NGV Virus
Virus Name: NGV
Aliases: Genvir, GV
V Status: Rare
Discovered: January, 1993
Symptoms: .COM file growth; .COM file corruption; TSR; system hangs;
unexpected system reboots
Origin: Unknown
Eff Length: Varies, depending on virus present
Type Code: PORsCK - Parasitic & Overwriting Resident .COM Infectors
Detection Method: F-Prot, ViruScan, Sweep, AVTK, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N,
LProt
Removal Instructions: Delete infected files
General Comments:
NGV is not a single virus, but rather a group of viruses which
appear to have been generated with a virus generation utility
called Nuke GenVirus 1.51.
These viruses are either overwriting or parasitic direct action
infectors of .COM programs, and may infect COMMAND.COM. The viruses
typically install a memory resident TSR, though the memory resident
portion is not used for replication, the viruses are direct action
infectors.
The viruses indicated below are members of the NGV group. Eight of
the viruses are sometimes referred to as the "Adams Family" viruses,
and contain the names of eight characters from the Adams Family
television program from the 1960s, and the 1993 movie.
Known NGV generated viruses are:
NGV-1376: Received in January, 1994, NGV-1376 is a direct
action overwriting virus. It overwrites the first 1,376
bytes of one .COM file in the current directory each time
an infected program is executed. NGV-1376 infected files
will contain the following text strings within the viral
code:
"*.COM COMMANDE"
"Virus Created by NuKE - GenVirus V1.51 License n"
"id# [NuKE]-93"
NGV-1376's memory resident TSR is 1,632 bytes in size,
hooking interrupt 09.
Origin: Unknown January, 1994.
NGV-Cousin It: Received in January, 1994, NGV-Cousin It is a
direct action parasitic virus which infects one .COM file
in the current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,681 bytes in length will increase in size by 1,680
bytes upon infection. Programs which were originally
smaller than 1,681 bytes will become 3,361 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=Adams=-"
"Part of the Adams Family [Cousin-It]DA & NwM KiCk"
"ASS"
NGV-Cousin It's memory resident TSR is 1,968 bytes,
hooking interrupt 08.
Origin: Unknown January, 1994.
NGV-Gomez: Received in January, 1994, NGV-Gomez is a direct
action parasitic virus which infects one .COM file in the
current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,649 bytes in length will increase in size by 1,648
bytes upon infection. Programs which were originally
smaller than 1,649 bytes will become 3,297 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=Adams=-"
"Gomez Adams/ [NuKE] RoCks DeathBoy
Learns Daily from DA & NwM"
NGV-Gomez's memory resident TSR is 1,936 bytes, hooking
interrupt 08 and 22. The virus installs a copy of the TSR
into memory each time an infected program is executed.
System hangs may occur when infected programs are executed.
Origin: Unknown January, 1994.
NGV-Lurch: Received in January, 1994, NGV-Lurch is a direct
action parasitic virus which infects one .COM file in the
current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,649 bytes in length will increase in size by 1,648
bytes upon infection. Programs which were originally
smaller than 1,649 bytes will become 3,297 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=Adams=-?"
"Lurch Part of the Adams Family from -=DeathBoy KoASP=
[NuKE]RoCks"
NGV-Lurch's memory resident TSR is 1,936 bytes, hooking
interrupt 08.
Origin: Unknown January, 1994.
NGV-Morticia: Received in January, 1994, NGV-Morticia is a direct
action parasitic virus which infects one .COM file in the
current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,793 bytes in length will increase in size by 1,792
bytes upon infection. Programs which were originally
smaller than 1,793 bytes will become 3,585 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=
"Morticia Adams Greets to Pure Energy,S.Radish,FireCracker,
NuKE3"
NGV-Morticia's memory resident TSR is 2,000 bytes, hooking
interrupt 08. System hangs frequently occur when infected
programs are executed.
Origin: Unknown January, 1994.
NGV-Pugsley: Received in January, 1994, NGV-Pugsley is a direct
action parasitic virus which infects one .COM file in the
current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,601 bytes in length will increase in size by 1,600
bytes upon infection. Programs which were originally
smaller than 1,601 bytes will become 3,201 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=Adams=-"
"Pugsley Adams;Greets to Nowhere Man,Dark Angel,Rock,Savage,
NuKE"
NGV-Pugsley does not install a memory resident TSR.
Origin: Unknown January, 1994.
NGV-Thing: Received in January, 1994, NGV-Thing is a direct
action parasitic virus which infects one .COM file in the
current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,649 bytes in length will increase in size by 1,648
bytes upon infection. Programs which were originally
smaller than 1,649 bytes will become 3,297 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=Adams=-?"
"Thing Adams? Part of the Adams Viri Family. [NuKE]"
"RoCks Loser"
NGV-Thing's memory resident TSR is 1,936 bytes, hooking
interrupts 08 and 22. System hangs and/or unexpected
system reboots may occur when infected programs are
executed.
Origin: Unknown January, 1994.
NGV-Uncle Fester: Received in January, 1994, NGV-Uncle Fester is a
direct action parasitic virus which infects one .COM file in
the current directory each time an infected program is
executed. Infected programs which were originally larger
than 1,777 bytes in length will increase in size by 1,776
bytes upon infection. Programs which were originally
smaller than 1,777 bytes will become 3,553 bytes upon
infection. In both cases, the virus will be located at the
beginning of the file, and the program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are visible within the viral code:
"*.COM -=Adams =-"
"Uncle Fester Adams. [NuKe] RoCks. Part of the Adams
Family Vir93"
"PEN ZIP"
NGV-Uncle Fester's memory resident TSR is 2,064 bytes,
hooking interrupt 09. System hangs frequently occur when
infected programs are executed.
Origin: Unknown January, 1994.
NGV-Wednesday: Received in January, 1994, NGV-Wednesday is a
direct action overwriting virus. It overwrites the first
1,312 bytes of one .COM file in the current directory each
time an infected program is executed. NGV-Wednesday
infected files will contain the following text strings
within the viral code:
"*.COM McAsshole"
"(c) Wednesday's NuKE part of the Adam's Family n"
"id# [NuKE]-93"
"Parity Error SYSTEM HALT"
"Please REBOOT"
NGV-Wednesday's memory resident TSR is 1,568 bytes in size,
hooking interrupt 09.
Origin: Unknown January, 1994.