The Nice virus was found for the first time in Hong Kong in January, 1994. Two weeks later a minor variant of this virus was found in completely different part of the world, in the most northern part of the Scandinavian Lapland. This variant was named Nice.B, and it had arrived to Lapland with a set of video driver diskettes provided with new video cards.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note: You need administrative rights to change the settings.
F-Secure Ltd. located the manufacturer of the video cards in question in Hong Kong. However, the original diskettes were found to be clean. Obviously the virus had infected the driver diskettes on the way from Hong Kong to Lapland. So far, this infection case seems to be of global scale.
The Nice virus will first infect three COM and EXE files in the current directory. After that, it will do the same in C:\DOS directory. Nice will not infect files that have the read-only attribute set.
Nice overwrites the 277 bytes of the victim files with its own code. This means that the infected files are irreparably damaged, and the only way to fix them is to reinstall or to restore from backups.
After finishing its infection routine, the virus will display the text "Bad Command or file name", and finish its execution. The virus probably does this in order to conceal its presence a little bit, as the user might just think the he made a mistake while typing the programs name.
The size of the infected files will change only if the original length is smaller than 277 bytes. The timestamp of the infected files will be updated to infection time - this makes it easier to spot the infected files.
The virus does not stay resident in memory and is very simple in operation. It does not encrypt its code and does not contain any activation mechanism.
The only way to disinfect the files is to replace them with clean originals.