NPox Virus
Virus Name: NPox
Aliases: Evil Genius
V Status: Common
Discovered: July, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; file time seconds = 58; overwrites sectors on hard
disk; trashes hard disk on 18th of month
Origin: Canada
Eff Length: 963 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, IBMAV, F-Prot, Sweep, ChAV,
AVTK, NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The NPox, or Evil Genius, virus was simultaneously isolated in the
Eastern United States and Montreal, Canada in late July, 1992.
This virus is a memory resident stealth virus which infects .COM and
.EXE programs, including COMMAND.COM. It is extremely destructive.
When the first NPox virus infected program is executed, this virus
will install itself memory resident at the top of system memory but
below the 640K DOS boundary. Total system and available free memory,
as indicated by the DOS CHKDSK program, will have decreased by 1,024
bytes. Interrupt 12's return will not be moved. Interrupts 09 and
21 will be hooked by NPox in memory. The copy of COMMAND.COM located
in the C: drive root directory will also become infected at this time
if it was not previously infected.
Once memory resident, NPox will infect .COM and .EXE programs,
including COMMAND.COM, when they are executed. Infected programs
will have a file length increase of 963 bytes with the virus being
located at the end of the file. The file length increase, however,
will not be visible in the DOS disk directory listing when NPox
is resident. Infected programs will also have the seconds field
of the file time in the DOS disk directory set to '58'. This is the
infection marker for the virus.
The following text strings can be found within the viral code in
all NPox infected programs:
"Evil Genius V2.0 - R.S/NuKE"
"C:\COMMAND.COM"
Systems infected with NPox will not experience file allocation
errors on infected programs when the DOS CHKDSK program is executed
with the virus memory resident. They may, however, find that random
sectors on the system hard disk have been overwritten, or that the
system hard disk is corrupted on the 18th of any month.
Known variant(s) of NPox are:
Evil Genius 2B: Functionally equivalent to the original virus,
this variant has two bytes which differ.
Origin: Montreal, Canada July, 1992.
Evil Genius 2C: Functionally equivalent to the original virus,
this variant has seven bytes which differ.
Origin: Eastern United States July, 1992.
NPox 2.0: Received in September, 1992, NPox 2.0 is based on the
NPox virus described above. Its size in memory is 1,856
bytes, hooking interrupts 21 and 22. NPox 2.0 infects
.COM and .EXE programs when they are closed, and disinfects
them as they are read into memory. Infected files on disk
will not appear to have any file length increase when
NPox 2.0 is memory resident, though they have increased in
size by 2,048 bytes. The virus is located at the end of
infected programs. The seconds in the file date in the DOS
disk directory will be set to 60 on all infected programs.
Two text strings can be found in all infected programs:
"NuKE PoX V2.0 - Rock Steady"
"C:\COMMAND.COM"
Origin: Montreal, Canada September, 1992.
NPox 2.1: Received in October, 1992, NPox 2.1 is based on the
NPox 2.0 variant described above. Its size in memory
is 1,744 bytes, hooking interrupts 21 and 22. NPox 2.1
infects .COM and .EXE programs when they are closed, and
disinfects them as they are read into memory. Infected
files on disk will not appear to have any file length
increase when NPox 2.1 is memory resident, though they have
increased in size by 1,686 bytes. The virus is located at
the end of infected programs. The seconds in the file date
in the DOS disk directory will be set to 60 on all infected
programs. Three text strings can be found in all infected
programs:
"Death to Separatist"
"C:\COMMAND.COM"
"NuKE PoX V2.1 - Rock Steady"
NPox 2.1 activates on the 13th day of any month, at which
time it will overwrite the system hard disk, rendering it
inaccessible. It will also occasionally hang the system
when it infects programs.
Origin: Montreal, Canada September, 1992.
NPox.372: Received in July, 1994, NPox.372 or Lord Zero, is a 372
byte variant of the NPox virus. Its size in memory is 432
bytes, hooking interrupt 21. NPox.372 infects .COM files,
including COMMAND.COM, when they are executed. Infected
files will have a file length increase of 372 bytes with the
virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not be
altered. The following text string can be found within the
viral code in all infected programs:
"Swedish Warrior v1.0 by Lord Zer0."
Origin: Sweden July, 1994.
NPox.630: Received in January, 1996, NPox.630 is a 630 byte
variant of the NPox virus. Its size in memory is 688
bytes, hooking interrupt 21. NPox.630 infects .COM files,
including COMMAND.COM, when they are executed. Infected
files will have a file length increase of 630 bytes with the
virus being located at the end of the file. The program's
date and time in the DOS disk directory listing will not
appear to be altered, though the seconds field will have
been set to "58". No text strings are visible within the
viral code.
Origin: Unknown January, 1996.
NPox.1487: Received in January, 1996, this is a 1,487 byte
variant of the NPox virus described above. Its size in
memory is 1,536 bytes, hooking interrupts 1C, 13, 21, and
22. Once resident, it infects .COM and .EXE files,
including COMMAND.COM, when they are executed, opened, or
copied. Infected files will have a file length increase of
1,487 bytes, though this file length increase will be
hidden when the virus is memory resident. The virus will
be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
No text strings are visible within the viral code.
Origin: Unknown January, 1996.
NPox.1726: Received in January, 1996, this is a 1,726 byte
variant of the NPox virus described above. Its size in
memory is 1,984 bytes, hooking interrupts 1C, 13, 21, and
22. Once resident, it infects .COM and .EXE files,
including COMMAND.COM, when they are executed, opened, or
copied. Infected files will have a file length increase of
1,726 bytes, though this file length increase will be
hidden when the virus is memory resident. The virus will
be located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
No text strings are visible within the viral code.
Origin: Unknown January, 1996.
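
The following Python triage routine is an added example, not part of the original entry. It decodes the seconds field of a 32-byte FAT directory entry and searches file contents for the text strings listed above; the function names and the sample entries are constructed for illustration.

```python
import struct

# Text strings the entry lists for NPox and its variants.
# "C:\COMMAND.COM" is left out: it is too generic to be an indicator alone.
SIGNATURES = {
    b"Evil Genius V2.0 - R.S/NuKE": "NPox",
    b"NuKE PoX V2.0 - Rock Steady": "NPox 2.0",
    b"NuKE PoX V2.1 - Rock Steady": "NPox 2.1",
    b"Death to Separatist": "NPox 2.1",
    b"Swedish Warrior v1.0 by Lord Zer0.": "NPox.372",
}
# Seconds values the entry gives as infection markers.
MARKER_SECONDS = {58: "NPox / NPox.630", 60: "NPox 2.0 / 2.1"}

def parse_dir_entry(entry: bytes) -> dict:
    """Decode extension, size and write-time seconds of a FAT entry."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are 32 bytes")
    ext = entry[8:11].decode("ascii", "replace").rstrip()
    wtime, = struct.unpack_from("<H", entry, 22)
    size, = struct.unpack_from("<I", entry, 28)
    # Time word is hhhhh mmmmmm sssss; seconds are stored in 2-second units.
    return {"ext": ext, "size": size, "seconds": (wtime & 0x1F) * 2}

def triage(entry: bytes, content: bytes) -> list:
    """Return the NPox indicators found for one file (empty if none)."""
    info = parse_dir_entry(entry)
    secs = info["seconds"]
    hits = []
    if info["ext"] in ("COM", "EXE") and secs in MARKER_SECONDS:
        hits.append(f"seconds={secs} ({MARKER_SECONDS[secs]})")
    for sig, variant in SIGNATURES.items():
        if sig in content:
            hits.append(f"string: {variant}")
    return hits

def make_entry(name, ext, hh, mm, ss, size):
    """Build a constructed directory entry for the demo below."""
    wtime = (hh << 11) | (mm << 5) | (ss // 2)
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes(11)
            + struct.pack("<HHHI", wtime, 0, 0, size))

if __name__ == "__main__":
    # Constructed samples, not real infected files.
    clean = make_entry("EDIT", "COM", 12, 0, 30, 413)
    marked = make_entry("FORMAT", "COM", 9, 15, 58, 12000 + 963)
    body = b"\x90" * 64 + b"Evil Genius V2.0 - R.S/NuKE" + b"C:\\COMMAND.COM"
    print(triage(clean, b"\x90" * 64))
    print(triage(marked, body))
```

Because the field holds seconds in 2-second units, 58 is a legal value and only a weak indicator on its own, while 60 is outside the range a normal DOS time write produces. Read the directory and file contents from a clean boot, since the entry notes that the resident virus hides the length increase.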