Virus Name: Ryazan
V Status: Rare
Discovery: December, 1992
Symptoms: .EXE file growth
Eff Length: 512 Bytes
Type Code: PRaE - Parasitic Resident .EXE Infector
Detection Method: AVTK, Sweep, F-Prot, ViruScan, IBMAV, PCScan,
NAV, NAVDX, VAlert, ChAV,
Sweep/N, NShld, Innoc, NProt, AVTK/N, IBMAV/N, NAV/N,
Removal Instructions: Delete infected files
The Ryazan virus was submitted in December, 1992 and is originally
from the USSR. Ryazan is a memory resident infector of .EXE
When the first Ryazan infected program is executed, the Ryazan
virus will install itself memory resident in a "hole" in allocated
system memory at 0010. It will have hooked interrupt 21. Total
system and available free memory, as indicated by the DOS CHKDSK
program, will not be altered.
Once the Ryazan virus is memory resident, it will infect .EXE
programs, other than very small ones, when they are executed.
Infected programs will have a file length increase of 512 bytes with
the virus being located at the end of the file. The program's date
and time in the DOS disk directory listing will not be altered. The
following text string is encrypted within the Ryazan viral code in
It is unknown if Ryazan does anything besides replicate.