Rybka Virus

 Virus Name:  Rybka 
 V Status:    Rare 
 Discovery:   November, 1991 
 Symptoms:    .COM & .EXE growth; TSR; program execution failures; 
              boot failures 
 Origin:      Unknown 
 Eff Length:  123 Plus Bytes 
 Type Code:   PRAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  Sweep, NAV, F-Prot, AVTK, ViruScan, NAVDX, 
                    IBMAV, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 General Comments: 
       The Rybka virus was received in November, 1991.  Its origin is 
       unknown.  Rybka is a memory resident infector of .COM and .EXE 
       programs, including COMMAND.COM. 
       The first time a program infected with Rybka is executed, the 
       Rybka virus will install itself memory resident as a low system 
       memory TSR of 1.3K bytes, hooking interrupt 21.  Since the 
       Rybka virus cannot later recognize that it has already installed 
       its TSR, it will install it again each time an infected program 
       is executed.  As a result, infected systems will have available 
       free memory continue to decrease in 1.3K increments as the 
       infection progresses. 
       Once Rybka is memory resident, it will infect .COM and .EXE programs 
       over 132 bytes in length when they are executed.  If COMMAND.COM 
       is executed, it will become infected as well.  Rybka infected 
       programs will increase in size by at least 132 bytes, though in 
       many cases the file size increase may be over 13,000 bytes.  In 
       any event, the virus will be located at the end of the infected 
       file.  The file's date and time in a DOS disk directory listing 
       will not have been altered.  The following text string can be found 
       in infected files: 
       Besides the increasing loss of available free memory while the virus 
       is memory resident, Rybka infected systems will experience programs 
       failing to execute properly, returning the user to the DOS 
       prompt.  If COMMAND.COM becomes infected, the system will fail 
       to boot. 

Show viruses from discovered during that infect .

Main Page