RAM Virus Virus
Virus Name: RAM Virus
V Status: Rare
Discovery: May, 1991
Symptoms: .COM & .EXE growth; black box; programs deleted on Fri 13th;
TSR; system slowdown
Eff Length: 3,517 Bytes (.COM) & 1,808 - 1,822 Bytes (.EXE
Type Code: PRsAK - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, NAV, IBMAV, ViruScan, NAVDX, VAlert,
NShld, AVTK/N, NAV/N, IBMAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
The RAM Virus was received from Europe in May, 1991. The RAM Virus
is based on the Jerusalem virus. Like the Jerusalem viruses, it is
a memory resident infector of .COM, .EXE, and overlay files. It
will also infect COMMAND.COM.
The first time a program infected with the RAM Virus is executed,
the virus will install itself memory resident as a low system
memory TSR of 4,008 bytes. Interrupts 08 and 21 will be hooked.
Once memory resident, the RAM Virus will infect programs as they
are executed. The file length increase on infected .EXE programs
is the same as for the Jerusalem virus, 1,808 to 1,822 bytes,
with the virus being located at the end of the infected program.
The RAM Virus will reinfect already infected .EXE programs, adding
an additional 1,808 bytes to the file length.
How the RAM Virus infects .COM programs is the major difference
between this virus and other Jerusalem-based viruses. The RAM
Virus, when infecting .COM programs, places a copy of itself at
the beginning of the .COM program and another copy at the end.
The file length increase on .COM programs, other than COMMAND.COM,
will be 3,517 bytes. COMMAND.COM will only have an infection at
the end of the program, and a file length increase of 1,704 bytes.
Programs infected with RAM Virus will contain two text strings:
After the RAM Virus has been memory resident for 30 minutes, a
"black box" will appear on the lower left hand side of the screen.
The virus will also slow the system down by approximately 30
The RAM Virus activates on Friday the 13ths. If the virus becomes
memory resident on Friday the 13ths, it will delete programs as
the user attempts to execute them.