Nygus Virus


 Virus Name:  Nygus 
 Aliases:    
 V Status:    Rare 
 Discovered:  August, 1992 
 Symptoms:    .COM & .EXE file growth; file date/time changes; decrease in 
              total system & available free memory 
 Origin:      Poland 
 Eff Length:  757 Bytes 
 Type Code:   PRhA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, IBMAV, Sweep, AVTK, F-Prot, VAlert, 
                    NAV, NAVDX, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, AVTK/N, NAV/N, IBMAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Nygus virus was received from Poland in August, 1992.  This 
       virus is a memory resident infector of .COM and .EXE programs, but 
       not COMMAND.COM. 
 
       When the first Nygus infected program is executed, the Nygus virus 
       will install itself memory resident at the top of system memory but 
       below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have decreased 
       by 1,024 bytes.  Interrupt 21 will be hooked by the virus in 
       memory. 
 
       Once the Nygus virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  Infected programs will 
       increase in size by 757 bytes with the virus being located at the 
       end of the file.  The program's date and time in the DOS disk 
       directory listing will be updated to the system date and time 
       when infection occurred. 
 
       It is unknown what Nygus does besides replicate. 
 
       Known variant(s) of Nygus are: 
       Nygus.278: Received in July, 1995, Nygus.278 is a non-resident 
           direct action version of the Nygus virus described above.  It 
           infects all of the .COM files, including COMMAND.COM, located 
           in the current directory when an infected program is executed. 
           Infected programs will have a file length increase of 278 bytes 
           with the virus being located at the end of the file.  The file's 
           date and time in the DOS disk directory listing will have been 
           updated to the current system date and time when infection 
           occurred.  The following text string is visible within the viral 
           code in all infected files: 
           "(c)Nygus v1.1" 
           Origin:  Unknown  July, 1995. 
       Nygus-Klaw: Received in October, 1992, Nygus-Klaw is originally 
                   from Poland.  Its size in memory is 1,024 bytes, hooking 
                   interrupt 21.  Once it is memory resident, Nygus-Klaw 
                   infects .COM and .EXE programs when they are executed. 
                   Infected programs will have a file length increase of 
                   752 bytes with the virus being located at the end of the 
                   file.  The file's date and time in the DOS disk directory 
                   listing will have been updated to the system date and 
                   time when infection occurred.  No text strings are 
                   visible in the viral code.  Systems infected with 
                   Nygus-Klaw may experience system hangs when some infected 
                   programs are executed, or the user may be returned to the 
                   DOS prompt unexpectedly. 
                   Origin:  Poland  October, 1992.

Show viruses from discovered during that infect .

Main Page