McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• 1024-B

• Nomenclature

• Nomenklatura

• Nomenklatura.A

Characteristics

Nomen is an overwriting, memory resident, file infecting virus. Nomen infects .EXE and .COM files, including COMMAND.COM.

Upon infection, Nomen becomes memory resident at the top of available system memory, but below the 640K DOS boundary. The virus hooks interrupt 21h/4Bh and 21h/3Dh.

Once the virus is memory resident, any .COM or .EXE file (greater in length then approximately 1,023 bytes) that is executed or opened, is infected by the Nomen virus.

Nomen is destructive to the contents of diskettes exposed to infected systems. File corruption occurs randomly, with increasing frequency as the disk becomes more filled with data.

File corruption occurs when the virus swaps a pair of words in the sector buffer. It may also do this to critical system areas such as the File Allocation Table (FAT), boot sector, or directories since it may occur on clusters on the disk. If a file or critical system areas was residing in a corrupted cluster, it also becomes corrupted. Therefore, systems which have been exposed to the Nomen virus must be carefully checked for the integrity of non-infected files and any data files should be considered suspect.

Additional Comments:
The Nomenklatura virus was isolated in August, 1990 in the Netherlands. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. It is not related to the V1024 virus, though it is the same length. The first time a program infected with the Nomenklatura virus is executed on a system, the virus installs itself memory resident at the top of available system memory, but below the 640K DOS boundary. Available system memory will decrease by 1,024 bytes, and interrupt 21 will be hooked by the virus. When the virus is memory resident, any .COM or .EXE program greater in length then approximately 1,023 bytes that is executed or opened for any reason will be infected by the Nomenklatura virus. Infected files will have their file lengths increased by 1,024 bytes. The virus does not hide the increase in file length when the disk directory is displayed. Attempts to execute uninfected programs from a write-protected diskette with the virus in memory will result in a "Sector not found error" message being displayed, and the program not being executed. The Nomenklatura virus is destructive to the contents of diskettes exposed to infected systems. File corruption will randomly occur, with the frequency increasing as the disk becomes more filled with data. The file errors may occur on data files as well program files. This file corruption occurs due to the virus occasionally swapping a pair of words in the sector buffer. It may also do this to critical system areas such as the FAT, boot sector, or directories since it may occur to any clusters on the disk. If a file or critical system area was residing in a corrupted cluster, it will be corrupted. As such, systems which has been exposed to the Nomenklatura virus must be carefully checked as the integrity of non-infected programs and any data files should be considered suspect. The virus has been named Nomenklatura as this text string appears in all programs infected with this virus.

Symptoms

"Nomenklatura" is found as a text string in all infected files.

Attempts to execute uninfected files from a write-protected diskette with the virus in memory results in a "Sector not found error" message being displayed, and the file is not executed.

File errors may occur on data files as well as file files.

Available system memory decreases by 1,024 bytes. Infected files have their file lengths increased by 1,024 bytes.

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• 1024-B

• Nomenclature

• Nomenklatura

• Nomenklatura.A

Characteristics

Characteristics -

Nomen is an overwriting, memory resident, file infecting virus. Nomen infects .EXE and .COM files, including COMMAND.COM.

Upon infection, Nomen becomes memory resident at the top of available system memory, but below the 640K DOS boundary. The virus hooks interrupt 21h/4Bh and 21h/3Dh.

Once the virus is memory resident, any .COM or .EXE file (greater in length then approximately 1,023 bytes) that is executed or opened, is infected by the Nomen virus.

Nomen is destructive to the contents of diskettes exposed to infected systems. File corruption occurs randomly, with increasing frequency as the disk becomes more filled with data.

File corruption occurs when the virus swaps a pair of words in the sector buffer. It may also do this to critical system areas such as the File Allocation Table (FAT), boot sector, or directories since it may occur on clusters on the disk. If a file or critical system areas was residing in a corrupted cluster, it also becomes corrupted. Therefore, systems which have been exposed to the Nomen virus must be carefully checked for the integrity of non-infected files and any data files should be considered suspect.

Additional Comments:
The Nomenklatura virus was isolated in August, 1990 in the Netherlands. This virus is a memory resident infector of .COM and .EXE files, including COMMAND.COM. It is not related to the V1024 virus, though it is the same length. The first time a program infected with the Nomenklatura virus is executed on a system, the virus installs itself memory resident at the top of available system memory, but below the 640K DOS boundary. Available system memory will decrease by 1,024 bytes, and interrupt 21 will be hooked by the virus. When the virus is memory resident, any .COM or .EXE program greater in length then approximately 1,023 bytes that is executed or opened for any reason will be infected by the Nomenklatura virus. Infected files will have their file lengths increased by 1,024 bytes. The virus does not hide the increase in file length when the disk directory is displayed. Attempts to execute uninfected programs from a write-protected diskette with the virus in memory will result in a "Sector not found error" message being displayed, and the program not being executed. The Nomenklatura virus is destructive to the contents of diskettes exposed to infected systems. File corruption will randomly occur, with the frequency increasing as the disk becomes more filled with data. The file errors may occur on data files as well program files. This file corruption occurs due to the virus occasionally swapping a pair of words in the sector buffer. It may also do this to critical system areas such as the FAT, boot sector, or directories since it may occur to any clusters on the disk. If a file or critical system area was residing in a corrupted cluster, it will be corrupted. As such, systems which has been exposed to the Nomenklatura virus must be carefully checked as the integrity of non-infected programs and any data files should be considered suspect. The virus has been named Nomenklatura as this text string appears in all programs infected with this virus.

Symptoms

Symptoms -

"Nomenklatura" is found as a text string in all infected files.

Attempts to execute uninfected files from a write-protected diskette with the virus in memory results in a "Sector not found error" message being displayed, and the file is not executed.

File errors may occur on data files as well as file files.

Available system memory decreases by 1,024 bytes. Infected files have their file lengths increased by 1,024 bytes.

Method of Infection

Method of Infection -

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal -

Removal -

All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

Additional Windows ME/XP removal considerations

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

Variants

Variants -

N/A