Virus Name: Saddam
Aliases: Sadam, Profesor
V Status: Rare
Discovery: January, 1991
Symptoms: .COM growth; message; disk boot failures; I/O error message;
"Insufficient memory" message when attempting to run .BAT
files; DIR command errors; system hangs
Origin: France (reported September, 1990)
Eff Length: 919 Bytes
Type Code: PRsCK - Resident Parasitic .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The Saddam virus was first reported in France in September, 1990.
In January, 1991, the first sample of this virus was actually
received, its isolation point was Israel. Saddam is a memory
resident infector of .COM files, including COMMAND.COM. It is based
on the Do-Nothing virus.
The first time a program infected with the Saddam virus is
executed, the virus will install itself memory resident in low
system memory, though not as a TSR. Interrupts 21 and 22 will be
hooked by the virus. COMMAND.COM will be infected at this time if
it has not previously been infected.
Once Saddam is memory resident, it will infect .COM programs as
they are executed or opened. Infected .COM files will have a file
length increase of 919 bytes, the virus will be located at the end
of infected programs. Programs infected with this virus will not
have their file date and time altered upon infection.
There are several symptoms which may be experienced on systems
infected with the Saddam virus. The most obvious symptom is that
the following message will occasionally be displayed:
LEAVE QUEIT BEFORE I COME"
This message cannot be seen in infected files, it is encrypted.
Other symptoms are that attempts to execute .BAT files will result
in an insufficient memory message. Attempts to boot from a disk
with a Saddam infected COMMAND.COM will fail, the system will
hang. Execution of some infected programs will result in an I/O
error and the program aborting execution. The DOS Directory
command may also not function properly. Lastly, infected systems
may experience frequent system hangs requiring the user to reboot
Known variant(s) of Saddam are:
Profesor: Based on the Saddam virus, Profesor also adds 919
bytes to the .COM files it infects. Its usage and
allocation of memory is similar to Saddam, though it
differs in that it will sometimes allocate very large
amounts of memory and programs will then fail to
execute. Professor infects up to two .COM files in
the current directory each time an infected program
is executed. Occassionally, execution of an infected
program will result in a line of meaningless characters
being displayed. Professor contains the following text
"The Profesor is in town again !!!"
Origin: Unknown January, 1992.