Virus Name: Arf
Aliases: Rigor Mortis, Thor
V Status: Rare
Discovery: March, 1991
Isolated: United States
Symptoms: .COM growth; messages
Eff Length: 1,000 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Arf, Thor, or Rigor Mortis virus was submitted in March, 1991
from the United States. Arf is a virus written by RABID, which is
based in Canada. This virus is a non-resident infector of .COM
files, including COMMAND.COM. Arf is based on the Vienna virus,
and some anti-viral programs may identify it as Vienna.
When a program infected with Arf is executed, the virus will check
to see if COMMAND.COM has been previously infected. If it is not
infected, the virus will infect it and display the message:
"Rigor Mortis !!!
I am Hi.pas"
After checking (and possibly infecting) COMMAND.COM, the virus will
search the current directory for one .COM program to infect. If an
uninfected .COM program is found, it will be infected with the
following message being displayed:
"Arf krad krad krad
krad krad kr"
The virus will then proceed to check the B: drive for a file to
Files infected with the Arf virus will have a file length increase
of 1,000 bytes. The virus will be located at the end of the
infected program. The above text messages can be found within the
The Arf virus may not be in the public domain, the original sample
submitted is not a natural infection of the virus. Its name is due
to the "Arf" string displayed when files other than COMMAND.COM are
infected. Its alias of Thor is because it is believed to have been
written by a group calling itself Thor.
Note: the original sample of this virus was on an .EXE file, and is
not a natural infection. This virus may be a research virus and not
in the public domain.
Known variant(s) of Arf are:
Arf-B: Arf-B was submitted in May, 1991. It is from the United
States. This variant appears to be an earlier version of the
Arf virus described above. When a program infected with
Arf-B is executed, it will check the current directory for an
uninfected .COM program to infect. If an uninfected .COM
program is found, it will infect the program. The B: drive
may also be accessed. Whether or not a program was infected,
it will then display the message:
"Arf Arf Got you!
-- RABID '90"
Infected programs will have a file length increase of 1,000
bytes, and their date and time in the disk directory will be
altered, though not to the current system date and time.
Execution of COMMAND.COM after it has become infected will
result in the following messages, and a system hang:
Memory allocation error
Cannot start COMMAND, exiting"
.COM programs infected with Arf-B will usually fail to
function once infected, resulting in a system hang.