Rizal is a trojan that damages critical system files. The trojan is a Windows NE (16-bit) file 14kb long.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
When run the trojan first adds a big amount of similar command blocks AUTOEXEC.BAT. These commands will clear screen, output the below given messages and wait for key to be pressed.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- R I Z A L I A N T R O J A N PROGRAMMED BY: THE HAMMER HEAD TEAM Computer Science Dept. Jose Rizal University Shaw BLVD Mandaluyong City Philppines LARRY CONANAN and BENITO TY -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Then the trojan destroys MSDOS.SYS file by zeroing it. This only affects DOS and Windows 9x/ME systems.
After that the trojan starts to copy files from \Windows\Command\ folder to \My Documents\, \Windows\, \Windows\System\, \Windows\System\Iosubsys\ and \Windows\Help\ folders. The copied files have zero length. After restart an affected system could become unusable.
Technical Details: Alexey Podrezov; F-Secure Corp.; September 2001