which is the default drive of the system.

This string is found in the virus code:

"SCAN.CLEAN.COMEXE"

 


No_Frills.Dudley

Virus Status:

Origin :

Eff Length : 1215

Type Code : File Virus; Encryption Virus

Symptoms :

Will increase .COM and .EXE files by 1215 bytes and will allocate 4624 bytes in the High Memory Area.

General Comments:

The first time it is loaded, NOFDUDLY will first decrypt 1153 bytes of its code. Then it will check if it is already loaded in memory. If it is not yet loaded, it will allocate 4624 bytes in the High Memory Area. Then it will transfer all 1215 bytes of its code to the High Memory Area. It will then hook INT 21, adding extra code to services 54 (Get Verify Flag), 4B00 (Execute Program), 3D (Open File Handle), 56 (Rename File), and 6C (Extended Open/Create). Then it will transfer control back to the carrier program.

When in memory, NOFDUDLY will temporarily hook INT 24 (Critical Error Handler) so that it can readily troubleshoot problems if errors occurred and then unhook it again. Then it will infect the command interpreter (COMMAND.COM) of the default drive.

This virus is an enhanced variant of the NOFRILLS virus with an additional encryption enhancement to the older variant.

Text message found in the virus code:

"[Oi Dudley] [PuKE]"

 


No_Frills.843

Alias: NO FRILLS

Origin :

Eff Length : 843

Type Code : File Virus;

Symptoms :

Will increase .COM and .EXE files by 843 bytes and will allocate 1536 bytes in the High Memory Area.

General Comments:

This virus will first check if the carrier file is .COM or .EXE. It will do so to know which code will be transferred to the High Memory Area. It will then allocate 1536 bytes of High Memory Area and transfer 400h of its virus code to it. It will then hook INT 21 adding extra codes to services 54 (Get Verify Flag), 4B00 (Execute Program), 3D (Open File Handle), 43 (Get/Set File Attributes), and 6C (Extended Open/Create). Then it will transfer its control back to the carrier program.

When in memory, NOFRILLS will temporarily hook INT 24 (Critical Error Handler) so that it can readily troubleshoot problems if errors occurred and then unhook it again. Then it will infect the command interpreter (COMMAND.COM) of the default drive.

This message is found in the virus code:

"+-No Frills 2.0 by Harry McBungus-+"

 


Nomenklatura

Virus Status:

Origin :

Eff Length : 1024 bytes

Type Code :

Symptoms :

Increase of 1024 bytes in sizes of EXE and COM files and decrease of 1072 in the available memory. Usually displays disk read/write errors like "Sector not found", "Invalid Media Type" and other disk related errors.

General Comments:

The NOMENKLATURA virus is similar to most common viruses to date. The difference is that it uses INT 2F service 13 (Set Disk Interrupt Handler), which acts as an error-trapping procedure for the virus when infection of other files is impossible. Like other viruses, it first allocates 1072 bytes in the High Memory Area and then transfers 1055 bytes of itself to high memory. The extra bytes loaded by the virus are the addresses of specific locations in the Operating System in memory, so that it can access them directly, and also the interrupt vectors of INT 21 and INT 13. It also checks whether an executed file is infected or not, and whether it is COM or EXE. Executable files that are opened and/or executed will be infected immediately by this virus.

This virus was named as such because of the text string found in the virus code : "NOMENKLATURA"

 


Npox.963.A

Alias: EVIL GENIUS 2.0

Origin :

Eff Length : 963 bytes

Type Code :

Symptoms :

Increase of 963 bytes in sizes of EXE and COM files and decrease of 1024 in the available memory. When in a write-protected floppy, it usually displays a "Write Protect Error" message when you try to read from it.

General Comments:

On first infection, the N-Pox virus will first allocate 1024 bytes in the High Memory Area and then transfer its code to the HMA. After that, it will hook INT 21 and INT 9 and then return control to the original program.

This text string can be found in the virus code:

"Evil Genius V2.0 - RS/NuKE"
"C:\COMMAND.COM"

It will infect COM and EXE files that are loaded, executed or opened by other files. During infection, the file's time and date will not be modified except for the seconds count which will be set to :58. This is also the virus' signature if a file is already infected. But before infecting files, it checks whether the file is executed by another program (i.e., debuggers, anti-virus). If it is being executed by another file then it will check if the file loader has the following criteria:

1.) ****prot.*** (i.e. f-prot, nprot, lprot)
2.) ****scan.*** (i.e. pcscan, scan, viruscan)
3.) ****lean.*** (i.e. clean)

If the above characteristics are not satisfied then it will infect the executed program.

Once resident, the N-Pox virus will hide the increase in the size of infected programs when the user tries to view it (i.e., DIR). It will also modify loaded infected files in memory so as to hide them from anti-virus software.

The damage that N-Pox does is that if the system date is the 24th of any month and if a key is pressed, it will format the first 32 tracks of the hard disk, starting from track 0. This will damage the Boot Record, File Allocation Tables (FAT) and the system files on the hard disk.
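
The seconds-field marker described in this entry can be checked directly in FAT directory data. This is an added example, not part of the original entry: it parses standard 32-byte FAT short directory entries and flags COM/EXE files whose stored time has seconds equal to 58. The directory bytes and file names are constructed, and since FAT stores seconds in 2-second steps, roughly one clean file in thirty will match by chance.

```python
import struct

# 32-byte FAT12/16 short directory entry:
# name(8) ext(3) attr(1) reserved(10) time(2) date(2) first_cluster(2) size(4)
ENTRY = struct.Struct("<8s3sB10sHHHI")
MARKER_SECONDS = 58            # seconds value the entry says infected files carry
TARGET_EXTS = {b"COM", b"EXE"}


def decode_time(raw_time):
    """Split a FAT time word into (hour, minute, second); seconds are stored /2."""
    return (raw_time >> 11) & 0x1F, (raw_time >> 5) & 0x3F, (raw_time & 0x1F) * 2


def flag_marker_entries(directory):
    """Return (name, 'HH:MM:SS', size) for COM/EXE entries stamped with :58."""
    hits = []
    for off in range(0, len(directory) - ENTRY.size + 1, ENTRY.size):
        name, ext, attr, _, raw_time, _, _, size = ENTRY.unpack_from(directory, off)
        if name[0] == 0x00:                 # end-of-directory marker
            break
        if name[0] == 0xE5:                 # deleted entry
            continue
        if attr == 0x0F or attr & 0x18:     # long-name slot, volume label, subdir
            continue
        if ext not in TARGET_EXTS:
            continue
        hour, minute, second = decode_time(raw_time)
        if second == MARKER_SECONDS:
            full = name.rstrip(b" ").decode("latin-1") + "." + ext.decode("latin-1")
            hits.append((full, f"{hour:02d}:{minute:02d}:{second:02d}", size))
    return hits


def make_entry(name, ext, hour, minute, second, size, attr=0x20):
    """Build one constructed directory entry for the sample below."""
    raw_time = (hour << 11) | (minute << 5) | (second // 2)
    raw_date = ((1994 - 1980) << 9) | (3 << 5) | 24      # arbitrary sample date
    return ENTRY.pack(name.ljust(8), ext.ljust(3), attr, b"\x00" * 10,
                      raw_time, raw_date, 2, size)


# Constructed sample directory (not taken from a real disk).
SAMPLE_DIRECTORY = b"".join([
    make_entry(b"GAME", b"EXE", 12, 30, 58, 20963),     # marker present
    make_entry(b"EDIT", b"COM", 9, 15, 10, 4120),       # ordinary timestamp
    make_entry(b"README", b"TXT", 10, 0, 58, 812),      # :58 but not executable
    make_entry(b"\xe5LD", b"EXE", 8, 0, 58, 5000),      # deleted entry
    bytes(32),                                          # end of directory
    make_entry(b"STALE", b"COM", 1, 1, 58, 100),        # past the end marker
])

if __name__ == "__main__":
    for hit in flag_marker_entries(SAMPLE_DIRECTORY):
        print(hit)
```

Because the entry also says the resident virus hides the size increase from directory listings, a check like this is only meaningful on data read while the virus is not active, for example from a disk image or after a clean boot.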

 


Natas-1

Alias: NEVER-1

Origin :

Eff Length : 1788 bytes

Type Code : File Virus; Encryption Virus; .COM files only

Symptoms :

It will increase com files by 4744 bytes, decrease in available memory by 6144 bytes. Program execution slows down.

General Comments:

The virus first decrypts 2300 bytes of its code and then allocates 6144 bytes into the high Memory Area. It will then copy a part of its code to the area where INT 1 Vector is pointing to thus replacing it. Then it will move 5111 bytes to the High Memory Area. It will then hook INT 10, 13, 15 and 21.

Further analysis of the virus was not possible because it has replaced the code for INT 1 which is the Single Step Interrupt which is used by debuggers like DEBUG and S-ICE. NATA4744 will format a track of the Hard Disk every time INT 1 is used, and it will continue to do so until all local fixed drives are formatted.

This message is found in the virus code:

"Time has come to pay (c) 1994 NEVER-1"

 


Necros

Origin : Tralee, Co. Kerry, Ireland

Eff Length : 1164 bytes

Type Code : File Virus; Encryption Virus; .COM files

Symptoms :

It will increase com files by 1164 bytes, decrease in available memory by 2624 bytes. Execution of running programs slows down. A write protect error occurs when a program is opened and the disk is write protected.

General Comments:

This virus will first decrypt its code with a size of 1142 bytes and then will hook INT 3, INT 21 and INT 1C. Then it will allocate 2624 bytes in memory. This virus will be MCB resident after executing the carrier program because it will execute a TSR command.

It will immediately infect .COM files that are executed. When .EXE files are run, Necros will create a hidden .COM file of the same name and will also increase the file size to 1164 bytes.

The Necros virus will check if the system date is November 21. If this condition is satisfied then it will start to produce a countdown like sound 2 minutes after the virus has been loaded. This will go on for 15 seconds before this message is displayed on the screen:

"Virus V2.0 (c) 1991 Necros the Hacker."
"Written on 29,30 June in Tralee, Co. Kerry, Ireland"
"Happy Birthday, Necros!"

 


N-Xeram

Other Name: XERAM

Virus Type: File Type Virus

Virus Length: Approximately 1667-1678 bytes

Virus Re-infect: Does not re-infect, infected file size is consistent. If the file is already corrupted it skips, and looks for another EXE file.

Virus Memory Type: Non Resident, Direct Infector

INT Vectors hooked: Int 21

Trigger Condition:

Checks for system date. If the day is the 13th of any month, it will name itself N-XERAM. Otherwise, it will name itself plainly as XERAM.

Infection Procedure:

Directly infects *.EXE files if source virus file is executed. Copies virus code to host program, adding approximately 648 bytes. Loads first the virus before running the host program.

Special note: The virus initially searches for *.COM files. It picks COMMAND.COM first, and infects it. After infecting COMMAND.COM, the virus searches for *.EXE files. It does not search for *.COM files again. It only searches for *.EXE.

The virus's first task is to get the system date to compare the day (to establish what name it wants to use), then it sets the DTA. The virus then searches for *.EXE files within the directory using Int 21 (4E). When the search is successful, the virus gets the file's attribute using Int 21 (43). It changes the attribute so that it can write to the file (especially for COMMAND.COM). It takes note of the file time and date using Int 21 (51) so that when it has finished altering the code, it can save the file with the original time and date. This deceives the user into thinking the file has never been changed.

After the alteration, the virus then protects itself from the following anti-virus programs by deleting these files using Int 21 (41):

1. /NCDTREE/NAV_._NO
2. /CHKLIST.MS
3. /SCANVAL.VAL

These files are virus information or data files used by the respective anti-virus programs. We can classify this virus as an anti-anti-virus virus.

*Every time an infected file is executed, one EXE file is infected within the same directory.

Damage:

Increase in file size. Adds approximately 1667-1678 bytes. Corrupts COMMAND.COM, making it unusable. Adds 1674 bytes. Infected EXE files run normally.

Symptom:

Delay in program execution due to virus activity.

 


Neuroquila

Alias:

Place of Origin :

Eff Length : 4622 bytes

Type Code : File Virus, Encryption Virus

General Comments:

The NEUROQUI virus will decrypt a part of its code at the beginning of its execution and will decrypt 4622 bytes. Then it will copy this to the OS area 0000:7C00. Then it will hook INT 1.