%%File: VIRS0585.TXT
%%Name/Aliases: Nostardamus
%%Platform: PC/MS-DOS
%%Type: Program.,
%%Disk Location: EXE application., COM application., Program overlay files (OVL).
%%Features: Memory resident; TSR., Encrypted, Polymorphic
%%Damage: Displays messages, Corrupts boot sector, Corrupts a data file., Corrupts keyboard inputs.
%%Size: 2247 bytes long.
%%See Also:
%%Notes: The following notes are extracted from VB, March 1995:

This virus has spread in many Russian towns, as reported on Fidonet echo. Nostardamus is a polymorphic file infector. The code has several main instructions which are selected randomly from a list. The virus has several triggering routines; each routine performs a specific task such as displaying messages, overwriting files, changing file attributes, erasing boot sectors, or disabling several keys on the keyboard. Furthermore, it has instructions to elude several Russian anti-virus programs. The virus intercepts the Int 21h, Int 16h, Int 1Ch, and Int 24h handlers and uses their functionality rather well to perform its task smoothly and unobtrusively.

Upon execution of an infected file, control is passed to the decryption loop, and the virus body is restored to executable form. First, the virus uses an Int 21h function to determine whether it is already memory resident. If it is memory resident, the CL register returns 4Bh. Otherwise, the virus acquires an area of memory for itself by direct manipulation of the MCB chain, hooks Int 16h and Int 21h, obtains the original address of Int 21h, then returns control to the host file.

When a file is targeted for infection, the routine hooks Int 24h to suppress any DOS error messages that would occur on a write-protected disk, then disables the Control-Break interrupt and checks the extension. If the file extension is *.?YS, the virus aborts the infection routine. If the extension is ?OM, ?XE or ?VL, infection takes place.

For EXE and COM files, the virus checks the name for the strings CO*, *EB, *NF, *TI, and AI*. The string CO* identifies COMMAND.COM, and the infection routine is aborted. The other strings identify the Russian anti-virus programs WEB, ADINF, ANTI, and AIDSTEST, in which case the virus sets a special flag acknowledging the existence of these programs so that it can elude them when the infected files are executed. Files with the extensions EXE, COM, and OVL are affected by the virus. The virus will not infect files shorter than 1500 bytes. For COM files longer than 63288 bytes, the infection routine is aborted. When these conditions are met, the virus checks the file for 'Identification Bytes' so that multiple infection is avoided. The ID for an infected EXE file is the word at offset 12h being 07B7h, and the ID for an infected COM file is the 4th byte having the value C3h. If the file is not infected, the encrypted virus code is appended to the end of the file with a jump instruction to the virus code. Then control is returned to the host file. All infected files are also marked with a second ID: the seconds field of the time and date stamp is set to 20.

Nostardamus has several payloads. When the 20th infection occurs, the virus becomes active. First, the date is checked; if the day number equals 2 * the month number, the following message is displayed:

THE NOSTARDAMUS-Erace (c) v2.1 beta Formatting Disk C: 40 Mb

Next it simulates disk formatting (not actually erasing or formatting). Pressing any key causes a system crash. Another triggering routine uses the system time counter. If the minute value is less than 4, the 80th sector of drive A: is erased. If the time is later than 18:00, the virus hooks Int 1Ch and displays the following message:

HOME RUN !!

Another triggering routine is placed in the virus' Int 16h handler. The virus checks the keyboard input: it disables F8, Shift-F8, and Ctrl-F8, and the Ctrl-F10 key is replaced by F8.

The last triggering routine is placed in the virus' Int 21h handler. If a file's attribute is Hidden, the virus changes its attributes to Read-only/Hidden and overwrites the first byte of the file with the first byte of the virus name (excluding EXE, COM, SYS, and OVL files).
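The identification bytes and the timestamp marker described above are the facts a scanner can check for. The following Python checker is an added example written for this entry, not code from the original write-up or from the VB article; it applies the entry's targeting rules (extension and size limits) and then looks for the three markers the entry names. The page says "the 4th byte" for the COM marker, which is read here as zero-based offset 3 (an assumption), and the timestamp check takes the seconds value of the file's modification time as an integer. Sample inputs are constructed, not real infected files.

```python
"""Heuristic checker for the Nostardamus infection markers described in
CIAC entry VIRS0585.TXT.  Added example; not part of the original entry.
Marker offsets follow the entry text; ambiguous points are noted as
assumptions in the comments below."""
import struct
from typing import List

# Size limits quoted in the entry.
MIN_INFECTABLE_SIZE = 1500
MAX_COM_SIZE = 63288
# Infection ID markers quoted in the entry.
EXE_ID_OFFSET = 0x12
EXE_ID_WORD = 0x07B7
COM_ID_OFFSET = 3          # ASSUMPTION: "4th byte" read as zero-based offset 3
COM_ID_BYTE = 0xC3
MARKER_SECONDS = 20        # seconds field of the file timestamp


def dos_time_seconds(time_word: int) -> int:
    """Seconds (0-58, even) encoded in the low 5 bits of a FAT time word,
    for callers that read raw directory entries instead of os.stat()."""
    return (time_word & 0x1F) * 2


def _extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].upper() if "." in name else ""


def is_candidate(name: str, data: bytes) -> bool:
    """Apply the virus's own targeting rules from the entry: *.?YS is skipped,
    only ?OM/?XE/?VL are infected, files under 1500 bytes are skipped, and
    COM files over 63288 bytes are skipped."""
    ext = _extension(name)
    if ext.endswith("YS"):
        return False
    if not (ext.endswith("OM") or ext.endswith("XE") or ext.endswith("VL")):
        return False
    if len(data) < MIN_INFECTABLE_SIZE:
        return False
    if ext.endswith("OM") and len(data) > MAX_COM_SIZE:
        return False
    return True


def nostardamus_indicators(name: str, data: bytes, mtime_seconds: int) -> List[str]:
    """Return the list of markers from the entry that this file exhibits.
    An empty list means no marker was found (or the file is not a target)."""
    hits: List[str] = []
    if not is_candidate(name, data):
        return hits
    ext = _extension(name)
    if ext.endswith("XE") and len(data) >= EXE_ID_OFFSET + 2:
        (word,) = struct.unpack_from("<H", data, EXE_ID_OFFSET)  # little-endian word
        if word == EXE_ID_WORD:
            hits.append("exe-id-word-07B7h-at-12h")
    if ext.endswith("OM") and len(data) > COM_ID_OFFSET:
        if data[COM_ID_OFFSET] == COM_ID_BYTE:
            hits.append("com-id-byte-C3h")
    if mtime_seconds == MARKER_SECONDS:
        hits.append("timestamp-seconds-20")
    return hits


# Constructed samples (not real infected files): an EXE image carrying the
# ID word at offset 12h, and a clean COM image whose 4th byte is a NOP.
SAMPLE_INFECTED_EXE = (b"MZ" + b"\x00" * 0x10 + b"\xB7\x07").ljust(2000, b"\x00")
SAMPLE_CLEAN_COM = b"\xE9\x00\x00\x90".ljust(2000, b"\x00")

if __name__ == "__main__":
    print(nostardamus_indicators("SAMPLE.EXE", SAMPLE_INFECTED_EXE, 20))
    print(nostardamus_indicators("SAMPLE.COM", SAMPLE_CLEAN_COM, 6))
```

The timestamp marker on its own is a weak signal (one file in thirty has a seconds value of 20 by chance under FAT's two-second resolution), so treat it as corroboration for the ID-byte hits rather than as a detection by itself.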