Nutcracker Virus
Virus Name: Nutcracker
Aliases: Nutcracker.2293
V Status: New
Discovered: January, 1996
Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors;
decrease in total system & available free memory
Origin: Unknown
Eff Length: 2,293 Bytes
Type Code: PRtAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ChAV, AVTK, IBMAV, ViruScan, NAV 3.10 9612+, NAVBoot 2.0 9612+,
ChAV, AVTK/N, IBMAV/N, NShld, NAV/N 2.0 9612+
Removal Instructions: Delete infected files

General Comments:
The Nutcracker or Nutcracker.2293 virus was received in January,
1996, along with several variants. This virus is a memory
resident stealth type fast infector which infects .COM and .EXE
files, including COMMAND.COM.

When the first Nutcracker infected program is executed, this virus
will install itself memory resident at the top of system memory
but below the 640K DOS boundary, moving interrupt 12's return.
Total system and available free memory, as indicated by the DOS
CHKDSK program from DOS 5.0, will have decreased by 3,072 bytes.
Interrupts 10 and 21 will be hooked by the virus in memory.

Once the Nutcracker virus is memory resident, it will infect .COM
and .EXE files, including COMMAND.COM, when they are executed.
Infected files will have a file length increase of 2,293 bytes,
though this file length increase will be hidden by the virus when
it is memory resident. The virus will be located at the end of
the file. The program's date and time in the DOS disk directory
listing will not be altered. The following text string is visible
within the viral code when the virus is not memory resident:
"Nutcracker(AB3)"

This virus will disinfect files as they are read into memory, so
file viewing utilities and anti-viral scanners will not find the
virus in files in memory when it is memory resident. The DOS
CHKDSK program will indicate file allocation errors on all infected
files when the virus is memory resident.

Known variant(s) of Nutcracker are:

Nutcracker.2900: Also received in January, 1996, this is a 2,900
byte variant of the Nutcracker virus described above. Its size
in memory is 3,456 bytes, hooking interrupt 21. It does not
move interrupt 12's return. This variant infects .COM and .EXE
files, including COMMAND.COM, when they are executed or opened,
but not on copy. Infected files will have a file length
increase of 2,900 bytes, though this file length increase will
be hidden when the virus is memory resident. The virus will be
located at the end of the file. The program's date and time
in the DOS disk directory listing will not appear to be altered,
though the seconds field will have been set to "60". The
following text string is visible within infected files when the
virus is not memory resident:
"Only the Hope dies last!"
This variant also infects the system hard disk master boot
sector. It is a full stealth, fast infector like the original
virus.
Origin: Unknown January, 1996.

Nutcracker.3100: Also received in January, 1996, this is a 3,100
byte variant of the Nutcracker virus described above. Its size
in memory is 4,096 bytes, hooking interrupt 21. It infects
.COM and .EXE files, including COMMAND.COM, when they are
executed or opened, but not on copy. Infected files will have
a file length increase of 3,100 bytes, though this file length
increase will be hidden when the virus is memory resident. The
virus will be located at the end of the file. The program's
date and time in the DOS disk directory listing will not appear
to be altered, though the seconds field will have been set to
"60". The following text string is visible within infected
files when the virus is not memory resident:
"Sombre Nutcracker(AB4)"
This variant also infects the system hard disk master boot
sector. It is a full stealth, fast infector like the original
virus.
Origin: Unknown January, 1996.

Nutcracker.3500.A: Also received in January, 1996, this is a
3,500 byte variant of the Nutcracker virus described above. Its
size in memory is 4,096 bytes, hooking interrupts 13, 17, and
21. It does not move interrupt 12's return. This variant
infects .COM and .EXE files, including COMMAND.COM, when they
are executed or opened, but not on copy. Infected files will
have a file length increase of 3,500 bytes, though this file
length increase will be hidden when the virus is memory
resident. The virus will be located at the end of the file.
The program's date and time in the DOS disk directory listing
will not appear to be altered, though the seconds field will
have been set to "60". The following text string is encrypted
within the viral code:
"Dreary Nutcracker(AB6) Lives Again"
This variant also infects the system hard disk master boot
sector. It is a full stealth, fast infector like the original
virus.
Origin: Unknown January, 1996.

Nutcracker.3500.B: Also received in January, 1996, this is a
minor variant of Nutcracker.3500.A, and is functionally
similar.
Origin: Unknown January, 1996.

Nutcracker.3500.C: Also received in January, 1996, this is a
minor variant of Nutcracker.3500.C, and is functionally
similar.
Origin: Unknown January, 1996.
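
Added example (not part of the original entry): the 2900, 3100 and 3500.A variants set the seconds field of an infected file's directory time stamp to "60", a value a DIR listing never shows. The Python sketch below decodes raw FAT directory entries and reports .COM and .EXE files carrying that marker. It assumes the standard 32-byte FAT12/FAT16 entry layout and directory bytes read from an offline image or after a clean boot; the function names and sample entries are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32                   # one FAT12/FAT16 directory entry
TARGET_EXTS = {b"COM", b"EXE"}    # file types the entry lists as infected

def decode_dos_time(raw):
    """Unpack the 16-bit DOS time word: hhhhh mmmmmm sssss (seconds / 2)."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def suspicious_entries(dir_bytes):
    """Return (name, time, size) for .COM/.EXE entries whose seconds read 60."""
    hits = []
    for off in range(0, len(dir_bytes) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = dir_bytes[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:          # no further entries in this directory
            break
        if entry[0] == 0xE5:          # deleted entry
            continue
        if entry[11] & 0x18:          # volume label, subdirectory or long-name slot
            continue
        ext = entry[8:11]
        if ext not in TARGET_EXTS:
            continue
        raw_time, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
        hour, minute, second = decode_dos_time(raw_time)
        if second == 60:              # impossible clock value, invisible in DIR output
            name = entry[0:8].rstrip(b" ").decode("ascii", "replace")
            full = name + "." + ext.decode("ascii")
            hits.append((full, "%02d:%02d:%02d" % (hour, minute, second), size))
    return hits

def make_entry(name, ext, hour, minute, sec_field, size):
    """Build a constructed entry; sec_field is the raw 5-bit seconds/2 value."""
    raw_time = (hour << 11) | (minute << 5) | sec_field
    raw_date = ((1996 - 1980) << 9) | (1 << 5) | 15      # 1996-01-15
    return struct.pack("<8s3sB10sHHHI", name.ljust(8).encode(), ext.encode(),
                       0x20, b"\0" * 10, raw_time, raw_date, 2, size)

# Constructed sample directory (not taken from a real disk).
SAMPLE_DIR = b"".join([
    make_entry("COMMAND", "COM", 12, 0, 30, 50745),   # seconds field = 60
    make_entry("EDIT", "COM", 9, 30, 15, 413),        # ordinary 30 seconds
    make_entry("NOTES", "TXT", 8, 15, 30, 100),       # 60 seconds, not .COM/.EXE
]) + bytes(ENTRY_SIZE)                                # end-of-directory marker

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_DIR):
        print(hit)
```

A hit is only an indicator worth following up with a scanner, since other software can also write out-of-range seconds values.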