%%File: VIRS0571.TXT
%%Name/Aliases: N8FALL
%%Platform: PC/MS-DOS
%%Type: Program.
%%Disk Location: COM application., EXE application., COMMAND.COM
%%Features: Memory resident; TSR., Stealth
%%Damage: Sometimes displays a message., May drop a 'CHILD' non-polymorphic companion virus., May cause software problems (false free memory available).
%%Size: About 5800 bytes long., Polymorphic: each infection different
%%See Also:
%%Notes: The following notes are extracted from VB, May 1995:

N8FALL is about 5800 bytes long. It is quite complex and stealthy, and employs DOS commands and functionality to its own advantage. When an infected file is executed, the virus checks for itself in memory by reading the value at 000:05E0h. If the value found there is a JMP VIRUS instruction, N8FALL follows the jump and determines that it is indeed memory resident. If the virus is already resident, control is returned to the host program. Otherwise, it attempts to install itself in system memory. First, N8FALL examines the Int 13h, Int 21h, and Int 2Ah vectors to check for anti-virus programs, and also uses them for its own installation, infection, etc. If any anti-virus program is found, it is disabled for self-preservation. Second, it looks for HIMEM.SYS. It uses the Int 21h handler to determine where the DOS interrupt handler resides. If the interrupt handler is in high memory, the area next to it is overwritten with a JMP VIRUS instruction; if it is in low memory, the handler itself is overwritten with a JMP VIRUS instruction. Next, it opens and closes COMMAND.COM, after which COMMAND.COM is infected. Finally, N8FALL decrypts the string 'C:\NCDTREE\NAVINFO.DAT', which is a name used by the Norton Anti-Virus program. Control is then returned to the host program. The virus infects COM and EXE files. Before infecting any file, it checks that 1) anti-virus programs are excluded, 2) floppy disks are not write-protected, and 3) DOS error messages, VSAFE, and Microsoft's TSR are disabled.
When all these conditions are satisfied, the virus examines the lower five bits of the file; if they are all set to 1, the file becomes a candidate for infection. Next, the last 24 bytes are read and decoded; the virus looks for its ID in this area. If the file is already infected, control is given to a routine that runs the virus. If the file is clean, the virus appends itself to the end of the file and modifies the beginning according to the file type. For EXE files, the IP field is modified to point to the virus. In COM files, a JMP VIRUS instruction is written into the first 3 bytes. Sometimes, instead of infecting an EXE file, N8FALL drops a companion virus 527 bytes long and then prints the following message:

    Any means necessary for survival
    _N8FALL/2XS_
    By the perception of illusion we experience reality
    Art & Strategy by Neurobasher 1994 - Germany
    I don't think that the real violence has even started yet

Then it waits for a key to be pressed and continues. The companion is fully functional and completely independent of the 'parent'. It identifies itself in memory (the memory word at 0000:052D2 has a value of 5832h). Its Int 21h handler performs checks to avoid drives A: or B: and F-PROT.EXE. Later, it creates a matching COM file to which it writes itself, setting the date/time to 11:55:00, 01 January 1994. In addition, the COM file has the System/Hidden/Read-only attributes. No other attempts are made to hide its presence. The recommended method for disinfection is to use clean system conditions, then identify and replace the infected files.
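A defender-side check for the companion's footprint described above, written for this entry as an added example (it is not part of the catalog record or of VB's analysis): it walks a directory tree and flags COM files that sit beside a same-basename EXE and match the indicators the entry gives, namely the 527-byte size, the 11:55:00 01 January 1994 timestamp, and the System/Hidden/Read-only attributes where the platform exposes them. The function names, the sample files it builds, and the decision to report any single matching indicator are this example's own assumptions; the timestamp comparison uses local time, since DOS stores local time.

```python
import os
import stat
import tempfile
import time
from dataclasses import dataclass, field

# Indicators quoted from the catalog entry for the 'CHILD' companion dropped by N8FALL.
COMPANION_SIZE = 527                       # bytes
COMPANION_STAMP = (1994, 1, 1, 11, 55, 0)  # 11:55:00, 01 January 1994 (local time)

# DOS attribute bits; os.stat exposes st_file_attributes on Windows only.
ATTR_READONLY = 0x01
ATTR_HIDDEN = 0x02
ATTR_SYSTEM = 0x04
ATTR_COMBO = ATTR_READONLY | ATTR_HIDDEN | ATTR_SYSTEM


@dataclass
class Finding:
    com_path: str
    exe_path: str
    indicators: list = field(default_factory=list)


def inspect_pair(exe_path, com_path):
    """Compare a COM file against the companion indicators; return a Finding or None."""
    st = os.stat(com_path)
    hits = []
    if st.st_size == COMPANION_SIZE:
        hits.append("size=527")
    if tuple(time.localtime(st.st_mtime)[:6]) == COMPANION_STAMP:
        hits.append("timestamp=1994-01-01 11:55:00")
    attrs = getattr(st, "st_file_attributes", None)   # None outside Windows
    if attrs is not None and attrs & ATTR_COMBO == ATTR_COMBO:
        hits.append("attributes=S/H/R")
    elif attrs is None and not (st.st_mode & stat.S_IWUSR):
        # Without a DOS attribute view, a cleared owner-write bit is the closest proxy for Read-only.
        hits.append("read-only (no DOS attribute view)")
    if not hits:
        return None
    return Finding(com_path=com_path, exe_path=exe_path, indicators=hits)


def scan_tree(root):
    """Walk root; for every EXE with a same-basename COM beside it, inspect the COM."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}
        for name in files:
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".exe":
                continue
            com_name = by_lower.get(stem.lower() + ".com")
            if com_name is None:
                continue
            finding = inspect_pair(os.path.join(dirpath, name), os.path.join(dirpath, com_name))
            if finding is not None:
                findings.append(finding)
    return findings


def _write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample(root):
    """Create a constructed sample: one clean EXE/COM pair and one pair matching the indicators."""
    os.makedirs(root, exist_ok=True)
    # Constructed clean pair: COM of an unrelated size, current timestamp.
    _write(os.path.join(root, "GOOD.EXE"), b"MZ" + b"\x00" * 62)
    _write(os.path.join(root, "GOOD.COM"), b"\xc3" * 100)
    # Constructed suspicious pair: 527-byte COM carrying the companion's date/time.
    _write(os.path.join(root, "HOST.EXE"), b"MZ" + b"\x00" * 62)
    bad = os.path.join(root, "HOST.COM")
    _write(bad, b"\x90" * COMPANION_SIZE)
    stamp = time.mktime(COMPANION_STAMP + (0, 0, -1))
    os.utime(bad, (stamp, stamp))
    return root


def demo():
    """Build the constructed sample in a fresh temp dir and return the scan findings."""
    return scan_tree(build_sample(os.path.join(tempfile.mkdtemp(), "dos")))


if __name__ == "__main__":
    for f in demo():
        print(f.com_path, "beside", os.path.basename(f.exe_path), "->", ", ".join(f.indicators))
```

On a real disk image mounted under Linux the attribute check degrades to the write-bit proxy, so the size and timestamp indicators carry the weight there; on Windows all three are available. Any hit warrants replacing the COM file from clean media rather than trusting it, in line with the entry's disinfection advice.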