Virus.Win9x.Atom.4790 or Atom is a non-destructive memory resident parasitic Win9x virus.


When the virus is run, it displays a fake calculator program, and by using a programming trick it runs on the same level as Windows device drivers. It stays memory resident as a Windows VxD driver, hooks Windows IFS API (file access) functions, and infects PE EXE files that are opened. In each infected executable, the virus creates a new file section at the end of the file named "ATOMIC99", writes its code there and modifies program's startup address.

Atom's payload activates after the computer is restarted. It drops an image of Bill Gates to the C:\ drive called "FILE.CUR". It registers this as the "arrow" state of the cursor in the Windows registry, with this key:

HKEY_USERS\.Default\Control Panel\Cursors: Arrow = C:\FILE.CUR

As one might expect, this changes the mouse cursor to a picture of Bill Gates. The virus also has the text string:

[Windows Forever,Windows Voor Altijd 199x-199x]


Atom is also known as:

  • Win9x.Atom.4790 (Kaspersky Lab)
  • Win95.Atom.4790 (Kaspersky Lab)
  • Virus: W32/NGVCK.d.gen (McAfee)
  • W95/Atomic-4790 (Sophos)
  • W32.Atom (ClamAV)
  • W95/Atom.4790 (Panda)
  • W32/Atom.4790 (FPROT)
  • Virus:Win95/Atom.4790 (MS(OneCare))
  • Win95.Atomic.4790 (DrWeb)
  • Win95/Atom.4790 virus (Nod32)
  • Win95.Atom.4790.A (BitDef7)
  • Win95.Atom.4790 (VirusBuster)
  • Win95:Atomic (AVAST)
  • Virus.Win9x.Atom (Ikarus)
  • W95/Atom (AVG)
  • W32/Atom (AVIRA)
  • W95.Atom.a (NAV)
  • W32/Atom.4790 (Norman)
  • W95/Atom (NAI)
  • PE_ATOM.4790 (PCCIL)
  • Win32.Atom (Rising)
  • Virus.Win9x.Atom.4790 [AVP] (FSecure)
  • PE_ATOM.4790 (TrendMicro)
  • Win95.Atom.4790 (VirusBusterBeta)




Virus.Win9x.Atom.4790 by Alles


SecureList, Virus.Win9x.Atom.4790

Ad blocker interference detected!

Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.