Virus Name: Repent Virus Type: File Infector Virus (infects .COM files) Virus Length: No change
PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the current directory. 2) It then checks whether it has been infected by Repent. If so, it continues to look for any uninfected .COM file. 3) It infects only three files at a time. Damage: Overwrites original files, so the length of infected files won't increase. Note: 1) Doesn't stay resident in memory. 2) Repent doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Readiosys Alias Name: AntiCMOS, Lenart Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. When the system is booted from an infected hard disk, the virus loads itself in memory. After loading successfully, it infects most accessed disks. The DOS CHKDSK program will show a "total bytes memory" decrease of 2,048 bytes. This virus may change the CMOS settings, depending on the system hardware. In many cases, the system will hang before the virus can finish loading into memory.
Virus Name: Ripper Alias Name: Jack Ripper Virus Type: Boot Virus Virus Length: N/A Description: This virus infects boot sectors. Infection method: 1) The virus loads into memory when the system is booted from an infected diskette. 2) While loaded, the virus infects any accessed, non-protected disks. Damage: 1) The virus corrupts the hard disk over time by randomly selecting disk writes (approximately 1 per 1000) and by swapping two words in the write buffer. Note: 1) If you attempt to examine the infected boot sectors while the virus is in memory, it will display the original, uninfected version.
Virus Name: Radyum Virus Type: File Infector Virus (infects .COM files) Virus Length: 448 Bytes(COM)
PC Vectors Hooked: None Executing Procedure: 1) Searches for and infects all uninfected .COM files. 2) It infects only one file at a time. 3) It then executes the original file. Damage: None Detecting Method: Infected files will increase by 448 Bytes. Note: 1) Doesn't stay resident in memory. 2) Radyum doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: Redx-1 Virus Type: File Infector Virus (infects .COM files) Virus Length: 796 Bytes
PC Vectors Hooked: None Executing Procedure: 1) Searches for a .COM file in the C:\ root directory. 2) Once it locates a .COM file it checks whether it has been infected by REDX-1. If it has, it continues searching for an uninfected .COM file. 3) It then infects other .COM files two at a time. 4) It finally executes the original file. Damage: None Detecting Method: Infected files will increase by 796 Bytes.
Note: 1) Doesn't stay resident in memory. 2) REDX-1 doesn't hook INT 24h when infecting files. Error message occurs if there is an I/O error (such as write protect).
Virus Name: RKO-1 Virus Type: Memory Resident, File Infector Virus Virus Length: None. PC Vectors Hooked: 1) INT 21h (AX=4B00h) (execute program) 2) INT 24h Executing Procedure: 1a) If the system date is the 13th, the virus destroys all data on the hard disk. 1b) Otherwise, the virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory it will infect any uninfected file that is executed.
Damage: If system date is the 13th, then the virus will destroy all data on the hard disk.. Detecting Method: None. Note: 1) The RKO-1 virus hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: RNA#1 Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: 7296 Bytes(COM & EXE) PC Vectors Hooked: INT 24h Executing Procedure: 1) Searches for COM & EXE files on the "C:\ drive". 2) If found, it then deletes them (deletes four files at one time) 3) When the files are deleted, the virus will create a file named "ZSQA.TH" on disk "C:\". Damage: It will delete files on the "C:\drive". Detecting Method: Infected files will increase by 7296 Bytes. Note: 1) Doesn't stay resident in memory. 2) The RNA#1 hooks INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: RNA#2 Virus Type: File Infector Virus (infects .COM & .EXE files) Virus Length: 7408 Bytes(COM & EXE)
PC Vectors Hooked: None Executing Procedure: 1) Searches for COM & EXE files on "C:\drive". 2) If any files are found, the virus will infect them (it infects only four files at one time). Damage: None. Detecting Method: Infected files will increase by 7408 Bytes.
Note: 1) Doesn't stay resident in memory. 2) RNA#2 doesn't hook INT 24h when infecting files. It omits I/O errors (such as write protect).
Virus Name: REAPER Other names: None Virus Type: File Infector Virus Virus Length: 1072 bytes. Executing Procedure: 1) The virus checks if it is memory resident. If it isn't, it loads itself into memory by hooking INT 21h. 2) It then executes the original file. 3) Once in resident memory it will infect any uninfected file that is executed. Damage: 1) The Reaper virus will check the system date after it resides in memory. 2) If it is Aug 21, the virus will display the following message: "Reaper Man. (c) 92, Apache Warrior, ARCV Pres." Detecting Method: Increases infected file size by 1072 bytes Note: Loads itself resident in memory. An error message occurs if there is an I/O error (such as write protect).
Virus Name: RED SPIDER Virus Type: 1) Infects .COM files that are between 2,000 (7D0H) and 63,500 (F80CH) bytes in length. 2) Infects .EXE files that are smaller than 524,288 (80000H) bytes. 3) This virus is memory resident and a file infector. Virus Length: 949 - 964 bytes.
Interrupt Vectors Hooked: INT 21h. Infection Process: 1) The virus stays resident at the top of the MCB (memory control block) but below the DOS 640k boundary. 2) Infects .EXE and .COM programs when they are executed. 3) Infected files will have a file length increase of 949 - 964 bytes with the virus located at the end of the file. Damage: Increased file sizes. Decreased available memory. Symptoms: The available free memory decreases by 976 bytes. Note: 1) If COMMAND.COM is infected, the file length will not change. 2) The following text strings can be found encrypted in the virus code: "Red Spider Virus created by Garfield from Zielona Gora in feb 1993 ....... "
Origin :
Eff Length : 954 bytes
Type Code : Polymorphic File Virus
Symptoms :
Increase in the size of infected COM and EXE files by 954 bytes and decrease in available memory by 976 bytes. Executing programs may slow down due to the infection procedure of the virus.
General Comments:
The RED SPIDER virus, on first infection, will decrypt parts of its code to avoid detection. It will then allocate 976 bytes of memory and then transfer its code to the High Memory Area. Once in memory, the virus will hook INT 21.
It will infect all COM and EXE files that are executed, opened or copied. Its infection procedure will append its code to the end of the file. It will not hide the increase in file size of infected files.
To be always memory resident, it will use these two files (if present) to infect other files in your disk:
"COMMAND.COM" and "NCMAIN.EXE"
This text string is found in the decrypted virus code:
"Red Spider Virus" "Created by Garfield from Zielona Gora in Feb 1993"