Nowhere Man Virus
Virus Name: Nowhere Man
Aliases: CVirus, VMessiah
V Status: Viron
Discovered: December, 1991
Symptoms: .COM & .EXE programs overwritten; message; long program load
followed by program not executing; programs truncated
Origin: Unknown
Eff Length: 6,286 Bytes
Type Code: ONAK - Overwriting Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, ChAV, IBMAV, NAVDX,
VAlert, NShld, AVTK/N, Sweep/N, NAV/N, NProt, IBMAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Nowhere Man virus was received in December, 1991, complete with
source code in C. Its origin is unknown. Nowhere Man is a non-
resident infector of .COM and .EXE programs over 6,300 bytes in
length.
When a program infected with Nowhere Man is executed, the virus
will search the current directory for a .COM or .EXE program over
6,300 bytes in length to infect. Once a candidate file has been
found, the virus will overwrite the first 6,286 bytes of the file
with its viral code. The remainder of the file will be overwritten
with binary 00 characters. There will be no change to the file's
length, or date and time, in the DOS disk directory. The following
text strings can be found within infected files:
"NMAN"
"BMAN"
"*.EXE"
Once Nowhere Man has successfully infected a file, it will
display the following message, and the user will be returned
to the DOS prompt:
"Out of memory"
If the virus did not find a file to infect, it will display the
following message and return the user to the DOS prompt:
"All files infected. Mission complete."
Neither message is visible in infected files.
The Nowhere Man virus will occasionally truncate files it attempts
to infect so that their length is zero bytes.
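The overwrite pattern described above (marker strings inside the first 6,286 bytes, every later byte binary 00, and the occasional zero-length file) can be checked with a short triage script. This is an added example, not part of the original entry or of any scanner it lists; the function names, result labels and sample files are constructed for illustration.

```python
import os
import tempfile

VIRUS_LEN = 6286                        # effective length given in the entry
MARKERS = (b"NMAN", b"BMAN", b"*.EXE")  # strings the entry says are visible

def classify(data: bytes) -> str:
    """Label one program image using only the traits listed in the entry."""
    if not data:
        return "truncated"              # weak signal: zero-byte .COM/.EXE
    head, tail = data[:VIRUS_LEN], data[VIRUS_LEN:]
    has_markers = all(m in head for m in MARKERS)
    # Remainder of the host overwritten with binary 00, length unchanged.
    zero_tail = len(tail) > 0 and tail.count(0) == len(tail)
    if has_markers and zero_tail:
        return "likely-overwritten"
    if has_markers:
        return "markers-only"           # strings alone are not conclusive
    return "clean"

def scan_directory(path: str) -> dict:
    """Classify every .COM/.EXE file in one directory (no recursion)."""
    results = {}
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if name.upper().endswith((".COM", ".EXE")) and os.path.isfile(full):
            with open(full, "rb") as fh:
                results[name] = classify(fh.read())
    return results

def demo() -> dict:
    """Build constructed sample files (inert filler bytes) and scan them."""
    head = (b"\x41" * 100 + b"NMAN" + b"BMAN" + b"*.EXE").ljust(VIRUS_LEN, b"\x41")
    samples = {
        "HIT.COM": head + b"\x00" * 2000,    # matches the described layout
        "CLEAN.EXE": bytes(range(256)) * 40, # ordinary data, no markers
        "EMPTY.COM": b"",                    # zero-length program file
        "NOTE.TXT": head + b"\x00" * 2000,   # ignored: not .COM/.EXE
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        return scan_directory(tmp)

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Because the entry states that file length, date and time are unchanged in the directory listing, the check reads file contents rather than relying on metadata.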
Known variant(s) of Nowhere Man are:
J Virus: Functionally very similar to the Nowhere Man virus
described above, this variant also completely overwrites
the .COM and .EXE programs it infects. After all .COM
and .EXE programs located in the current directory of over
approximately 4.5K have become infected, it will trash the
C: drive of the system hard disk, overwriting the boot
sector, file allocation table, and root directory sectors.
The text strings "NMAN" and "J-VIRUS!" can be seen in all
infected files.
Origin: Montreal, Canada
Nowhere Man 1.9: Similar to the Nowhere Man virus described
above, this variant is also 6,286 bytes in length. It
displays the message: "Out of memory" when infected
programs are executed.
Origin: Unknown; December, 1992.
Nowhere Man 2.0: Similar to the Nowhere Man virus described
above, this variant is 4,828 bytes in length. Infected
files will have had their file date and time updated to
the system date and time when infection occurred. While
Nowhere Man 2.0 only infects .EXE files, it may truncate
both .COM and .EXE files located in the current directory
when an infected program is executed.
Origin: Unknown; December, 1992.
VMessiah: A 702 byte variant of the Nowhere Man virus, this
variant infects all .COM and .EXE programs whose size
is at least 702 bytes located in the current directory
when an infected program is executed. Infected programs
will have the first 702 bytes of the host program
overwritten with the VMessiah viral code. The program's
date and time in the DOS disk directory listing will not
be altered. The following text strings are encrypted within
replicated samples, so they are not visible in infected
programs:
"I am your VIRAL MESSIAH
Follow me and be redeemed
Your data doth exist no more
The FAT holds ashes of your dreams"
"[VCL] [Viral Messiah] Nowhere Man, [NuKE] '92"
The first quote above, comprising four lines, is displayed
when an infected program is executed.
Origin: United States; July, 1992.
See: Code Zero