| Alias: | |
| Strain: | - |
| detected when: | |
| where: | |
| Classification: | COM and EXE infector, resident |
| Length: | 43 paragraphs (43 x 16 = 688 bytes) |
| Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | None |
| Computer model(s): | PCs |
| Caroname: | Nomenklatura |
| Attributes | |
| Easy identification: | |
| Type of Infection: | Appending; uses the DOS file length to position the virus. Self-recognition in memory: INT 21h/AX=4BAAh returns with CF = 0. Self-recognition on disk: COM: file[0..2] = JMP filesize-403h; EXE: file[14h..17h] (InitCS:InitIP) points at filesize-400h |
| Infection Technique: | |
| Infection Trigger: | Exec (INT 21h/4Bh) and OpenHandle (INT 21h/3Dh). Infection criteria: EXE length >= 1024; COM length >= 1024 and < 64000; on OpenHandle, only files with extension "COM" or "EXE" |
| Storage Media affected: | |
| Interrupts hooked: | 21h/4Bh, 21h/3Dh, 24h (during infection), 13h/02h (during infection), 13h/03h (during infection) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Transient: none. Permanent: gradual data corruption (see Particularities) |
| Damage Trigger: | Transient: n/a. Permanent: during the infection routine |
| Particularities: | Only shrinks the current MCB if it is a 'Z' block (so it leaves a mess if there is another chain of MCBs, e.g. for UMBs). Gradual data corruption, as follows. Text not displayed: "Nomenklatura". During infection attempts, Nomenklatura hooks INT 13h and examines the I/O buffer during reads and writes. The first sector of the buffer is scanned, 16 bits at a time, with a check made for lengthy word sequences in which adjacent words differ numerically by 1. If such a word chain is found, two of the entries in the chain are sometimes swapped around. Since chains of words differing by 1 are most likely to occur in the FAT (a file stored in consecutive clusters produces a run of consecutive entry values), the result is gradual corruption of the FAT. Note that nothing distinctive is written into corrupted regions; all that happens is that existing words are swapped about. The effect of swapping two words in the FAT is to disturb the order of *clusters* in a file's chain, so from small beginnings do nasty changes come! Whether to damage is decided by a counter, which permits the damage to occur each time it passes through zero. The cycle time of the counter is diminished with each generation of the virus, so that damage tends to occur faster and faster as the virus spreads. |
| Similarities: | |
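The on-disk self-recognition marker listed under Type of Infection can be turned into a file check. The Python below is an added example written for this entry, not code from the catalog or from the virus. It reads the catalog's "file[0..2] = JMP filesize-403h" as a JMP rel16 at offset 0 whose target (3 + displacement) is file offset filesize-400h, and "file[14h..17h] = filesize-400h {InitCS:InitIP}" as the initial CS:IP resolving, once the header size is added, to that same file offset. Both readings are assumptions, as are the sample files, which are constructed here from filler bytes and contain no virus code.

```python
import struct

VIRUS_TAIL = 0x400   # entry of an infected file sits 400h bytes before its end (catalog marker)


def com_marker_matches(data: bytes) -> bool:
    """COM marker: byte 0 is JMP rel16 (E9h) and the jump lands on the last 400h
    bytes, i.e. displacement == filesize-403h. Also applies the catalog's size
    window for COM targets (>= 1024 and < 64000)."""
    size = len(data)
    if not (1024 <= size < 64000) or data[0] != 0xE9:
        return False
    disp = struct.unpack_from("<H", data, 1)[0]
    target = (3 + disp) & 0xFFFF            # JMP rel16 target, relative to file start
    return target == size - VIRUS_TAIL


def exe_marker_matches(data: bytes) -> bool:
    """EXE marker: initial CS:IP from header offsets 14h..17h, plus the header size
    from offset 08h (e_cparhdr, in paragraphs), resolves to file offset filesize-400h.
    Assumption: this linear offset is what the catalog's "{InitCS:InitIP}" means."""
    size = len(data)
    if size < 1024 or data[:2] not in (b"MZ", b"ZM"):
        return False
    hdr_paras = struct.unpack_from("<H", data, 0x08)[0]
    ip, cs = struct.unpack_from("<HH", data, 0x14)
    entry_offset = hdr_paras * 16 + cs * 16 + ip
    return entry_offset == size - VIRUS_TAIL


def classify(filename: str, data: bytes):
    """Apply the OpenHandle filter (extension COM or EXE) and then the matching
    marker check. Returns "COM", "EXE" or None."""
    ext = filename.rsplit(".", 1)[-1].upper() if "." in filename else ""
    if ext == "COM" and com_marker_matches(data):
        return "COM"
    if ext == "EXE" and exe_marker_matches(data):
        return "EXE"
    return None


def make_com(orig_len: int, infected: bool) -> bytes:
    """Constructed sample COM file (NOP filler, not a real program). When infected,
    the first three bytes become a JMP to an appended 400h-byte tail of zeros,
    which is the shape the catalog's marker describes; the tail is not virus code."""
    body = bytes([0x90]) * orig_len
    if not infected:
        return body
    jmp = b"\xE9" + struct.pack("<H", orig_len - 3)   # JMP to first byte of the tail
    return jmp + body[3:] + b"\x00" * VIRUS_TAIL


def make_exe(code_len: int, infected: bool) -> bytes:
    """Constructed sample EXE: 512-byte MZ header (20h paragraphs), code_len bytes
    of NOP filler and, when infected, a 400h-byte zero tail with CS:IP pointing at it."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<H", hdr, 0x08, 512 // 16)      # e_cparhdr: header size in paragraphs
    code = bytes([0x90]) * code_len
    if not infected:
        return bytes(hdr) + code                      # CS:IP left at 0000:0000
    struct.pack_into("<HH", hdr, 0x14, code_len % 16, code_len // 16)  # IP, CS -> tail start
    return bytes(hdr) + code + b"\x00" * VIRUS_TAIL


if __name__ == "__main__":
    samples = [("CLEAN.COM", make_com(2000, False)), ("GAME.COM", make_com(2000, True)),
               ("CLEAN.EXE", make_exe(1500, False)), ("TOOL.EXE", make_exe(1500, True))]
    for name, blob in samples:
        print(name, len(blob), "bytes ->", classify(name, blob))
```

A hit is only the catalog's self-recognition marker, not a full signature: any program whose entry point happens to lie exactly 400h bytes before the end of the file matches as well, so treat a match as a lead for manual inspection of the tail (for instance for the non-displayed text "Nomenklatura"), not as proof of infection. The in-memory check (INT 21h with AX=4BAAh returning CF clear) needs a running DOS and is not reproduced here.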
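To see why a run of words differing by 1 singles out the FAT, and what one swap does to a file, here is an added simulation in Python. It is not the virus's code and not from the catalog: it builds a first FAT16 sector in which a file occupies consecutive clusters, applies the scan described under Particularities, swaps two entries inside the run it finds, and walks the cluster chain before and after. The minimum run length, the choice of which two entries to swap, and reading "differ by 1" as either +1 or -1 are not given by the catalog and are assumptions made here; the sector contents are constructed sample data.

```python
import struct

SECTOR_BYTES = 512
WORDS_PER_SECTOR = SECTOR_BYTES // 2
FAT16_EOC = 0xFFFF     # end-of-chain mark; any entry value >= 0xFFF8 ends a chain


def words_le(sector: bytes) -> list:
    """View the first 512 bytes of an I/O buffer as little-endian 16-bit words,
    the granularity the catalog says the virus scans at."""
    return list(struct.unpack("<%dH" % WORDS_PER_SECTOR, sector[:SECTOR_BYTES]))


def find_step1_runs(words: list, min_len: int) -> list:
    """Return (start_index, length) of every maximal run of adjacent words whose
    values differ by exactly 1 (assumption: +1 and -1 both count), keeping only
    runs of at least min_len words ("lengthy" is not quantified by the catalog)."""
    runs, i = [], 0
    while i < len(words):
        j = i
        while j + 1 < len(words) and abs(words[j + 1] - words[j]) == 1:
            j += 1
        if j - i + 1 >= min_len:
            runs.append((i, j - i + 1))
        i = j + 1
    return runs


def build_fat16_sector(chains: list) -> bytes:
    """Constructed sample: the first FAT16 sector (256 entries) holding the given
    (first_cluster, last_cluster) files, each stored in consecutive clusters."""
    fat = [0] * WORDS_PER_SECTOR
    fat[0], fat[1] = 0xFFF8, 0xFFFF            # media descriptor entry and reserved entry
    for first, last in chains:
        for c in range(first, last):
            fat[c] = c + 1                     # consecutive clusters -> consecutive entry values
        fat[last] = FAT16_EOC
    return struct.pack("<%dH" % WORDS_PER_SECTOR, *fat)


def walk_chain(fat: list, start: int):
    """Follow a cluster chain. Returns (clusters, status): "eoc" for a normal end,
    "loop" if a cluster repeats, "bad" if the chain hits a free or reserved entry."""
    seen, chain, cur = set(), [], start
    while True:
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat[cur]
        if nxt >= 0xFFF8:
            return chain, "eoc"
        if nxt < 2 or nxt >= len(fat):
            return chain, "bad"
        cur = nxt


def simulate_damage(sector: bytes, min_run: int = 4, swap_offsets=(1, 3)):
    """One damage event as the catalog describes it: scan the sector and, if a
    qualifying run exists, swap two entries inside it. Which two is an assumption
    (here: the entries at run offsets 1 and 3). Returns (new_sector, swapped_indices)."""
    words = words_le(sector)
    runs = find_step1_runs(words, min_run)
    if not runs:
        return sector, None
    start, length = runs[0]
    a, b = start + swap_offsets[0], start + swap_offsets[1]
    if b >= start + length:
        return sector, None
    words[a], words[b] = words[b], words[a]
    return struct.pack("<%dH" % WORDS_PER_SECTOR, *words), (a, b)


if __name__ == "__main__":
    sector = build_fat16_sector([(2, 9), (12, 15)])   # file A: clusters 2..9, file B: 12..15
    print("runs found:  ", find_step1_runs(words_le(sector), 4))
    print("file A before:", walk_chain(words_le(sector), 2))
    damaged, swapped = simulate_damage(sector)
    print("swapped FAT entries:", swapped)
    print("file A after: ", walk_chain(words_le(damaged), 2))
    print("orphaned:     ", walk_chain(words_le(damaged), 4))
```

Running it shows file A's chain going from clusters 2..9 to 2, 3, 6, 7, 8, 9: the entries for clusters 4 and 5 now point at each other, so those two clusters drop out of the file and form a loop that no directory entry reaches, while file B's shorter run is left alone. Nothing else in the sector changed, which is why the catalog stresses that corrupted regions contain nothing distinctive. The simulation uses FAT16, where each entry is one 16-bit word; the catalog does not say how the scan behaves on a FAT12 volume, whose packed 12-bit entries do not line up with 16-bit words.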
| Agents | |
| Countermeasures: | |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Paul Ducklin |
| Documentation by: | Paul Ducklin |
| Date: | |
| Information Source: | Caroentry (autom.converter by S.Freitag) |
(c) 1996 Virus-Test-Center, University of Hamburg