NRLG Virus


 Virus Name:  NRLG 
 Aliases:     NRLG.755 
 V Status:    New 
 Discovered:  May, 1995 
 Symptoms:    .COM file growth; file & disk corruption; system hangs; 
              decrease in total system memory; 
              date/time seconds = "60" or "62" 
 Origin:      Unknown 
 Eff Length:  755 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  ViruScan, F-Prot, NAV, AVTK, Sweep, IBMAV, NAVDX, 
                    ChAV, PCScan, 
                    Sweep/N, AVTK/N, IBMAV/N, NShld, NAV/N, NProt, Innoc 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The NRLG or NRLG.755 virus was received in May, 1995.  Its origin or 
       point of isolation is unknown.  NRLG is a memory resident infector 
       of .COM files, including COMMAND.COM.  It frequently corrupts the 
       files and diskettes it infects. 
 
       When the first NRLG infected program is executed, this virus will 
       install itself memory resident at the top of system memory but below 
       the 640K DOS boundary, not moving interrupt 12's return.  Total 
       system memory, as indicated by the DOS 5.0 CHKDSK program, will have 
       decreased by approximately 16K or 17,200 bytes.  Interrupt 21 will 
       be hooked by the virus in memory. 
 
       Once the NRLG virus is memory resident, it will infect .COM files, 
       including COMMAND.COM, when they are executed.  Infected files will 
       have a file length increase of 755 bytes with the virus being located 
       at the end of the file.  The program's date and time in the DOS disk 
       directory listing will not appear to be altered, thought the seconds 
       field will have been set to "60" or "62".  The following text string 
       is encrypted within the viral code: 
 
               "[MuTaTiON INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 
                LIMO 1-800-972-7117" 
 
       This text string is displayed when the virus becomes memory resident. 
 
       Programs infected with the NRLG virus, as well as .BAT files and 
       system files on infected disks, may be corrupted by this virus, 
       resulting in frequent system hangs. 
 
       Known variant(s) of NRLG are: 
       NRLG.575: Received in January, 1996, NRLG.575 is a 575 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           14,128 bytes, hooking interrupt 21.  It infects .COM files when 
           they are executed.  Infected files will have a file length 
           increase of 575 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds value will be changed.  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant will also alter the seconds field on .EXE files 
           which are executed with the virus memory resident, though it 
           does not infect these files. 
           Origin:  Unknown  January, 1996. 
       NRLG.587: Received in January, 1996, NRLG.587 is a 587 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           14,336 bytes, hooking interrupt 21.  It infects .COM files when 
           they are executed.  Infected files will have a file length 
           increase of 587 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds value will be changed.  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant will also alter the seconds field on .EXE files 
           which are executed with the virus memory resident, though it 
           does not infect these files. 
           Origin:  Unknown  January, 1996. 
       NRLG.624: Received in January, 1996, NRLG.624 is a 624 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           14,960 bytes, hooking interrupt 21.  It infects .COM files when 
           they are executed.  Infected files will have a file length 
           increase of 624 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds value will be changed.  The following text string is 
           encrypted within the viral code: 
           "[DELTA V2.6]" 
           This text string may be displayed with a beep and other 
           characters from memory when the virus becomes memory resident. 
           This variant will also alter the seconds field on .EXE files 
           which are executed with the virus memory resident, though it 
           does not infect these files. 
           Origin:  Unknown  January, 1996. 
       NRLG.655: Received in January, 1996, NRLG.655 is a 655 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           15,488 bytes, hooking interrupt 21.  It infects .COM files when 
           they are executed.  Infected files will have a file length 
           increase of 655 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds value will be changed.  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This text string may be displayed with a beep and other 
           characters from memory when the virus becomes memory resident. 
           This variant will also alter the seconds field on .EXE files 
           which are executed with the virus memory resident, though it 
           does not infect these files. 
           Origin:  Unknown  January, 1996. 
       NRLG.666: Received in July, 1995, NRLG.666 is a 666 byte variant 
           of the NRLG virus described above.  Its size in memory is 15,696 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 666 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will be unaltered.  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           Origin:  Unknown  July, 1995. 
       NRLG.678: Received in January, 1996, NRLG.678 is a 678 byte 
           variant of the NRLG virus.  Its size in memory is 15,888 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           678 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.684: Received in January, 1996, NRLG.684 is a 684 byte 
           variant of the NRLG virus.  Its size in memory is 15,984 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           684 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.688: Received in January, 1996, NRLG.688 is a 688 byte 
           variant of the NRLG virus.  Its size in memory is 16,048 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           688 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.692: Received in January, 1996, NRLG.692 is a 692 byte 
           variant of the NRLG virus.  Its size in memory is 16,128 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           692 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.694: Received in January, 1996, NRLG.694 is a 694 byte 
           variant of the NRLG virus.  Its size in memory is 16,160 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           694 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.700: Received in January, 1996, NRLG.700 is a 700 byte 
           variant of the NRLG virus.  Its size in memory is 16,256 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           700 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.713: Received in July, 1995, NRLG.713 is a 713 byte variant 
           of the NRLG virus described above.  Its size in memory is 16,496 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 713 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will appear to be unaltered, though the seconds 
           field will be set to "60" or "62".  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant also alters the seconds field in the file date on 
           executed .EXE files to "60" or "62", though the virus does not 
           infect these files.  It may also display the above text string 
           on the system monitor when an infected program is executed. 
           Origin:  Unknown  July, 1995. 
       NRLG.728: Received in January, 1996, NRLG.728 is a 728 byte 
           variant of the NRLG virus.  Its size in memory is 16,736 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           728 bytes with the virus being located at the end of the file. 
           The program's date and time in the DOS disk directory listing 
           will not appear to be altered, though the seconds field will have 
           changed.  No text strings are contained within the viral code. 
           Origin:  Unknown  January, 1996. 
       NRLG.750: Received in July, 1995, NRLG.750 is a 750 byte variant 
           of the NRLG virus described above.  Its size in memory is 17,120 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 750 bytes, though this file length increase 
           will be hidden by the virus when it is memory resident.  The 
           virus is located at the end of the file.  The program's date and 
           time in the DOS disk directory listing will appear to be 
           unaltered, though the seconds field will be set to "60" or "62". 
           The following text string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant also alters the seconds field in the file date on 
           executed .EXE files to "60" or "62", though the virus does not 
           infect these files.  Once the virus has altered the seconds field, 
           the file's length in the DOS disk directory listing will be 
           indicated as being 750 bytes smaller than the actual file length. 
           It may also display the above text string on the system monitor 
           when an infected program is executed. 
           Origin:  Unknown  July, 1995. 
       NRLG.752: Received in July, 1995, NRLG.752 is a 752 byte variant 
           of the NRLG virus described above.  Its size in memory is 17,152 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 752 bytes, though this file length increase 
           will be hidden by the virus when it is memory resident.  The 
           virus is located at the end of the file.  The program's date and 
           time in the DOS disk directory listing will appear to be 
           unaltered, though the seconds field will be set to "60" or "62". 
           The following text string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant also alters the seconds field in the file date on 
           executed .EXE files to "60" or "62", though the virus does not 
           infect these files.  Once the virus has altered the seconds field, 
           the file's length in the DOS disk directory listing will be 
           indicated as being 752 bytes smaller than the actual file length. 
           It may also display the above text string on the system monitor 
           when an infected program is executed. 
           Origin:  Unknown  July, 1995. 
       NRLG.776: Received in January, 1996, NRLG.776 is a 776 byte 
           variant of the NRLG virus.  Its size in memory is 17,552 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           776 bytes with the virus being located at the end of the file. 
           This variant hides the file length increase on infected files 
           when the virus is memory resident.  The program's date and time 
           in the DOS disk directory listing will not appear to be altered, 
           though the seconds field will have been set to "60" or "62".  It 
           will also change the seconds field on .EXE files executed with 
           the virus memory resident, and as a result these .EXE files will 
           appear to be 776 bytes smaller than their actual length when the 
           virus is memory resident.  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           Origin:  Unknown  January, 1996. 
       NRLG.813: Received in July, 1995, NRLG.813 is an 813 byte variant 
           which is similar to NRLG.750 and NRLG.752.  Its size in memory 
           is 18,192 bytes, hooking interrupt 21.  It adds 813 bytes to 
           the .COM files it infects, though the file length increase is 
           hidden when the virus is memory resident.  It contains the same 
           encrypted text string.  .EXE files may appear to be 813 bytes 
           smaller than their actual size when the virus is memory resident. 
           Origin:  Unknown  July, 1995. 
       NRLG.824: Received in May, 1995, NRLG.824 is an 824 byte variant 
           of the NRLG virus described above.  Its size in memory is 18,368 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 824 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will appear to be unaltered, though the seconds 
           field will be set to "60" or "62".  The following text string is 
           encrypted within the viral code: 
           "[MuTaTiON INTERRUPT] 1994 - Thanks to N.R.L.G. 
            AZRAEL800 JEWELRY 1-800-346-7231" 
           System hangs frequently occur when programs are executed. 
           Origin:  Unknown  May, 1995. 
       NRLG.826: Received in July, 1995, NRLG.826 is an 826 byte variant 
           which is similar to NRLG.750 and NRLG.752.  Its size in memory 
           is 18,416 bytes, hooking interrupt 21.  It adds 826 bytes to 
           the .COM files it infects, though the file length increase is 
           hidden when the virus is memory resident.  It contains the same 
           encrypted text string.  .EXE files may appear to be 826 bytes 
           smaller than their actual size when the virus is memory resident. 
           Origin:  Unknown  July, 1995. 
       NRLG.853: Received in May, 1995, NRLG.853 is an 853 byte variant 
           of the NRLG virus described above.  Its size in memory is 18,864 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 853 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will appear to be unaltered, though the seconds 
           field will be set to "60" or "62".  The following text string is 
           encrypted within the viral code: 
           "[MuTaTiON INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 
            SEAFOOD 1-800-472-0542" 
           System hangs frequently occur when programs are executed. 
           Origin:  Unknown  May, 1995. 
       NRLG.865: Received in May, 1995, NRLG.865 is an 865 byte variant 
           of the NRLG virus described above.  Its size in memory is 19,072 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 865 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not be altered.  The following text string 
           is encrypted within the viral code: 
           "[MuTaTiON INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 
            ROOMS 1-800-442-6633" 
           System hangs frequently occur when programs are executed. 
           Origin:  Unknown  May, 1995. 
       NRLG.867: Received in January, 1996, NRLG.867 is a 867 byte 
           variant of the NRLG virus.  Its size in memory is 19,104 bytes, 
           hooking interrupt 21.  It infects .COM files when they are 
           executed.  Infected programs will have a file length increase of 
           867 bytes with the virus being located at the end of the file. 
           This variant hides the file length increase on infected files 
           when the virus is memory resident.  The program's date and time 
           in the DOS disk directory listing will not appear to be altered, 
           though the seconds field will have been set to "60" or "62".  It 
           will also change the seconds field on .EXE files executed with 
           the virus memory resident, and as a result these .EXE files will 
           appear to be 867 bytes smaller than their actual length when the 
           virus is memory resident.  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           Origin:  Unknown  January, 1996. 
       NRLG.872: Received in January, 1996, NRLG.872 is an 872 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           19,184 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 872 bytes with the virus being located at 
           the end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been altered.  The following text string 
           is encrypted within the viral code: 
           "Nemesis 1995 gooberish" 
           System hangs frequently occur when programs are executed.  The 
           system may fail to boot once the boot copy of COMMAND.COM becomes 
           infected. 
           Origin:  Unknown  January, 1996. 
       NRLG.899: Received in January, 1996, NRLG.899 is an 899 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           19,648 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 899 bytes with the virus being located at 
           the end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been altered to "60" or "62".  The 
           following text string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant attempts to hide the file length increase when the 
           virus is memory resident, and some .EXE files will appear to have 
           decreased in size by 899 bytes.  It also corrupts the system hard 
           disk partition table. 
           Origin:  Unknown  January, 1996. 
       NRLG.901: Received in May, 1995, NRLG.901 is a 901 byte variant 
           of the NRLG virus described above.  Its size in memory is 19,680 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 901 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will appear to be unaltered, though the seconds 
           field will be set to "60" or "62".  The following text strings are 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           "Created by: MuTaTiON iNTERRUPT! This Could Have Formatted Your 
            Hard Disk! See +++rus Goobers! 1994" 
           System hangs frequently occur when programs are executed. 
           Origin:  Unknown  May, 1995. 
       NRLG.930: Received in January, 1996, NRLG.930 is an 930 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           20,176 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 930 bytes with the virus being located at 
           the end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been altered to "60" or "62".  The 
           following text string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant attempts to hide the file length increase when the 
           virus is memory resident, and some .EXE files will appear to have 
           decreased in size by 930 bytes.  It also corrupts the system hard 
           disk partition table. 
           Origin:  Unknown  January, 1996. 
       NRLG.955: Received in January, 1996, NRLG.955 is an 955 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           20,592 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 955 bytes with the virus being located at 
           the end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been altered.  No text strings are 
           found within the viral code.  The variant corrupts the system 
           hard disk master boot record resulting in a system hang when the 
           user attempts to boot the system from the hard disk. 
           Origin:  Unknown  January, 1996. 
       NRLG.964: Received in May, 1995, NRLG.964 is a 964 byte variant 
           of the NRLG virus described above.  Its size in memory is 20,752 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed, and will alter the system hard disk 
           master boot sector.  Infected .COM files will have a file length 
           increase of 964 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will appear to be unaltered, though the seconds field 
           will be set to "60" or "62".  The following text string is 
           encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           System hangs frequently occur when programs are executed.  The 
           alteration to the system hard disk master boot sector is not a 
           live copy of the virus. 
           Origin:  Unknown  May, 1995. 
       NRLG.982: Received in January, 1996, NRLG.982 is a 982 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           21,056 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 982 bytes with the virus being located at 
           the end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been altered to "60" or "62".  The 
           following text string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant attempts to hide the file length increase when the 
           virus is memory resident, and some .EXE files will appear to have 
           decreased in size by 982 bytes.  It also corrupts the system hard 
           disk partition table. 
           Origin:  Unknown  January, 1996. 
       NRLG.985: Received in May, 1995, NRLG.985 is an 985 byte variant 
           of the NRLG virus described above.  Its size in memory is 21,104 
           bytes, hooking interrupt 21.  It infects .COM files from memory 
           when they are executed.  Infected .COM files will have a file 
           length increase of 985 bytes with the virus being located at the 
           end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will be set to "60" or "62".  The following text 
           string is encrypted within the viral code: 
           "[MuTaTiON INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 
            DRUGS 1-800-872-1626" 
           This variant will also alter the system hard disk master boot 
           sector which will result in the system failing to boot from the 
           system hard disk.  System hangs frequently occur when programs 
           are executed. 
           Origin:  Unknown  May, 1995. 
       NRLG.992: Received in January, 1996, NRLG.992 is a 992 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           21,216 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 992 bytes with the virus being located at 
           the end of the file.  The program's date and time in the DOS disk 
           directory listing will not appear to be altered, though the 
           seconds field will have been changed to "60" or "62".  The 
           following text string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This variant attempts to hide the file length increase when the 
           virus is memory resident, and some .EXE files will appear to have 
           decreased in size by 992 bytes.  It also corrupts the system hard 
           disk partition table. 
           Origin:  Unknown  January, 1996. 
       NRLG.1001: Received in July, 1995, NRLG.1001 is a 1,001 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           21,392 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed, and will alter the system hard disk 
           master boot sector.  Infected .COM files will have a file length 
           increase of 1,001 bytes with the virus being located at the end of 
           the file, though the file length increase will be hidden when the 
           virus is memory resident.  The program's date and time in the DOS 
           disk directory listing will appear to be unaltered, though the 
           seconds field will be set to "60" or "62".  The following text 
           string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           "You Are FuCKeD!!! GINA ViRuS!!!!!!! PoOFF GoeS YoUR HaRD DiSK!" 
           The first text string above may be displayed when the virus 
           becomes memory resident.  Once the virus has altered the system 
           hard disk master boot sector, or infected the boot copy of 
           COMMAND.COM, the system will not boot from the infected hard 
           disk.  .EXE files may appear to be 1,001 bytes smaller than 
           expected when the virus is memory resident. 
           Origin:  Unknown  July, 1995. 
       NRLG.1007: Received in May, 1995, NRLG.1007 is a 1,007 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           21,472 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed, and will alter the system hard disk 
           master boot sector.  Infected .COM files will have a file length 
           increase of 1,007 bytes with the virus being located at the end of 
           the file.  The program's date and time in the DOS disk directory 
           listing will appear to be unaltered, though the seconds field 
           will be set to "52", "60" or "62".  The following text string is 
           encrypted within the viral code: 
           "[MuTaTiON INTERRUPT] 1994 - Thanks to N.R.L.G. - 800 
            NANNY 1-800-443-1411" 
           System hangs frequently occur when programs are executed.  Once 
           the virus has altered the system hard disk master boot sector, or 
           infected the boot copy of COMMAND.COM, the system will not boot 
           from the infected hard disk. 
           Origin:  Unknown  May, 1995. 
       NRLG.1026: Received in January, 1996, NRLG.1026 is a 1,026 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           21,808 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed.  Infected .COM files will have a 
           file length increase of 1,026 bytes with the virus being located 
           at the end of the file.  The program's date and time in the DOS 
           disk directory listing will not appear to be altered, though the 
           seconds field will have been changed to "60" or "62".  No text 
           strings are found within the viral code.  This variant attempts 
           to hide the file length increase when the virus is memory 
           resident, and some .EXE files will appear to have decreased in 
           size by 1,026 bytes.  It also corrupts the system hard disk 
           master boot sector, rendering the system unbootable from the 
           system hard disk. 
           Origin:  Unknown  January, 1996. 
       NRLG.1038: Received in July, 1995, NRLG.1038 is a 1,038 byte 
           variant of the NRLG virus described above.  Its size in memory is 
           22,016 bytes, hooking interrupt 21.  It infects .COM files from 
           memory when they are executed, and will alter the system hard disk 
           master boot sector.  Infected .COM files will have a file length 
           increase of 1,038 bytes with the virus being located at the end of 
           the file, though the file length increase will be hidden when the 
           virus is memory resident.  The program's date and time in the DOS 
           disk directory listing will appear to be unaltered, though the 
           seconds field will be set to "60" or "62".  The following text 
           string is encrypted within the viral code: 
           "[NuKE] N.R.L.G. AZRAEL" 
           This text string may be displayed on the system monitor when the 
           virus becomes memory resident. Once the virus has altered the 
           system hard disk master boot sector, or infected the boot copy of 
           COMMAND.COM, the system will not boot from the infected hard disk. 
           .EXE files may appear to be 1,038 bytes smaller than expected 
           when the virus is memory resident. 
           Origin:  Unknown  July, 1995.

Show viruses from discovered during that infect .

Main Page