Neuroquila

Classification

Malware

-

-

Neuroquila, Wedding, Havoc, Neurobasher

Summary

This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot, and FDISK /MBR will make the machine unbootable.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Neuroquila also encrypts the DOS boot sector on hard drives, making recovery even more difficult. On diskettes, the virus formats an additional track on which its stores its code.

Neuroquila, which is also known by the names Neuro.Havoc and Wedding, tries to load its code to the upper memory area. If there is no upper memory area available, the virus enlarges the stack memory area (STACKS) and places its code there. Neuroquila uses tunneling techniques to by-pass anti-virus programs

Neuroquila is a polymorphic virus. It contains a complex polymorphic engine which is capable of creating several different decryption modules. The variation of the decryption routines is based on the system's clock. While in memory, the virus employs versatile stealth virus techniques to hide the changes it has made to the boot sectors and files. When infected files are examined in a clean environment, they can be seen to have grown by 4644-4675 bytes.

Neuroquila is also a retrovirus. It mounts attacks against several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a QEMM utility program) are loaded from CONFIG.SYS, the virus prevents them from being started. Neuroquila tries to modify the programs TBDRIVER, TBDISK, VSAFE and -D while they are in memory, and alters the partition protection created by the TBUTIL program. In addition to this, the virus is able to by-pass the error message Windows gives of a 32-bit disk operation mode, a stumbling block of many other boot sector viruses.

After Neuroquila has resided in a computer for some months, it displays the message:

HAVOC by Neurobasher'93/Germany
 -GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-

See: Tremor, Alphastrike, Nightfall

[Based on analysis by Stefan Kurtzhals]

Date Created: -

Date Last Modified: -