This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot, and FDISK /MBR will make the machine unbootable.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.
You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.
Neuroquila also encrypts the DOS boot sector on hard drives, making recovery even more difficult. On diskettes, the virus formats an additional track on which its stores its code.
Neuroquila, which is also known by the names Neuro.Havoc and Wedding, tries to load its code to the upper memory area. If there is no upper memory area available, the virus enlarges the stack memory area (STACKS) and places its code there. Neuroquila uses tunneling techniques to by-pass anti-virus programs
Neuroquila is a polymorphic virus. It contains a complex polymorphic engine which is capable of creating several different decryption modules. The variation of the decryption routines is based on the system's clock. While in memory, the virus employs versatile stealth virus techniques to hide the changes it has made to the boot sectors and files. When infected files are examined in a clean environment, they can be seen to have grown by 4644-4675 bytes.
Neuroquila is also a retrovirus. It mounts attacks against several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a QEMM utility program) are loaded from CONFIG.SYS, the virus prevents them from being started. Neuroquila tries to modify the programs TBDRIVER, TBDISK, VSAFE and -D while they are in memory, and alters the partition protection created by the TBUTIL program. In addition to this, the virus is able to by-pass the error message Windows gives of a 32-bit disk operation mode, a stumbling block of many other boot sector viruses.
After Neuroquila has resided in a computer for some months, it displays the message:
HAVOC by Neurobasher'93/Germany -GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-
See: Tremor, Alphastrike, Nightfall
[Based on analysis by Stefan Kurtzhals]