Rushhour | |
---|---|
Type | File virus |
Creator | Berndt Fix |
Date Discovered | 1986 (day unknown) |
Place of Origin | Germany |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com |
Infection Length | 457 bytes |
Rushhour is an early DOS file-infecting virus. Like the Lehigh virus, it infects only one particular file. It is one of the few viruses from the year 1986.
Behavior
When a KEYBGR.COM file infected with Rushhour is introduced to a new system and executed, the virus becomes resident in memory. It waits fifteen minutes after execution before it begins infecting. When the user enters a directory containing KEYBGR.COM, Rushhour infects the file by appending its code to it.
The virus only infects the file KEYBGR.COM, a German keyboard driver for MS-DOS. The virus may cause the computer to make sounds when keys are pressed, sometimes described as a short "Pchchch" (probably similar to white noise, as the source on this is in German, where the letters "ch" together produce a different sound). Whether or not this is intentional is unclear, but it may have been, as the virus may interfere with the keyboard driver. The virus code contains the following text strings:
This program is a VIRUS program.
Once activated it has control over alls
ystem devices and even over all storage
media inserted by the user. It continually
copies itself into uninfected operating
systems and thus spreads uncontrolled.
The fact that the virus does not destroy any
user programs or erase the disk is merely due
to a philanthropic trait of the author......
Variants
Some variants of the virus contain a similar message in Dutch:
Dit is een demonstratie van een zogenaamd computervirus.Het
heeft volledige controle over alle systeem-componentenen alle
harde schijven en in de drive(s) ingevoerdediskettes. Het
programma kopieert zichzelf naar andere,nog niet besmette
besturingssystemen en verspreidt zich opdie manier
ongecontroleerd. In dit geval zijn er geenprogramma`s beschadigd
of schijven gewist, omdat ditslechts een demonstratie is. Een
kwaadaardig virushad echter wel degelijk schade aan kunnen richten.
This roughly translates to: "This is a demonstration of a so-called computer virus. It has complete control over all system components, all hard disks, and diskettes inserted in the drive(s). It copies itself to another uncontaminated program, and spreads in an uncontrolled manner. No program has been damaged and no disks were erased, because this is solely a demonstration. It would have been possible to create one that does damage, but that would be contrary to our goals."
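A defender's check for the message strings quoted under Behavior and Variants, as an added example that is not part of the original page: it looks only at files named KEYBGR.COM and matches the opening sentence of each message with whitespace ignored, since the quoted text is wrapped mid-word. It assumes the text is stored as plain ASCII; the choice of marker sentences, the function names and the sample bytes are constructed for illustration.

```python
import os
import re

# Opening sentence of each message as quoted on this page.
MARKERS = {
    "english": "This program is a VIRUS program.",
    "dutch": "Dit is een demonstratie van een zogenaamd computervirus.",
}
TARGET_NAME = "keybgr.com"  # the only file the page says Rushhour infects


def _squash(data: bytes) -> bytes:
    """Drop whitespace/control bytes and fold ASCII case."""
    return re.sub(rb"[\x00-\x20]+", b"", data).lower()


# Markers are compared in squashed form so a match survives any line wrapping.
SQUASHED = {k: _squash(v.encode("ascii")) for k, v in MARKERS.items()}


def match_markers(data: bytes) -> list:
    """Return the names of the message variants found in a file image."""
    flat = _squash(data)
    return sorted(name for name, needle in SQUASHED.items() if needle in flat)


def scan_tree(root: str) -> dict:
    """Map each KEYBGR.COM under root to the message variants it contains."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET_NAME:
                continue  # other file names are out of scope for this check
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                found = match_markers(fh.read())
            if found:
                hits[path] = found
    return hits


# Constructed samples: filler bytes standing in for a driver image, one of
# them followed by the quoted message with a line break in the middle of a word.
SAMPLE_INFECTED = b"\x90" * 64 + b"This program is a VI\r\nRUS program.\r\nOnce activated"
SAMPLE_CLEAN = b"\x90" * 64 + b"German keyboard driver"

if __name__ == "__main__":
    print(match_markers(SAMPLE_INFECTED), match_markers(SAMPLE_CLEAN))
```

A hit means only that the file carries one of the quoted sentences; the 457-byte infection length from the table above can serve as a second check against a known-clean copy of the driver.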
Name
The creator of the virus named it Rush Hour. The reason for this name was never made clear.
Antivirus Aliases
Avast: Rush
AVG: Rush_Hour
Avira: VGEN/6291.512
Bitdefender: Rush_Hour.A
ClamAV: Vgen.6291
F-Prot: Rush_Hour.A
Kaspersky Lab: Virus.DOS.Rushhour.a
McAfee: Rush Hour.ow
Panda: RushHour.3128
RAVAntivirus: Rush_Hour.A
Sophos: Rushhour
Symantec: Rush Hour.B (d)
Trend Micro: RUSH_HOUR.A
Other Facts
When Berndt Fix first planned the virus, he proposed several different possibilities for how it would work. A virus infecting .com as well as .exe files was proposed, but Fix decided against it when he considered the amount of space it would consume. Another possibility was a virus containing a 4500-character text on the dangers of viruses, but this was not done for the same reason.
Sources
Ralf Burger. Computer Viruses: A High-Tech Disease, pp. 137-144. Data Becker, GmbH, Düsseldorf; Abacus Software, Grand Rapids: 1987-1989. ISBN: 1-55755-043-3
Funktion und Aufbau des Virus "RUSHHOUR". (German)
Kaspersky Labs, Virus.DOS.Rushhour.a.