R-10 Virus

Virus Name: R-10 Aliases: DataRape-10, Rape-10 V Status: Rare Discovery: September, 1991 Symptoms: .COM file growth; decrease in total system and available memory; overwrites system hard disk Origin: Canada Eff Length: 500 Bytes Type Code: PRhCK - Parasitic Resident .COM Infector Detection Method: ViruScan, F-Prot, Sweep, AVTK, PCScan, NAV, IBMAV, NAVDX, VAlert, ChAV. NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The R-10, DataRape-10, or Rape-10 virus was isolated in September, 1991, and originated in Canada. R-10 is a memory resident infector of .COM files, including COMMAND.COM. It is one of the viruses which the RABID group claims responsibility for writing. The first time a program infected with R-10 is executed, R-10 will install itself memory resident at the top of system memory but below the 640K DOS boundary. Interrupts 21 and 69 will be hooked by R-10 in memory. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 528 bytes. Once R-10 is memory resident, it will infect .COM programs, including COMMAND.COM, when they are executed. Infected .COM programs will increase in size by 500 bytes, the virus being located at the end of the infected file. There will be no change in the file date/time in the DOS disk directory. R-10 activates on a random basis, at which time it will overwrite the system hard disk when a program is executed. The overwriting of the hard disk starts at the C: drive boot sector, with the virus writing to the hard disk the program the user was attempting to execute. Once the virus completes writing this program to the disk, it will continue formatting the hard drive, writing sectors full of x'FF' characters until the user powers off the system. R-10 is probably an earlier version of the R-11 virus. See: R-11