Windows 7 Forums


Windows 7: I caught the Neuroquila virus


01 Aug 2010   #1
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 
I caught the Neuroquila virus

Norton alerted me of this bugger whilst I was browsing the forum. Norton has quarantined it. But I wonder whether anybody ever saw this bugger and whether it could have further consequences. It seems to originate from my home country Germany - which does not make it more likeable.





01 Aug 2010   #2

 
 

That's interesting, you were browsing the forum when you caught it? Hope I don't get it.
01 Aug 2010   #3

Windows® 8 Pro (64-bit)
 
 

Norton and F-Secure definitions are capable of removing this virus completely. Good to know that you're using Norton.


01 Aug 2010   #4

64-bit Windows 8.1 Pro
 
 

Quote:
This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot, and FDISK /MBR will make the machine unbootable.
source

Wolfgang.... This looks like a really nasty virus .. I wouldn't take any chances with this one. Do you have a system image that you can restore??
01 Aug 2010   #5

windows 7 ultimate 64 bit,Windows 7 ultimate 32 bit,Windows XP sp3 home
 
 

Quote: Originally Posted by whs
Norton alerted me of this bugger whilst I was browsing the forum.


Quote:
Neuroquila
NAME: Neuroquila
ALIAS: Wedding, Havoc, Neurobasher
TYPE: Stealth EXE-files MBR
SIZE: 4644-4675
ORIGIN: Germany
REPAIR: No


This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot, and FDISK /MBR will make the machine unbootable.

Neuroquila also encrypts the DOS boot sector on hard drives, making recovery even more difficult. On diskettes, the virus formats an additional track on which it stores its code.

Neuroquila, which is also known by the names Neuro.Havoc and Wedding, tries to load its code to the upper memory area. If there is no upper memory area available, the virus enlarges the stack memory area (STACKS) and places its code there. Neuroquila uses tunneling techniques to by-pass anti-virus programs.

Neuroquila is a polymorphic virus. It contains a complex polymorphic engine which is capable of creating several different decryption modules. The variation of the decryption routines is based on the system's clock. While in memory, the virus employs versatile stealth virus techniques to hide the changes it has made to the boot sectors and files. When infected files are examined in a clean environment, they can be seen to have grown by 4644-4675 bytes.

Neuroquila is also a retrovirus. It mounts attacks against several anti-virus programs. If VIRSTOP or DOSDATA.SYS (a QEMM utility program) are loaded from CONFIG.SYS, the virus prevents them from being started. Neuroquila tries to modify the programs TBDRIVER, TBDISK, VSAFE and -D while they are in memory, and alters the partition protection created by the TBUTIL program. In addition to this, the virus is able to by-pass the error message Windows gives of a 32-bit disk operation mode, a stumbling block of many other boot sector viruses.

After Neuroquila has resided in a computer for some months, it displays the message:

HAVOC by Neurobasher'93/Germany
-GRIPPED-BY-FEAR-UNTIL-DEATH-US-DO-PART-

See: Tremor, Alphastrike, Nightfall

[Based on analysis by Stefan Kurtzhals]
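
The quoted description says the replacement MBR carries no partition data, which is why the disk cannot be seen after a clean boot and why FDISK /MBR is destructive in that state. As an added example (not part of the original post or of the quoted analysis), this Python check inspects a 512-byte sector image and refuses a boot-code rewrite when the partition table is empty; the function names and sample sectors are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # 0x1BE: four 16-byte partition entries start here
ENTRY_SIZE = 16
ENTRY_FORMAT = "<B3xB3xII"    # status, (CHS), type, (CHS), LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a bootable sector


def parse_partition_table(sector: bytes) -> list:
    """Return the in-use entries of a classic MBR partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for slot in range(4):
        offset = TABLE_OFFSET + slot * ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype != 0 and count != 0:  # type 0 marks an unused slot
            entries.append({"slot": slot, "active": status == 0x80,
                            "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def assess_mbr(sector: bytes) -> str:
    """Classify a sector image read after a clean boot."""
    entries = parse_partition_table(sector)
    if sector[510:512] != BOOT_SIGNATURE:
        return "no-boot-signature"
    if not entries:
        # Boot signature present but no partition data: the state the quote describes.
        return "bootable-but-no-partition-data"
    return "partition-table-present"


def safe_to_rewrite_boot_code(sector: bytes) -> bool:
    """Rewriting boot code only makes sense if the table it relies on is there."""
    return assess_mbr(sector) == "partition-table-present"


def build_sample(entries) -> bytes:
    """Construct a sample sector (illustrative data, not a real disk image)."""
    sector = bytearray(SECTOR_SIZE)
    for slot, fields in enumerate(entries):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + slot * ENTRY_SIZE, *fields)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


NORMAL_MBR = build_sample([(0x80, 0x06, 63, 204800)])  # one active FAT16 partition
EMPTY_TABLE_MBR = build_sample([])                     # signature only, no entries
```

An empty table on a disk that used to hold partitions is a reason to image the disk and stop, not to run a generic MBR repair.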
01 Aug 2010   #6
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Quote: Originally Posted by Tews
Quote:
This complex virus infects EXE files, hard disk MBRs and diskette boot sectors. On hard disks, the virus encrypts the original MBR and moves it to a different part of the disk, writing its own code in its place. Since the new MBR of an infected hard disk does not contain partition data, the hard disk cannot be seen after a clean diskette boot, and FDISK /MBR will make the machine unbootable.
source

Wolfgang.... This looks like a really nasty virus .. I wouldn't take any chances with this one. Do you have a system image that you can restore??

I have system images. I make one every morning. But since Norton quarantined it and the system seems to work normally, I will still watch it for a while. But this may be a long-term threat. I have sent a PM to Corinne to get her opinion on it.
01 Aug 2010   #7

64-bit Windows 8.1 Pro
 
 

More than likely, you will be ok... I'm just anal about stuff like that, once infected, I always restore to my latest backup image... better safe than sorry..
01 Aug 2010   #8
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Quote: Originally Posted by Tews
More than likely, you will be ok... I'm just anal about stuff like that, once infected, I always restore to my latest backup image... better safe than sorry..

You have a good point. Especially as this bugger seems to linger around dormant for a few weeks before it starts its act. I will wait for Corinne's opinion - she is the expert.
01 Aug 2010   #9
Microsoft MVP

Windows 7 Ultimate 32bit SP1
 
 

edb.chk is a checkpoint file (InformIT: Understanding Active Directory Services > Active Directory Support Files).
This may be a false positive on Norton's part.
01 Aug 2010   #10
whs
Microsoft MVP

Vista, Windows7, Mint Mate, Zorin, Windows 8
 
 

Quote: Originally Posted by Jacee
edb.chk is a checkpoint file (InformIT: Understanding Active Directory Services > Active Directory Support Files).
This may be a false positive on Norton's part.

Yeah, I saw that too. But I am just a little leery about the thing. Are you sure it is harmless?