McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Natas.4746

Characteristics

Natas (Satan spelled backwards) is a memory resident stealth virus which infects the system hard disk's Master Boot Record (MBR), diskette Boot Sectors, .COM, .EXE, and .OVL files, including COMMAND.COM. This virus is also highly polymorphic.

When the first Natas infected program is executed, this virus infects the hard disk MBR (the sector containing the hard disk partition table), as well as the boot copy of COMMAND.COM. Once the Natas virus is memory resident, it will infect .COM, .EXE and .OVL files as they are accessed. The virus will be located at the end of all infected files, although it will not be visible when the virus is memory resident as Natas hides the infection (Stealth technique). The program's date and time in the DOS Disk Directory listing is not altered.

The Natas virus can cause destruction of hard disk information. The virus string contains an algorithm that holds a 1-in-512 probability of rewriting sections of the hard disk whenever a file or boot sector infected with the virus is accessed. This event may also be triggered by attempting to use a debugger to disassemble the virus. Once the virus is removed, there may also be damage to the partition table.

Additional Comments:
The Natas or Natas.4746 virus was received in June, 1994. It's source code is rumored to have been distributed late last year in an issue of 40-Hex magazine. Natas is a memory resident stealth virus which infects the system hard disk's Master Boot Record, diskette boot sectors, .COM, .EXE, and overlay files, including COMMAND.COM. This virus is also highly polymorphic. When the first Natas infected program is executed, this virus will infect the hard disk master boot record (the sector containing the hard disk partition table), as well the boot copy of COMMAND.COM. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 5,664 bytes. Once the Natas virus is memory resident, it will infect .COM, .EXE, and overlay files when they are executed, opened, or copied. Infected programs will have a file length increase of 4,746 bytes, though the file length increase will not be visible with the virus memory resident. The virus will be located at the end of all infected files, although it will not be visible when the virus is memory resident as Natas hides the infection. The program's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the viral code in all Natas infected programs: "Natas" The DOS CHKDSK program will indicate Allocation Errors on all infected files when the virus is memory resident. System hangs may occur when infected programs are executed. The Natas virus is a destructive virus. Each time an infected program is executed, or the system is booted from an infected disk, the virus has a 1-in-512 probability of overwriting a large portion of the first system hard disk. This event may also be triggered by attempting to use a debugger to disassemble the virus. Known variant(s) of Natas are:

Symptoms

The following text string is encrypted within the viral code in all Natas infected programs:

"Natas"

Total system memory and free memory decreases by 5,664 bytes. The DOS CHKDSK program will also indicate Allocation Errors on all infected files when the virus is memory resident. Infected files will have a file length increase of 4,746 bytes. The file length increase is not visible with the virus memory resident.

Natas also may cause the system to hang, when an infected file is accessed.

Method of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal

-

Variants

Variants

• Natas.4740
• Natas.4744
• Natas.4774
• Natas.4988

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

• Natas.4746

Characteristics

Characteristics -

Natas (Satan spelled backwards) is a memory resident stealth virus which infects the system hard disk's Master Boot Record (MBR), diskette Boot Sectors, .COM, .EXE, and .OVL files, including COMMAND.COM. This virus is also highly polymorphic.

When the first Natas infected program is executed, this virus infects the hard disk MBR (the sector containing the hard disk partition table), as well as the boot copy of COMMAND.COM. Once the Natas virus is memory resident, it will infect .COM, .EXE and .OVL files as they are accessed. The virus will be located at the end of all infected files, although it will not be visible when the virus is memory resident as Natas hides the infection (Stealth technique). The program's date and time in the DOS Disk Directory listing is not altered.

The Natas virus can cause destruction of hard disk information. The virus string contains an algorithm that holds a 1-in-512 probability of rewriting sections of the hard disk whenever a file or boot sector infected with the virus is accessed. This event may also be triggered by attempting to use a debugger to disassemble the virus. Once the virus is removed, there may also be damage to the partition table.

Additional Comments:
The Natas or Natas.4746 virus was received in June, 1994. It's source code is rumored to have been distributed late last year in an issue of 40-Hex magazine. Natas is a memory resident stealth virus which infects the system hard disk's Master Boot Record, diskette boot sectors, .COM, .EXE, and overlay files, including COMMAND.COM. This virus is also highly polymorphic. When the first Natas infected program is executed, this virus will infect the hard disk master boot record (the sector containing the hard disk partition table), as well the boot copy of COMMAND.COM. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 5,664 bytes. Once the Natas virus is memory resident, it will infect .COM, .EXE, and overlay files when they are executed, opened, or copied. Infected programs will have a file length increase of 4,746 bytes, though the file length increase will not be visible with the virus memory resident. The virus will be located at the end of all infected files, although it will not be visible when the virus is memory resident as Natas hides the infection. The program's date and time in the DOS disk directory listing will not be altered. The following text string is encrypted within the viral code in all Natas infected programs: "Natas" The DOS CHKDSK program will indicate Allocation Errors on all infected files when the virus is memory resident. System hangs may occur when infected programs are executed. The Natas virus is a destructive virus. Each time an infected program is executed, or the system is booted from an infected disk, the virus has a 1-in-512 probability of overwriting a large portion of the first system hard disk. This event may also be triggered by attempting to use a debugger to disassemble the virus. Known variant(s) of Natas are:

Symptoms

Symptoms -

The following text string is encrypted within the viral code in all Natas infected programs:

"Natas"

Total system memory and free memory decreases by 5,664 bytes. The DOS CHKDSK program will also indicate Allocation Errors on all infected files when the virus is memory resident. Infected files will have a file length increase of 4,746 bytes. The file length increase is not visible with the virus memory resident.

Natas also may cause the system to hang, when an infected file is accessed.

Method of Infection

Method of Infection -

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Removal -

Removal -

-

Variants

Variants -

• Natas.4740
• Natas.4744
• Natas.4774
• Natas.4988