Necro Shadow Virus


 Virus Name:  Necro Shadow 
 Aliases: 
 V Status:    Rare 
 Discovered:  November, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; system hangs; disruption of screen contents, including 
              "blue snow" 
 Origin:      United States 
 Eff Length:  1,200 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, IBMAV, ChAV, 
                    NAV, NAVDX, VAlert, PCScan, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, LProt, NAV/N, 
                    IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Necro Shadow virus was submitted in November, 1992.  It is from 
       the United States.  Necro Shadow is a memory resident infector of 
       .COM and .EXE programs, including COMMAND.COM. 
 
       When the first Necro Shadow infected program is executed, the Necro 
       Shadow virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupt 21.  Total 
       system and available free memory will have decreased by approximately 
       3K. 
 
       Once the Necro Shadow virus is memory resident, it will infect .COM 
       and .EXE programs, including COMMAND.COM, when they are executed. 
       Infected programs will have a file length increase of 1,200 bytes 
       with the virus being located at the end of the file.  The program's 
       date and time in the DOS disk directory listing will not be altered. 
       The following text strings are encrypted within the viral code: 
 
               "[Shadow] NecroSoft Enterprises-a division of BCA" 
               "Greets to SKISM" 
 
       Infected systems will experience frequent system hangs when the 
       user attempts to execute programs.  Boot failures will occur once 
       the boot copy of COMMAND.COM becomes infected.  Screen disruptions 
       will also frequently occur.  On monochrome systems, these appear 
       as a couple of characters being altered on the screen.  On VGA 
       systems, a bunch of blue squares or blue snow will appear.  In 
       both cases, a system hang will accompany the screen disruption. 
 
       Known variant(s) of Necro Shadow are: 
       Necro Shadow.1185: Received in January, 1996, this is a 1,185 
           byte variant of the Necro Shadow virus described above.  Its 
           size in memory is 2,400 bytes, hooking interrupt 21.  Once 
           resident, it infects .COM and .EXE files, but not COMMAND.COM, 
           when they are executed.  Infected programs will have a file 
           length increase of 1,185 bytes with the virus being located at 
           the end of the file.  The file's date and time in the DOS disk 
           directory listing will not be altered.  The following text 
           strings are encrypted within the viral code: 
           "[Shadow] Necrosoft Enterprises-a dividsion of BCA" 
           "Greets to SKISM" 
           System hangs and unexpected system reboots may occur on infected 
           systems. 
           Origin:  Unknown  January, 1996. 
       Necro Shadow.1702: Received in January, 1996, this is a minor 
           variant of the Necro Shadow-B variant.  Its size in memory 
           is 3,600 bytes, hooking interrupt 21.  It infects .COM and 
           .EXE programs, including COMMAND.COM, when they are executed, 
           opened, or a DOS DIR command is performed.  Infected programs 
           will have a file length increase of 1,702 bytes, though the 
           file length increase will be hidden when it is memory resident. 
           The virus will be located at the end of the file.  The program's 
           date and time in the DOS disk directory listing will not be 
           altered.  The following text strings are encrypted within the 
           viral code: 
           "[Shadow-B/2] NecroSoft Enterprises-a division of BCA" 
           "Greets to SKISM" 
           System hangs and unexpected system reboots may occur on infected 
           systems. 
           Origin:  Unknown  January, 1996. 
       Necro Shadow-B: Based on the Necro Shadow virus described above, 
           this variant employs stealth techniques to avoid detection 
           and quickly spread on infected systems.  Its size in memory 
           is 3,504 bytes, hooking interrupt 21.  It infects .COM and 
           .EXE programs, including COMMAND.COM, when they are executed, 
           opened, or a DOS DIR command is performed.  Infected programs 
           will have a file length increase of 1,700 bytes, though the 
           file length increase will be hidden when Necro Shadow-B is 
           memory resident.  The virus will be located at the end of the 
           file.  The program's date and time in the DOS disk directory 
           listing will not be altered.  The following text strings are 
           encrypted within the viral code: 
           "[Shadow-B] NecroSoft Enterprises - a division of BCA" 
           "Greets to SKISM" 
           Systems infected with Necro Shadow-B will experience boot 
           failures once the boot copy of COMMAND.COM becomes infected. 
           Attempts to execute programs on write protected diskettes 
           will result in a write protect error.  The DOS CHKDSK program 
           will return file allocation errors on all infected programs 
           when the virus is memory resident. 
           Origin:  United States  November, 1992. 
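
Added example (not part of the original entry): a Python triage pass over a baseline file manifest that flags .COM and .EXE files whose growth matches one of the length increases listed above while the directory date and time are unchanged. The manifest layout and all sample sizes and timestamps are constructed for illustration. Because Necro Shadow-B and Necro Shadow.1702 hide the length increase while memory resident, the current listing has to be taken when the virus is not in memory.

```python
# Added example: size-delta triage against a baseline manifest.
# The growth values and the "date and time not altered" trait come from the
# entry above; the manifest layout (name -> size, mtime) is an assumption.
from typing import NamedTuple

# File length increase in bytes -> variant, as listed in the entry.
GROWTH = {
    1200: "Necro Shadow",
    1185: "Necro Shadow.1185",
    1700: "Necro Shadow-B",
    1702: "Necro Shadow.1702",
}
TARGET_EXT = (".COM", ".EXE")  # the only file types the entry says are infected


class Entry(NamedTuple):
    size: int
    mtime: str  # directory date/time, compared as an opaque string


def triage(baseline, current):
    """Return sorted (name, variant) pairs for files that grew by a listed
    delta while keeping the same directory timestamp."""
    hits = []
    for name, now in current.items():
        old = baseline.get(name)
        if old is None or not name.upper().endswith(TARGET_EXT):
            continue
        variant = GROWTH.get(now.size - old.size)
        # A changed timestamp points to an ordinary update, not this family.
        if variant and now.mtime == old.mtime:
            hits.append((name, variant))
    return sorted(hits)


# Constructed sample manifests (sizes and timestamps are made up).
T0 = "1991-04-09 05:00"
BASELINE = {
    "COMMAND.COM": Entry(47845, T0), "FORMAT.COM": Entry(32911, T0),
    "EDIT.EXE": Entry(20000, T0), "README.TXT": Entry(1000, T0),
}
CURRENT = {
    "COMMAND.COM": Entry(49545, T0),               # +1,700, same timestamp
    "FORMAT.COM": Entry(34096, T0),                # +1,185, same timestamp
    "EDIT.EXE": Entry(21200, "1992-12-01 09:30"),  # +1,200 but timestamp changed
    "README.TXT": Entry(2200, T0),                 # +1,200 but not .COM/.EXE
}

if __name__ == "__main__":
    for name, variant in triage(BASELINE, CURRENT):
        print(f"{name}: growth matches {variant}")
```

A match is a lead for scanning with one of the listed detection products, not a verdict; an exact size delta can occur by coincidence.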
