Rybka Virus


 Virus Name:  Rybka 
 Aliases:    
 V Status:    Rare 
 Discovery:   November, 1991 
 Symptoms:    .COM & .EXE growth; TSR; program execution failures; 
              boot failures 
 Origin:      Unknown 
 Eff Length:  123 Plus Bytes 
 Type Code:   PRAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, NAV, F-Prot, AVTK, ViruScan, NAVDX, 
                    IBMAV, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Rybka virus was received in November, 1991.  Its origin is 
       unknown.  Rybka is a memory resident infector of .COM and .EXE 
       programs, including COMMAND.COM. 
 
       The first time a program infected with Rybka is executed, the 
       Rybka virus will install itself memory resident as a low system 
       memory TSR of 1.3K bytes, hooking interrupt 21.  Since the 
       Rybka virus cannot later recognize that it has already installed 
       its TSR, it will install it again each time an infected program 
       is executed.  As a result, available free memory on infected 
       systems will continue to decrease in 1.3K increments as the 
       infection progresses. 
 
       Once Rybka is memory resident, it will infect .COM and .EXE programs 
       over 132 bytes in length when they are executed.  If COMMAND.COM 
       is executed, it will become infected as well.  Rybka-infected 
       programs will increase in size by at least 132 bytes, though in 
       many cases the file size increase may be over 13,000 bytes.  In 
       any event, the virus will be located at the end of the infected 
       file.  The file's date and time in a DOS disk directory listing 
       will not have been altered.  The following text string can be found 
       in infected files: 
 
               "VACSINA" 
 
       Besides the increasing loss of available free memory while the virus 
       is memory resident, Rybka-infected systems will experience programs 
       failing to execute properly, returning the user to the DOS 
       prompt.  If COMMAND.COM becomes infected, the system will fail 
       to boot. 
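
A triage check built from the indicators in this entry (an added example, not part of the original listing): it flags .COM and .EXE files that are large enough to be infected and whose tail contains the "VACSINA" string. The function names and the 16 KB tail window are assumptions; a string hit is a lead for one of the listed scanners to confirm, not a diagnosis.

```python
import os
import tempfile

MARKER = b"VACSINA"            # text string the entry reports in infected files
MIN_INFECTED_SIZE = 133 + 132  # host over 132 bytes, plus at least 132 bytes of growth
TAIL_WINDOW = 16 * 1024        # assumption: wide enough for the 13,000+ byte growth case

def marker_offset_from_end(path):
    """Return how many bytes before end-of-file the marker starts, or None."""
    if not path.lower().endswith((".com", ".exe")):
        return None
    size = os.path.getsize(path)
    if size < MIN_INFECTED_SIZE:
        return None
    start = max(0, size - TAIL_WINDOW)   # the entry places the virus at the end of the file
    with open(path, "rb") as fh:
        fh.seek(start)
        tail = fh.read()
    idx = tail.rfind(MARKER)
    return None if idx < 0 else size - (start + idx)

def scan_tree(root):
    """Walk root and return {relative path: marker offset from EOF} for flagged files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            off = marker_offset_from_end(full)
            if off is not None:
                hits[os.path.relpath(full, root)] = off
    return hits

def demo():
    """Scan constructed sample files (inert filler bytes, no virus code)."""
    samples = {
        "CLEAN.COM": b"\x90" * 400,
        "FLAGGED.EXE": b"MZ" + b"\x00" * 560 + MARKER + b"\x00" * 65,
        "NOTES.TXT": b"mentions VACSINA " * 40,   # wrong extension: ignored
        "TINY.COM": MARKER + b"\x00" * 50,        # too small to be an infected file
        "HEAD.COM": MARKER + b"\x00" * 20000,     # marker outside the tail window
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Since the entry says file dates and times are not altered, a size comparison against known-good copies complements this check better than timestamps do.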
