Details
Realize.498
It is a harmless nonmemory resident parasitic virus. It searches for .COM files and writes itself to the beginning of the file. The virus contains the text string:
WHAT? I gotta die before you [realiZe] I was a nigga with open eyes.Dont
you hear the guns you stupid, dumb,dicksuckin, bum politicians![realiZe] -
THE LOST FREEDOM / SWEDEN
Details
RDA.Fighter
These are dangerous memory resident polymorphic parasitic viruses, “RDA.Fighter.7408″ is multipartite one. They trace and hook INT 21h, and write themselves to the end of COM and EXE files that are executed, opened or renamed. They also encrypt the randomly selected part of the host files.
While executing an infected file, “RDA.Fighter.7408″ infects MBR of the hard drive. On loading from infected disk it hooks INT 8, and when DOS is loaded it hooks INT 21h. That virus uses very polymorphic engine, it allows to generate the sequence of decryption loops (up to 16 ones) - the first decryption loop decrypts the virus body and the code of other loops, and passes the control to the second loop - and so on. So the body of the virus is encrypted several times according to the number of decryption loops.
These viruses use the error correction algorithm to prevent the debugging, and the correction of the virus body. During virus installation procedure if the virus code is traced, the viruses erase the disk sectors.
The viruses contain the text strings:
“RDA.Fighter.5871″: RandomDecodingAlgoritm 1.0
“Stealth Fighter PART I” devoted MSU!
“RDA.Fighter.5969″: RandomDecodingAlgoritm 1.1
“Stealth Fighter PART I (1.1) for ALL.”
“RDA.Fighter.7408″: “RandomDecodingAlgoritm 2.0″
“PhantomPolymorphicMultiLayerEngine 1.2″
“Stealth Fighter 2.0 : New Aggression.”
“RDA.Fighter.7408″ displays the last string.
After installation the viruses restore the code of the host program by using the data (”host data”) has been saved on infection. While restoring of the host program they decrypt the part of the host code has been encrypted on infection, restore the header of COM file and pass the control to the host program. The most interesting feature of these viruses is the fact that after decryption of the virus body the host data is still not decrypted because it is encrypted twice on infection. The algorithm of such additional encryption is selected randomly - the virus selects random number of instructions (up to 16 ones) from 16 variants of encryption commands (XOR, SUB, ADD, ROL, ROR, NEG, e.t.c.). There may be 65535 (FFFFh) variants of such encryptor. On infection the virus encrypts the host data by using that method, but does not save corresponding decryption routine to restore the host data.
To decrypt the host data the virus generates the decryption routine by random selecting from the same 16 encryption commands, and tries to decrypt the host data. If the host data is not decrypted (the virus calculates and checks the CRC sum) the virus generates the next decryptor, decrypts the host data, calculates and compares CRC and so on up to the moment when the host data appears in original form. It may take some time ever on fast computers.
Details
Rch.1217
This is a benign memory resident polymorphic parasitic virus. It hooks INT 9, 21h and writes itself to the end of COM and EXE files that are executed or opened. The virus deletes the anti-virus data files CHKLIST.MS and SMARTCHK.CPS, if they exist. On May 20th the virus inserts the following text into the keyboard buffer (i.e. simulates user input):
“Just a joke,Don’t mind!”—Rch
Details
Rch.1138
This is a benign memory resident polymorphic parasitic virus. It hooks INT 9, 21h and writes itself to the end of COM and EXE files that are executed or opened. On May 20th the virus inserts the following text into the keyboard buffer (i.e. simulates user input):
“Just a joke,Don’t mind!”—Rch
Details
Rb91.899
This is a very dangerous non-memory resident encrypted parasitic virus. It searches for .COM files, and writes itself to the end of the file. It contains the text string: “Virus° EMO *.com *.* RB91″. In April, it formats the disk sectors. It is non-memory resident, but after infection, it leaves a small memory-resident program that hooks INT 8 (timer), and periodically summons the INT 9 and INT 0Eh.
Details
Rawal.1378
This is a benign non-memory resident parasitic virus. It searches for a command processor (COMMAND.COM), then for .COM files, then writes itself to the end of the file. In July, the virus decrypts and displays the following message:
B I O - D A T A
NAME : SANJAY RAWAL
DOB : 24/11/1967
ADDRESS : 96, SATYA NIKETAN, NEW DELHI - 21
TELE : 675557
QUALS. : DIP. ELECTRICAL, SEC-A DIP. I.E.T.E.,POST DIP.
: COMPUTER APPLICATIONS, SHORT COURSE FROM A.T.I.E.P.I.
EXPRNCE : DBASE III+,CLIPPER,FOXPRO,ASSEMBLY 85/88, QBASIC,TURBO C
: SINCE JAN. 1990
A N Y V A C A N C Y ????
The virus also contains the following texts:
*.com
COMSPEC=
S A N
Details
Raving.2300
It is a dangerous nonmemory resident overwriting virus. It searches for .COM files and overwrites them. It displays the message:
I DON’T THINK YOU WOULD LIKE TO SMILE, BECAUSE I HAVE INFECTED A FILE!!!
HAVE YOU HEARD OF A RAVING VIRUS MC, YES YOU GUESSED IT THAT IS ME!!!
YOU WONT SEE ANOTHER RHYME UNTIL IT IS INFECTING TIME!!!
Details
RavenSys.1324
It is not a dangerous memory resident parasitic virus. It writes itself to the end of SYS files (device drivers). The header of the virus contains the text: “RAVEN00X”. The virus hooks INT 21h, intercepts Exec DOS call (4Bh) and on executing any program searches for SYS files and infects them.
When an infected driver is loaded into the memory, the virus hooks INT 21h and stays memory resident. It does it in two different ways depending on the system conditions. In case of first way, the virus leaves its TSR copy at the same addresses as being loaded. Then it waits for DOS system ChangeMemory call (AH=4Ah), allocates new block of memory and copies itself to there. In case of second way the virus writes its code on the first track of the hard drive (not used sectors) and copies its “loader’s” (90 bytes) code to Interrupt Vectors Table. Then it, the same as in case of first way, waits for ChangeMemory DOS call, allocates a block of memory, and reads to there its code from the hard drive.
While installing memory resident the virus displays the message:
+-+—·-· · · Raven Sys Infector 1.0 · · ·—-+-+
+-+—————————————————————–+-+
+-¦-+ Created By Stone Shadow +-:-¦
+-:-+ Copyright (c) 1995 - 96 By COEAC Viral System Development. +-¦-¦
+-+—————————————————————–+-+
+-+— ·· · · Creatures Of Electronic Anti Christ · · ·· —+-+
Details
Rauser.164.a
These are dangerous memory resident encrypted viruses. They hook INT 21h and while executing .COM files overwrite them, and while executing .EXE files create the companion .COM file.
“Rauser.250,253″ display:
Maaike I Love You !
Details
Raubkopie.2219
It is a very dangerous nonmemory resident parasitic virus. Searches for .COM and EXE files and infects them. On Friday, 13th it erases the disk sectors and displays the messages:
A C H T U N G
————————-
Die Benutzung einer RAUBKOPIE ist strafbar!
Nur wer Original-Disketten, Handbücher,
oder PD-Lizenzen besitzt, darf Kopien verwenden.
Programmierung ist mühevolle Detailarbeit:
Wer Raubkopien verwendet, betrügt
Programmierer um den Lohn ihrer Arbeit.
————————-
Bist Du sauber ? (J/N)
Ich will glauben, was Du sagst all..
CPU-ID wird gespeichert….
Details
Rattler.1536
It is a dangerous memory resident polymorphic parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files that are accessed. Depending on the system date it erases the disk sectors. It contains the text string:
This is RATTLER v2.0. Read the Infected Voice!
Details
RatSoft.753
These are dangerous nonmemory resident parasitic viruses. They search for .COM-files, then writes themselves to the end of the file. The viruses have lot of bugs, and infected files may halt the system. The viruses display the messages:
“RatSoft.753″: ratsoft company!!!
“RatSoft.821,828″: death you!!!!!!
ratsoft co
Details
Rat.615
It is a harmless nonmemory resident parasitic infector. It searches for the .COM files of the current directory and writes itself to the end of the file. It contains the text strings:
Techno-Rat I. Copyright by Lord Blaise, Odessa 1991.
*.* *.COM .\*.COM COM
Details
Rasputin
It is not a dangerous memory resident stealth boot virus. It is encrypted in sectors and well as in the system memory. It hooks INT 13h and writes itself to the MBR of the hard drive and the boot sector of the floppy disks. Location on a disk is in free clusters which virus marks as BAD (pseudo-bad clusters).
While loading at 4am the virus decrypts and runs a video-effect and displays the text:
RASPUTIN
Coded By
Blue Skull
Details
Rash.1737
It is a harmless memory resident encrypted parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed or closed. When infected files are opened, the virus disinfects them. The virus does not manifest itself in any way, it contains the text string:
- Rash97 -