The Natas Virus
 
What is the Natas Virus?

The Natas virus is a multipartite virus, which means it infects program files
as well as the DOS boot sector on floppies and the master boot record (MBR) on
hard drives. It is also a polymorphic, stealth virus. The word Natas is
Satan spelled backwards.

The virus code is two sectors in length and it reserves 6k of memory by
modifying the available-memory word at 40:13. Thus, on a 640k machine, MEM
would report 634k and CHKDSK would report 649216 bytes of free memory. 

The Natas virus will stealth the infected MBR if it is in memory. The virus
name "Natas" can be seen near the end of the last virus sector using a disk
editor. Infected files grow by 4744 bytes, but the change in size is
stealthed if the virus is in memory. The name "Natas" is in the encrypted
portion of the virus body and is thus not visible. The virus decryptor is
extremely polymorphic. The virus contains no intentionally damaging routines
and does not affect data files. The virus appears to be incompatible with
some memory managers; problems have been reported when QEMM386 and DOS EMM386
become infected. The virus was evidently programmed by the programmer of the
Sat_Bug (Satan Bug, or Satan) virus.
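
The two observable effects described above (the lowered memory word at 40:13
and the 4744-byte growth that is hidden while the virus is resident) can be
checked from captured data. The following Python is an added example, not part
of the original advisory or of Norton AntiVirus; the function names, the
low-memory dump and the two directory listings are constructed assumptions.

```python
import struct

VIRUS_LEN = 4744      # growth of an infected file, as stated on this page
RESERVED_KB = 6       # memory the page says the virus reserves
TARGETS = (".COM", ".EXE", ".OVL")   # file types the page lists

def base_memory_kb(low_mem: bytes) -> int:
    """Available-memory word at 0040:0013 (physical 0x413), little-endian.
    low_mem is a dump of physical memory starting at address 0."""
    return struct.unpack_from("<H", low_mem, 0x413)[0]

def memory_finding(low_mem: bytes, installed_kb: int = 640) -> str:
    """Classify the gap between installed memory and the reported word."""
    missing = installed_kb - base_memory_kb(low_mem)
    if missing == 0:
        return "ok"
    if missing == RESERVED_KB:
        return "suspect"   # exactly the 6k this page describes
    return "review"        # other resident code or BIOS data also lowers it

def size_stealth_hits(resident_view: dict, clean_view: dict) -> list:
    """Cross-view check: files whose size seen after a clean boot exceeds the
    size reported while booted from the suspect disk by exactly VIRUS_LEN."""
    hits = []
    for name, clean_size in sorted(clean_view.items()):
        if not name.upper().endswith(TARGETS):
            continue   # the page says data files are not affected
        seen = resident_view.get(name)
        if seen is not None and clean_size - seen == VIRUS_LEN:
            hits.append(name)
    return hits

# Constructed sample data (not taken from a real system).
SAMPLE_LOW_MEM = bytearray(0x500)
struct.pack_into("<H", SAMPLE_LOW_MEM, 0x413, 634)  # 640k machine, 6k reserved
SAMPLE_RESIDENT = {"GAME.EXE": 20000, "COMMAND.COM": 47845, "README.TXT": 900}
SAMPLE_CLEAN = {"GAME.EXE": 24744, "COMMAND.COM": 52589, "README.TXT": 900}

if __name__ == "__main__":
    dump = bytes(SAMPLE_LOW_MEM)
    print(base_memory_kb(dump), memory_finding(dump))
    print(size_stealth_hits(SAMPLE_RESIDENT, SAMPLE_CLEAN))
```

The size comparison only works when the second listing is taken after booting
from a clean, write-protected diskette, because the growth is stealthed while
the virus is in memory.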

The Natas virus has been distributed as commented source code. It is widely
reported in Mexico and has appeared in Los Angeles, New York, and Virginia.

How does the Natas Virus Spread?

Since this is a multipartite (infects both the boot record and program files)
virus, you can get infected by two methods. 

Method 1: Activating a program file.

The first method is running a program that is infected with the Natas virus.
An example would be typing GAME.EXE from a command line (if this was an
infected program). The program will start to run and reach the viral code,
which will load itself into memory and infect the Boot Record of the hard
drive.

The next time the computer is rebooted the Natas virus will be loaded into
memory because the virus is part of the Master Boot Record of the hard drive.
Now that the memory is infected with the Natas virus, its purpose is to
infect any files that you launch or execute and attach itself to these
programs.

Along with infecting all program files, the Natas virus will also infect the
boot record of any diskettes that are accessed. All floppies have a boot
sector, even if they are non-system (non-bootable) diskettes.

The Natas virus will infect *.COM, *.EXE, *.OVL, and COMMAND.COM files.



Method 2: Booting from an infected diskette.

Any time you start or reset your computer with a system (bootable) or
non-system (non-bootable) diskette, the computer will read the boot sector of
the diskette. Since the Natas virus is contained in the boot sector, the
virus will activate, move into memory and then infect your hard drive. You
will not see this activity at all. This happens so quickly that you will
either receive an error message such as "non-system disk or disk error,
replace and press enter", or the computer system will boot up to the A: drive.

Regardless, if you attempt to boot from an infected diskette, your hard
drive will be infected with the Natas virus. As in the first method, the
Natas virus, once booted up into memory, will infect both program files and
floppy boot records.



How to repair the Natas Virus:

If Hard Drive is Infected with the Natas Virus:

To repair the Natas virus, first power off the system, and then reboot from
drive A: with a write-protected system (bootable) diskette that has the same
version of DOS that is installed on the hard drive. 

Use the following repair procedure:

Boot from a non-infected MSDOS system (bootable) diskette on drive A:

        Run the Norton AntiVirus DOS Clinic (NAV.EXE) from either the
        original installation diskettes or from your hard drive.

        Select All Local Hard Drives and press Enter.

        Once the Natas virus is detected (but not in memory), choose the
        Repair option and press Enter. The boot record and most, if not all,
        program files will be infected on the hard drive. Make sure that you
        select REPAIR ALL.

        Rescan all hard drives.

        If the Natas virus is detected in memory, then the system (bootable)
        diskette is also infected.

Note: You must scan all your diskettes for the Natas virus.



If Floppy Diskette is Infected with the Natas Virus:

Make sure you do not try to reboot with this diskette. If you do, you will
infect your hard drive.

Scan your floppies. If either the boot record or files are infected, choose
Repair and Repair All.

If Norton AntiVirus does not repair this virus, it is because you do not
have Norton AntiVirus 3.0 and/or you do not have the latest definitions
file for your version of Norton AntiVirus. If this is the case, you can
always reformat the diskette that is infected with the Natas virus.

Virus Library Description Information
Virus Information:
Virus Names and Aliases:  The most common names by which the virus is known.
Infects: Defines where the virus attacks or infects
 (Boot Records or File Infector).
Likelihood: Options are: Common and Rare.
Length: Length, in bytes, of the virus code.

Characteristics:
Memory Resident: Stays in memory after it activates.
Size Stealth: Tries to conceal itself from detection by disguising its size.
Full Stealth: Tries to conceal itself from detection by disguising its size and attributes.
Triggered Event: Performs some action based on certain criteria
        (for example a date on the computer's system clock).
Encrypting: Encrypts its code to make detection more difficult.
Polymorphic: Appears differently in each infected file.

Virus Name:   Natas (1)
Aliases:      
Infects:      .COM and .EXE Files
Likelihood:   Common
Length:       4744 bytes

Characteristics:
Memory Resident:  Yes
Size Stealth:     Yes
Full Stealth:     No
Triggered Event:  No
Encrypting:       Yes
Polymorphic:      Yes


Comments
No additional information.



