Rael Virus
Virus Name: Rael
Aliases:
V Status: Rare
Discovery: April, 1994
Symptoms: .COM file growth; programs deleted upon execution; message; unexpected access to C: drive; TSR
Origin: Argentina
Eff Length: 3,211 - 3,226 Bytes
Type Code: PRsC - Parasitic Resident .COM Infector
Detection Method: F-Prot, Sweep, AVTK, ViruScan, NAV, NAVDX, VAlert, IBMAV, ChAV, NProt, AVTK/N, Sweep/N, NShld, NAV/N, IBMAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:

The Rael virus was received from Argentina in April, 1994. This
virus is a memory resident direct action infector of particular
.COM programs located in the C:\DOS directory.

When the first Rael infected program is executed, this virus will
install itself memory resident as a low system memory TSR of 3,268
bytes, hooking interrupt 21. The virus will also access the C:
drive at this time with the express purpose of infecting the
following programs:

"c:\dos\sys.com"
"c:\dos\dosshell.com"
"c:\dos\format.com"
"c:\dos\keyb.com"

If these programs were not previously infected, the Rael virus
will infect them. The infected programs will have a file length
increase of 3,211 to 3,226 bytes with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered.

Next, the virus will display the following message on the system
display:

"RAEL IMPERIAL AEROSOL KID"

Once the above actions have been performed, the virus will delete
any programs the user attempts to execute.
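The symptoms described above (growth of 3,211 to 3,226 bytes in four specific files, with the directory date and time left unchanged) can be checked against a known-clean baseline. The following is an added example, not part of the original entry; the function names, verdict labels and sample sizes are assumptions, and it presumes the baseline was recorded before infection and that the check runs against a disk image or from a clean boot.

```python
import os

# Target programs and growth range as given in the description above.
RAEL_TARGETS = (r"c:\dos\sys.com", r"c:\dos\dosshell.com",
                r"c:\dos\format.com", r"c:\dos\keyb.com")
GROWTH_MIN, GROWTH_MAX = 3211, 3226

def snapshot(paths=RAEL_TARGETS):
    """Record (size, mtime) per existing file; keys are lower-cased paths."""
    snap = {}
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # absent files show up as "missing" in classify()
        snap[path.lower()] = (st.st_size, int(st.st_mtime))
    return snap

def classify(baseline, current):
    """Compare a known-clean baseline snapshot with a later one."""
    verdicts = {}
    for path, (old_size, old_mtime) in baseline.items():
        if path not in current:
            verdicts[path] = "missing"    # consistent with deletion on execute
            continue
        new_size, new_mtime = current[path]
        growth = new_size - old_size
        if GROWTH_MIN <= growth <= GROWTH_MAX and new_mtime == old_mtime:
            verdicts[path] = "rael-like"  # grew in range, timestamp untouched
        elif growth or new_mtime != old_mtime:
            verdicts[path] = "changed"    # modified, but not this pattern
        else:
            verdicts[path] = "clean"
    return verdicts

if __name__ == "__main__":
    # Constructed sample snapshots: sizes and timestamps are made up.
    t = 749000000
    baseline = {RAEL_TARGETS[0]: (9432, t), RAEL_TARGETS[1]: (4620, t),
                RAEL_TARGETS[2]: (22974, t), RAEL_TARGETS[3]: (14986, t)}
    current = {RAEL_TARGETS[0]: (9432 + 3211, t),   # grew, same timestamp
               RAEL_TARGETS[2]: (22974, t),         # untouched
               RAEL_TARGETS[3]: (14986 + 3226, t)}  # grew, same timestamp
    for path, verdict in classify(baseline, current).items():
        print(f"{verdict:10} {path}")
```

A "rael-like" verdict only says the size and timestamp pattern matches the description; confirmation still needs one of the scanners listed under Detection Method.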

The above message text string, as well as the above file names, are
encrypted within the viral code, as well as the following additional
text strings:

"01/NOV/93 por RAEL"
"comCOMMANDcommand"
"RAEL IMPERIAL AEROSOL KID VIRUS III"
"-Buenos Aires-Argentina...Rael, Imperial Aerosol Kid-"
"Exists in the daylight, spraygun head...-SaTaN"
"C BRaIn B.B.S. 383-7480 Las 24 Horas"