Rider Virus


 Virus Name:  Rider 
 Aliases:     Rider.577 
 V Status:    Rare 
 Discovery:   August, 1994 
 Symptoms:    .COM file growth; C: drive system files may be deleted 
 Origin:      Norway 
 Eff Length:  577 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  AVTK, NAV, IBMAV, Sweep, ViruScan, 
                    F-Prot, NAVDX, VAlert, ChAV, 
                    AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N, NProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Rider virus was received in August, 1994, and appears to be from 
       Norway.  It is a non-resident, direct action infector of .COM files, 
       including COMMAND.COM. 
 
       When a program infected with the Rider virus is executed, this virus 
       will infect one .COM file located in the current directory.  Infected 
       programs will have a file length increase of 577 bytes with the virus 
       being located at the end of the file.  The program's date and time in 
       the DOS disk directory listing will not be altered.  The following 
       text strings are encrypted within the Rider viral code: 
 
               "The iNFiLtRAtOR Virus by The Dark Rider from Norway-93" 
               "*.COM .." 
               "C:\COMMAND.COM C:\DOS\COMMAND.COM C:\IO.SYS C:\MSDOS.SYS" 
 
       The Rider virus will delete the files indicated in the third text 
       string above, which results in the system failing to boot from the 
       system hard disk.  To resolve this problem, the user must boot from 
       an uninfected, write-protected system disk, then replace the 
       files by using the DOS SYS command and copying COMMAND.COM to the C: 
       drive root and DOS directories. 
 
       Known variant(s) of Rider are: 
       Rider.575: Received in January, 1996, this is a 575 byte variant 
           of the Rider virus described above.  It infects one .COM file 
           in the current directory when an infected program is executed, 
           increasing the host program's size by 575 bytes.  The virus will 
           be located at the end of the file and the program's date and time 
           in the DOS disk directory listing will not be altered.  The 
           following text strings are encrypted within the viral code: 
           "The iNFiLtRAtOR Virus by The Dark Rider from Norway-93" 
           "*.COM.." 
           "C:\COMMAND. C:\DOS\COMMAND.COM C:\IO.SYS C:\MSDOS.SYS" 
           As with the original virus, this variant deletes the files 
           indicated in the third text string above, resulting in the 
           system failing to boot from the system hard disk. 
           Origin: Norway  January, 1996. 
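
An added example, not part of the original entry: a Python baseline check that flags .COM files which grew by exactly 577 or 575 bytes while keeping their directory timestamp, or which have disappeared, matching the symptoms listed above. The function names, dummy file names and timestamp are assumptions constructed for illustration.

```python
import os
import tempfile

# Growth values from the entry above: 577 bytes (Rider) and 575 bytes (Rider.575).
RIDER_GROWTH = {577: "Rider.577", 575: "Rider.575"}

def snapshot(directory):
    """Map each .COM file name to (size, mtime in whole seconds)."""
    snap = {}
    for entry in os.scandir(directory):
        if entry.is_file() and entry.name.upper().endswith(".COM"):
            st = entry.stat()
            snap[entry.name.upper()] = (st.st_size, int(st.st_mtime))
    return snap

def compare(baseline, current):
    """Flag files that are gone, or that grew by a listed amount with mtime unchanged."""
    findings = []
    for name, (old_size, old_mtime) in sorted(baseline.items()):
        if name not in current:
            findings.append((name, "missing"))
            continue
        new_size, new_mtime = current[name]
        variant = RIDER_GROWTH.get(new_size - old_size)
        if variant and new_mtime == old_mtime:
            findings.append((name, variant))
    return findings

def grow(path, extra, stamp):
    """Test helper: append zero padding, then put the old timestamp back."""
    with open(path, "ab") as f:
        f.write(b"\0" * extra)
    os.utime(path, (stamp, stamp))

def demo():
    """Run the check over constructed dummy files in a temporary directory."""
    stamp = 757382400  # constructed timestamp
    with tempfile.TemporaryDirectory() as d:
        for name, size in (("EDIT.COM", 1000), ("MORE.COM", 2000),
                           ("SORT.COM", 3000), ("COMMAND.COM", 4000)):
            grow(os.path.join(d, name), size, stamp)
        baseline = snapshot(d)
        grow(os.path.join(d, "EDIT.COM"), 577, stamp)
        grow(os.path.join(d, "MORE.COM"), 575, stamp)
        grow(os.path.join(d, "SORT.COM"), 100, stamp)  # ordinary change, not flagged
        os.remove(os.path.join(d, "COMMAND.COM"))
        return compare(baseline, snapshot(d))

if __name__ == "__main__":
    for name, verdict in demo():
        print(name, verdict)
```

A size match alone is only a lead: legitimate updates can change a file by the same amount, so flagged files still need confirmation with a scanner.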
