Neuroquila

Classification

Category :

Malware

Type :

-

Aliases :

Neuroquila, Wedding, Havoc, Neurobasher

Summary

This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot, and FDISK /MBR will make the machine unbootable.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Neuroquila also encrypts the DOS boot sector on hard drives, making recovery even more difficult. On diskettes, the virus formats an additional track on which its stores its code.

Neuroquila, which is also known by the names Neuro.Havoc and Wedding, tries to load its code to the upper memory area. If there is no upper memory area available, the virus enlarges the stack memory area (STACKS) and places its code there. Neuroquila uses tunneling techniques to by-pass anti-virus programs

Neuroquila is a polymorphic virus. It contains a complex polymorphic engine which is capable of creating several different decryption modules. The variation of the decryption routines is based on the system's clock. While in memory, the virus employs versatile stealth virus techniques to hide the changes it has made to the boot sectors and files. When infected files are examined in a clean environment, they can be seen to have grown by 4644-4675 bytes.

Neuroquila is also a retrovirus. It mounts attacks against several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a QEMM utility program) are loaded from CONFIG.SYS, the virus prevents them from being started. Neuroquila tries to modify the programs TBDRIVER, TBDISK, VSAFE and -D while they are in memory, and alters the partition protection created by the TBUTIL program. In addition to this, the virus is able to by-pass the error message Windows gives of a 32-bit disk operation mode, a stumbling block of many other boot sector viruses.

After Neuroquila has resided in a computer for some months, it displays the message:

HAVOC by Neurobasher'93/Germany
 -GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-

See: Tremor, Alphastrike, Nightfall