Virus Name: Roguey
V Status: Rare
Discovery: November, 1993
Symptoms: .COM file growth; TSR; host program encrypted;
Lost clusters on infected disks; message displayed;
programs fail to function; system boot failure
Eff Length: 967 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, AVTK, Sweep, IBMAV, F-Prot, NAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, AVTK/N, IBMAV/N, Innoc, NProt, NAV/N,
Removal Instructions: Delete infected files

The Roguey, or Badcmdx, virus was received in November 1993. Its
origin or point of isolation is unknown. Roguey is a memory-resident
infector of .COM programs, including COMMAND.COM.

When the first Roguey-infected program is executed, the virus
installs itself memory resident as a low system memory TSR of 1,584
bytes. The virus hooks Interrupt 21 in memory.

Once Roguey is memory resident, it may infect .COM programs when they
are executed. Infected programs will have a file length increase of
967 bytes, though this increase is hidden while the virus is memory
resident. Roguey encrypts the entire host program in addition to its
viral code, so the position of the virus within the host file is not
meaningful.

The following message may be displayed by the virus when the user
attempts to execute infected programs:

    "Bad Command or file name"

This text string is encrypted within infected programs, and thus is
not visible within infected files.

In addition to displaying the above message, users of infected
systems may note an increase in the occurrence of lost clusters on
infected disks, as well as the system failing to boot once the boot
copy of COMMAND.COM becomes infected.