Summary

Rizal is a trojan that damages critical system files. The trojan is a Windows NE (16-bit) file 14kb long.

Additional Details

When run the trojan first adds a big amount of similar command blocks AUTOEXEC.BAT. These commands will clear screen, output the below given messages and wait for key to be pressed.

	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
	   R I Z A L I A N    T R O J A N

	PROGRAMMED BY: THE HAMMER HEAD TEAM

    Computer Science Dept. Jose Rizal University
       Shaw BLVD Mandaluyong City Philppines

            LARRY CONANAN and BENITO TY

	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Then the trojan destroys MSDOS.SYS file by zeroing it. This only affects DOS and Windows 9x/ME systems.

After that the trojan starts to copy files from \Windows\Command\ folder to \My Documents\, \Windows\, \Windows\System\, \Windows\System\Iosubsys\ and \Windows\Help\ folders. The copied files have zero length. After restart an affected system could become unusable.

[Analysis: Alexey Podrezov; F-Secure Corp.; September 2001]