Saddam Virus
Virus Name: Saddam
Aliases: Sadam, Profesor
V Status: Rare
Discovery: January, 1991
Symptoms: .COM growth; message; disk boot failures; I/O error message;
"Insufficient memory" message when attempting to run .BAT
files; DIR command errors; system hangs
Origin: France (reported September, 1990)
Isolated: Israel
Eff Length: 919 Bytes
Type Code: PRsCK - Resident Parasitic .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Saddam virus was first reported in France in September, 1990.
In January, 1991, the first sample of this virus was actually
received; its isolation point was Israel. Saddam is a memory
resident infector of .COM files, including COMMAND.COM. It is based
on the Do-Nothing virus.
The first time a program infected with the Saddam virus is
executed, the virus will install itself memory resident in low
system memory, though not as a TSR. Interrupts 21 and 22 will be
hooked by the virus. COMMAND.COM will be infected at this time if
it has not previously been infected.
Once Saddam is memory resident, it will infect .COM programs as
they are executed or opened. Infected .COM files will have a file
length increase of 919 bytes; the virus will be located at the end
of infected programs. Programs infected with this virus will not
have their file date and time altered upon infection.
There are several symptoms which may be experienced on systems
infected with the Saddam virus. The most obvious symptom is that
the following message will occasionally be displayed:
"HEY SADAM
LEAVE QUEIT BEFORE I COME"
This message cannot be seen in infected files because it is encrypted.
Other symptoms are that attempts to execute .BAT files will result
in an insufficient memory message. Attempts to boot from a disk
with a Saddam-infected COMMAND.COM will fail; the system will
hang. Execution of some infected programs will result in an I/O
error and the program aborting execution. The DOS Directory
command may also not function properly. Lastly, infected systems
may experience frequent system hangs requiring the user to reboot
the system.
Known variant(s) of Saddam are:
Profesor: Based on the Saddam virus, Profesor also adds 919
bytes to the .COM files it infects. Its usage and
allocation of memory is similar to Saddam, though it
differs in that it will sometimes allocate very large
amounts of memory and programs will then fail to
execute. Profesor infects up to two .COM files in
the current directory each time an infected program
is executed. Occasionally, execution of an infected
program will result in a line of meaningless characters
being displayed. Profesor contains the following text
strings:
"???COM"
"*.COM"
"The Profesor is in town again !!!"
Origin: Unknown January, 1992.
See: Do-Nothing
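
A defender-side check for the symptoms described in this entry, as an added example that is not part of the original entry: it compares .COM files against a known-clean baseline and flags growth of exactly 919 bytes with an unchanged timestamp, plus the distinctive Profesor text string. The function names, the baseline approach, and the assumption that the Profesor string is stored unencrypted in infected files are this example's own.

```python
import os
import tempfile

GROWTH = 919  # effective length given in this entry
# Assumption: the variant's listed text string is stored unencrypted in infected files.
PROFESOR_MARKER = b"The Profesor is in town again !!!"

def snapshot(root):
    """Record size and mtime of every .COM file under root (the known-clean baseline)."""
    base = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.upper().endswith(".COM"):
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                base[path] = (st.st_size, int(st.st_mtime))
    return base

def audit(baseline):
    """Return {path: [reasons]} for baseline files that now match the entry's symptoms."""
    findings = {}
    for path, (old_size, old_mtime) in baseline.items():
        reasons = []
        st = os.stat(path)
        if st.st_size - old_size == GROWTH:
            reasons.append("grew by 919 bytes")
            # The entry notes that file date and time are not altered on infection.
            if int(st.st_mtime) == old_mtime:
                reasons.append("timestamp unchanged despite growth")
        with open(path, "rb") as fh:
            if PROFESOR_MARKER in fh.read():
                reasons.append("Profesor text string present")
        if reasons:
            findings[path] = reasons
    return findings

def demo():
    """Constructed sample: one untouched file, one grown by 919 bytes with its old mtime."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "CLEAN.COM")
    grown = os.path.join(root, "GROWN.COM")
    for p in (clean, grown):
        with open(p, "wb") as fh:
            fh.write(b"\x90" * 100)  # inert filler bytes, not a real program
        os.utime(p, (600000000, 600000000))
    base = snapshot(root)
    with open(grown, "ab") as fh:  # inert padding plus the marker, 919 bytes in total
        fh.write(b"\x00" * (GROWTH - len(PROFESOR_MARKER)) + PROFESOR_MARKER)
    os.utime(grown, (600000000, 600000000))  # simulate the preserved date and time
    return clean, grown, audit(base)
```

Because the Saddam message is encrypted in infected files, only the size and timestamp comparison applies to the base virus; the string match covers the Profesor variant alone.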