Virus Name: Reaper
Aliases: Reaper Man
V Status: Rare
Discovery: October, 1992
Symptoms: .COM & .EXE file growth; file date/time corruption;
decrease in total system & available free memory
Eff Length: 1,072 Bytes
Type Code: PRhA - Parasitic Resident .COM & .EXE Infector
Detection Method: AVTK, F-Prot, ViruScan, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, NProt, AVTK/N, LProt, NAV/N,
Removal Instructions: Delete infected files
The Reaper, or Reaper Man, virus was submitted in October, 1992.
It is originally from England. Reaper is a memory resident
infector of .COM and .EXE programs, but not COMMAND.COM, and does
not infect programs on the A: drive.
When the first Reaper infected program is executed, the Reaper
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupt 21.
Total system and available free memory, as indicated by the DOS
CHKDSK program, will have decreased by 3,008 bytes. Interrupt 12's
return will not be moved.
Once the Reaper virus is memory resident, it will infect .COM and
.EXE programs, other than COMMAND.COM, when they are copied or
opened for some reason other than execution. Programs are infected
only when their location is other than on the A: drive. Programs
infected with the Reaper virus will have a file length increase of
1,072 bytes with the virus being located at the end of the file.
Reaper is not able to determine when a program was previously
infected, so it will reinfect programs, adding an additional 1,072
bytes. The program's date and time in the DOS disk directory
listing will be corrupted to an unusual value which is not a normal,
valid date and time. The corruption of file date and times in the
DOS disk directory listing may also occur for programs which are not
infected by the virus.
The following text strings can be found within the viral code in
all Reaper infected programs:
"(c) 92, Apache Warrior, ARCV Pres."
"[ReaperMan] Apache Warrior"