RPVS Virus
Virus Name: RPVS
Aliases: 453, TUQ
V Status: Endangered
Discovery: August, 1990
Symptoms: .COM growth
Origin: West Germany
Eff Length: 453 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, NAV/N,
AVTK/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The RPVS, or 453, virus was discovered in West Germany in early
August, 1990. This virus is a non-resident infector of .COM files.
The RPVS is named for an unusual string that appears in a file dump
of the virus - "TUQ.RPVS" - this is not really a text string, but a
series of PUSH instructions.
The RPVS virus is a rather unsophisticated virus. Whenever a .COM
program infected with the RPVS or 453 virus is executed, the virus
will look for an uninfected .COM file in the current directory.
The virus determines if the .COM file has been previously infected
by checking to see if the last two bytes of the file are 9090h. If
the last two bytes are not 9090h, the file will be infected,
appending 453 bytes of viral code to the end of the file. One .COM
file is infected each time an infected program is executed.
COMMAND.COM will not normally be infected.
This virus does not contain any logic to activate and cause damage
in its current state. It does contain many NOP instructions and
odd jumps which leave plenty of space for later additions.
Known variant(s) of RPVS are:
RPVS-B: The RPVS virus after additional bytes have been added to
the end of an infected program. When this occurs, the
virus will act differently. It will not be able to
determine that it has already infected a .COM file, so it
will reinfect the first .COM file it finds in the current
directory over and over again.
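
The following is an added example, not part of the original entry and not code from the virus: it decodes the "TUQ.RPVS" dump string as 8086 opcodes and applies the entry's 9090h end-of-file marker as a triage check that also flags the RPVS-B case, where trailing bytes hide the marker. The function names, verdict labels and sample bytes are constructed for illustration, and the check assumes the dump string lies inside the appended 453 bytes.

```python
PUSH_R16 = dict(zip(range(0x50, 0x58), "AX CX DX BX SP BP SI DI".split()))
CS_PREFIX = 0x2E            # 8086 CS segment-override prefix ('.' in ASCII)
VIRUS_LEN = 453             # effective length stated in the entry
MARKER = b"\x90\x90"        # infection marker: last two bytes are 9090h
DUMP_STRING = b"TUQ.RPVS"   # string seen in a file dump of the virus

def decode_pushes(data):
    """Render bytes made only of PUSH r16 opcodes and CS: prefixes as 8086 asm."""
    out, prefix = [], ""
    for b in data:
        if b == CS_PREFIX:
            prefix = "CS: "  # no effect on a register push, but it still decodes
        elif b in PUSH_R16:
            out.append(f"{prefix}PUSH {PUSH_R16[b]}")
            prefix = ""
        else:
            raise ValueError(f"byte {b:#04x} is not a PUSH r16 opcode")
    return out

def triage_com(image):
    """Return (verdict, copies of the dump string) for one .COM file's bytes."""
    copies = image.count(DUMP_STRING)
    marker_at_eof = len(image) > VIRUS_LEN and image.endswith(MARKER)
    in_tail = DUMP_STRING in image[-VIRUS_LEN:]
    if marker_at_eof and in_tail:
        return "rpvs-suspect", copies
    if copies:
        # String present but no marker at end of file: consistent with the
        # RPVS-B description (bytes added after the infected program).
        return "rpvs-b-suspect", copies
    if marker_at_eof:
        return "marker-only", 0  # two trailing NOPs alone are a weak signal
    return "clean", 0

def constructed_samples():
    """Inert, constructed byte strings for the demo; NOT real virus code."""
    host = b"\xB4\x4C\xCD\x21" + b"\x00" * 60   # stand-in host program
    body = (b"\x90" * 100 + DUMP_STRING).ljust(VIRUS_LEN, b"\x90")
    return {
        "clean": host,
        "infected": host + body,
        "trailing_bytes": host + body + b"\x1A",
    }

if __name__ == "__main__":
    print(decode_pushes(DUMP_STRING))
    for name, image in constructed_samples().items():
        print(name, triage_com(image))
```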