
Sat_Bug.Natas

Risk Level 1: Very Low

Also Known As: Natas, Satan, Satan Bug
Type: Virus

SUMMARY

Sat_Bug.Natas is a virus that infects program files, the DOS boot sector on floppy disks, and the master boot record (MBR) on the first physical hard disk (drive 80h, drive C).


Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low

TECHNICAL DETAILS


The virus code reserves 6 KB of memory and is two sectors in length. Thus, on a computer with 640 KB of memory, the MEM command would report 634 KB of memory, and CHKDSK would report 649,216 bytes of free memory.

The virus body is stored, unencrypted, on nine sectors near the end of side 0, track 0, of the hard disk. Sat_Bug.Natas stealths the infected MBR if it is in memory, but does not stealth the extended sectors. Using a disk editor, the virus name is visible near the end of the last virus sector.

Infected files grow by 4744 bytes, but the change in size is stealthed if Sat_Bug.Natas is in memory. The name, Natas, is in the encrypted portion of the virus body and is not visible. The virus decryptor is extremely polymorphic. Sat_Bug.Natas contains no intentionally damaging routines and does not affect data files. The virus appears to be incompatible with some memory managers. Problems have been reported when QEMM386 and DOS EMM386 become infected.

Sat_Bug.Natas was evidently programmed by Little Loc, the programmer of the Sat_Bug (Satan Bug, or Satan) virus from San Diego, California. Sat_Bug.Natas has been distributed as commented source code.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
  • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL


To remove this virus, you need a Rescue Disk set or a Norton AntiVirus Emergency Disk.

To remove the virus using the Rescue Disk set:
If you do not have a current Rescue Disk set, you must create one on an uninfected computer.
  1. Close all programs on the infected computer, and then turn off the power. You must turn off the power to clear memory.
  2. Wait at least 30 seconds, and then:
    • If you have a current set of Rescue Disks that you created before the infection occurred, skip to step 7.
    • If you do not have a current Rescue Disk set, go on to step 3.
  3. On an uninfected computer, install Norton AntiVirus (if it is not already installed).
  4. Run LiveUpdate, and then run a full system scan.
  5. On the NAV toolbar, click Rescue.
  6. Follow the prompts to create a Basic Rescue set. For additional information, see the document How to create or update a Norton AntiVirus rescue disk set when Norton AntiVirus is already installed.
  7. Take the completed Basic Rescue set to the infected computer, and insert the "Basic Rescue Boot Disk" into the floppy disk drive. Restart the computer.
  8. When the Rescue Disk window appears, use the arrow keys on the keyboard to select Norton AntiVirus.

    CAUTION: Make sure that you select Norton AntiVirus when using a Rescue Disk that was created on another computer. Failure to do so could overwrite critical files and cause the computer to fail to start.
  9. On the command line at the bottom of the window, edit the line to read

    navdx /cfg:a /a /doallfiles /repair

    and then press Enter.

    NOTE: This will cause NAV to repair the infected files without prompting. If you want to be prompted when an infected file is found, use the command

    navdx /cfg:a /a /doallfiles /prompt
  10. Follow the prompts, and remove and insert disks as needed. You may need to do this several times. Press Enter after inserting each disk.
  11. When the scan has finished--this could take several hours--the removal process is complete. Remove all disks from the disk drives, and turn off the computer. Wait at least 30 seconds before restarting the computer.

To remove the virus using the Norton AntiVirus Emergency Disk:
The Norton AntiVirus Emergency Disk can either be created from the Norton AntiVirus (NAV) 2001 CD or downloaded from the Symantec FTP site. If you have an Emergency Disk that came supplied with an older version of NAV, we recommend that you create new disks.
  1. Close all programs on the infected computer, and then turn off the power. You must turn off the power to clear memory.
  2. Create a new Emergency Disk. For instructions on how to do this, see the document How to create Norton AntiVirus Emergency Disks.
  3. Take the completed Emergency Disk to the infected computer, and insert it into the floppy disk drive. Restart the computer.
  4. Press any key when prompted, and then follow the prompts.
  5. When the scan has finished--this could take some time--the removal process is complete. Remove all disks from the disk drives, and turn off the computer. Wait at least 30 seconds before restarting.


