Bad-389 Virus
Virus Name: Bad-389
Aliases:
V Status: Rare
Discovery: March, 1993
Symptoms: .COM file growth; file date/time changes; TSR
Origin: Unknown
Eff Length: 389 Bytes
Type Code: PRsCK - Parasitic Resident .COM Infector
Detection Method: AVTK, F-Prot, Sweep, ViruScan, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, Sweep/N, Innoc, NShld, AVTK/N, NProt, IBMAV/N, NAV/N
Removal Instructions: Delete infected files
General Comments:
The Bad-389 virus was submitted in March, 1993. Its origin or point
of isolation is unknown. Bad-389 is a memory resident infector of
.COM programs, including COMMAND.COM.

When the first Bad-389 infected program is executed, the Bad-389
virus will install itself memory resident as a low system memory
TSR of 544 bytes. Interrupt 21 will be hooked by the virus. Bad-389
cannot determine when it is already memory resident, so it will
reinfect memory each time an infected program is executed, taking
up an additional 544 bytes of memory.

Once memory resident, the Bad-389 virus will infect .COM programs,
including COMMAND.COM, when they are executed. Infected programs
will have a file length increase of 389 bytes with the virus being
located at the end of the file. The program's date and time in the
DOS disk directory listing will have been set to the current system
date and time when infection occurred. The following text string
is visible within the viral code in all Bad-389 infected programs:

"Bad command or file name"
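
The file-level indicators above (389 bytes appended at the end of a .COM file, with the quoted string inside that appended code) can be turned into a triage check; the following is an added example, not part of the original entry or of any scanner it lists. Because the same text is also the ordinary DOS error message and can appear in clean files, the check looks only at the last 389 bytes. The function names and sample files are constructed for illustration, and a match is a lead for further analysis rather than a confirmed detection.

```python
import os
import tempfile

VIRUS_LEN = 389                        # "Eff Length" from the entry
MARKER = b"Bad command or file name"   # text visible in the viral code


def check_tail(data: bytes) -> bool:
    """True when the marker lies wholly inside the last 389 bytes."""
    if len(data) <= VIRUS_LEN:         # too short to be host + appended code
        return False
    return MARKER in data[-VIRUS_LEN:]


def scan_tree(root):
    """Return (path, size minus 389, mtime) for each .COM file that matches."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith(".COM"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if check_tail(data):
                # The entry says the timestamp is reset at infection time,
                # so mtime is a lead on when the file was modified.
                hits.append((path, len(data) - VIRUS_LEN, os.stat(path).st_mtime))
    return sorted(hits)


def demo():
    """Constructed samples: filler bytes plus the marker, no viral code."""
    tail = (b"\x90" * 100 + MARKER).ljust(VIRUS_LEN, b"\x90")
    samples = {
        "CLEAN.COM": b"\x90" * 200 + MARKER + b"\x90" * 1000,  # marker mid-file
        "SUSPECT.COM": b"\x90" * 500 + tail,                   # marker in tail
        "TINY.COM": MARKER,                                    # under 389 bytes
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), size) for p, size, _ in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

The second value in each result is the file length minus 389 bytes, which can be compared against a known-good copy of the same program.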