Virus Name: R-10
Aliases: DataRape-10, Rape-10
V Status: Rare
Discovery: September, 1991
Symptoms: .COM file growth; decrease in total system and available
memory; overwrites system hard disk
Eff Length: 500 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, PCScan,
NAV, IBMAV, NAVDX, VAlert, ChAV.
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The R-10, DataRape-10, or Rape-10 virus was isolated in September,
1991, and originated in Canada. R-10 is a memory resident infector
of .COM files, including COMMAND.COM. It is one of the viruses
which the RABID group claims responsibility for writing.
The first time a program infected with R-10 is executed, R-10 will
install itself memory resident at the top of system memory but below
the 640K DOS boundary. Interrupts 21 and 69 will be hooked by R-10
in memory. Total system and available free memory, as indicated by
the DOS CHKDSK program, will have decreased by 528 bytes.
Once R-10 is memory resident, it will infect .COM programs, including
COMMAND.COM, when they are executed. Infected .COM programs will
increase in size by 500 bytes, the virus being located at the end
of the infected file. There will be no change in the file date/time
in the DOS disk directory.
R-10 activates on a random basis, at which time it will overwrite
the system hard disk when a program is executed. The overwriting
of the hard disk starts at the C: drive boot sector, with the virus
writing to the hard disk the program the user was attempting to
execute. Once the virus completes writing this program to the
disk, it will continue formatting the hard drive, writing sectors
full of x'FF' characters until the user powers off the system.
R-10 is probably an earlier version of the R-11 virus.