Virus Name: Rattle
Aliases: Death Rattle
V Status: Rare
Discovery: July, 1992
Symptoms: .COM file growth; system hangs; file time seconds = 62
Eff Length: 615 Bytes
Type Code: PRaCK - Parasitic Resident .COM Infector
Detection Method: Sweep, ViruScan, F-Prot, IBMAV, AVTK, PCScan,
NAV, NAVDX, VAlert, ChAV,
NShld, Sweep/N, LProt, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Rattle, or Death Rattle, virus was submitted in July, 1992. Its
origin is unknown, though the submission was from a European source.
Rattle is based on the Vienna virus, though this virus is a
memory resident infector of .COM programs, including COMMAND.COM.
The first time a program infected with the Rattle virus is executed,
the Rattle virus will install itself memory resident in available
free memory. Total system and available free memory, as indicated
by the DOS CHKDSK program, will not decrease. Interrupt 21 will
be hooked by Rattle in memory.
Once the Rattle virus is memory resident, it will infect .COM
programs when they are executed. If COMMAND.COM is executed, it
will become infected. Programs infected with the Rattle virus will
have a file length increase of 615 bytes with the virus being
located at the end of the file. The file's date and time in the
DOS disk directory listing will not appear to be altered, though
the seconds field will have been set to 62.
Systems infected with the Rattle virus may experience frequent
system hangs due to a program the user was attempting to execute
overwriting the virus in memory.