Virus Database

Win32.Andras

Description Win32.Andras

This is a direct action (non-memory resident) parasitic polymorphic Win32 virus. It searches for PE EXE files with .EXE and .SCR extensions in a current directory, then in Windows, Windows system directories, then in all subdirectories on all available local drives, and infects them. While infecting, the virus writes itself to the end of the file. The file searching and infection goes on in the background, so an infected application run doesn't slow down too much.
The virus checks file names and does not infect the following files:
AP*, PA*, F-*, AV*, SC*, VS*, IV*, DR*.
The virus corrupts the following anti-virus data files:
ANTI-VIR.DAT CHKLIST.MS CHKLIST.DAT CHKLIST.TAV CHKLIST.CPS AVP.CRC IVB.NTZ SMARTCHK.MS SMARTCHK.CPS
Starting from 2001 on the second of each month, the virus randomly increases the size of randomly selected files. File size is increased up to 1Mb.
The virus contains the "copyright" string:
*ANDRAS* by Pointer=&Hell

Check other viruses! Be aware! Use Antiviral Software

N_Xeram.1664

Description N_Xeram.1664

It is a dangerous nonmemory resident encrypted parasitic virus. It searches for COM and EXE files and writes itself to the end of the file. The virus deletes the NAV_._NO, CHKLIST.MS, SCANVAL.VAL files. Depending on the system date and time the virus erases the disk sectors, or manifests itself with some video effect. The virus contains the text strings:
N-XERAM
NAV_._NO CHKLIST.MS SCANVAL.VAL

Nado family

Description Nado family
It is a very dangerous encrypted virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus has a bug, and may corrupt the files while infecting them. On GetDiskSpace DOS call (AH=36h) the virus creates the APRIL1ST.BAT file and writes the string to there:
@echo April Fool - 1996 - if u run this batch file your HDD will burn!

On SelectDisk DOS call (AH=0Eh) if the disk to set is A:, the virus checks the system time, and if the value of minutes is greater than 54, the virus displays the message:
April 1stall....i will now kill your HardDisk

and tries to create 100 subdirectories with the names like C:9<IJKHLN, but fails.
The virus also contains the text string:
[ APRIL-1 (c) made by TorNado/[DC] in Denmark '96 ]

Nado.CyberBug,Fatill
These are very dangerous encrypted viruses, "Nado.Fatill" is a polymorphic variant. They infect COM files that are executed. On GetDiskSize calls (INT 21h, AH=36h, "Nado.Fatill"), or while installing ("Nado.CyberBug") these viruses create files in the current directory:
"Nado.CyberBug": CYBERBUG.BAT
"Nado.Fatill": FATILL10.BAT

and writes the string into that file by:
echo > clock$

The viruses contain the text strings:
"Nado.CyberBug":
echo > clock
[ CyberBug v. 1.00 ][ made by TorNado DK ]
Cyberbug.bat

"Nado.Fatill":
[ Fatal-Illusion (c) made by TorNado in Denmark '95 ]
[NaE]
echo > clock$
fatill10.bat

On GetDiskSize calls "Nado.CyberBug" depending on the system timer, erases disk sectors.
When some anti-virus scanners (SCAN, F-PROT, VSHIELD, TBAV, and so on) are executed, "Nado.Fatill" deletes them.
Nado.Lover
These are encrypted viruses. They hook INT 21h and infect COM files that are executed. "Lover.531" is a harmless virus, it does not manifest itself in any way.
"Lover.602" is a very dangerous virus. It hooks INT 9 (keyboard), and when the DEL key is pressed, the virus overwrites the boot sector of the current disk with the string:
[Undying Lover v1.01][by WarBlaDE/DC '96]

and reboots the computer.
Nado.Rabin
It is a very dangerous encrypted virus. It infects COM files that are executed, or while writing new file attributes. The virus deletes the ANTI-VIR.DAT file if it exists.
Depending on the system time the virus hooks either INT 9 or INT 26h. The virus checks the system date in INT 26h handler, and on 3rd of any month erases the MBR of the hard drive by direct INT 13h call. The code of virus INT 9 handler overwrites the boot sector of default drive with the string:
[ Yitzhak-Rabin 1.00 (c) made by TorNado in Denmark '96 ]

when DEL key is pressed.
Nado.RedViper
These are dangerous viruses. They infect EXE files that are executed, or while writing new file attributes. The viruses do not manifest themselves, but may corrupt the files while infecting them. The viruses contain the text strings:
"RedViper.584": [ RedViper (c) made by TorNado in Denmark '95 ]
"RedViper.602": [ RedViper 1.5 (c) made by TorNado/[DC] in Denmark '95 ]

Nado.RedZar
It is a harmless encrypted virus, it infects COM and EXE files that are executed. It contains the text:
[ Red-Zar v. 2.00 (c) made by TorNado/DC in Denmark 1996 ]

Home