Rushhour is an early DOS file infector. In a similar manner to the Lehigh virus, it only infects one particular file. It is one of the few viruses from the year 1986.
When a KEYBGR.COM file infected with Rushhour is introduced to a new system and executed, the virus becomes resident in the memory. The virus waits fifteen minutes to begin infecting after execution. When the user enters a directory with KEYBGR.COM, Rushhour will infect the file by appending its code to the file.
The virus only infects the file KEYBGR.COM, a German keyboard driver for MS-DOS. The virus may cause the computer to make sounds, sometimes described as a short "Pchchch" (probably similar to white noise, as the source on this is in German where the letters "ch" together produce a different sound) when keys are pressed. Whether or not this is intentional is unclear, but it may have been, as the virus may cause interference with the keyboard driver. It contains text strings inside the virus code:
This program is a VIRUS program. Once activated it has control over alls ystem devices and even over all storage media inserted by the user. It continually copies itself into uninfected operating systems and thus spreads uncontrolled. The fact that the virus does not destroy any user programs or erase the disk is merely due to a philanthropic trait of the author......
Some versions of the virus contain a similar message in Dutch:
Dit is een demonstratie van een zogenaamd computervirus.Het heeft volledige controle over alle systeem-componentenen alle harde schijven en in de drive(s) ingevoerdediskettes. Het programma kopieert zichzelf naar andere,nog niet besmette besturingssystemen en verspreidt zich opdie manier ongecontroleerd. In dit geval zijn er geenprogramma`s beschadigd of schijven gewist, omdat ditslechts een demonstratie is. Een kwaadaardig virushad echter wel degelijk schade aan kunnen richten.
This translates into, "This is a demonstration of a so-called computer virus. It has complete control over all system components all hard disks and in the drive(s) introduced diskettes. It copies itself to another uncontaminated program, and spreads in an uncontrolled manner. No program has been damaged and no disks were erased, because this is solely a demonstration. It would have been possible to create one that does damage, but that would be contrary to our goals."
The creator of the virus named it Rush Hour. The reason for this name was never made clear.
- Avast: Rush
- AVG: Rush_Hour
- Avira: VGEN/6291.512
- Bitdefender: Rush_Hour.A
- ClamAV: Vgen.6291
- F-Prot: Rush_Hour.A
- Kaspersky Lab: Virus.DOS.Rushhour.a
- McAfee: Rush Hour.ow
- Panda: RushHour.3128
- RAVAntivirus: Rush_Hour.A
- Sophos: Rushhour
- Symantec: Rush Hour.B (d)
- Trend Micro: RUSH_HOUR.A
When Berndt Fix first planned the virus, he proposed several different possibilities for how it would work. A virus infecting .com as well as .exe files was proposed, but Fix decided against it when he considered the amount of space it would consume. Another possibility was a virus containing a 4500 character text on the dangers of viruses, but this was not done for the same reason.
Ralf Burger. Computer Viruses: A High-Tech Disease, pp. 137–144. Data Becker, GmbH, Düsseldorf; Abacus Software, Grand Rapids: 1987-1989. ISBN 1-55755-043-3
Funktion und Aufbau des Virus "RUSHHOUR". (German)
Kaspersky Labs, Virus.DOS.Rushhour.a.