Baba Virus
Virus Name: Baba
Aliases: Baba.353
V Status: New
Discovery: July, 1994
Symptoms: .COM file growth; file date/time changes;
decrease in system and available free memory
Origin: Unknown
Eff Length: 353 Bytes
Type Code: PRhC - Parasitic Resident .COM Infector
Detection Method: F-Prot, AVTK, IBMAV, ViruScan, Sweep,
NAV, NAVDX, VAlert, PCScan, ChAV,
NProt, AVTK/N, Sweep/N, IBMAV/N, NShld, NAV/N, Innoc
Removal Instructions: Delete infected files
General Comments:
The Baba or Baba.353 virus was received in July, 1994. Its origin or
point of isolation is unknown. Baba is a memory resident infector of
.COM files, but not COMMAND.COM.
When the first Baba infected program is executed, this virus will
install itself memory resident at the top of system memory but below
the 640K DOS boundary, lowering the memory size returned by interrupt 12. Total system and
available free memory, as indicated by the DOS CHKDSK program, will
have decreased by 384 bytes. Interrupt 21 will be hooked by the virus
in memory.
Once memory resident, Baba will infect .COM programs when they are
executed. Infected programs will have a file length increase of 353
bytes with the virus being located at the end of the file. The
program's date and time in the DOS disk directory listing will have
been updated to the current system date and time when infection
occurred. The following text string is visible within the viral code
in all infected files:
"=>COMMAND.COM<="
Known variant(s) of Baba are:
Baba.350: Received in July, 1995, this is a 350 byte variant
of the Baba virus described above. Its size in memory is 368
bytes, hooking interrupt 21. It adds 350 bytes to the .COM
files it infects, and updates the file date and time in the
DOS disk directory listing to the current system date and time
when infection occurred. The virus will be located at the end
of the file. The following text string is visible within the
viral code:
"=>COMMAND.COM<="
Origin: Unknown July, 1995
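
The traits described above (viral code appended at the end of .COM files, 353 or 350 bytes long, with a visible text string) can be combined into a triage check. The following Python code is an added example, not part of the original entry and not the signature used by any of the scanners listed; its function names and sample files are constructed for illustration, and a hit is a heuristic indicator that the file should be inspected, not a confirmed identification.

```python
import os
import tempfile

MARKER = b"=>COMMAND.COM<="                         # text string quoted in the entry
TAIL_LENGTHS = {"Baba.353": 353, "Baba.350": 350}   # appended lengths from the entry

def match_tail(tail: bytes, size: int) -> list:
    """Variants whose end-of-file window holds the marker (heuristic only)."""
    # The marker's offset inside the viral code is not given in the entry, so a
    # hit can name both variants; treat any hit as "inspect this file".
    return [name for name, n in TAIL_LENGTHS.items()
            if size > n and MARKER in tail[-n:]]

def check_com_file(path: str) -> list:
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        fh.seek(max(0, size - max(TAIL_LENGTHS.values())))  # read only the tail
        return match_tail(fh.read(), size)

def scan_tree(root: str) -> dict:
    """Map each flagged .COM file (path relative to root) to candidate variants."""
    flagged = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(".COM"):
                path = os.path.join(folder, name)
                hits = check_com_file(path)
                if hits:
                    flagged[os.path.relpath(path, root)] = hits
    return flagged

def demo() -> dict:
    """Scan constructed files: zero-filled stand-ins, not virus code."""
    host = b"\x90" * 1000
    samples = {
        "CLEAN.COM": host,
        "TAIL353.COM": host + b"\x00" + MARKER + b"\x00" * 337,        # 353-byte tail
        "TAIL350.COM": host + b"\x00" * 100 + MARKER + b"\x00" * 235,  # 350-byte tail
        "EARLY.COM": MARKER + host,    # marker present but outside the tail window
        "NOTES.TXT": host + MARKER,    # not a .COM file, so it is skipped
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan_tree(root)

if __name__ == "__main__":
    print(demo())
```

Pairing a hit with the other listed symptoms (a file date/time matching the moment of suspected infection, and growth of exactly 353 or 350 bytes against a known-good copy) reduces false positives from files that merely contain the string.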