Virus Name: RaubKopie
V Status: Rare
Discovery: March, 1991
Symptoms: .COM & .EXE growth; messages
Eff Length: 2,219 Bytes
Type Code: PNAK - Parasitic Non-Resident .COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The RaubKopie virus was submitted in March, 1991 by Jan Terpstra of
the Netherlands. It is originally from Germany. Raubkopie is a
non-resident direct action infector of .COM and .EXE files. It
will infect COMMAND.COM.
When a program infected with RaubKopie is executed, the virus will
infect up to five .COM programs in the current directory. If fewer
than five uninfected .COM programs exist in the current
directory, it will then infect .EXE files until the total number of
programs it has infected on this execution reaches five.
.COM programs infected with Raubkopie will increase in size by
2,219 bytes with the virus being located at the beginning of the
infected file. The program's date and time in the disk directory
will not be altered.
.EXE programs infected with Raubkopie will increase in size by
2,475 to 2,491 bytes with the virus being located at the end of the
file. The larger file size increase with .EXE files is due to a
different mechanism being used to infect the programs. With .EXE
files, the virus will first add up to 16 bytes to the candidate
.EXE file so that the program's length is now divisible by 16.
After adding the additional bytes, it then adds 256 bytes of hex
00's and appends the Raubkopie code to the end of the program. The
program's date and time in the disk directory will not be altered.
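The growth figures above can be turned into a baseline comparison, since the unchanged date and time make timestamps useless as an indicator. The following is an added example, not part of the original entry; the file names and sizes are constructed, and treating an already aligned .EXE as receiving either 0 or 16 padding bytes is an assumption drawn from the "up to 16 bytes" wording.

```python
"""Size-delta and layout checks built from the growth figures on this page."""

VIRUS_LEN = 2219      # effective length stated on the page
ZERO_BLOCK = 256      # block of 00 bytes added before the appended code (.EXE)
PARA = 16             # .EXE length is first padded to a multiple of 16


def exe_growths(orig_len):
    """Growth values consistent with the page for an .EXE of orig_len bytes."""
    pad = -orig_len % PARA
    # Assumption: the page says "up to 16 bytes", so an already aligned
    # file may receive either 0 or 16 padding bytes.
    pads = {pad} if pad else {0, PARA}
    return {p + ZERO_BLOCK + VIRUS_LEN for p in pads}


def growth_suspicious(name, old_len, new_len):
    """True if a file's growth since the baseline matches the description."""
    ext = name.upper().rsplit(".", 1)[-1]
    delta = new_len - old_len
    if ext == "COM":
        return delta == VIRUS_LEN
    if ext == "EXE":
        return delta in exe_growths(old_len)
    return False


def exe_tail_layout_matches(data):
    """Structural check needing no baseline: 256 zero bytes that start on a
    16-byte boundary, followed by exactly VIRUS_LEN trailing bytes."""
    start = len(data) - VIRUS_LEN - ZERO_BLOCK
    if start < 0 or start % PARA:
        return False
    return data[start:start + ZERO_BLOCK] == bytes(ZERO_BLOCK)


# Constructed baseline (name -> size) and current directory listing.
BASELINE = {"EDIT.COM": 4000, "CALC.EXE": 10005, "NOTE.EXE": 8192, "DATA.EXE": 500}
CURRENT = {"EDIT.COM": 6219, "CALC.EXE": 12491, "NOTE.EXE": 10667, "DATA.EXE": 2975}


def flag_files(baseline, current):
    return sorted(n for n in current
                  if n in baseline and growth_suspicious(n, baseline[n], current[n]))


if __name__ == "__main__":
    print(flag_files(BASELINE, CURRENT))
```

DATA.EXE grows by 2,475 bytes, which is inside the stated range, but is not flagged because a 500-byte file would need 12 padding bytes first. Both checks are heuristics and a match should be confirmed with a scanner.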
The RaubKopie virus will occasionally display messages and require
a response when an infected program is invoked. The messages
displayed cannot be seen within infected programs because they are
encrypted. The first message displayed when the messages occur is:
" A C H T U N G
Die Benutzung einer RAUBKOPIE ist strafbar!
Nur wer Original-Disketten, Handbucher,
oder PD-Lizenzen besitzt, darf Kopien verwenden.
Programmierung is muhevolle Detailarbeit:
Wer Raubkopien verwendet, betrugt
Programmierer un den Lohn ihrer Arbeit. "
A pause will then occur, and the following question will be asked:
"Bist Du sauber ? (J/N) "
Entering "J" for yes will result in the following message being
displayed and the program which the user was attempting to execute
will proceed to execute:
"Ich will glauben, was Du sagst ..... "
Entering "N" for no will result in the following messages, the
second of which is garbled, and the program the user was attempting
to execute will be terminated:
"CPU-ID wird gespeichert...