RaubKopie Virus


 Virus Name:  RaubKopie 
 Aliases:     Raubkopi 
 V Status:    Rare 
 Discovery:   March, 1991 
 Symptoms:    .COM & .EXE growth; messages 
 Origin:      Germany 
 Eff Length:  2,219 Bytes 
 Type Code:   PNAK - Parasitic Non-Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The RaubKopie virus was submitted in March, 1991 by Jan Terpstra of 
       the Netherlands.  It is originally from Germany.  Raubkopie is a 
       non-resident direct action infector of .COM and .EXE files.  It 
       will infect COMMAND.COM. 
 
       When a program infected with RaubKopie is executed, the virus will
       infect up to five .COM programs in the current directory.  If fewer
       than five uninfected .COM programs exist in the current directory,
       it will then infect .EXE files until it has infected a total of
       five programs on this execution.
 
       .COM programs infected with Raubkopie will increase in size by 
       2,219 bytes with the virus being located at the beginning of the 
       infected file.  The program's date and time in the disk directory 
       will not be altered. 
 
       .EXE programs infected with Raubkopie will increase in size by 
       2,475 to 2,491 bytes with the virus being located at the end of the 
       file. The larger file size increase with .EXE files is due to a 
       different mechanism being used to infect the programs.  With .EXE 
       files, the virus will first add up to 16 bytes to the candidate 
       .EXE file so that the program's length is now divisible by 16. 
       After adding the additional bytes, it then adds 256 bytes of hex 
       00's and appends the Raubkopie code to the end of the program.  The 
       program's date and time in the disk directory will not be altered. 
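
Because the directory date and time are left unchanged, file size compared against a known-good baseline is the practical indicator. The following is an added example, not part of the original entry: a triage heuristic built only from the size figures above. File names, sizes and the sample bytes are constructed, and the function names are hypothetical.

```python
# Added example: triage heuristics built from the size figures in this entry.
VIRUS_LEN = 2219                  # effective length given in the entry
ZERO_PAD = 256                    # hex 00 bytes placed before the code in .EXE files
EXE_GROWTH = range(2475, 2492)    # 2,475 to 2,491 bytes, inclusive


def classify_growth(name, old_size, new_size):
    """Return a finding if the growth matches the entry's figures, else None."""
    growth = new_size - old_size
    ext = name.upper().rsplit(".", 1)[-1]
    if ext == "COM" and growth == VIRUS_LEN:
        return "COM grew by 2,219 bytes"
    # EXE: host padded to a multiple of 16, then 256 zero bytes, then the code,
    # so the size minus (256 + 2,219) must itself be divisible by 16.
    if (ext == "EXE" and growth in EXE_GROWTH
            and (new_size - ZERO_PAD - VIRUS_LEN) % 16 == 0):
        return "EXE grew by %d bytes with 16-byte aligned host" % growth
    return None


def exe_tail_layout_matches(data):
    """True if the file ends with [16-aligned host][256 x 00][2,219 bytes]."""
    pad_start = len(data) - VIRUS_LEN - ZERO_PAD
    if pad_start <= 0 or pad_start % 16:
        return False
    return data[pad_start:pad_start + ZERO_PAD] == bytes(ZERO_PAD)


def scan(baseline, current):
    """Compare {name: size} snapshots and list files whose growth matches."""
    findings = {}
    for name, new_size in current.items():
        if name in baseline:
            hit = classify_growth(name, baseline[name], new_size)
            if hit:
                findings[name] = hit
    return findings


# Constructed sample data (not taken from a real system or sample).
BASELINE = {"EDIT.COM": 1000, "APP.EXE": 1003, "TOOL.EXE": 4096}
CURRENT = {"EDIT.COM": 3219, "APP.EXE": 3483, "TOOL.EXE": 6577}
HOST = b"MZ" + b"\x90" * 1001                      # 1,003-byte stand-in host
SAMPLE = HOST + bytes(5) + bytes(ZERO_PAD) + b"\xcc" * VIRUS_LEN  # filler, no viral code

if __name__ == "__main__":
    print(scan(BASELINE, CURRENT))
    print(exe_tail_layout_matches(SAMPLE), exe_tail_layout_matches(HOST))
```

TOOL.EXE grows by an amount inside the .EXE range but fails the divisible-by-16 check, so it is not reported. A match is a reason to examine the file, not proof of infection.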
 
       The RaubKopie virus will occasionally display messages and require
       a response when an infected program is invoked.  The messages
       cannot be seen within infected programs because they are
       encrypted.  The first message displayed is:
 
               "           A C H T U N G 
                    --------------------------- 
 
                Die Benutzung einer RAUBKOPIE ist strafbar! 
                Nur wer Original-Disketten, Handbucher, 
                oder PD-Lizenzen besitzt, darf Kopien verwenden. 
 
                Programmierung is muhevolle Detailarbeit: 
                Wer Raubkopien verwendet, betrugt 
                Programmierer un den Lohn ihrer Arbeit. 
 
                    ---------------------------           " 
 
       A pause will then occur, and the following question will be 
       displayed: 
 
               "Bist Du sauber ? (J/N) " 
 
       Entering "J" for yes will result in the following message being 
       displayed and the program which the user was attempting to execute 
       will proceed to execute: 
 
               "Ich will glauben, was Du sagst ..... " 
 
       Entering "N" for no will result in the following messages, the 
       second of which is garbled, and the program the user was attempting 
       to execute will be terminated: 
 
               "CPU-ID wird gespeichert... 
 
                **** LO            " 
 
       The last garbled message in original samples of this virus is: 
 
               "**** Losche dieses Programm ****". 
 
       There is also code within the RaubKopie virus to format the boot
       sector of the system hard disk if the system date is later than
       the 12th of the month, or the hour is later than 17:00 (5:00 PM).
       This code, however, does not function properly due to a bug within
       the RaubKopie virus.
 
       Besides the messages and file growth, infected systems may have 
       some of the directories containing RaubKopie infected programs 
       sorted so that .COM files appear at the beginning of the directory 
       listing. 
 
       Known variant(s) of RaubKopie are: 
       Raubkopie-FRD: Received in September, 1992, Raubkopie-FRD is 
                      a variant of the virus described above.  Infected 
                      .COM programs will have a file length increase of 
                      1,888 bytes with the virus being located at the 
                      beginning of the file.  Infected .EXE programs will 
                      have a file length increase of 2,150 to 2,160 bytes 
                      with the virus being located at the end of the file. 
                      The following text strings are contained within the 
                      viral code: 
                      "\ OSSI EN ST" 
                      "C:\ * NETWARE LMS MAUS MDB DOS BASE L" 
                      "*.exe *.com" 
                      "C:\   C:\CONFIG.SYS DEVICE =   COUNTRY.SYS" 
                      "hgt42" 
                      "V1 FRD" 
                      This variant of RaubKopie will alter the C:\CONFIG.SYS 
                      file to contain the "DEVICE =   COUNTRY.SYS" statement 
                      indicated above. 
                      Origin:  Unknown  September, 1992. 
