Rhubarb Virus


 Virus Name:  Rhubarb 
 Aliases: 
 V Status:    New 
 Discovery:   1996 
 Isolated:    April, 1998 
 Symptoms:    Diskette Boot Sector & MBR altered; 
              decrease in available free memory; 
              message displayed & hard disk corruption 
 Origin:      Romania 
 Eff Length:  N/A 
 Type Code:   BRhX - Resident Boot Sector & MBR Infector 
 Detection Method:  ViruScan, NAVDX, NAV 
 Removal Instructions:  ViruScan 
 
 General Comments: 
       The Rhubarb virus was first discovered in 1996, though the copy 
       received by the author of VSUM was received in April, 1998.  It 
       is reportedly from Romania.  Rhubarb is a memory resident stealth 
       infector of the system hard disk master boot record (MBR) and 
       diskette boot sectors.  It is a destructive virus. 
 
       The first time a system is booted from a Rhubarb infected diskette, 
       the Rhubarb virus will infect the system hard disk master boot 
       record and become memory resident. 
 
       Once the system hard disk MBR is infected, any subsequent boot 
       from the system hard disk will result in the virus becoming memory 
       resident.  Total DOS memory will not decrease, though the amount 
       of available free memory, as indicated by the DOS CHKDSK program 
       from DOS 5.0, will have decreased by 1,024 bytes. 
 
       Once the Rhubarb virus is memory resident, it will infect the 
       boot sector of non-write protected diskettes when they are 
       accessed. 
 
       Rhubarb is a stealth virus, and when it is memory resident, it 
       cannot be detected on the system hard disk or diskettes by 
       anti-viral programs.  These programs determine that the virus 
       is in memory, and prompt the user to reboot the system from a 
       clean, write protected diskette.  This is required so that the 
       virus can be detected, and not spread, to other media. 
 
       The Rhubarb virus is a destructive virus, activating on December 
       17th of any year, when the system is booted from infected media. 
       At this time, the virus will display the following message and 
       overwrite the beginning of the system hard drive: 
 
           "RP wants to say hello!" 
 
       The system will then be unbootable from the system hard drive. 
 
       Known variant(s) of Rhubarb are: 
       Rhubarb.B: Also received in April, 1998, this is a minor 
           variant of the Rhubarb virus described above. 
           Origin: Unknown  April, 1998.

Show viruses from discovered during that infect .

Main Page