Virus Name: RPVS
Aliases: 453, TUQ
V Status: Endangered
Discovery: August, 1990
Symptoms: .COM growth
Origin: West Germany
Eff Length: 453 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, NAV/N,
Removal Instructions: Delete infected files
The RPVS, or 453, virus was discovered in West Germany in early
August, 1990. This virus is a non-resident infector of .COM files.
The RPVS is named for an unusual string that appears in a file dump
of the virus - "TUQ.RPVS" - this in not really a text string, but a
series of PUSH instructions.
The RPVS virus is a rather unsophisticated virus. Whenever a .COM
program infected with the RPVS or 453 virus is executed, the virus
will look for an uninfected .COM file in the current directory.
The virus determines if the .COM file has been previously infected
by checking to see if the last two bytes of the file are 9090h. If
the last two bytes are not 9090h, the file will be infected,
appending 453 bytes of viral code to the end of the file. One .COM
file is infected each time an infected program is executed.
COMMAND.COM will not normally be infected.
This virus does not contain any logic to activate and cause damage
in its current state. It does contain many NOP instructions and
odd jumps which leave plenty of space for later additions.
Known variant(s) of RPVS are:
RPVS-B: The RPVS virus after additional bytes have been added to
the end of an infected program. When this occurs, the
virus will act differently. It will not be able to
determine that it has already infected a .COM file, so it
will reinfect the first .COM file it finds in the current
directory over and over again.