Type File virus
Creator Berndt Fix
Date Discovered 1986 (day unknown)
Place of Origin Germany
Source Language Assembly
Platform DOS
File Type(s) .com
Infection Length 457 bytes

Rushhour is an early DOS file infecting virus. In a similar manner to the Lehigh virus, it only infects one particular file. It is one of the few viruses from the year 1986.


When a KEYBGR.COM file infected with Rushhour is introduced to a new system and executed, the virus becomes resident in the memory. The virus waits fifteen minutes to begin infecting after execution. When the user enters a directory with KEYBGR.COM, Rushhour will infect the file by appending its code to the file.

The virus only infects the file KEYBGR.COM, a German keyboard driver for MS-DOS. The virus may cause the computer to make sounds, sometimes described as a short "Pchchch" (probably similar to white noise, as the source on this is in German where the letters "ch" together produce a different sound) when keys are pressed. Whether or not this is intentional is unclear, but it may have been, as the virus may cause interference with the keyboard driver. It contains text strings inside the virus code:

  This program is a VIRUS program.
  Once activated it has control over alls
  ystem devices and even over all storage
  media inserted by the user. It continually
  copies itself into uninfected operating
  systems and thus spreads uncontrolled.
  The fact that the virus does not destroy any
  user programs or erase the disk is merely due
  to a philanthropic trait of the author......


Some variants of the virus contain a similar message in Dutch:

  Dit is een demonstratie van een zogenaamd computervirus.Het
  heeft volledige controle over alle systeem-componentenen alle
  harde schijven en in de drive(s) ingevoerdediskettes. Het
  programma kopieert zichzelf naar andere,nog niet besmette
  besturingssystemen en verspreidt zich opdie manier
  ongecontroleerd. In dit geval zijn er geenprogramma`s beschadigd
  of schijven gewist, omdat ditslechts een demonstratie is. Een
  kwaadaardig virushad echter wel degelijk schade aan kunnen richten.

This roughly translates into, "This is a demonstration of a so-called computer virus. It has complete control over all system components all hard disks and in the drive(s) introduced diskettes. It copies itself to another uncontaminated program, and spreads in an uncontrolled manner. No program has been damaged and no disks were erased, because this is solely a demonstration. It would have been possible to create one that does damage, but that would be contrary to our goals."


The creator of the virus named it Rush Hour. The reason for this name was never made clear.

Antivirus Aliases

Avast: Rush
AVG: Rush_Hour
Avira: VGEN/6291.512
Bitdefender: Rush_Hour.A
ClamAV: Vgen.6291
F-Prot: Rush_Hour.A
Kaspersky Lab: Virus.DOS.Rushhour.a
McAfee: Rush Hour.ow
Panda: RushHour.3128
RAVAntivirus: Rush_Hour.A
Sophos: Rushhour
Symantec: Rush Hour.B (d)
Trend Micro: RUSH_HOUR.A

Other Facts

When Berndt Fix first planned the virus, he proposed several different possibilities for how it would work. A virus infecting .com as well as .exe files was proposed, but Fix decided against it when he considered the amount of space it would consume. Another possibility was a virus containing a 4500 character text on the dangers of viruses, but this was not done for the same reason.


Ralf Burger. Computer Viruses: A High-Tech Disease, pp. 137-144. Data Becker, GmbH, Düsseldorf; Abacus Software, Grand Rapids: 1987-1989. ISBN: 1-55755-043-3

Funktion und Aufbau des Virus "RUSHHOUR". (German)

Kaspersky Labs, Virus.DOS.Rushhour.a.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License