Neuroquila also encrypts the DOS boot sector on hard drives, making recovery even more difficult. On diskettes, the virus formats an additional track on which its stores its code.
Neuroquila, which is also known by the names Neuro.Havoc and Wedding, tries to load its code to the upper memory area. If there is no upper memory area available, the virus enlarges the stack memory area (STACKS) and places its code there. Neuroquila uses tunneling techniques to by-pass anti-virus programs
Neuroquila is a polymorphic virus. It contains a complex polymorphic engine which is capable of creating several different decryption modules. The variation of the decryption routines is based on the system's clock. While in memory, the virus employs versatile stealth virus techniques to hide the changes it has made to the boot sectors and files. When infected files are examined in a clean environment, they can be seen to have grown by 4644-4675 bytes.
Neuroquila is also a retrovirus. It mounts attacks against several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a QEMM utility program) are loaded from CONFIG.SYS, the virus prevents them from being started. Neuroquila tries to modify the programs TBDRIVER, TBDISK, VSAFE and -D while they are in memory, and alters the partition protection created by the TBUTIL program. In addition to this, the virus is able to by-pass the error message Windows gives of a 32-bit disk operation mode, a stumbling block of many other boot sector viruses.
After Neuroquila has resided in a computer for some months, it displays the message:
HAVOC by Neurobasher'93/Germany
See: Tremor, Alphastrike, Nightfall
[Based on analysis by Stefan Kurtzhals]