Virus Name: Baobab
V Status: Rare
Discovery: July, 1992
Symptoms: .EXE file growth; file date/time changes; decrease in total
system & available free memory
Eff Length: 1,641 - 1,651 Bytes
Type Code: PRhE - Parasitic Resident .EXE Infector
Detection Method: AVTK, Sweep, ViruScan, IBMAV, F-Prot,
NAV, NAVDX, VAlert, PCScan, ChAV,
NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N,
Removal Instructions: Delete infected files
The Baobab virus was received in July, 1992. It is originally
from India. Baobab is a memory resident infector of .EXE programs.
When the first Baobab infected program is executed, the Baobab
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary. It does not move
interrupt 12's return. Total system and available free memory,
as indicated by the DOS CHKDSK program, will have decreased by
2,560 bytes. Interrupt 21 will be hooked by the Baobab virus
Once the Baobab virus is memory resident, it will infect .EXE
programs when they are executed. Infected programs will have
a file length increase of 1,641 to 1,651 bytes with the virus
being located at the end of the infected file. The Baobab virus
will reinfect previously infected programs, adding an additional
1,648 bytes with each reinfection. Infected programs will have
their date and time in the DOS disk directory listing altered
to the current system date and time when the last infection
of the file occurred.
It is unknown what Baobab may do besides replicate.
Known variant(s) of Baobab are:
Baobab-731: A 731 byte variant of the Baobab virus described
above, this variant's size in memory is 1,552 bytes.
Once resident, it will infect .EXE programs when they
are executed, adding 733 to 752 bytes to the file.
The virus will be located at the end of the file, and
the file's date and time in the DOS disk directory
listing will have been updated to the current system
date and time. Like the original virus, this variant
will reinfect previously infected .EXE programs, adding
736 bytes with each reinfection. The following text
string is encrypted within the viral code:
Origin: Unknown March, 1993.