Nutcracker
Type Multipartite virus
Creator
Date Discovered 1994-1996
Place of Origin Brest, Belarus
Source Language
Platform DOS
File Type(s) .com, .exe
Infection Length 1,924 bytes
Reported Costs

Nutcracker is a large family of memory-resident DOS viruses that appeared in the mid-1990s. They appear to be wholly or mostly the work of the same coder. Many are destructive, erasing hard drives or hanging systems. Aside from their destructive payloads, they also introduce some interesting encryption and stealth implementations.

Behavior

When a file infected with Nutcracker is executed, the virus installs itself at the top of conventional memory, just below the 640K DOS boundary. It then begins its unusual infection routine, infecting .com and .exe files as they are executed, including COMMAND.COM, and converting .exe files to .com in the process.

The virus reads a block of data from the middle of the file, encrypts it and writes it to the end of the file. Some variants compress this block before encrypting it. The virus then encrypts itself with a polymorphic algorithm, writes its body into the middle of the file and its decryption procedure at the end of the file. The original variant uses only one decryption cycle; some variants use as many as 23.

Nutcracker intercepts INT 8h and prevents the screen from being refreshed.

The following text can be found in the virus body:

Dedicated to N.L.A. - my little baby.
        (c) by Kind Nutcracker(AB1)

Variants

The Nutcracker family has over 40 variants, a few of which introduce new and interesting features, such as new stealth abilities or damage routines.

Nutcracker.AB0

This variant intercepts INT 8h, 15h and 40h, and writes itself to the Master Boot Record of hard drives and the boot sectors of floppy disks. It infects the Master Boot Record when the system is booted from an infected floppy disk, and overwrites the address of the active boot sector of the disk, writing its code there. Floppy disks are infected when they are accessed. While infecting sectors, it writes the original sector to the hard drive or formats an additional sector on the floppy. While infecting the MBR, the virus uses direct calls to the hard drive ports.

When booting from an infected disk, the virus intercepts INT 8h, 15h and 40h, waits for DOS to boot, temporarily intercepts INT 21h, waits for any program to run, and then copies its code to a UMB (if such memory is present) or appends itself to the last block of conventional DOS memory. To intercept INT 15h, the virus patches the DOS kernel code, writing a call to INT 7Eh there, and then intercepts INT 7Eh (which thereby stands in for INT 15h). By intercepting INT 15h, the virus monitors internal BIOS calls for keyboard access (waiting for Ctrl-Alt-Del to be pressed) and for disk access, which it uses to implement its stealth routine.

This variant has payloads that range from amusing to dangerous. Depending on the system time, a bouncing ball similar to that of Pingpong appears on the screen. When the user presses Ctrl-Alt-Del, the virus erases sectors pseudo-randomly, depending on its flags and the system timer. On April 7, it decrypts and displays the message "0S0U0P0E0R0U0N0K0N0O0W0N0 was done by Lord Nutcracker(AB0)." If an error occurs when booting from an infected disk, it decrypts and displays a standard DOS message:

    Non-system disk or disk error.

    Replace and press strike any key when ready.

Nutcracker.AB1 Variants

Nutcracker.AB1.Antarex.2620

This variant encrypts the headers of EXE files. If a file is longer than 64 kilobytes, it becomes corrupted. If the system has been disinfected but the files have not been replaced, this may cause system hangs. While the virus is in memory, the files run normally, since the virus decrypts the encrypted sectors on the fly.

It also writes trojan code into SYS and BIN files, which on the 12th of the month destroys the contents of CMOS memory. It contains the following text in its body:

        ANTAREX, and 
        Run me, pleace!
        (c) by Nutcracker(AB1)

Nutcracker.AB1.Antarex.2244

If it cannot obtain sufficient free memory using the memory management functions, it destroys the contents of CMOS memory. This variant sometimes plays songs from Russian children's shows. It contains the text:

        ANTEREX
        (c) by Kind Nutcracker(AB1)

Nutcracker.AB1.2722

Very similar to Nutcracker.AB1.Antarex.2620, except for the text:

        Nomina sunt odiosa
        (c) by Nutcracker(AB1)

Nutcracker.AB2 Variants

All Nutcracker.AB2 variants are capable of infecting the Master Boot Record as well as .com, .exe, .sys and .bin files. The AB2 variants have a powerful polymorphic mechanism in which .com, .exe and .sys files (provided the .sys files are over 6,425 bytes long) receive multiple decryptors that decrypt other decryptors. They hook INT 21h to infect files, INT 13h to infect floppy disks, and INT 1Ch to play sounds. If viewed under a debugger, the virus may hang the system.

Variants with lengths of 2,890, 2,990, 3,021, 3,427, 5,375, 5,413, 5,440, 5,589, 6,082 and 6,100 bytes cannot spread on a Pentium processor. .exe files of less than 64 kilobytes are converted to .com files. For both .com and .exe files, the virus moves the middle section of the original program code to the end of the file and writes its own code into that middle section. When infecting .bin and .sys files, the viral code is appended to the files unencrypted.

When an infected file is executed, the virus infects the master boot record of the hard drive and then returns control to the carrier program. When the system boots from an infected drive, the virus intercepts INT 1Ch, waits for DOS to boot and then intercepts INT 13h, INT 21h and INT 28h. Sometimes the viruses play the melody "Я на солнышке лежу…" (Ja na solnyshke lezhu, "I'm lying in the sun") from the Soviet/Russian cartoon series Весёлая карусель (Vesyolaya Karusel', "Happy Carousel"). The virus uses INT 13h to infect floppy disks as well as to encrypt information on the disks.

Variants AB2.2890, 2990, 3021, 3427 and 4540 check for the string "MZ" at the beginning of a file (the signature of .exe files). If it finds "MZ", it checks the next two words to verify that the file is truly an .exe and that it is over 65,024 bytes. If this condition is met, it encrypts this sector, changes the "MZ" to "AB" and writes it back to the disk.

Variants AB2.6425, 6500, 6727, 6982, 6996, 7008, 7033 and 7640 are polymorphic even in boot sectors. Instead of the header of .exe files, they encrypt the first sector of subdirectories, using the address of the INT 00 vector in the ROM BIOS.

Variants AB2.6082, 6100, 6500 and 6727 pack the block of the infected file, so the increase in file length after infection with these viruses can be smaller than the length of the virus code. These variants contain errors that may result in the system message "Divide overflow" after the launch of some files, as well as a possible hang of the system after infected programs start.

When the Master Boot Record (MBR) of the hard disk is infected, after the first reboot of the system from it, variants AB2.2990, 3021, 3427 and 4540 encrypt part of the boot loader (47 bytes) with the first byte of the INT 00 vector, located in the ROM BIOS.

AB2 Variant Details

Nutcracker.AB2.2990, 3021, 3427: These variants avoid infecting files whose names include NF and ADINF, which may be associated with some antivirus programs.

Nutcracker.AB2.3427, 4540: Contains the line of text "Universal Pathologic Device by Nutcracker(AB2)".

Nutcracker.AB2.4540: on April 7 this variant displays the text "the Sun is gone but I have a light…"

Nutcracker.AB2.5375, 5413, 5440, 5589: These variants contain the text:

        This Universal Pathologic Device dedicated to Любовь Н.
        I hate the envy, the meanness, the riches, the trea, the bluntness,
        the ignorance, the lie, the servility, the mistrust and the hatred.
        Nutcracker(AB2)

Nutcracker.AB2.5413, 5440, 5589, 6082, 6100: these variants infect not only the Master Boot Record of the hard drive, but also the active boot sector (typically, this sector is the boot sector of disk C:).

Nutcracker.AB2.6425, 6500, 6727: Contains the line of text "Nutcracker(AB2): Welcome to the Hell"

Nutcracker.AB2.6996: on January 12 displays the text "Nutcracker (AB2): lives forever!"

Nutcracker.AB2.6982: on January 12 this variant tries to format the first hard disk.

Nutcracker.AB2.7033: this variant on January 12 "hangs" the system.

Nutcracker.AB2.7008: on the 12th of the month this variant tries to destroy the information on the hard disk.

Nutcracker.AB2.7640: on January 12 this variant prints its contents to the printer. While memory resident, running a certain program (which is unidentified at this point) triggers a hard disk format.

Nutcracker.AB2.2890: this variant writes trojan code into SYS and BIN files that can destroy the contents of CMOS memory.

Nutcracker.AB2.6100: after being booted 555 times from the hard drive, this variant destroys the contents of CMOS-memory and the first 100 sectors of the first two hard drives.

Nutcracker.AB3 Variants

These variants erase sectors of drive C: on January 12 and July 23. When infecting files, they remember the current date, and after 23 days they intercept INT 10h, slowing down the computer with an empty loop that calls the interrupt.

Nutcracker.AB3.2293

This variant is 2,293 bytes long on disk and takes up 3,072 bytes in memory. While the virus is memory resident, the file size increase is hidden and the whole file is presented as temporarily disinfected for as long as the virus stays resident. The text "Nutcracker(AB3)" can be seen in the file when the virus is not resident. CHKDSK will report file allocation errors on infected files while the virus is resident.

Nutcracker.AB3.2900

This 2,900-byte variant takes up 3,456 bytes in memory. It is capable of infecting the system hard disk's master boot sector. It sets the seconds field of the file's date and time stamp to 60, but otherwise leaves the stamp unaltered. Inside the virus body, the text "Only the Hope dies last!" can be found when the virus is not resident in memory.
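As an added example (not from the original page or from any antivirus vendor's tooling), the following Python code decodes the packed DOS date/time stamps of FAT directory entries and flags files whose seconds field reads 60, the stamp Nutcracker.AB3.2900 leaves on infected files; the directory entries it scans are constructed inline, and the field layout assumed is the standard 32-byte FAT entry.

```python
import struct

# Layout of a standard 32-byte FAT directory entry:
#   offset 0 : 8-byte name, 3-byte extension (space padded)
#   offset 11: attribute byte (0x10 = subdirectory)
#   offset 22: packed modification time, little-endian word
#   offset 24: packed modification date, little-endian word
#   offset 28: file size, little-endian dword
ENTRY_SIZE = 32

def pack_dos_time(hours, minutes, seconds):
    """Pack a time into the DOS 16-bit format (seconds are stored halved)."""
    return (hours << 11) | (minutes << 5) | (seconds // 2)

def decode_dos_time(word):
    """Unpack a DOS time word into (hours, minutes, seconds)."""
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def decode_dos_date(word):
    """Unpack a DOS date word into (year, month, day)."""
    return 1980 + ((word >> 9) & 0x7F), (word >> 5) & 0x0F, word & 0x1F

def has_seconds_60_marker(time_word):
    """True when the seconds field decodes to 60. DOS itself only writes
    0..58 here, so this is the stamp Nutcracker.AB3.2900 leaves behind."""
    return decode_dos_time(time_word)[2] == 60

def scan_directory(raw):
    """Walk 32-byte entries and return the names of files carrying the marker."""
    flagged = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = raw[off:off + ENTRY_SIZE]
        if entry[0] in (0x00, 0xE5) or entry[11] & 0x10:  # free, deleted or subdir
            continue
        name = entry[0:8].decode('ascii').rstrip()
        ext = entry[8:11].decode('ascii').rstrip()
        time_word, = struct.unpack_from('<H', entry, 22)
        if has_seconds_60_marker(time_word):
            flagged.append(f'{name}.{ext}' if ext else name)
    return flagged

def make_entry(name, ext, time_word, date_word, size, attr=0x20):
    """Build one constructed directory entry (used only for the sample below)."""
    return (name.ljust(8).encode() + ext.ljust(3).encode() + bytes([attr])
            + bytes(10) + struct.pack('<HHHI', time_word, date_word, 0, size))

# Constructed sample directory: one clean file and one carrying the 60-second stamp.
SAMPLE_DIR = (make_entry('COMMAND', 'COM', pack_dos_time(12, 0, 0), 0x1C21, 47845)
              + make_entry('GAME', 'EXE', pack_dos_time(9, 30, 60), 0x1C21, 54321))

if __name__ == '__main__':
    print(scan_directory(SAMPLE_DIR))  # ['GAME.EXE']
```

Other DOS viruses also used the seconds field as an infection marker, so a hit identifies a file worth inspecting rather than this variant specifically.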

Nutcracker.AB4

This dangerous variant contains the text "Sombre Nutcracker(AB4)". Files infected with this variant appear normal under a debugger. It writes a trojan to the Master Boot Record which, on January 12 and July 23, formats the first tracks of the first and second hard drives. At the start of any program, the virus increases a counter located in the boot sector of the current disk by 10. When the counter reaches 40h, the virus zeroes it and creates a pseudo-cluster on that logical disk. There is a 1 in 9 probability that it will destroy .PAS and .BAS files as they are opened.

Nutcracker.AB5

These variants destroy one random sector on the current disk every 16 system boots. They avoid files with names starting with IB and CO. They write trojan code to the MBR of the hard drive, which destroys information on the hard disk and in CMOS memory every 512 boots and displays the message "Gloomy Nutcracker(AB5) from the city of Brest(BY) with best wishes!" They also contain the text "Only the Hope dies last!".

Nutcracker.AB6

When a file infected with an AB6 variant is executed, the virus becomes memory resident and intercepts INT 13h, 17h and 21h. It infects the Master Boot Record, and any .com or .exe files as they are accessed. When booting from an infected Master Boot Record, the virus intercepts INT 17h and 1Ch, waits for DOS to boot and then intercepts INT 13h and 21h. The virus does not reduce the size of DOS memory; instead it adjusts the Memory Control Block chain itself.

The variants use INT 13h to mask the infected Master Boot Record. Intercepting INT 17h allows them to periodically alter characters as they are printed. They pay special attention to the CHKDSK utility and disable some branches of the stealth procedure when it starts.

On January 12, these variants format the first hard drive and display text. There are four versions of this text depending on the variant: "Dreary Nutcracker(AB6)", "Dreary Nutcracker(AB6) Lives", "Dreary Nutcracker(AB6) Lives Again", and "Dreary Nutcracker(AB6) lives forever !". Sometimes they send strange characters to the printer, or block output to the printer. They delete files with the extensions FW, ?AS and MS. They contain the text "Любовь Н.".

Nutcracker.AB7

The two AB7 variants are relatively non-dangerous. The virus remains resident in memory only when booting from an infected floppy or Master Boot Record. They infect the Master Boot Record of the hard drive, the boot sectors of floppy disks, and .exe files. They avoid files longer than 64 kilobytes. Infected .exe files are converted to .com files by inserting a jump at the beginning of the header and then adjusting the addresses in the relocation table.

AB7 variants intercept INT 9h to catch Ctrl-Alt-Del. When Ctrl-Alt-Del is pressed, the viruses check whether the Master Boot Record has already been infected and infect it if not. They also intercept INT 2Fh, which allows them to remove themselves from the Master Boot Record when an antivirus program is run on the disk, and then reinfect it when the danger has passed.

They also intercept INT 13h (for the stealth procedure that masks infected sectors), INT 15h (to handle multiple PCMCIA system calls), INT 21h (to intercept the DOS Execute, Create, Close and FindFirst/Next ASCII calls for file infection) and INT 40h (used to infect floppy disks and implement a stealth mechanism).

When booting from an infected disk, the virus becomes memory resident at the upper memory boundary if possible. On the 12th of an odd month, the variants display the message "I'm Nutcracker(AB7)!", wait for the user to press a key and reboot the system.

Nutcracker.Info

The Nutcracker.Info variants are relatively non-dangerous. Their main effect is displaying text.

Nutcracker.Info.2133: as the program starts, this variant displays the text:

        InfoSystem  version1.02
        Reading System Information...
        Computer type: IBM PC

Nutcracker.Info.2142 displays the text:

[[code]]
-*- INFOSYSTEM -*-
version 1.04
(C) 1995 by Ziff Co.
Reading System Information…
Computer type: IBM PC
[[/code]]

Nutcracker.Info.2259: This variant displays the following text:

        Reading System Information...
        Computer type: IBM PC

It then checks the type of computer it's running on and displays one of the following lines: "Original", "XT", "AT", "Convertible", "PS/2", "Junior" or "Unknown". Then this text is displayed:

        Checking HDD controller...
        SCSI controller type: Unknown (Error14)

The virus creates, in a directory listed in the PATH variable, a file INFO.COM (or INFOSYS.COM) containing the viral code. It then searches for .bat files and writes the following at the beginning of each one (FILENAME is either INFO or INFOSYS, depending on the name of the file dropped):

[[code]]
@if not exist FILENAME.com goto noinfo
FILENAME>nul
:noinfo
[[/code]]

When the .bat file is run, INFO.COM (or INFOSYS.COM) executes first, so control passes to the virus code, which places a copy of itself in memory and intercepts INT 1Ch and INT 21h. When the modified .bat file is accessed, the viruses activate their stealth procedures. When the user runs the program CHKDSK, WEB or DRWEB, the viruses disable their stealth routines.
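As an added example (not part of the original page), the following Python code detects the stub Nutcracker.Info writes to .bat files and removes it; the sample batch files are constructed inline, and the scanner assumes the stub is written exactly as shown above, allowing only for case and line-ending differences.

```python
import re

# Stub that Nutcracker.Info prepends to .bat files so the dropped INFO.COM or
# INFOSYS.COM runs (output sent to nul) before the batch file's own commands.
STUB_RE = re.compile(
    r'^[ \t]*@if not exist (?P<name>INFO|INFOSYS)\.com goto noinfo[ \t]*\r?\n'
    r'[ \t]*(?P=name)>nul[ \t]*\r?\n'
    r'[ \t]*:noinfo[ \t]*(?:\r?\n|$)',
    re.IGNORECASE | re.MULTILINE)

def find_stub(bat_text):
    """Return the name of the .com the stub launches, or None if no stub is present."""
    m = STUB_RE.search(bat_text)
    return m.group('name').upper() + '.COM' if m else None

def remove_stub(bat_text):
    """Return the batch file contents with the stub removed; unchanged if absent."""
    return STUB_RE.sub('', bat_text, count=1)

def scan_batch_files(files):
    """files: mapping of filename -> contents. Returns {batfile: launched .com} for hits."""
    hits = {}
    for name, text in files.items():
        if name.upper().endswith('.BAT'):
            launched = find_stub(text)
            if launched:
                hits[name] = launched
    return hits

# Constructed sample batch files (not real captures): one modified, one clean.
SAMPLE_FILES = {
    'AUTOEXEC.BAT': ('@if not exist INFO.com goto noinfo\r\n'
                     'INFO>nul\r\n'
                     ':noinfo\r\n'
                     '@ECHO OFF\r\n'
                     'PATH C:\\DOS;C:\\UTIL\r\n'),
    'GAMES.BAT': ('@ECHO OFF\r\n'
                  'CD \\GAMES\r\n'
                  'GAME.EXE\r\n'),
}

if __name__ == '__main__':
    for bat, com in scan_batch_files(SAMPLE_FILES).items():
        print(f'{bat}: launches {com}')  # AUTOEXEC.BAT: launches INFO.COM
```

Cleaning the .bat files only removes the launcher; the dropped INFO.COM or INFOSYS.COM in the PATH directory still has to be found and deleted.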

Nutcracker.Snowfall.945, 1015

These two variants are relatively non-dangerous. They intercept INT 8h and 21h, and append themselves to files. They sometimes cause a falling-snow effect on the screen. When infected programs are run, they display the text "Given program was generated in BrPI (c) 1994 The Snowfall.".

Nutcracker.Punisher

These two variants are truncated versions of Nutcracker.AB7. On January 12, they display the text (depending on the variant) "Punisher.a: The Punisher in award for your self-confidence!" or "Punisher.b: The Punisher II in award for your self-confidence again!". They also contain the text "(c) 1994 by Dismal Nutcracker".

Origin

Researchers suspect that all or most Nutcracker variants came from the same creator. If so, the virus likely originates from the city of Brest in Belarus. The variants first became known to antivirus companies in 1996, but some strings in the virus bodies suggest they could have originated two years earlier.

Other Facts

The date of January 12 is a common payload trigger for many variants of Nutcracker. It is unclear what the significance of this date is, but a few major events occurring on this date include the beginning of the USSR's Vistula-Oder offensive in 1945, a 1990 pogrom against Armenians in Azerbaijan, and the US Congress authorizing the use of force in Iraq.

The line "the Sun is gone but I have a light…" printed by one of the AB2 variants comes from the Nirvana song "Dumb".

Sources

Patricia Hoffman. Online VSUM, Nutcracker Virus.

Catalogue of viruses detected and neutralized by Dr. Web 4.00 (Каталог вирусов, определяемых и обезвреживаемых Dr. Web 4.00).

AntiViral Toolkit Pro Virus Encyclopedia (Вирусная Энциклопедия).

Gizzing H. Khanaka, William J. Orvis. Virus Information Update CIAC-2301. CIAC, US Department of Energy, 1998.05.21. https://apps.dtic.mil/dtic/tr/fulltext/u2/a394231.pdf

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License