Nutmeg.409 Spyware/Adware Definition
Name: Nutmeg.409
Category: Viruses
Description:
Details
Nutmeg.4096
It is a harmless memory resident multipartite virus. It infects EXE files and the MBR of the hard drive. The most interesting feature of this virus is that it is mostly written in Pascal (a high level language); only the virus loader code that runs on booting from an infected disk is not. The main virus code is also compressed with the LzExe utility: the resulting virus is just 4Kb long, while the unpacked EXE virus image is about 10Kb.
When an infected file is executed, the virus drops its code to the hard drive: it saves a loading program to the MBR of the hard drive and the complete virus body to the disk sectors that follow. The virus then temporarily disinfects and executes the host file, hooks INT 28h and stays memory resident. On each INT 28h call (DOS idle) the virus obtains the name of the active program and infects it. While infecting, the virus shifts the file down by 4096 bytes and writes its code to the top of the file.
On loading from an infected MBR the virus hooks INT 1Ch (timer), waits for DOS to finish loading, then hooks INT 21h and releases INT 1Ch. When the first program is executed, the virus creates a randomly named file on drive C:, writes the complete 4Kb virus code (a compressed EXE file) to it, and appends a reference to this file at the end of C:\AUTOEXEC.BAT. When this virus dropper is executed from AUTOEXEC.BAT as DOS continues loading, the virus behaves as if it had been executed from an infected EXE file (installs itself memory resident, etc.), but also removes the reference from AUTOEXEC.BAT and deletes its host file.
The virus contains the text strings:
AUTOEXEC.BAT
[NUTMEG2] by Vecna/29A
This virus was written in Brasil, in 1998
QUEREMOS ROMARIO DE VOLTA NA SELECAO, ZAGALLO BURRO
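The description above gives three on-disk artefacts a scanner can look for: the text strings, a host EXE shifted down by exactly 4096 bytes behind the prepended virus code, and a trailing reference appended to AUTOEXEC.BAT. The following Python is an added example, not code from the original page; it assumes the strings are visible in plain form in the first 4096 bytes (the page does not say whether LzExe packing hides them, so a miss is inconclusive) and that the shifted host still starts with an MZ header. The sample EXE and AUTOEXEC.BAT contents are constructed.

```python
# Added example, not code from the original page: heuristic checks for the
# on-disk artefacts the description gives for Nutmeg.4096. Assumptions: the
# listed strings appear in plain form in the prepended 4096-byte region (the
# page does not say whether LzExe packing hides them, so a miss is
# inconclusive), and the shifted host still starts with an MZ header.
from typing import Iterable, List

PREPEND_SIZE = 4096  # the host file is shifted down by this many bytes
SIGNATURE_STRINGS = [
    b"[NUTMEG2] by Vecna/29A",
    b"QUEREMOS ROMARIO DE VOLTA NA SELECAO, ZAGALLO BURRO",
]

def exe_findings(data: bytes) -> List[str]:
    """Return indicators found in one EXE image (empty list if none)."""
    findings = []
    head = data[:PREPEND_SIZE]  # virus code is written to the top of the file
    for s in SIGNATURE_STRINGS:
        if s in head:
            findings.append("signature string in first 4096 bytes: " + s.decode())
    # Prepender heuristic: a second MZ header exactly PREPEND_SIZE bytes in.
    if data[:2] == b"MZ" and data[PREPEND_SIZE:PREPEND_SIZE + 2] == b"MZ":
        findings.append("second MZ header at offset 4096 (shifted host)")
    return findings

def autoexec_findings(text: str, allowed_commands: Iterable[str]) -> List[str]:
    """Flag the last AUTOEXEC.BAT line when its command is not allowlisted.
    The dropper's file name is random, so an allowlist supplied by the caller
    is the practical check for the appended reference."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    last = lines[-1]
    if last.split()[0].upper() not in {c.upper() for c in allowed_commands}:
        return ["unexpected trailing AUTOEXEC.BAT entry: " + last]
    return []

def build_sample_infected_exe() -> bytes:
    """Constructed sample (not a real infected file): 4096 bytes of fake
    prepended code holding the strings, then a fake MZ host."""
    region = b"MZ" + b"\x00" * 64 + SIGNATURE_STRINGS[0] + b"\x00" * 32 + SIGNATURE_STRINGS[1]
    return region.ljust(PREPEND_SIZE, b"\x00") + b"MZ" + b"\x90" * 256

if __name__ == "__main__":
    print(exe_findings(build_sample_infected_exe()))
    # Constructed AUTOEXEC.BAT with a made-up random file name appended.
    print(autoexec_findings("@ECHO OFF\nPATH C:\\DOS\nC:\\XQZ1K.EXE\n", ["@ECHO", "PATH"]))
```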