Virus Database

Win95.Regix.4096.a

Description Win95.Regix.4096.a

It is not a dangerous nonmemory resident parasitic Windows virus. It replicates under Win9x and infects PE EXE files. Because of bugs in its infection routine the virus does not work under WinNT.
This virus version is "debug" one, and while infecting and installing it displays debug MessageBox-es:
Infecting: file name to be infected;
Infecting: name of file section to write the virus code to;
Installing: "Write File Sucess GoodBye" message after successful
installing the virus dropper to the system.

When an infected file is run, the virus extracts its own pure code, copies it to Windows directory with the REGIKX.EXE name and registers this copy (virus dropper) in system registry:
HKCRexefileshell estcommand = "ReGIkX.exe" %1 %*

As a result the virus dropper gets control when any EXE file is accessed with the "test" command and receives file name as argument. The virus opens this file, checks its internal structure and infects. While infecting a file the virus increases the size of last file section, writes itself to there and modifies necessary PE header fields.
The "test" command that is affected by the virus in the system registry is not used by common software, and seems to be also "debugging" one.
If the virus dropper is executed with no EXE file name in command line, it displays the MessageBox:
Stoddart, And It Never Comes Again
There are gains for all our losses,
There are balms for all our pain,
But when youth, the dream, departs
It takes something from our hearts,
and it never comes again
Murkry/IkX
Making life fun through 'tronic life
RegIkx.ExE

Check other viruses! Be aware! Use Antiviral Software

N_Xeram.1664

Description N_Xeram.1664

It is a dangerous nonmemory resident encrypted parasitic virus. It searches for COM and EXE files and writes itself to the end of the file. The virus deletes the NAV_._NO, CHKLIST.MS, SCANVAL.VAL files. Depending on the system date and time the virus erases the disk sectors, or manifests itself with some video effect. The virus contains the text strings:
N-XERAM
NAV_._NO CHKLIST.MS SCANVAL.VAL

Nado family

Description Nado family
It is a very dangerous encrypted virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus has a bug, and may corrupt the files while infecting them. On GetDiskSpace DOS call (AH=36h) the virus creates the APRIL1ST.BAT file and writes the string to there:
@echo April Fool - 1996 - if u run this batch file your HDD will burn!

On SelectDisk DOS call (AH=0Eh) if the disk to set is A:, the virus checks the system time, and if the value of minutes is greater than 54, the virus displays the message:
April 1stall....i will now kill your HardDisk

and tries to create 100 subdirectories with the names like C:9<IJKHLN, but fails.
The virus also contains the text string:
[ APRIL-1 (c) made by TorNado/[DC] in Denmark '96 ]

Nado.CyberBug,Fatill
These are very dangerous encrypted viruses, "Nado.Fatill" is a polymorphic variant. They infect COM files that are executed. On GetDiskSize calls (INT 21h, AH=36h, "Nado.Fatill"), or while installing ("Nado.CyberBug") these viruses create files in the current directory:
"Nado.CyberBug": CYBERBUG.BAT
"Nado.Fatill": FATILL10.BAT

and writes the string into that file by:
echo > clock$

The viruses contain the text strings:
"Nado.CyberBug":
echo > clock
[ CyberBug v. 1.00 ][ made by TorNado DK ]
Cyberbug.bat

"Nado.Fatill":
[ Fatal-Illusion (c) made by TorNado in Denmark '95 ]
[NaE]
echo > clock$
fatill10.bat

On GetDiskSize calls "Nado.CyberBug" depending on the system timer, erases disk sectors.
When some anti-virus scanners (SCAN, F-PROT, VSHIELD, TBAV, and so on) are executed, "Nado.Fatill" deletes them.
Nado.Lover
These are encrypted viruses. They hook INT 21h and infect COM files that are executed. "Lover.531" is a harmless virus, it does not manifest itself in any way.
"Lover.602" is a very dangerous virus. It hooks INT 9 (keyboard), and when the DEL key is pressed, the virus overwrites the boot sector of the current disk with the string:
[Undying Lover v1.01][by WarBlaDE/DC '96]

and reboots the computer.
Nado.Rabin
It is a very dangerous encrypted virus. It infects COM files that are executed, or while writing new file attributes. The virus deletes the ANTI-VIR.DAT file if it exists.
Depending on the system time the virus hooks either INT 9 or INT 26h. The virus checks the system date in INT 26h handler, and on 3rd of any month erases the MBR of the hard drive by direct INT 13h call. The code of virus INT 9 handler overwrites the boot sector of default drive with the string:
[ Yitzhak-Rabin 1.00 (c) made by TorNado in Denmark '96 ]

when DEL key is pressed.
Nado.RedViper
These are dangerous viruses. They infect EXE files that are executed, or while writing new file attributes. The viruses do not manifest themselves, but may corrupt the files while infecting them. The viruses contain the text strings:
"RedViper.584": [ RedViper (c) made by TorNado in Denmark '95 ]
"RedViper.602": [ RedViper 1.5 (c) made by TorNado/[DC] in Denmark '95 ]

Nado.RedZar
It is a harmless encrypted virus, it infects COM and EXE files that are executed. It contains the text:
[ Red-Zar v. 2.00 (c) made by TorNado/DC in Denmark 1996 ]

Home