Riot Virus
Virus Name: Riot
Aliases:
V Status: New
Discovery: January, 1996
Symptoms: .COM file growth; file date/time seconds = "58";
decrease in available free memory;
.EXE files appear to be smaller than actual size
Origin: Unknown
Eff Length: 1,012 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, IBMAV, AVTK, VAlert, PCScan, F-Prot,
NAV, NAVDX, ChAV,
NShld, IBMAV/N, AVTK/N, LProt, NProt, NAV/N, Innoc 4.0+
Removal Instructions: Delete infected files
General Comments:
The Riot virus was received in January, 1996. Its origin or point
of isolation is unknown. Riot is a memory resident encrypted virus
which infects .COM files, including COMMAND.COM.
When the first Riot infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, not moving interrupt 12's return. Available
free memory, as indicated by the DOS CHKDSK program from DOS 5.0,
will have decreased by 1,040 bytes. Interrupts 09, 13, 16, 1C, and
21 will be hooked by the virus in memory.
Once the Riot virus is memory resident, it will infect .COM files,
including COMMAND.COM, when they are opened, executed or copied.
Infected .COM files will have a file length increase of 1,012 bytes,
though this file length increase will be hidden when the virus is
memory resident. The file's date and time in the DOS disk directory
listing will not appear to be altered, though the seconds field will
have been set to "58". The following text strings are encrypted
within the viral code:
"CARPE DIEM! - SIEZE THE DAY!"
"(c) '95 The Unforgiven/Immortal Riot Kudos To Raver!"
"Program infected!"
This virus will also alter the seconds field of the file date and
time to "58" on .EXE files which the virus does not infect. As a
result, these uninfected files will appear to be 1,012 bytes smaller
than their actual size in a DOS disk directory listing when the
virus is memory resident.
Known variant(s) of Riot are:
Riot.1299: Also received in January, 1996, this is a 1,299 byte
variant of the Riot virus described above. Its size in memory
is 1,328 bytes, hooking interrupts 09, 21, and 24. Once
resident, it infects .COM files, including COMMAND.COM, when
they are executed, opened, or copied. Infected files will have
a file length increase of 1,299 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"CARPE_DIEM_II - FLOATING THROUGH THE VOID!"
"SVW: The Unforgiven/Immortal Riot Fuck Corporate Life!"
Origin: Unknown January, 1996.
Riot.1305: Also received in January, 1996, this is a 1,305 byte
variant of the Riot virus described above. Its size in memory
is 1,328 bytes, hooking interrupts 09, 21, and 24. Once
resident, it infects .COM files, including COMMAND.COM, when
they are executed, opened, or copied. Infected files will have
a file length increase of 1,305 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"CARPE_DIEM_II - FLOATING THROUGH THE VOID!"
"SVW: The Unforgiven/Immortal Riot Fuck Corporate Life!"
Origin: Unknown January, 1996.
Riot.1415: Also received in January, 1996, this is a 1,415 byte
variant of the Riot virus described above. Its size in memory
is 1,440 bytes, hooking interrupts 09, 16, 21, and 24. Once
resident, it infects .COM files, including COMMAND.COM, when
they are executed, opened, or copied. Infected files will have
a file length increase of 1,415 bytes with the virus being
located at the end of the file. The program's date and time in
the DOS disk directory listing will not be altered. The
following text strings are encrypted within the viral code:
"CALL 0910-14000 for a CURE! PR"
"This virus was written by The Unforgiven/Immortal Riot"
"Fuck you Ratman!It's some version of CARPE DIEM_II!"
Origin: Unknown January, 1996.