Rocko Virus


 Virus Name:  Rocko 
 Aliases:     RKO 
 V Status:    Rare 
 Discovery:   April, 1992 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory 
 Origin:      Canada 
 Eff Length:  666 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, AVTK, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N, 
                    NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Rocko virus was received in April, 1992 from Canada.  Rocko 
       is a memory resident virus which infects .COM and .EXE programs, 
       including COMMAND.COM.  It employs some stealth techniques to 
       avoid detection. 
 
       When the first Rocko infected program is executed, Rocko will 
       install itself memory resident at the top of system memory but 
       below the 640K DOS boundary.  Total system and available free 
       memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 704 bytes.  Interrupt 21 will be hooked by Rocko 
       in memory. 
 
       Once the Rocko virus is resident, it will infect .COM and .EXE 
       programs when they are executed.  Infected programs will appear 
       to not have any file length increase as the virus hides the 
       file length change when it is resident.  The DOS CHKDSK program 
       will not return file allocation errors on infected files. 
 
       Programs infected with the Rocko virus will have a file length 
       increase of 666 bytes with the virus being located at the end 
       of the file.  The program's time in the DOS disk directory 
       listing may disappear.  The seconds in the file's timestamp will 
       have been set to 60.  One text string can be found within the 
       viral code in infected programs: 
 
               "RocK STeaDY!" 
 
       The Rocko virus activates on the 13th of any month, at which time 
       the virus will overwrite the boot sector and file allocation table 
       on the system hard disk.  It contains two mechanisms to perform 
       this damage. 
 
       Known variant(s) of Rocko are: 
       Mutating Rocko: Based on the Rocko virus described above, this 
                       variant, at the time of its submission, is not 
                       detected by programs aware of the Rocko virus due 
                       to an added complex encryption mechanism.  Its size 
                       in memory is 1,280 bytes, hooking interrupts 09 and 
                       21.  It adds 609 bytes to the .COM programs it 
                       infects on execution, the virus being located at the 
                       end of the file.  When Mutating Rocko is memory 
                       resident, the file length increase will be hidden. 
                       One text string can be seen in all infected 
                       programs: 
                       "(c) Rock Steady/NuKE]" 
                        Mutating Rocko activates on the 24th of any month: 
                        when the user presses CTRL-ALT-DEL on that date, the 
                        virus will overwrite the system hard disk.  On 
                        dates other than the 24th of the month, a cold 
                        reboot will result. 
                       Origin:  Montreal, Canada  August, 1992. 
       Rocko-B: Functionally similar to the Rocko virus, this variant 
                has 11 bytes which differ. 
                The text string at the end of the virus has been changed 
                to: 
                "-Rk STd-" 
                Origin: Montreal, Canada  September, 1992. 
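
Added triage example (not part of the original entry): a check for the two file-level indicators described above, namely a timestamp seconds value of 60 on .COM/.EXE files and the quoted text strings in the last 666 bytes of a file. It assumes the standard 32-byte FAT directory entry layout; the helper names and sample entries are constructed for illustration, and the encrypted Mutating Rocko variant is not covered.

```python
import struct

MARKERS = (b"RocK STeaDY!", b"-Rk STd-")  # strings quoted in this entry
VIRUS_LEN = 666                            # length increase given in this entry
TARGET_EXTS = (b"COM", b"EXE")

def decode_dos_time(word):
    """Split a FAT packed time word into (hour, minute, second)."""
    # Bits 15-11 hour, 10-5 minute, 4-0 seconds/2; a field of 30 decodes to 60.
    return (word >> 11) & 0x1F, (word >> 5) & 0x3F, (word & 0x1F) * 2

def scan_directory(raw):
    """Return names of .COM/.EXE entries whose timestamp seconds equal 60."""
    hits = []
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:                       # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:   # deleted, label/LFN, or subdirectory
            continue
        name, ext = entry[0:8].rstrip(), entry[8:11]
        (time_word,) = struct.unpack_from("<H", entry, 22)
        if ext in TARGET_EXTS and decode_dos_time(time_word)[2] == 60:
            hits.append((name + b"." + ext).decode("ascii", "replace"))
    return hits

def tail_has_marker(data):
    """True if a quoted marker string lies in the final VIRUS_LEN bytes."""
    tail = data[-VIRUS_LEN:]
    return any(marker in tail for marker in MARKERS)

def make_entry(name, ext, hour, minute, sec_field, size):
    """Build a constructed 32-byte directory entry (sample data only)."""
    time_word = (hour << 11) | (minute << 5) | sec_field
    date_word = ((1992 - 1980) << 9) | (4 << 5) | 1
    return struct.pack("<8s3sB10sHHHI", name.ljust(8), ext, 0x20,
                       b"\0" * 10, time_word, date_word, 2, size)

# Constructed sample directory: one normal file, one flagged, one non-target.
SAMPLE_DIR = (make_entry(b"CLEAN", b"COM", 12, 0, 15, 1000)
              + make_entry(b"GAME", b"EXE", 9, 30, 30, 20666)
              + make_entry(b"NOTES", b"TXT", 9, 30, 30, 100)
              + b"\0" * 32)

if __name__ == "__main__":
    print(scan_directory(SAMPLE_DIR))
```

Run such a check against an offline disk image or after booting from clean media, since the entry states that the resident virus hides the file length change. Treat the seconds value as a triage hint to be confirmed by the string match.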
