Dada Virus

Virus Name: Dada Aliases: V Status: Rare Discovery: January, 1992 Symptoms: .EXE file growth; decrease in available free memory; file date/time changes; .EXE programs may fail to execute Origin: Unknown Eff Length: 1,358 - 1,372 Bytes Type Code: PRsE - Parasitic Resident .EXE Infector Detection Method: Sweep, ViruScan, F-Prot, AVTK, IBMAV, NAV, NAVDX, VAlert, PCScan, ChAV, LProt, Sweep/N, NShld, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The Dada virus was submitted in January, 1992. Its origin or point of isolation are unknown. Dada is a memory resident infector of .EXE programs. The first time a program infected with the Dada virus is executed, this virus will install itself as a low system memory TSR of 2,048 bytes. Most memory mapping utilities will show it as an increase in the size of the in-memory command interpretor. Interrupts 08 and 21 will be hooked by Dada in memory. The virus will also alter the ceiling for conventional memory, so that the system will only have about 64K of conventional memory available. The remaining memory below 640K will appear as available memory, though not conventional memory. Once the Dada virus is memory resident, it will infect .EXE programs when they are executed. Infected programs will have a file length increase of 1,358 to 1,372 bytes with the virus being located at the end of the infected program. The file's date and time in the DOS disk directory listing will have been updated to the current system date and time. The following text string can be found within the viral code in infected programs: "PATH=.EXE" As a result of the Dada virus' alteration of conventional memory, execution of .EXE programs over 64K in size may not execute in the way the user expects. Unpredictable errors may result.