Rubbit Virus

Virus Name: Rubbit Aliases: Rubbit.681 V Status: Rare Discovery: July, 1994 Symptoms: .COM file growth; file date/time changes; possibly system hangs Origin: Unknown Eff Length: 681 Bytes Type Code: PRfCK - Parasitic Resident .COM Infector Detection Method: F-Prot, AVTK, IBMAV, ViruScan, NAV, Sweep, NAVDX, VAlert, PCScan, ChAV, AVTK/N, Sweep/N, IBMAV/N, NShld, NProt, NAV/N, Innoc, LProt Removal Instructions: Delete infected files General Comments: The Rubbit, or Rubbit.681, virus was submitted in July, 1994, along with four variants of the virus. Rubbit is a memory resident infector of .COM programs, including COMMAND.COM. The description included here is for Rubbit.681, three of the four remaining variants are included below. One variant, Rubbit.3811, did not replicate and is thus not included. When the first Rubbit infected program is executed, this virus will install itself memory resident in available system memory, at 9000, hooking interrupt 21. Since it is in available memory, a system hang could occur if any program executed by the system user overwrites this area. There will be no change to total system and available free memory as indicated by the DOS CHKDSK program. Once memory resident, the Rubbit virus will infect .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 681 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will have been updated to the current system date and time when infection occurred. The following text string can be found within the viral code in all infected programs: "RUBBIT.$$$" It is unknown what Rubbit may do besides replicate. Known variant(s) of Rubbit are: Rubbit.1018: Rubbit.1018 is a 1,018 byte variant of the Rubbit virus described above. It infects .COM programs, including COMMAND.COM, when they are executed. Infected programs will have a file length increase of 1,018 bytes with the virus being located at the end of the file. The file length increase will not be visible in the DOS disk directory listing when the virus is memory resident. The file's date and time in the DOS disk directory listing will not be altered. The following text string can be found within the viral code in all infected files: "RUBBIT.$$$" The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident. Origin: Unknown July, 1994. Rubbit.2060: Rubbit.2060 is a 2,060 byte variant of the Rubbit virus described above. This variant becomes memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 11,288 bytes. Interrupt 21 will be hooked. It infects .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected .COM files will have a file length increase of 2,060 bytes while .EXE files increase by 2,060 to 2,075 bytes. The file length increase will be hidden by the virus when it is memory resident. In both cases, the virus will be located at the end of the file. The file's date and time in the DOS disk directory listing will not be altered. The following text string can be found within the viral code: "RuBBit" The following text strings are encrypted within the viral code: "## << How do you do >> ##" "## !! Today is My Birthday !! ##" "$$ OH! YES! Happy Birthday To You ! $$" The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident. Origin: Unknown July, 1994. Rubbit.3164: Rubbit.3164 is a 3,164 byte variant of the Rubbit virus described above. This variant becomes memory resident as a low system memory TSR of 6,928 bytes, hooking interrupt 21. It infects .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected files will have a file length increase of 3,164 bytes with the virus being located at the end of the file. The file length increase will be hidden by the virus when it is memory resident. The file's date in the DOS disk directory listing will not be altered, but the time field will have been updated to the system time when infection occurred. The following text string can be found within the viral code: "RuBBit" The following text strings are encrypted within the viral code: "## RuBBit Version 2.2 Written by [P.F] in Taiwan. ##" "## This idea is from Dark Slayer. 1994/05/02 ##" "RuBBitRuBBit" The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident. The virus will disinfect programs when they are read into memory thus hiding the file infection further from the user. Origin: Unknown January, 1996. Rubbit.3839: Rubbit.3839 is a 3,839 byte variant of the Rubbit virus described above. This variant becomes memory resident as a low system memory TSR of 8,272 bytes, hooking interrupt 21. It infects .COM and .EXE programs, including COMMAND.COM, when they are executed. Infected files will have a file length increase of 3,839 bytes with the virus being located at the end of the file. The file length increase will be hidden by the virus when it is memory resident. The file's date and time in the DOS disk directory listing will not be altered. The following text strings can be found within the viral code: "RuBBit" The following text strings are encrypted within the viral code: "## !! RuBBit Version 2.0 !! ##" "## << How do you do >> ##" "## !! Today is My Birthday !! ##" "$$ OH! YES! Happy Birthday To You ! $$" The DOS CHKDSK program will indicate file allocation errors on all infected files when the virus is memory resident. The virus will disinfect programs when they are read into memory thus hiding the file infection further from the user. Origin: Unknown July, 1994.