Rasek Virus


 Virus Name:  Rasek 
 Aliases:     Rasek.1490, Coruña 
 V Status:    Rare 
 Discovery:   July, 1994 
 Symptoms:    .COM & .EXE growth; MBR & Diskette Boot Sector altered; 
              decrease in total system & available free memory; 
              file date/time seconds = "62" 
 Origin:      Spain 
 Eff Length:  1,490 - 1,506 Bytes 
 Type Code:   PRhAKXB - Parasitic Resident .COM .EXE MBR & Boot Sect Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, Sweep, 
                    NAV, NAVDX, VAlert, 
                    AVTK/N, Sweep/N, NProt, NShld, IBMAV/N, NAV/N 
 Removal Instructions:  Delete infected files, Replace MBR, DOS SYS on 
              system diskettes 
 General Comments: 
       The Rasek, Rasek.1490 or Coruña, virus was received in July, 1994. 
       It is originally from Spain.  Rasek is a memory resident multi- 
       partite virus which infects the system hard disk master boot record 
       (the sector containing the hard disk partition table), diskette 
       boot sectors, .COM and .EXE files, including COMMAND.COM. 
 
       When the first Rasek infected program is executed, this virus will 
       infect the system hard disk master boot record and become memory 
       resident.  If the program was executed from a diskette, the virus 
       will also infect the diskette boot sector.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 2,048 bytes; interrupt 12's return is not moved. 
       Interrupts 13 and 21 will be hooked by the virus in memory. 
 
       Once the virus is memory resident, either from booting from the 
       infected system hard disk or executing an infected file, this virus 
       will infect .COM and .EXE programs, including COMMAND.COM.  Infected 
       .COM files will have a file length increase of 1,490 bytes while .EXE 
       files will increase in size by 1,490 to 1,506 bytes.  In both cases, 
       the virus will be located at the end of the file.  The program's date 
       and time in the DOS disk directory listing will not appear to be 
       altered, though the seconds field will have been set to "62".  The 
       following text strings are encrypted within the Rasek viral code: 
 
               "RaseK v2.0 from LA CORUÑA(SPAIN). Mar93" 
               "Invalid Partition Table" 
               "Error Loading Operating System" 
 
       Known variant(s) of Rasek are: 
       Rasek.1492: Based on the Rasek virus described above, this is a 
           later version.  It adds 1,492 bytes to the .COM files it infects, 
           and 1,492 to 1,508 bytes to the .EXE files.  The virus will be 
           located at the end of the file.  The following text strings are 
           encrypted within the viral code: 
               "RaseK << v3.1, from La Coruña(SPAIN). Ap 93" 
               "MSDOS3.3" 
               "Non-System disk or disk error" 
               "Replace and strike any key when ready" 
               "Disk Boot failure" 
           Origin:  Spain  July, 1994. 
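
The seconds = "62" symptom described above can be checked directly in a FAT directory, where the 16-bit time word stores seconds in 2-second units, so a field value of 31 reads as 62 seconds and is never produced by a normal clock write. The following is an added example, not part of the original entry: it assumes the raw bytes of a directory region have already been read from a disk image, and the function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32           # one FAT directory entry
ATTR_SKIP = 0x08 | 0x10   # volume label (also set in long-name entries) or subdirectory

def decode_time(raw):
    """Split a 16-bit FAT time word into (hours, minutes, seconds)."""
    # bits 15-11 hours, 10-5 minutes, 4-0 seconds/2; field value 31 reads as 62 s
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2

def suspicious_entries(directory, exts=("COM", "EXE")):
    """Return (name, size, time) for live .COM/.EXE entries stamped with 62 seconds."""
    hits = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:            # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & ATTR_SKIP:   # deleted, label, LFN, subdir
            continue
        name = entry[0:8].decode("ascii", "replace").rstrip()
        ext = entry[8:11].decode("ascii", "replace").rstrip()
        (wtime,) = struct.unpack_from("<H", entry, 22)  # last-write time
        (size,) = struct.unpack_from("<I", entry, 28)   # file size in bytes
        h, m, s = decode_time(wtime)
        if ext in exts and s == 62:
            hits.append((f"{name}.{ext}", size, f"{h:02d}:{m:02d}:{s:02d}"))
    return hits

def make_entry(name, ext, hours, minutes, sec_field, size):
    """Build one constructed directory entry (sample data, not from a real disk)."""
    e = bytearray(ENTRY_SIZE)
    e[0:8] = name.ljust(8).encode("ascii")
    e[8:11] = ext.ljust(3).encode("ascii")
    e[11] = 0x20                                          # archive attribute
    struct.pack_into("<H", e, 22, (hours << 11) | (minutes << 5) | sec_field)
    struct.pack_into("<I", e, 28, size)
    return bytes(e)

# Constructed sample directory: names and sizes are illustrative only.
SAMPLE_DIR = (
    make_entry("COMMAND", "COM", 12, 0, 31, 26797)       # 62-second stamp
    + make_entry("EDIT", "EXE", 9, 30, 15, 41000)        # normal 30-second stamp
    + make_entry("README", "TXT", 9, 30, 31, 1200)       # 62 s but not .COM/.EXE
    + b"\xe5" + make_entry("OLD", "COM", 1, 1, 31, 900)[1:]  # deleted entry
    + bytes(ENTRY_SIZE)                                   # end-of-directory
)

if __name__ == "__main__":
    for name, size, stamp in suspicious_entries(SAMPLE_DIR):
        print(f"{name:<12} {size:>8} bytes  write time {stamp}")
```

A hit is a triage indicator only; confirm it with one of the scanners listed under Detection Method before acting on it.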
