Red Diavolyata Virus
Virus Name: Red Diavolyata
Aliases: USSR 830, MLTI
V Status: Rare
Discovery: December, 1990
Symptoms: .COM growth; decrease in system and available memory; file
Eff Length: 830 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Red Diavolyata virus is an 830 byte memory resident infector of
.COM files, including COMMAND.COM. It was submitted in December,
1990, and originated in the USSR.
The first time a program infected with Red Diavolyata is executed,
the virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. The interrupt 12 return is
not moved. The DOS CHKDSK command will indicate that total system
memory and available free memory have decreased by 960 bytes.
Interrupt 21 will be hooked by the virus.
Once Red Diavolyata is memory resident, any .COM program executed
will become infected by the virus. If COMMAND.COM is executed, it
will be infected.
Infected .COM programs will have their file length increased by 830
bytes, and their date and time in the disk directory will have been
altered to the system date and time when infection occurred. The
virus will be located at the end of the infected program.
The following text strings can be found at the end of infected
"Eddie die somewhere in time"
"This programm was written in the city of Prostokwashino"
"(C) 1990 RED DIAVOLYATA"
Additionally, the text string "MLTI!COMMAND" can be found within
It is unknown if Red Diavolyata does anything besides replicate.
Known variant(s) of Red Diavolyata are:
Red Diavolyata B: Very similar to Red Diavolyata B, the major
difference from the original virus is that
interrupt 1C will also be hooked when the virus
is memory resident. There are two bytes within
the virus which differ from the original virus.