Virus Name: Rocko
V Status: Rare
Discovery: April, 1992
Symptoms: .COM & .EXE growth; decrease in total system & available free
Eff Length: 666 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: ViruScan, F-Prot, Sweep, AVTK, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N,
Removal Instructions: Delete infected files
The Rocko virus was received in April, 1992 from Canada. Rocko
is a memory resident virus which infects .COM and .EXE programs,
including COMMAND.COM. It employs some stealth techniques to
When the first Rocko infected program is executed, Rocko will
install itself memory resident at the top of system memory but
below the 640K DOS boundary. Total system and available free
memory, as indicated by the DOS CHKDSK program, will have
decreased by 704 bytes. Interrupt 21 will be hooked by Rocko
Once the Rocko virus is resident, it will infect .COM and .EXE
programs when they are executed. Infected programs will appear
to not have any file length increase as the virus hides the
file length change when it is resident. The DOS CHKDSK program
will not return file allocation errors on infected files.
Programs infected with the Rocko virus will have a file length
increase of 666 bytes with the virus being located at the end
of the file. The program's time in the DOS disk directory
listing may disappear. The seconds in the file's timestamp will
have been set to 60. One text string can be found within the
viral code in infected programs:
The Rocko virus activates on the 13th of any month, at which time
the virus will overwrite the boot sector and file allocation table
on the system hard disk. It contains two mechanisms to perform
Known variant(s) of Rocko are:
Mutating Rocko: Based on the Rocko virus described above, this
variant, at the time of its submission, is not
detected by programs aware of the Rocko virus due
to an added complex encryption mechanism. Its size
in memory is 1,280 bytes, hooking interrupts 09 and
21. It adds 609 bytes to the .COM programs it
infects on execution, the virus being located at the
end of the file. When Mutating Rocko is memory
resident, the file length increase will be hidden.
One text string can be seen in all infected
"(c) Rock Steady/NuKE]"
Mutating Rocko activates on the 24th of any month,
at which time when the user hits CTRL-ALT-DEL, the
virus will overwrite the system hard disk. On
dates other than the 24th of the month, a cold
reboot will result.
Origin: Montreal, Canada August, 1992.
Rocko-B: Functionally similar to the Rocko virus, this variant
is functionally similar. It has 11 bytes which differ.
The text string at the end of the virus has been changed
Origin: Montreal, Canada September, 1992.