Seat Virus

Virus Name: Seat Aliases: Seat.2389, 2389 V Status: Rare Discovered: July, 1994 Symptoms: .COM & .EXE growth; DOS CHKDSK file allocation errors; decrease in total system & available free memory; some programs fail to function properly Origin: Unknown Eff Length: 2,389 - 2,403 Bytes Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector Detection Method: F-Prot, AVTK, Sweep, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, AVTK/N, Sweep/N, IBMAV/N, NShld, Innoc, NAV/N, LProt Removal Instructions: Delete infected files General Comments: The Seat, Seat.2389 or 2389, virus was received in July, 1994. Its origin or point of isolation is unknown. Seat is a memory resident semi-stealth virus which infects .COM and .EXE files, including COMMAND.COM. It does not infect all .EXE files. When the first Seat infected program is executed, the Seat virus will install itself memory resident at the top of system memory but below the 640K DOS boundary, not moving interrupt 12's return. Total system and available free memory, as indicated by the DOS CHKDSK program, will have decreased by 5,120 bytes. Interrupts 1C and 21 will be hooked by the virus in memory. Once the Seat virus is memory resident, it will infect .COM and some .EXE files when they are executed, opened, or a DOS DIR command is issued. Programs are not infected when they are the source or target of a COPY command. .COM programs infected with the Seat virus will have a file length increase of 2,389 bytes with the virus located at the beginning of the file. Infected .EXE files increase in size by 2,389 to 2,403 bytes with the virus being located at the end of the file. The file length increase will be hidden by the virus when it is memory resident. No text strings are visible within the viral code. Some programs will give not function properly when the Seat virus is memory resident.