|Creator||Little Loc (AKA Priest)|
|Place of Origin||United States|
|File type(s)||.com, .exe, .ovl|
|Infection Length||4,746 Bytes|
When a file infected with Natas is executed, it becomes memory resident, taking up 5,664 bytes in memory and infects the master boot record and COMMAND.COM. The virus infects files when they are executed, opened or copied, appending its 4,746 bytes to .com, .exe and .ovl files.
There is a 1 in 512 possibility Natas will destroy data on a portion of the hard disk every time an infected file is executed, the master boot record is accessed or an infected file is disassembled. It contains the text "Natas" in its encrypted code.
The virus has interesting stealth capabilities. When an archiver is run, it turns its stealth off, so it has more chances to spread. If the user tries to look at the master boot record through a binary editor, SatanBug will show a clean version.
All variants seem to add 100 years to the infected files date, where the original leaves it alone. Otherwise they are mostly similar.
- Natas.4774- contains text: "Time has come to pay (c)1994 NEVER-1 3"
- Natas.4988- contains a very long text, including some "Rage against the machine" lyrics:
Time has come to pay (c)1994 NEVER-1 SANDRINE B." Yes I know my enemies They're the teatchers who taught me to fight me Compromise, conformity, assimilation, submission Ignorance, hypocrisy, brutality, the elite All of whitch are American dreams (c) 1994 by Never-1(Belgium Most Hated) Sandrine B."
While created in the United States, it become very prevalent in Mexico. It was first discovered in Mexico City in May of 1994. It was brought there from Southern California by a consultant offering antivirus services. The consultant frequented message boards based in Santa Clarita, which contained many viruses, including Natas. Antivirus researcher speculation is that Natas was accidentally executed, and after turning it up in a scan, looked for it on other computers, possibly transporting the antivirus program on a disk. The stealth capabilities of the virus would sometimes allow it to be found on a file, but not on a disk sector, so he probably ended up infecting many other computers.
Norman Data Defense Systems offered Little Loc a job when he finished highschool that summer. When asked what he would work on there, he said he would work on a cure for Natas.
Name and OriginEdit
McAfee Antivirus, Natas. 1994.06.15
Patricia Hoffman. Online VSUM, Natas virus.
F-Secure Antivirus, F-Secure Virus Descriptions : Natas.
George Smith. The Virus Creation Labs: A Journey into the Underground, A Priest Deploys his Satanic Minions. American Eagle Publications, 1994.12. ISBN 978-1441411389