Virus Database


DSU.1422

Description DSU.1422

This is a benign memory resident stealth encrypted parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are executed or closed. When an infected file is opened, the virus disinfects it (its stealth routine).
This virus contains the internal text strings:
= DSU RFF =
= Dark Angel =


Nutcracker.AB0.a

Description Nutcracker.AB0.a

This family contains different types of viruses written by the same author living in Brest, Belorussia. There are several sub-families - "Nutcracker.AB", "Nutcracker.Boot", "Nutcracker.Punisher" and "Nutcracker.SnowFall".
Nutcracker.AB#
This is a family of quite complex parasitic and multipartite viruses. These viruses use several ways of infection and hiding in the system memory. All these viruses are memory resident. They are dangerous (except "Nutcracker.AB1"), and use several ways to corrupt data.
Infecting to the file middle
Some of these viruses ("Nutcracker.AB1", "Antarex", "AB2") use quite an unusual way of infecting executable files. The viruses read a part of the file from the file middle, encrypt it, and save the encrypted data to the file end. Several "Nutcracker.AB2" viruses compress this data before encrypting it. Then the viruses encrypt themselves using a polymorphic routine, save the encrypted code to the file middle, and write the decryption loops to the end of the file. There may be several (from 1 to 23) decryption loops that decrypt the code loop-by-loop. "Nutcracker.AB1" uses only one loop to decrypt itself.
 The file before              The infected
   infection                      file
  +----------+               +----------+
  |          |               |jmp       |------------+
  |          |               |          |            |
  |----------|               |----------|            |
  |          |----+          |virus     |  encrypted virus body
  |----------|    |          |----------|            |
  |          |    |          |          |            |
  |          |    |          |          |            |
  +----------+    |          |----------|            |
                  +--------->|host code |  saved (encrypted) code of the host program
                             |----------|<-+         |
                             |last loop |  |         | polymorphic decryption loops,
                             |----------|  |         | executed 1st, 2nd, ..., last;
                             |   ...    |  |         | the last one decrypts the virus body
                             |----------|  |         |
                             |2nd loop  |--+         |
                             |----------|            |
                             |1st loop  |<-----------+
                             +----------+

Trojanized and Infecting SYS Files
"Nutcracker.AB1.Antarex.2620" and "Nutcracker.AB2.2890", while infecting SYS files, write Trojan code to the end of the file. That code does not spread the virus, but checks the system date, erases CMOS and reboots the computer:
"Antarex.2620": on the 12th of any month,
"AB2.2890": depending on the system timer, and only if the memory is not infected.

Other "Nutcracker.AB2" variants also infect SYS files: they write the complete, unencrypted virus code, which is able to spread the virus, to the end of the SYS file. Major versions of "Nutcracker.AB2" infect and encrypt SYS files as well as COM and EXE files.
Corrupting EXE files and Encrypting Directories
"Nutcracker.AB1.Antarex.2620" and "Nutcracker.AB2" corrupt EXE files that are 64K or more in length. These viruses hook INT 13h and check the sectors for the EXE stamp ('MZ') while reading and writing. The virus then calculates the EXE file size, and if it is 64K or more, the virus encrypts that sector, replaces the 'MZ' stamp with 'AB', and saves the sector to disk.
As a result, the first sectors of large EXE files are encrypted, and these files halt the system when executed under a clean system. Under an infected system, the viruses decrypt the corrupted sectors "on the fly" while reading, and DOS executes the corrupted files without any problems.
Major "Nutcracker.AB2" viruses encrypt sectors that contain directory entries in the same way as the minor versions encrypt EXE files.
When AVP disinfects the system memory, it patches the resident virus code so that the virus starts to decrypt the encrypted sectors. So, to recover all corrupted sectors, scan all files in all directories while that patched TSR copy of the virus is still in memory.
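Because the corruption leaves a fixed fingerprint (the 'MZ' stamp of a large EXE replaced by 'AB' in the first sector), the damage can be inventoried offline. The following checker is an added example written for this page; it is not AVP code and not part of the database entry. It reads the first 512-byte sector of each .EXE, decodes the size declared by an intact header (the e_cblp/e_cp fields the virus would compute from), and classifies the file. The constants, function names and sample sectors are the example's own; the stamps and the 64K threshold are the ones given above.

```python
import os
import struct
from typing import Dict, Optional

# Stamps and threshold as described on the page; the names are this example's.
MZ_STAMP = b"MZ"          # normal DOS EXE signature
CORRUPT_STAMP = b"AB"     # stamp left behind on a sector the virus encrypted
LARGE_EXE = 64 * 1024     # the virus only targets files of this size or larger
SECTOR = 512


def exe_header_size(header: bytes) -> Optional[int]:
    """Size of the load module declared by an intact DOS EXE header.

    e_cblp (offset 2) is the byte count used in the last 512-byte page and
    e_cp (offset 4) the number of pages; both are little-endian words.
    Returns None when the header is not a readable 'MZ' header.
    """
    if len(header) < 6 or header[:2] != MZ_STAMP:
        return None
    e_cblp, e_cp = struct.unpack_from("<HH", header, 2)
    if e_cp == 0:
        return None
    return e_cp * SECTOR if e_cblp == 0 else (e_cp - 1) * SECTOR + e_cblp


def classify_first_sector(sector: bytes, file_size: int) -> str:
    """Classify an .EXE from its first sector and its real on-disk size.

    The on-disk size is used rather than the header size because on a
    corrupted file the header fields are encrypted and unreadable.
    """
    stamp = sector[:2]
    if stamp == MZ_STAMP:
        return "clean"
    if stamp == CORRUPT_STAMP and file_size >= LARGE_EXE:
        # Exactly the pattern described above: large EXE, 'MZ' -> 'AB'.
        return "corrupted-header"
    if stamp == CORRUPT_STAMP:
        # 'AB' on a small file is not this virus's pattern; flag it for a look.
        return "suspicious-stamp"
    return "not-exe"


def scan_tree(root: str) -> Dict[str, str]:
    """Walk a directory tree and return {path: verdict} for every *.EXE.

    Run this after booting from a clean disk: under an infected system the
    INT 13h stealth handler decrypts the sector on read and every file
    looks clean.
    """
    verdicts: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                sector = fh.read(SECTOR)
            verdicts[path] = classify_first_sector(sector, os.path.getsize(path))
    return verdicts


# Constructed sample sectors for demonstration (not taken from real files).
CLEAN_HEADER = MZ_STAMP + struct.pack("<HH", 0x100, 0x90) + bytes(SECTOR - 6)
CORRUPT_HEADER = CORRUPT_STAMP + bytes((i * 37) & 0xFF for i in range(SECTOR - 2))

if __name__ == "__main__":
    print(exe_header_size(CLEAN_HEADER))                 # 73472
    print(classify_first_sector(CLEAN_HEADER, 70000))    # clean
    print(classify_first_sector(CORRUPT_HEADER, 70000))  # corrupted-header
    print(classify_first_sector(CORRUPT_HEADER, 1000))   # suspicious-stamp
```

The checker only reports; it cannot repair a sector, since the encryption key lives in the resident virus, which is why the recovery procedure above relies on the patched TSR copy decrypting the sectors as they are read.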
Text Strings
The viruses contain the text strings:
"Nutcracker.AB1": Dedicated to N.L.A. - my little baby.
(c) by Kind Nutcracker(AB1)
"Nutcracker.AB1.Antarex.a": ANTAREX C:*.* Run me, pleace!
(c) by Nutcracker(AB1)
"Nutcracker.AB1.Antarex.b": ANTAREX C:*.*
(c) by Kind Nutcracker(AB1)
"Nutcracker.AB2.2890": Nutcracker(AB2)
"Nutcracker.AB2.3472": Universal Pathologic Device by Nutcracker(AB2)
"Nutcracker.AB2.4540": Universal Pathologic Device by Nutcracker(AB2)
the Sun is gone but I have a light...
"Nutcracker.AB2.5375,5440":
This Universal Pathologic Device dedicated to ï í"ó ì.
I hate the envy, the meanness, the riches, the trea, the bluntness,
the ignorance, the lie, the servility, the mistrust and the hatred.
Nutcracker(AB2)
"Nutcracker.AB2", major versions: Nutcracker(AB2): Welcome to the Hell
"Nutcracker.AB2.6996": Nutcracker(AB2): lives forewer!
"Nutcracker.AB3": Nutcracker(AB3)
"Nutcracker.AB4": Sombre Nutcracker(AB4)
"Nutcracker.AB5": Gloomy Nutcracker(AB5)
from the city of Brest(BY) with best wishes!
Only the Hope dies last!..
"Nutcracker.AB6.a": Dreary Nutcracker(AB6) Lives
C:*.*
ï í"ó ì.
"Nutcracker.AB6.b": Dreary Nutcracker(AB6) Lives Again
C:*.*
ï í"ó ì.
"Nutcracker.AB6.c": Dreary Nutcracker(AB6)
C:*.*
ï í"ó ì.
"Nutcracker.AB6.d": Dreary Nutcracker(AB6) lives forewer !
C:*.*
ï í"ó ì.
"Nutcracker.AB7": I'm Nutcracker(AB7)!

Nutcracker.AB0
These are very dangerous memory resident stealth boot viruses. They hook INT 8, 15h, and 40h, and write themselves to the MBR of the hard drive and to the boot sectors of floppy disks. The MBR is infected while booting from an infected floppy disk: the viruses redirect the active boot sector pointer to a new address on the disk and write their code there. Floppy disks are infected while they are accessed. While infecting a disk, the viruses write the original boot/MBR sector and the rest of the virus code to extra sectors on the hard drive (LandZone?), or format an extra track on the floppy disk. While infecting the MBR, the viruses use direct I/O calls to the hard drive's ports.
While booting from an infected disk, these viruses hook INT 8, 15h, and 40h, wait for the DOS loading process, temporarily hook INT 21h, wait for the execution of any program, and move the virus code to a UMB (if one exists) or to a conventional memory block. To hook INT 15h, the viruses patch the DOS kernel, write an INT 7Eh call there, and hook INT 7Eh (i.e., INT 15h). By hooking INT 15h, the viruses intercept the internal system BIOS calls made while accessing the keyboard (to detect Alt-Ctrl-Del) and the floppy and hard drives (to run the stealth routine).
These viruses manifest themselves in several ways. When Alt-Ctrl-Del is pressed, the viruses, depending on their internal flags and the system timer, erase hard drive sectors. Depending on the system timer, they launch a ball bouncing across the screen (see the Ping_Pong virus). If an error occurs while booting from an infected disk, the virus decrypts and displays a message that looks like the standard DOS error message:
Non-system disk or disk error.
Replace, and press strike any key when ready.

On April 7, the viruses decrypt and display:
*S*U*P*E*R*U*N*K*N*O*W*N* was done by Lord Nutcracker(AB0).

Nutcracker.AB1
This is a polymorphic parasitic virus that traces and hooks INT 21h, and infects COM and EXE files that are executed, opened, or renamed. The virus also intercepts Get/Set File Attributes DOS call, and infects the file that is accessed.
While infecting the file, the virus checks the file name extension, and infects only .COM and .EXE files. The virus converts EXE files to COM format while infecting them.
While installing, the virus also checks the video card, and if video refresh is supported, the virus hooks INT 8 (timer) and runs itself with a video effect: the virus enables/disables the video refresh on each INT 8 call.
Nutcracker.AB1.Antarex
These are polymorphic parasitic viruses. They trace INT 21h and 2Fh, and hook INT 8 and 21h, and infect COM and EXE files that are accessed. If an error occurs during installation, the viruses erase CMOS and reboot the computer. Before returning to the host program, the viruses search for the files of the current C: drive directory, access the file attribute, and force infection in this way.
While infecting the file, the viruses check the file name extension, and infect only .COM and .EXE files; "Antarex.2620" also infects .BIN and .SYS files. The viruses convert EXE files to COM format while infecting them.
By hooking INT 8, the viruses run themselves with a sound effect, and depending on the system timer, the viruses play a tune from a popular Russian cartoon.
"Antarex.2620" also corrupts EXE files, and drops the Trojan program to the end of SYS files (see above).
Nutcracker.AB2
There are about 30 known viruses in this sub-family. The actual lengths of these viruses are: 2890, 2990, 3021, 3472, 4540, 5375, 5413, 5440, 5589, 6082, 6100, 6425, 6500, 6727, 6996, 7008, 7033, and 7034 bytes. They are very dangerous multipartite viruses. They infect COM and EXE files, the MBR of the hard drive and boot sectors of the floppy disks.
While executing an infected file or loading from an infected floppy, the virus infects the MBR of the hard drive, then the virus returns to the host file (in case of infected file), or performs the installation routine (as well as while loading from an infected MBR).
While installing, the virus reads its body to the address 7C00:0000, hooks INT 1Ch and returns control to the host boot sector or MBR. The INT 1Ch handler intercepts DOS installation and hooks INT 13h and 21h in addition to INT 1Ch. While the first file is executed, the virus "appends" its code to the end of the last memory block occupied by programs, or moves its copy to a UMB. As a result, the virus code does not occupy an individual block of system memory, but uses a "parasitic" way to infect conventional memory, or is hidden in a UMB.
By hooking INT 21h, the virus intercepts the file accessing calls, and infects COM and EXE and/or SYS files to the file middle or to the end, and writes the Trojan to the end of SYS files (see above).
An INT 13h hook is used by the virus to infect boot sectors of floppy disks, implement stealth routines, and corrupt EXE files and directory entries, depending on the virus version.
INT 1Ch is used to play the same tune as "Nutcracker.AB1.Antarex" viruses do.
The minor virus versions use several anti-debugger tricks, and halt under a debugger or on a Pentium PC.
The major virus versions starting from "Nutcracker.AB2.5375" also hook INT 28h, and, depending on their counters, search for the files in the current directory and infect them.
"Nutcracker.AB2.5413, 5440, 5589, 6082, and 6100" infect the active boot sector of the C: drive as well as the MBR. As a result, there are two infected sectors of the same hard drive - the MBR and the active boot sector (disk C: boot sector, as a rule).
Starting from "Nutcracker.AB2.5375", they do not encrypt EXE headers.
Starting from "Nutcracker.AB2.6082", they are polymorphic in boot sectors and in the MBR as well as in files.
"Nutcracker.AB2.6082, 6100, and 6500" compress the block of the host file before encrypting it. As a result, on infection the file length may grow by less than the virus length.
Starting from "Nutcracker.AB2.6425", they encrypt (corrupt) the directory entries, encrypt SYS files as well as COM and EXE, trace INT 13h to obtain its original address, check file names so as not to infect anti-virus programs and several utilities, and delete anti-virus databases. The list of file names is as follows:
SCAN CLEAN VSAFE NAV AVP AIDS GUARD NOD F-PROT DESINF VIRSTOP VSHIELD
FINDVIRU VIVERIFY TB RKSD COMMAND SETVER CHKLIST ADINF SMARTCHK ANTI-VIR
CHKDSK PKZIP PKLITE WEB DRWEB

Nutcracker.AB3, AB4, and AB5
While executing, these viruses hook INT 21h, and write themselves to the end of COM and EXE files that are executed, opened or renamed. When a file is created, the viruses store the file handle and infect that file when it is closed. On read-from-file, FindFirst/Next and LseekEnd calls, the viruses perform a stealth routine.
"Nutcracker.AB4" disinfects the files under debugger.
"Nutcracker.AB5" traces INT 21h during installation. It also uses anti-debugger tricks, and as a result, does not replicate on Pentium PC.
While opening *.?AS files (.PAS, .BAS), the viruses, with a probability of 1/9 (11% - depending on the system timer) delete these files. These viruses delete some files with specific names (ADINF integrity checker databases?).
"Nutcracker.AB5" also deletes *.MS files.
"Nutcracker.AB3" on January 12th and July 23rd, erases the sectors of the C: drive. During infection, this virus stores the current date, and upon being executed 23 days after infection, the virus hooks INT 10h (video), and slows down the PC (the virus performs delay loop on each INT 10h call).
"Nutcracker.AB4" overwrites the MBR of the hard drive with a Trojan program. On January 12th and July 23rd, this Trojan formats hard drive sectors, and on other days, the Trojan returns control to the original MBR code. That virus also creates the counters in disk boot sectors, and increases that counter when any program is executed. When that counter reaches 40h, the virus resets it, and marks a randomly selected cluster of the current drive as a bad one (pseudo-bad cluster).
"Nutcracker.AB5" also overwrites the MBR with a Trojan program; this program increases an internal counter on each boot from the hard drive, and on the 511th boot the Trojan formats hard drive sectors, erases CMOS, and displays the following message:
Gloomy Nutcracker(AB5) from the city of Brest(BY) with best wishes!

Nutcracker.AB6
These are multipartite stealth viruses. While executing an infected file, they infect the hard drive MBR, hook INT 13h, 17h, and 21h, and search and infect COM and EXE files of the C: drive, and stay memory resident. Then the viruses write themselves to the end of COM and EXE files that are accessed.
While loading from an infected MBR, the viruses hook INT 17h, and 1Ch, and wait for DOS loading, and hook INT 13h and 21h. The viruses do not change the size of available RAM (the word at address 0000:0413), but correct the MCB sequence to allocate the memory for a TSR copy.
INT 13h is used only to hide infected sectors (stealth routine). By hooking INT 17h, the viruses sometimes change characters while printing.
The viruses pay special attention to execution of the CHKDSK utility, and temporarily disable some branches of the stealth routine.
The viruses also delete *.FW* and *.?AS files, and try deleting files with an .MS extension, but fail.
On January 12th, while loading from an infected MBR, the viruses format hard drive sectors, erase CMOS, and display the following messages:
"Nutcracker.AB6.a": Dreary Nutcracker(AB6) Lives
"Nutcracker.AB6.b": Dreary Nutcracker(AB6) Lives Again
"Nutcracker.AB6.c": Dreary Nutcracker(AB6)
"Nutcracker.AB6.d": Dreary Nutcracker(AB6) lives forewer !

Nutcracker.AB7
This is a multipartite stealth virus. It infects EXE files, the hard drive MBR, and boot sectors of floppy disks. While executing an infected file, the virus infects the hard drive MBR and returns to the host program.
The virus stays memory resident while booting from an infected sector (boot or MBR). While booting from a floppy disk, the virus also infects the MBR. To install itself into system memory, the virus copies itself to the address 7C00:0000, hooks INT 1Ch, waits for DOS loading, and hooks INT 21h. On the execution of any program, the virus completes the installation procedure: it allocates a block of system memory (UMB or conventional), copies itself there, and hooks INT 9, 13h, 15h, 21h, 2Fh, and 40h.
INT 9 (keyboard): the virus intercepts Alt-Ctrl-Del and infects the MBR of the hard drive before rebooting. As a result, the virus may re-infect the MBR after the disinfection procedure, at the moment the user presses Alt-Ctrl-Del; to disinfect the virus in memory, it is necessary to disinfect the INT 9 handler as well as INT 13h and INT 21h.
INT 13h : this handler contains only the stealth routine. The virus hides infected hard drive sectors.
INT 15h : the virus intercepts some system calls (to perform the infection routine PCMCIA-compatible?).
INT 21h : the virus intercepts DOS calls Execute, Create, Close, and FindFirst/Next ASCII. Upon file execution, the virus infects MBR, and upon file creation, the virus stores a file handle to infect that file upon closing. FindFirst/Next calls are used by the virus to hide the length of infected files.
The virus infects only EXE files with a file length of 64K or less. The virus converts the EXE files to COM format while infecting them.
INT 2Fh: the virus hooks the GetDiskInterrupt call (AH=13h) and disinfects the hard drive MBR. This trick hides the virus while disk checking and anti-virus integrity checkers run: the virus removes itself from the infected MBR, and then infects it again while executing any program (see INT 21h) or while rebooting (see INT 9).
INT 40h: this handler is used to infect floppy disks and to perform a stealth routine while accessing them.
While loading from an infected disk, the virus checks the system date, and on January 12th, displays the following message:
I'm Nutcracker(AB7)!

Nutcracker.Boot
This is a very dangerous memory resident boot virus. It hooks INT 13h, and writes itself to the boot sector of the C: drive, and boot sectors of the floppy disks. While reading/writing a sector, the virus encrypts "on the fly" sectors containing subdirectory entries. As a result, when the system is booted from a clean disk, the subdirectories are inaccessible. The virus contains the ID-byte ABh.
Nutcracker.Punisher
These are very dangerous memory resident boot and stealth viruses. They infect the hard drive MBR and boot sectors of floppy disks. These viruses are minor variants of the "Nutcracker.AB7" virus: they hook the same set of interrupt vectors and use the same methods and tricks to install themselves memory resident and to infect disks, but without the file infection routine.
On 12th of January, the viruses erase the disk sectors and display the following messages:
"Punisher.a": The Punisher in award for your self-confidence!
"Punisher.b": The Punisher II in award for your self-confidence again!

The viruses also contain the text string:
(c) 1994 by Dismal Nutcracker

Nutcracker.SnowFall
These are benign memory resident parasitic viruses. They hook INT 8 and 21h, and write themselves to the end of COM and EXE files that are accessed. Depending on the internal counter, these viruses run themselves with "snow" falling on the screen, and if at that moment any infected file is executed, the virus decrypts and displays the following message:
Given program was generated in BrPI (c) 1994 The Snowfall.

Nutmeg.4096

Description Nutmeg.4096

It is a harmless memory resident multipartite virus. It infects EXE files and the MBR of the hard drive. The most interesting feature of this virus is that it is mostly written in Pascal (a high level language), except for the virus loader code that is executed on booting from an infected disk. The main virus code is also compressed with the LzExe utility: the resulting virus is just 4Kb in length, but the unpacked EXE virus image is about 10Kb.
When an infected file is executed, the virus drops its code to the hard drive: it saves a loading program to the MBR of the hard drive and the complete virus body to the following disk sectors. The virus then temporarily disinfects and executes the host file, hooks INT 28h and stays memory resident. On each INT 28h call (DOS idle) the virus gets the active program name and infects it. While infecting, the virus shifts the file down by 4096 bytes and writes its code to the top of the file.
On booting from an infected MBR the virus hooks INT 1Ch (timer), waits for the DOS loading process, then hooks INT 21h and releases INT 1Ch. When the first program is executed, the virus creates a randomly named file on the C: disk, writes the complete 4Kb virus code (a compressed EXE file) there, and appends a reference to this file to the end of the C:AUTOEXEC.BAT file. When this dropper is executed from AUTOEXEC.BAT as DOS continues loading, the virus runs as if executed from an infected EXE file (installs memory resident, etc.), but also removes the reference from AUTOEXEC.BAT and deletes its host file.
The virus contains the text strings:
AUTOEXEC.BAT
[NUTMEG2] by Vecna/29A
This virus was written in Brasil, in 1998
QUEREMOS ROMARIO DE VOLTA NA SELECAO, ZAGALLO BURRO
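The internal text strings listed for DSU.1422, the Nutcracker family and Nutmeg.4096 above are the classic raw material for a string-signature check. The scanner below is an added example written for this page, not AVP code and not part of the database entry; the signature table is built only from strings quoted in the descriptions above, and the function names and constructed sample buffers are the example's own. One caveat the descriptions themselves make clear: the Nutcracker bodies are polymorphically encrypted and Nutmeg is LzExe-compressed, so these plaintext strings are generally visible only in a decrypted or unpacked image (for example a memory dump), not in an infected file as it sits on disk, and stealth variants must in any case be examined from a clean boot.

```python
import os
from typing import Dict, List

# Signature strings quoted on this page, keyed by the page's family names.
# Kept as bytes so binary input is never text-decoded.
SIGNATURES: Dict[str, List[bytes]] = {
    "DSU.1422": [b"= DSU RFF =", b"= Dark Angel ="],
    "Nutcracker.AB0": [b"was done by Lord Nutcracker(AB0)"],
    "Nutcracker.AB1": [b"Nutcracker(AB1)"],
    "Nutcracker.AB2": [b"Nutcracker(AB2)"],
    "Nutcracker.AB3": [b"Nutcracker(AB3)"],
    "Nutcracker.AB4": [b"Sombre Nutcracker(AB4)"],
    "Nutcracker.AB5": [b"Gloomy Nutcracker(AB5)"],
    "Nutcracker.AB6": [b"Dreary Nutcracker(AB6)"],
    "Nutcracker.AB7": [b"I'm Nutcracker(AB7)!"],
    "Nutcracker.Punisher": [b"(c) 1994 by Dismal Nutcracker"],
    "Nutcracker.SnowFall": [b"(c) 1994 The Snowfall"],
    "Nutmeg.4096": [b"[NUTMEG2] by Vecna/29A"],
}


def scan_buffer(data: bytes) -> Dict[str, List[int]]:
    """Return {family: [offsets]} for every signature string found in data.

    Offsets are sorted per family; a family appears only if at least one of
    its strings occurs. Plain substring search is enough for a signature
    table this small.
    """
    hits: Dict[str, List[int]] = {}
    for family, needles in SIGNATURES.items():
        for needle in needles:
            start = 0
            while True:
                pos = data.find(needle, start)
                if pos < 0:
                    break
                hits.setdefault(family, []).append(pos)
                start = pos + 1
    for offsets in hits.values():
        offsets.sort()
    return hits


def scan_file(path: str) -> Dict[str, List[int]]:
    """Scan one file. DOS-era samples and memory dumps are small enough to
    read whole, which avoids signatures straddling a chunk boundary."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a directory and return {path: [families]} for files with hits."""
    report: Dict[str, List[str]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            found = scan_file(path)
            if found:
                report[path] = sorted(found)
    return report


# Constructed sample buffers (not real samples): padding around one of the
# quoted strings, and a buffer carrying both DSU.1422 strings.
SAMPLE_AB5 = b"\x00" * 16 + b"Gloomy Nutcracker(AB5) from the city of Brest(BY)" + b"\xff" * 8
SAMPLE_DSU = b"\x90" * 4 + b"= DSU RFF =" + b"\x00" * 3 + b"= Dark Angel =" + b"\xcc" * 5

if __name__ == "__main__":
    print(scan_buffer(SAMPLE_AB5))   # {'Nutcracker.AB5': [16]}
    print(scan_buffer(SAMPLE_DSU))   # {'DSU.1422': [4, 18]}
    print(scan_buffer(b"\x00" * 64)) # {}
```

A hit only tells you which family's plaintext is present; the AB-series string "Nutcracker(AB1)" also matches the Antarex variants, so a match narrows the family but does not fix the exact variant or its length.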

Copyright © 2005 Virus-Database.com