%%File: VIRS0572.TXT
%%Name/Aliases: Natas
%%Platform: PC/MS-DOS
%%Type: Multipartite.
%%Disk Location: Floppy disk boot sector. Hard disk partition table. EXE application. COM application.
%%Features: Memory resident; TSR. Stealth. Polymorphic.
%%Damage: No damage, only replicates.
%%Size: 4744 for file infections, Overlays boot sector, no increase, Variants as 4744, 4746, 4774, 4988 bytes are known
%%See Also: Satan Bug
%%Notes:

WildList TechNotes: The Natas Virus

The Natas virus infects program files, the DOS boot sector on floppies and the master boot record (MBR) on the first physical hard disk (drive 80h, the C: drive). It is a polymorphic, multipartite, stealth virus.

The virus code is two sectors in length and it reserves 6k of memory by modifying the available-memory word at 40:13. Thus, on a 640k machine, mem would report 634k and chkdsk would report 649216 bytes of free memory. Examining memory with debug, the two bytes at 0040:0013 would be 7A 02, and the virus's name "Natas" would be visible in memory at 9F9D:0003.

The virus body is stored, unencrypted, on 9 sectors near the end of track 0, head 0, on the hard drive. The virus stealths the infected MBR if it is in memory, but not these extended sectors. The virus name "Natas" can be seen near the end of the last virus sector using a disk editor.

Infected files grow by 4744 bytes, but the change in size is stealthed if the virus is in memory. The name "Natas" is in the encrypted portion of the virus body and is thus not visible. The virus's decryptor is extremely polymorphic.

The virus contains no intentionally damaging routines and does not affect data files. The virus appears to be incompatible with some memory managers. Problems have been reported when QEMM386 and DOS EMM386 become infected.

The virus was evidently programmed by Little Loc, the programmer of the Sat_Bug (Satan Bug, or Satan) virus. The Natas virus has been distributed as commented source code.
It is widely reported in Mexico and has appeared in Los Angeles, New York, and Virginia.

-----------------------------------------------------------------------------
WildList TechNotes - (C) 1994 by Joe Wells (CARO) - jwells@symantec.com
-----------------------------------------------------------------------------

According to Microsoft, NATAS is often the cause of "Driver Error 01" from EMM386.

Additional notes from VB Dec. 1994:

The virus is triggered when it detects a debugger or, with a 1/512 chance, on loading from an infected disk. The trigger routine formats the entire hard disk.

The 4744-byte variant contains two text strings: " Natas " and " BLACK MODEM ".

The 4774-byte variant contains the string " Time has come to pay (c) 1994 NEVER- 1".

The 4988-byte variant contains the following string: " Yes I know my enemies. They're the teachers who taught me to me compromise, conformity, assimilation, submission, ignorance, hypocrisy, the elite all of whitch are American dreams (c) 1994 by Never-1 (Belgium Most Hates) Sandrine B. ".
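
Added example (not part of the original record or of the TechNotes): a small offline triage helper that checks the two on-host indicators the notes describe, the 6k shortfall in the memory word at 0040:0013 and the name string left in the unstealthed sectors of track 0, head 0. The function names, the sectors-per-track parameter and the sample image are assumptions made for illustration.

```python
import struct

SECTOR = 512
MARKER = b"Natas"   # name string the notes say is visible on disk
RESERVED_KB = 6     # memory the notes say the virus reserves


def base_memory_kb(bda_word: bytes) -> int:
    """Decode the little-endian available-memory word read from 0040:0013."""
    if len(bda_word) != 2:
        raise ValueError("expected exactly two bytes")
    return struct.unpack("<H", bda_word)[0]


def memory_shortfall_matches(bda_word: bytes, installed_kb: int = 640) -> bool:
    """True when reported memory is short by exactly the 6k in the notes.
    Other resident software can also lower this word, so treat a match as
    a reason to inspect the disk, not as proof."""
    return installed_kb - base_memory_kb(bda_word) == RESERVED_KB


def marker_sectors(image: bytes, sectors_per_track: int) -> list[int]:
    """Return 0-based sector indexes on track 0, head 0 (MBR excluded)
    that contain the marker. Reads a raw image, so no resident code can
    stealth the result. A marker split across two sectors is not matched."""
    hits = []
    for lba in range(1, sectors_per_track):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if len(sector) < SECTOR:
            break  # image is shorter than one full track
        if MARKER in sector:
            hits.append(lba)
    return hits


def build_sample_image(sectors_per_track: int = 17) -> bytes:
    """Constructed test data: an empty track with the marker placed near
    the end of its last sector (17 sectors per track is an assumption)."""
    track = bytearray(SECTOR * sectors_per_track)
    offset = len(track) - 16
    track[offset:offset + len(MARKER)] = MARKER
    return bytes(track)


if __name__ == "__main__":
    word = bytes.fromhex("7A02")  # the bytes quoted in the notes
    print(base_memory_kb(word), memory_shortfall_matches(word))
    print(marker_sectors(build_sample_image(), 17))
```

Run it against an image taken after booting from known-clean media, since the notes say the MBR itself is stealthed while the virus is resident.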