Virus Database

CGA.1024

Description CGA.1024

It is a dangerous memory resident encrypted parasitic virus. It copies itself to CGA video memory at the address BF90:0000, hooks INT 21h and writes itself to the end of EXE-files that are executed or opened. The virus does not manifest itself in any way, but can halt the system while switching to different video modes.

Check other viruses! Be aware! Use Antiviral Software

NoSmoking.1000

Description NoSmoking.1000

These are not dangerous nonmemory resident encrypted parasitic viruses. They search for .COM files and write themselves to the end of the file. They contain the string:
Kamchatka

Nosmoking.1000
Depending on its internal counter it disinfects the host file and displays one of the messages:
Water detect in Co-processor !
I am hungry ! Insert hamburger into drive A:
No smoking, please ! Thanks.
Don't beat me!
Attention ! Hard Disk is Radioactive !
I'm so much dirty! Clean me !
Kiss my keyboard !
Keep smiling !
Warning ! In drive A: are two diskettes.
I don't understand you.
Insert tractor toilet paper into printer.
Hard Disk's head has been destroyed. Can you borrow me your one ?
Coca-Cola is it !

Nosmoking.1575
It leaves memory resident program that hooks INT 21h but does not infect the files. If there were no errors during infection, that virus calls trigger routine. As the first, the virus gets server name to which infected computer is connected. The virus performs it by using GET FILE SERVER INFORMATION function (INT 21h, AH=E3, this is one of Novell Netware functions, as well as all function listed below). If there are several servers in net, that function returns the name of server which was used as the first one on login procedure.
Then the virus gets number of users are connected to that server (by using the same GET FILE SERVER INFORMATION function), gets its own computer number (GET CONNECTION NUMBER, INT 21h, AH=DCh), selects two of connected computers (by using its own random generator) and gets names and net addresses of these computers by GET CONNECTION INFORMATION function.
After selecting two computers that are connected to netware, the virus generates the phrase like:
NAME: Text

where "NAME" is netware name of first selected computer, "Text" is one of the strings:
Friday I'm in LOVE !
No smoking, please !
Thanks.

and sends it to another computer. It looks like one of the netware users jokes with another one. On next executions of that virus it sends the message again and again.
This virus also contains the text:
Kamchatka/FRIDAY

Nostardamus family

Description Nostardamus family

These are very dangerous memory resident polymorphic parasitic viruses. They hook 21h and writes itself to the end of COM and EXE files that are accessed.
Depending on the system timer and their internal counters these viruses also hook INT 10h, or INT 16h, or INT 1Ch (depending on the virus version), and manifest themselves by several effects: they corrupt the files, erase the disk sectors, change the keystrokes that are entered, display the message:
HOME RUN !!!

The viruses also display:
"Nostardamus.2247":
The NOSTARDAMUS-Erase (c) v2.1 beta
Formating disk C:
40Mb

"Nostardamus.2500,2560":
The NOSTARDAMUS-Erase (CopyLeft) Version 2.9 beta by Populizer
Formatting disk X: 40Mb

"Nostardamus.5995":
The NOSTARDAMUS.Maverick (CopyLeft) Version 3.2 ultra by Populizer
Formatting disk X: 40M

"Nostardamus.5995" also displays about 100 stupid messages in Russian and English:
Invalid user. Unknown error !
Good user - Dead user !!!
Insert new user and press ESC
I'm big RUSSIAN monstr !!
System error, invalid TC.EXE.
See you later all
Formatting disk C: y/y ?
Press CTRL-ALT-DEL ...
Crazy & Co. ltd.
Insert new baks into drive A:
(C) Porno C++ 3.1
(C) Trubo Pascacal 7.0
Virus detected, system halted

"Nostardamus.3072,3584" use INT 22h hook to wait the host program termination, hook INT 21h and install themselves memory resident. They are stealth viruses, while accessing to an infected file they disinfect it. They check the file name and do not infect several anti-virus programs. "Nostardamus.3072" is a harmless virus. It does not manifest itself.
"Nostardamus.3584" is a very dangerous virus, in some cases it searches for C:*.* files and deletes them. This virus checks the file name by using the strings:
COMEXEOVLOVR
PROSCAEXTWEB
ARJRARLHAZIP
COMWINCHK

and does not infect these files or disables its stealth routines.
These viruses also contain the strings:
"Nostardamus.3072.a": EMME v3.0. KILLER.
"Nostardamus.3072.b": Eternal Maverick Mutation Engine v3.0
Double Dragon !
"Nostardamus.3584": -=Unlimited Grief=-
Kiev'96
EMME 3
Killer
"Nostardamus.RunAway.2560":
Run away train never come back !
(c) Eternal Maverick. Stealth Group.

Home