Virus Name: Rasek
Aliases: Rasek.1490, Coru¤a
V Status: Rare
Discovery: July, 1994
Symptoms: .COM & .EXE growth; MBR & Diskette Boot Sector altered;
decrease in total system & available free memory;
file date/time seconds = "62"
Eff Length: 1,490 - 1,506 Bytes
Type Code: PRhAKXB - Parasitic Resident .COM .EXE MBR & Boot Sect Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep,
NAV, NAVDX, VAlert,
AVTK/N, Sweep/N, NProt, NShld, IBMAV/N, NAV/N
Removal Instructions: Delete infected files, Replace MBR, DOS SYS on
The Rasek, Rasek.1490 or Coru¤a, virus was received in July, 1994.
It is originally from Spain. Rasek is a memory resident multi-
partite virus which infects the system hard disk master boot record
(the sector containing the hard disk partition table), diskette
boot sectors, .COM and .EXE files, including COMMAND.COM.
When the first Rasek infected program is executed, this virus will
infect the system hard disk master boot record and become memory
resident. If the program was executed from a diskette, the virus
will also infect the diskette boot sector. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 2,048 bytes, not moving interrupt 12's return.
Interrupts 13 and 21 will be hooked by the virus in memory.
Once the virus is memory resident, either from booting from the
infected system hard disk or executing an infected file, this virus
will infect .COM and .EXE programs, including COMMAND.COM. Infected
.COM files will have a file length increase of 1,490 bytes while .EXE
files will increase in size by 1,490 to 1,506 bytes. In both cases,
the virus will be located at the end of the file. The program's date
and time in the DOS disk directory listing will not appear to be
altered, though the seconds field will have been set to "62". The
following text strings are encrypted within the Rasek viral code:
"RaseK v2.0 from LA CORU¥A(SPAIN). Mar93"
"Invalid Partition Table"
"Error Loading Operating System"
Known variant(s) of Rasek are:
Rasek.1492: Based on the Rasek virus described above, this is a
later version. It adds 1,492 bytes to the .COM files it infects,
and 1,492 to 1,508 bytes to the .EXE files. The virus will be
located at the end of the file. The following text strings are
encrypted within the viral code:
"RaseK << v3.1, from La Coru¤a(SPAIN). Ap 93"
"Non-System disk or disk error"
"Replace and strike any key when ready"
"Disk Boot failure"
Origin: Spain July, 1994.