%%File: VIRS0671.TXT %%Name/Aliases: RMNS, RMNS MW %%Platform: PC/MS-DOS %%Type: Program., %%Disk Location: COM application. %%Features: Memory resident; TSR. %%Damage: No damage, only replicates. %%Size: Two parts; Male (297 bytes) and Female (353 bytes) %%See Also: %%Notes: The following notes are extracted from VB, May 1995: The virus get its name from an internal text string at the end of the code. The virus has two parts, the male code is 297 bytes long, and the female code is 353 bytes long. The following text strings are found at end: Male: R.M.N.S Test Virus R.M.N.S MW Man Female: R.M.N.S Test Virus R.M.N.S MW Woman Each section is installed separately in memory, and file infection occurs only when both section are memory resident on the same PC. The code is appended to the end of COM file with JMP VIRUS instruction at the beginning of the host file. The two codes are similar and different from each other at the same time. They both intercept Int 21h, and take control upon the execution of an infected file. The difference comes it their functionality. The male intercepts file execution. The female infects file only when asked by the male virus. The virus places its ID in register AX. When an inquiry is make about the value of register AX, a file infected with the male part returns a value of 4BBCh, and the female part returns 4BBDh. However, both parts returns 4BBBh when they are memory resident. Also, the time date stamp of all infected files are set to 31.07.80; 12:07am. The virus intercepts Int 21h function Load and Execute only. Both parts use the subfunctions of Load and Execute call for their communication and infection. On a Load and Execute call, the male section checks the file and if it is a clean COM file, then it calls the female section with an ' infect it ' call (Int 21h, AX=4BB4h). The female part checks the length of the file. If its longer than 65024 bytes, infection is aborted, otherwise, the infection process takes place. The system timer is used in deciding which part to be used in the infection by this method both parts have a 50% chance of infecting files. The virus makes no attempt to hide its present, suppress DOS error message, etc. So far its only goal is to propagate. The recommended method for disinfection is to use clean system conditions, then identify and replace the infected files.