Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


Rizal


Aliases:


Rizal
Trojan.Win16.Rizal

Malware
Trojan
W32

Summary

Rizal is a trojan that damages critical system files. The trojan is a Windows NE (16-bit) file 14kb long.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

When run the trojan first adds a big amount of similar command blocks AUTOEXEC.BAT. These commands will clear screen, output the below given messages and wait for key to be pressed.

	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
	   R I Z A L I A N    T R O J A N
	PROGRAMMED BY: THE HAMMER HEAD TEAM
    Computer Science Dept. Jose Rizal University
       Shaw BLVD Mandaluyong City Philppines
LARRY CONANAN and BENITO TY
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Then the trojan destroys MSDOS.SYS file by zeroing it. This only affects DOS and Windows 9x/ME systems.

After that the trojan starts to copy files from \Windows\Command\ folder to \My Documents\, \Windows\, \Windows\System\, \Windows\System\Iosubsys\ and \Windows\Help\ folders. The copied files have zero length. After restart an affected system could become unusable.





Technical Details: Alexey Podrezov; F-Secure Corp.; September 2001



Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.