Narcosis Virus


 Virus Name:  Narcosis 
 Aliases:    
 V Status:    New 
 Discovered:  July, 1994 
 Symptoms:    .COM & .EXE file growth; MBR and diskette boot sector altered; 
              decrease in total system & available free memory; system hangs; 
              beeping; unexpected system reboots 
 Origin:      Unknown 
 Eff Length:  1,431 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM .EXE MBR & Boot Sector Infector 
 Detection Method:  IBMAV, AVTK, Sweep, VAlert, PCScan, ViruScan, 
                    PCScan, ChAV, NAV, NAVDX, 
                    IBMAV/N, AVTK/N, Sweep/N, LProt, NShld, NAV/N, Innoc 
 Removal Instructions:  Delete infected files, Replace MBR, DOS SYS diskettes 
 
 General Comments: 
       The Narcosis virus was received in July, 1994.  Its origin or point of 
       isolation is unknown.  Narcosis is a memory resident multi-partite 
       infector of the system hard disk master boot sector, diskette boot 
       sectors, .COM and .EXE files, including COMMAND.COM. 
 
       When the first Narcosis infected program is executed, this virus will 
       infect the system hard disk master boot sector.  The virus keeps a 
       copy of the master boot sector at Side 0, Cylinder 0, Sector 2, and 
       a copy of its viral code starting a Side 0, Cylinder 0, Sector 3 for 
       three sectors.  The virus becomes memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupts 13 and 21. 
 
       Once memory resident, the Narcosis virus will infect .COM and .EXE 
       programs when they are executed.  Infected programs will have a file 
       length increase of 1,431 bytes, though the file length increase will 
       be hidden by the virus when it is memory resident.  The virus will 
       be located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will not appear to be altered, though the 
       file date's year will have had 100 years added to it.  The following 
       text strings are visible within the viral code in all Narcosis 
       infected files: 
 
               "MSDOS3.3" 
               "*.*" 
               "[Narcosis] (c) 1994 Evil Avatar" 
 
       The Narcosis virus infects .EXE files as though they are .COM files, 
       as a result, execution of programs over 64K in size will result in 
       the following message being displayed and the user being returned to 
       the DOS prompt: 
 
               "Program too big to fit in memory" 
 
       Unexpected system hangs, system reboots, or a loud, continuous 
       beeping may occur when infected programs are executed.

Show viruses from discovered during that infect .

Main Page