Nomenklatura Virus


 Virus Name:  Nomenklatura 
 Aliases:     Nomenclature, 1024-B, Nomen 
 V Status:    Common 
 Discovered:  August, 1990 
 Symptoms:    .EXE, .COM growth; decrease in available free memory; "sector 
              not found" messages on diskettes; 
 Origin:      Netherlands 
 Eff Length:  1,024 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, NAV, AVTK, F-Prot, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Nomenklatura virus was isolated in August, 1990 in the 
       Netherlands.  This virus is a memory resident infector of .COM and 
       .EXE files, including COMMAND.COM.  It is not related to the V1024 
       virus, though it is the same length. 
 
       The first time a program infected with the Nomenklatura virus is 
       executed on a system, the virus installs itself memory resident at 
       the top of available system memory, but below the 640K DOS 
       boundary. Available system memory will decrease by 1,024 bytes, and 
       interrupt 21 will be hooked by the virus. 
 
       When the virus is memory resident, any .COM or .EXE program greater 
       in length then approximately 1,023 bytes that is executed or opened 
       for any reason will be infected by the Nomenklatura virus. 
       Infected files will have their file lengths increased by 1,024 
       bytes.  The virus does not hide the increase in file length when 
       the disk directory is displayed. 
 
       Attempts to execute uninfected programs from a write-protected 
       diskette with the virus in memory will result in a "Sector not 
       found error" message being displayed, and the program not being 
       executed. 
 
       The Nomenklatura virus is destructive to the contents of diskettes 
       exposed to infected systems.  File corruption will randomly occur, 
       with the frequency increasing as the disk becomes more filled with 
       data. The file errors may occur on data files as well program 
       files.  This file corruption occurs due to the virus occasionally 
       swapping a pair of words in the sector buffer.  It may also do this 
       to critical system areas such as the FAT, boot sector, or 
       directories since it may occur to any clusters on the disk.  If a 
       file or critical system area was residing in a corrupted cluster, 
       it will be corrupted.  As such, systems which has been exposed to 
       the Nomenklatura virus must be carefully checked as the integrity 
       of non-infected programs and any data files should be considered 
       suspect. 
 
       The virus has been named Nomenklatura as this text string appears 
       in all programs infected with this virus.

Show viruses from discovered during that infect .

Main Page