Baobab Virus


 Virus Name:  Baobab 
 Aliases:    
 V Status:    Rare 
 Discovery:   July, 1992 
 Symptoms:    .EXE file growth; file date/time changes; decrease in total 
              system & available free memory 
 Origin:      India 
 Eff Length:  1,641 - 1,651 Bytes 
 Type Code:   PRhE - Parasitic Resident .EXE Infector 
 Detection Method:  AVTK, Sweep, ViruScan, IBMAV, F-Prot, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Baobab virus was received in July, 1992.  It is originally 
       from India.  Baobab is a memory resident infector of .EXE programs. 
 
       When the first Baobab infected program is executed, the Baobab 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary.  It does not change the 
       value returned by interrupt 12.  Total system and available free memory, 
       as indicated by the DOS CHKDSK program, will have decreased by 
       2,560 bytes.  Interrupt 21 will be hooked by the Baobab virus 
       in memory. 
 
       Once the Baobab virus is memory resident, it will infect .EXE 
       programs when they are executed.  Infected programs will have 
       a file length increase of 1,641 to 1,651 bytes with the virus 
       being located at the end of the infected file.  The Baobab virus 
       will reinfect previously infected programs, adding an additional 
       1,648 bytes with each reinfection.  Infected programs will have 
       their date and time in the DOS disk directory listing altered 
       to the current system date and time when the last infection 
       of the file occurred. 
 
       It is unknown what Baobab may do besides replicate. 
 
       Known variant(s) of Baobab are: 
       Baobab-731: A 731 byte variant of the Baobab virus described 
                   above.  This variant's size in memory is 1,552 bytes. 
                   Once resident, it will infect .EXE programs when they 
                   are executed, adding 733 to 752 bytes to the file. 
                   The virus will be located at the end of the file, and 
                   the file's date and time in the DOS disk directory 
                   listing will have been updated to the current system 
                   date and time.  Like the original virus, this variant 
                   will reinfect previously infected .EXE programs, adding 
                   736 bytes with each reinfection.  The following text 
                   string is encrypted within the viral code: 
                   "Fhello" 
                   Origin:  Unknown  March, 1993. 
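
The file growth figures above lend themselves to an integrity-check triage. The following Python code is an added example, not part of the original entry: it compares two file manifests and reports .EXE files whose size increase and changed date/time fit one or more infections by Baobab or Baobab-731. The manifest layout, function names and sample values are constructed for illustration.

```python
from typing import NamedTuple

class Profile(NamedTuple):
    name: str
    first_min: int  # smallest growth on first infection (bytes)
    first_max: int  # largest growth on first infection (bytes)
    reinfect: int   # bytes added by each later reinfection

# Figures taken from the entry above.
PROFILES = [
    Profile("Baobab", 1641, 1651, 1648),
    Profile("Baobab-731", 733, 752, 736),
]

def match_growth(delta):
    """Return [(profile, infection_count)] consistent with a size increase."""
    hits = []
    for p in PROFILES:
        n = 1
        # n infections => delta = first + (n - 1) * reinfect
        while delta - (n - 1) * p.reinfect >= p.first_min:
            first = delta - (n - 1) * p.reinfect
            if first <= p.first_max:
                hits.append((p.name, n))
            n += 1
    return hits

def triage(baseline, current):
    """Compare two {filename: (size, timestamp)} manifests (assumed layout)."""
    report = {}
    for name, (size, stamp) in current.items():
        if not name.upper().endswith(".EXE") or name not in baseline:
            continue
        old_size, old_stamp = baseline[name]
        # The entry reports both growth and a changed directory date/time.
        if size > old_size and stamp != old_stamp:
            hits = match_growth(size - old_size)
            if hits:
                report[name] = hits
    return report

# Constructed sample manifests (sizes in bytes, timestamps as strings).
BASELINE = {"EDIT.EXE": (10000, "1991-04-09 05:00"),
            "CALC.EXE": (20000, "1991-04-09 05:00"),
            "TOOL.EXE": (30000, "1991-04-09 05:00"),
            "NOTE.COM": (4000, "1991-04-09 05:00")}
CURRENT = {"EDIT.EXE": (14941, "1992-07-14 10:31"),   # 1645 + 2 * 1648
           "CALC.EXE": (21476, "1993-03-02 16:20"),   # 740 + 736
           "TOOL.EXE": (32000, "1992-07-14 10:40"),   # growth fits neither
           "NOTE.COM": (5645, "1992-07-14 10:41")}    # not an .EXE
```

A size match is only a lead for scanning with one of the listed detection tools; legitimate updates can produce the same increase.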
