Rubbit Virus


 Virus Name:  Rubbit 
 Aliases:     Rubbit.681 
 V Status:    Rare 
 Discovery:   July, 1994 
 Symptoms:    .COM file growth; file date/time changes; 
              possibly system hangs 
 Origin:      Unknown 
 Eff Length:  681 Bytes 
 Type Code:   PRfCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK, IBMAV, ViruScan, NAV, Sweep, NAVDX, 
                    VAlert, PCScan, ChAV, 
                    AVTK/N, Sweep/N, IBMAV/N, NShld, NProt, NAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Rubbit, or Rubbit.681, virus was submitted in July, 1994, along 
       with four variants of the virus.  Rubbit is a memory resident 
       infector of .COM programs, including COMMAND.COM.  The description 
       included here is for Rubbit.681, three of the four remaining variants 
       are included below.  One variant, Rubbit.3811, did not replicate and 
       is thus not included. 
 
       When the first Rubbit infected program is executed, this virus will 
       install itself memory resident in available system memory, at 9000, 
       hooking interrupt 21.  Since it is in available memory, a system hang 
       could occur if any program executed by the system user overwrites 
       this area.  There will be no change to total system and available 
       free memory as indicated by the DOS CHKDSK program. 
 
       Once memory resident, the Rubbit virus will infect .COM programs, 
       including COMMAND.COM, when they are executed.  Infected programs 
       will have a file length increase of 681 bytes with the virus being 
       located at the end of the file.  The program's date and time in the 
       DOS disk directory listing will have been updated to the current 
       system date and time when infection occurred.  The following text 
       string can be found within the viral code in all infected programs: 
 
               "RUBBIT.$$$" 
 
       It is unknown what Rubbit may do besides replicate. 
 
       Known variant(s) of Rubbit are: 
       Rubbit.1018: Rubbit.1018 is a 1,018 byte variant of the Rubbit 
             virus described above.  It infects .COM programs, including 
             COMMAND.COM, when they are executed.  Infected programs will 
             have a file length increase of 1,018 bytes with the virus being 
             located at the end of the file.  The file length increase will 
             not be visible in the DOS disk directory listing when the virus 
             is memory resident.  The file's date and time in the DOS disk 
             directory listing will not be altered.  The following text 
             string can be found within the viral code in all infected files: 
             "RUBBIT.$$$" 
             The DOS CHKDSK program will indicate file allocation errors on 
             all infected files when the virus is memory resident. 
             Origin:  Unknown  July, 1994.  
       Rubbit.2060: Rubbit.2060 is a 2,060 byte variant of the Rubbit 
             virus described above.  This variant becomes memory resident at 
             the top of system memory but below the 640K DOS boundary, not 
             moving interrupt 12's return.  Total system and available free 
             memory, as indicated by the DOS CHKDSK program, will have 
             decreased by 11,288 bytes.  Interrupt 21 will be hooked.  It 
             infects .COM and .EXE programs, including COMMAND.COM, when they 
             are executed.  Infected .COM files will have a file length 
             increase of 2,060 bytes while .EXE files increase by 2,060 to 
             2,075 bytes.  The file length increase will be hidden by the 
             virus when it is memory resident.  In both cases, the virus will 
             be located at the end of the file.  The file's date and time in 
             the DOS disk directory listing will not be altered.  The 
             following text string can be found within the viral code: 
             "RuBBit" 
             The following text strings are encrypted within the viral code: 
             "##      << How do you do >>         ##" 
             "##  !!   Today is My Birthday   !!  ##" 
             "$$ OH! YES! Happy Birthday To You ! $$" 
             The DOS CHKDSK program will indicate file allocation errors on 
             all infected files when the virus is memory resident. 
             Origin:  Unknown  July, 1994.  
       Rubbit.3164: Rubbit.3164 is a 3,164 byte variant of the Rubbit 
             virus described above.  This variant becomes memory resident as 
             a low system memory TSR of 6,928 bytes, hooking interrupt 21. 
             It infects .COM and .EXE programs, including COMMAND.COM, when 
             they are executed.  Infected files will have a file length 
             increase of 3,164 bytes with the virus being located at the end 
             of the file.  The file length increase will be hidden by the 
             virus when it is memory resident.  The file's date in the DOS 
             disk directory listing will not be altered, but the time field 
             will have been updated to the system time when infection 
             occurred.  The following text string can be found within the 
             viral code: 
             "RuBBit" 
             The following text strings are encrypted within the viral code: 
             "## RuBBit  Version 2.2 Written by [P.F] in Taiwan. ##" 
             "## This idea is from Dark Slayer.    1994/05/02    ##" 
             "RuBBitRuBBit" 
             The DOS CHKDSK program will indicate file allocation errors on 
             all infected files when the virus is memory resident.  The 
             virus will disinfect programs when they are read into memory 
             thus hiding the file infection further from the user. 
             Origin:  Unknown  January, 1996. 
       Rubbit.3839: Rubbit.3839 is a 3,839 byte variant of the Rubbit 
             virus described above.  This variant becomes memory resident as 
             a low system memory TSR of 8,272 bytes, hooking interrupt 21. 
             It infects .COM and .EXE programs, including COMMAND.COM, when 
             they are executed.  Infected files will have a file length 
             increase of 3,839 bytes with the virus being located at the end 
             of the file.  The file length increase will be hidden by the 
             virus when it is memory resident.  The file's date and time in 
             the DOS disk directory listing will not be altered.  The 
             following text strings can be found within the viral code: 
             "RuBBit" 
             The following text strings are encrypted within the viral code: 
             "##  !!  RuBBit  Version 2.0     !!  ##" 
             "##      << How do you do >>         ##" 
             "##  !!   Today is My Birthday   !!  ##" 
             "$$ OH! YES! Happy Birthday To You ! $$" 
             The DOS CHKDSK program will indicate file allocation errors on 
             all infected files when the virus is memory resident.  The 
             virus will disinfect programs when they are read into memory 
             thus hiding the file infection further from the user. 
             Origin:  Unknown  July, 1994. 
  

Show viruses from discovered during that infect .

Main Page