RAM Virus


 Virus Name:  RAM Virus 
 Aliases: 
 V Status:    Rare 
 Discovery:   May, 1991 
 Symptoms:    .COM & .EXE growth; black box; programs deleted on Fri 13th; 
              TSR; system slowdown 
 Origin:      Europe 
 Eff Length:  3,517 Bytes (.COM) & 1,808 - 1,822 Bytes (.EXE)
 Type Code:   PRsAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  AVTK, NAV, IBMAV, ViruScan, NAVDX, VAlert, 
                    PCScan, ChAV, 
                    NShld, AVTK/N, NAV/N, IBMAV/N, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The RAM Virus was received from Europe in May, 1991.  The RAM Virus 
       is based on the Jerusalem virus.  Like the Jerusalem viruses, it is 
       a memory resident infector of .COM, .EXE, and overlay files.  It 
       will also infect COMMAND.COM. 
 
       The first time a program infected with the RAM Virus is executed, 
       the virus will install itself memory resident as a low system 
       memory TSR of 4,008 bytes.  Interrupts 08 and 21 will be hooked. 
 
       Once memory resident, the RAM Virus will infect programs as they 
       are executed.  The file length increase on infected .EXE programs 
       is the same as for the Jerusalem virus, 1,808 to 1,822 bytes, 
       with the virus being located at the end of the infected program. 
       The RAM Virus will reinfect already infected .EXE programs, adding 
       an additional 1,808 bytes to the file length. 
 
       How the RAM Virus infects .COM programs is the major difference 
       between this virus and other Jerusalem-based viruses.  The RAM 
       Virus, when infecting .COM programs, places a copy of itself at 
       the beginning of the .COM program and another copy at the end. 
       The file length increase on .COM programs, other than COMMAND.COM, 
       will be 3,517 bytes.  COMMAND.COM will only have an infection at 
       the end of the program, and a file length increase of 1,704 bytes. 
 
       Programs infected with RAM Virus will contain two text strings: 
 
               "sUMsDOS" 
               "COMMAND.COM" 
 
       After the RAM Virus has been memory resident for 30 minutes, a 
       "black box" will appear on the lower left hand side of the screen. 
       The virus will also slow the system down by approximately 30 
       percent. 
 
       The RAM Virus activates on Friday the 13th.  If the virus becomes
       memory resident on a Friday the 13th, it will delete programs as
       the user attempts to execute them.
 
       See:   Jerusalem 
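
The two text strings and the file-length increases listed above can be combined into a simple triage check. The Python below is an added example, not part of the original entry or of any scanner it lists; the function names are hypothetical, overlay files are skipped because the entry gives no extension for them, and since the RAM Virus is based on Jerusalem a hit is a lead for closer inspection that may point to a related variant.

```python
import os
import sys

# Text strings the entry says every infected program contains.
MARKERS = (b"sUMsDOS", b"COMMAND.COM")

# File-length increase per host type, in bytes, from the entry above.
# For .EXE the low end of the 1,808-1,822 range is used.
GROWTH = {"command.com": 1704, ".com": 3517, ".exe": 1808}


def host_kind(path):
    """Return the GROWTH key that applies to this file name, or None."""
    name = os.path.basename(path).lower()
    if name == "command.com":
        return "command.com"  # infected at the end only, so smaller growth
    ext = os.path.splitext(name)[1]
    return ext if ext in GROWTH else None


def triage(path):
    """Classify one file as 'suspect', 'no_match' or 'skipped'."""
    kind = host_kind(path)
    if kind is None:
        return "skipped"
    with open(path, "rb") as fh:
        data = fh.read()
    if len(data) <= GROWTH[kind]:
        return "no_match"  # too small to be a host plus the added bytes
    # "COMMAND.COM" alone is common in clean programs, so require both strings.
    return "suspect" if all(m in data for m in MARKERS) else "no_match"


def scan(root):
    """Walk a directory tree and return the sorted paths triaged as suspect."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if triage(path) == "suspect":
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspect:", hit)
```

Run it against a mounted disk image or an extracted archive directory; matching files should be confirmed with one of the scanners listed under Detection Method before deletion.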
