Radyum Virus
Virus Name: Radyum
Aliases:
V Status: Rare
Discovery: October, 1992
Symptoms: .COM file growth
Origin: United States
Eff Length: 448 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: AVTK, F-Prot, ViruScan, Sweep, NAV, PCScan,
IBMAV, NAVDX, VAlert, ChAV,
NShld, AVTK/N, Sweep/N, NAV/N, NProt, IBMAV/N, Innoc,
LProt
Removal Instructions: Delete infected files
General Comments:
The Radyum virus was received in October, 1992. It is from the
United States. Radyum is a non-resident, direct action infector of
.COM programs, including COMMAND.COM.
When a program infected with the Radyum virus is executed, this
virus will infect one program located in the current directory.
Infected programs will have a file length increase of 448 bytes
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will
not be altered. The fourth and fifth bytes of infected programs
will be "II". The following text strings are encrypted within
the Radyum virus' code:
"radyum, the attitude adjuster,
brought to you by ViRuLeNT GRaFFiTi"
"\*.COM"
"????????COM"
"COMMAND.COM"
Radyum doesn't do anything besides replicate.
Known variant(s) of Radyum are:
Radyum 2-707: A 707 byte variant of the Radyum virus described
above, this variant infects one .COM program in the
current directory each time an infected program is
executed. If an uninfected program does not exist in
the current directory, it will move upward in the directory
structure until it locates a program to infect. Once it
reaches the root directory, if it doesn't locate an
uninfected .COM program to infect, it will create a hidden
file, HELLO.RAD, of 156 bytes which will contain the
following text:
" radyum, version 2, by the attitude adjuster"
" brought to you by ViRuLeNT GRaFFiTi"
" 07/31/92 Greets to Gary Watson!"
" look for us again in the future."
Radyum 2-707 adds 707 bytes to the .COM programs it
infects, with the virus being located at the end of the
file. The program's date and time in the DOS disk
directory listing will not be altered. The above text is
encrypted within the Radyum 2-707 viral code, as is the
following text string:
"Hello.Rad .. *.COM"
Infected programs may be identifed by the text string
"QQ" starting in the fourth byte of all infected files.
Origin: United States March 1993.
Radyum-B: A 698 byte variant of the Radyum virus described
above, this variant infects one .COM program in the
current directory each time an infected program is
executed. If an uninfected program does not exist in
the current directory, it will move upward in the directory
structure until it locates a program to infect. Once it
reaches the root directory, if it doesn't locate an
uninfected .COM program to infect, it will create a hidden
file, HELLO.RAD, of 147 bytes which will contain the
following text:
" radyum-b, by the attitude adjuster,"
" brought to you by ViRuLeNT GRaFFiTi"
" 07/31/92 Greets to Gary Watson!"
" look for us again in the future."
Radyum-B adds 698 bytes to the .COM programs it infects,
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The above text is encrypted within
the Radyum-B viral code, as is the following text string:
"Hello.Rad .. *.COM"
Infected programs may be identifed by the text string
"QQ" starting in the fourth byte of all infected files.
Origin: United States January 1993.
Radyum-C: A 860 byte variant of the Radyum virus described
above, this variant infects one .COM program in the
current directory each time an infected program is
executed. If an uninfected program does not exist in
the current directory, it will move upward in the directory
structure until it locates a program to infect. Once it
reaches the root directory, if it doesn't locate an
uninfected .COM program to infect, it will create a hidden
file, HELLO.RAD, of 221 bytes which will contain the
following text:
" radyum-c, by the attitude adjuster,"
" brought to you by ViRuLeNT GRaFFiTi"
" 08/18/92
" 6 out of 16 bytes will keep the same"
" position and value, not too bad in my"
" book! greets to patti hoffman, i love you!"
Radyum-C adds 860 bytes to the .COM programs it infects,
with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing
will not be altered. The above text is encrypted within
the Radyum-C viral code, as is the following text string:
"Hello.Rad .. *.COM"
Infected programs may be identifed by the text string
"QQ" starting in the fourth byte of all infected files.
Origin: United States January 1993.