 
Arf Virus 
 
 Virus Name:  Arf 
 Aliases:     Rigor Mortis, Thor 
 V Status:    Rare 
 Discovery:   March, 1991 
 Isolated:    United States 
 Symptoms:    .COM growth; messages 
 Origin:      Canada 
 Eff Length:  1,000 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Arf, Thor, or Rigor Mortis virus was submitted in March, 1991 
       from the United States.  Arf is a virus written by RABID, which is 
       based in Canada.  This virus is a non-resident infector of .COM 
       files, including COMMAND.COM.  Arf is based on the Vienna virus, 
       and some anti-viral programs may identify it as Vienna. 
 
       When a program infected with Arf is executed, the virus will check 
       to see if COMMAND.COM has been previously infected.  If it is not 
       infected, the virus will infect it and display the message: 
 
               "Rigor Mortis !!! 
                  I am Hi.pas" 
 
       After checking (and possibly infecting) COMMAND.COM, the virus will 
       search the current directory for one .COM program to infect.  If an 
       uninfected .COM program is found, it will be infected and the 
       following message will be displayed: 
 
               "Arf krad krad krad 
                  krad krad kr" 
 
       The virus will then proceed to check the B: drive for a file to 
       infect. 
 
       Files infected with the Arf virus will have a file length increase 
       of 1,000 bytes.  The virus will be located at the end of the 
       infected program.  The above text messages can be found within the 
       infected files. 
 
       The Arf virus may not be in the public domain; the original sample 
       submitted is not a natural infection of the virus.  Its name comes 
       from the "Arf" string displayed when files other than COMMAND.COM 
       are infected.  Its alias of Thor was given because it is believed to 
       have been written by a group calling itself Thor. 
 
       Note: the original sample of this virus was on an .EXE file, and is 
       not a natural infection.  This virus may be a research virus and not 
       in the public domain. 
 
       Known variant(s) of Arf are: 
       Arf-B: Arf-B was submitted in May, 1991.  It is from the United 
              States.  This variant appears to be an earlier version of the 
              Arf virus described above.  When a program infected with 
              Arf-B is executed, it will check the current directory for an 
              uninfected .COM program to infect.  If an uninfected .COM 
              program is found, it will infect the program.  The B: drive 
              may also be accessed.  Whether or not a program was infected, 
              it will then display the message: 
 
                       "Arf Arf Got you! 
                        -- RABID '90" 
 
              Infected programs will have a file length increase of 1,000 
              bytes, and their date and time in the disk directory will be 
              altered, though not to the current system date and time. 
 
              Execution of COMMAND.COM after it has become infected will 
              result in the following messages, and a system hang: 
 
                       "EXEC failure 
                        Memory allocation error 
                        Cannot start COMMAND, exiting" 
 
              .COM programs infected with Arf-B will usually fail to 
              function once infected, resulting in a system hang.