NTit Virus


 Virus Name:  NTit  
 Aliases:     NTit.1254 
 V Status:    Rare 
 Discovered:  December, 1994 
 Symptoms:    .COM file growth; file date/time changes; system hangs 
 Origin:      Unknown 
 Eff Length:  1,254 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, Sweep, ViruScan, NAV, NAVDX, 
                    VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, IBMAV/N, NShld, Innoc, NAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The NTit or NTit.1254 virus was received in December, 1994.  Its 
       origin or point of isolation is unknown.  NTit is a non-resident, 
       direct action infector of .COM files, including COMMAND.COM. 
 
       When a program infected with the NTit virus is executed, this virus 
       will infect one .COM file located in the current directory, though 
       it will not infect a file if the first four .COM files in the 
       current directory are already infected with the virus.  Programs 
       infected with the NTit virus will have a file length increase of 
       1,254 bytes with the virus being located at the beginning of the 
       file.  The program's date and time in the DOS disk directory 
       listing will have been updated to the current system date and time 
       when infection occurred.  The following text strings are visible 
       within the viral code in all infected programs: 
 
               "NTIT-4IM2h" 
               "????????COM" 
               "*.COM" 
 
       System hangs may occur when the boot copy of COMMAND.COM becomes 
       infected. 
 
       Known variant(s) of NTit are: 
       NTit.1578: A 1,578 byte variant of the NTit virus described 
           above, this variant infects one .COM file in the current 
           directory each time an infected program is executed.  Infected 
           programs increase in size by 1,578 bytes with the virus being 
           located at the beginning of the file.  The file's date and time 
           in the DOS disk directory listing will have been updated to the 
           current system date and time when infection occurred.  The 
           following text strings are visible within the viral code in all 
           infected programs: 
               "NTIT-4IM2h" 
               "????????COM" 
               "*.COM" 
               "xxxxxxxx.vir" 
               "A-T-T-E-N-T-I-O-N: VIRUS FOR RESEARCH ONLY !" 
               "(C)1994 By Lin Tzuoh-yi, 
                National Taiwan Inst. of Tech.,Dept. of Information 
                Management,e-mail:b8109006@cs.ntit.edu.tw" 
               "xxxxxxxxvir" 
           This virus contains a mechanism to prevent it from infecting 
           systems accidently.  The first time an infected program is 
           executed in a directory, the virus will write a file to the 
           disk with the file name of "xxxxxxxx.vir".  If this file is 
           on the disk, later executions of the infected virus will not 
           result in the virus infecting files.  Once the file is deleted, 
           the virus will infect .COM files located on the disk. 
           Origin: Unknown  December, 1994.

Show viruses from discovered during that infect .

Main Page