Threat Description

Rizal

Details

Aliases: Rizal, Trojan.Win16.Rizal
Category: Malware
Type: Trojan
Platform: W32

Summary



Rizal is a trojan that damages critical system files. The trojan is a 16-bit Windows NE file, 14 KB long.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



When run, the trojan first adds a large number of similar command blocks to AUTOEXEC.BAT. Each block clears the screen, prints the message shown below, and waits for a key to be pressed.

	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
	   R I Z A L I A N    T R O J A N
	PROGRAMMED BY: THE HAMMER HEAD TEAM
    Computer Science Dept. Jose Rizal University
       Shaw BLVD Mandaluyong City Philppines
LARRY CONANAN and BENITO TY
	-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Then the trojan destroys the MSDOS.SYS file by zeroing it. This only affects DOS and Windows 9x/ME systems.

After that, the trojan starts copying files from the \Windows\Command\ folder to the \My Documents\, \Windows\, \Windows\System\, \Windows\System\Iosubsys\ and \Windows\Help\ folders. The copied files have zero length. After a restart, an affected system could become unusable.
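The three traces described above can be checked on a mounted copy of an affected Windows 9x/ME volume. The following Python is an added example, not F-Secure's code; the function names, the case-insensitive path lookup, and the `cls`/`echo`/`pause` batch syntax in the constructed sample tree are assumptions.

```python
import os
from pathlib import Path

# Destination folders named in the description, relative to the volume root.
TARGET_DIRS = ["My Documents", "Windows", "Windows/System",
               "Windows/System/Iosubsys", "Windows/Help"]
BANNER = b"R I Z A L I A N"  # from the message block quoted in the description

def ls(path):  # directory listing, or [] when missing or not a directory
    return sorted(os.listdir(path)) if path and os.path.isdir(path) else []

def read(path):  # file bytes, or None when missing or not a regular file
    return Path(path).read_bytes() if path and os.path.isfile(path) else None

def find_ci(root, rel):
    """Resolve rel under root ignoring case, as FAT volumes do."""
    path = root
    for part in rel.split("/"):
        match = next((n for n in ls(path) if n.lower() == part.lower()), None)
        if match is None:
            return None
        path = os.path.join(path, match)
    return path

def triage(root):
    """Report the three traces the description names on a mounted volume."""
    msdos = read(find_ci(root, "MSDOS.SYS"))
    autoexec = read(find_ci(root, "AUTOEXEC.BAT")) or b""
    cmd_names = {n.lower() for n in ls(find_ci(root, "Windows/Command"))}
    copies = []
    for rel in TARGET_DIRS:
        folder = find_ci(root, rel)
        for name in ls(folder):
            if name.lower() in cmd_names and read(os.path.join(folder, name)) == b"":
                copies.append(f"{rel}/{name}")
    # "Zeroing" may mean truncated or NUL-filled, so both count.
    return {"msdos_sys_zeroed": msdos is not None and not msdos.strip(b"\x00"),
            "autoexec_blocks": autoexec.count(BANNER), "zero_copies": copies}

def build_sample(root):
    """Write a constructed tree imitating an affected volume (not real data)."""
    block = b"cls\r\necho " + BANNER + b"\r\npause\r\n"  # assumed batch syntax
    files = {"MSDOS.SYS": b"", "AUTOEXEC.BAT": block * 3,
             "WINDOWS/COMMAND/FORMAT.COM": b"original", "WINDOWS/HELP/NOTES.TXT": b"",
             "WINDOWS/SYSTEM/FORMAT.COM": b"", "WINDOWS/HELP/FORMAT.COM": b""}
    for rel, data in files.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_bytes(data)
```

Call `triage()` with the mount point of a read-only image. A zero-length file is reported only when a file of the same name also exists in \Windows\Command\, which keeps unrelated empty files out of the result.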





Technical Details: Alexey Podrezov; F-Secure Corp.; September 2001

