Basilisk Virus


 Virus Name:  Basilisk 
 Aliases:    
 V Status:    Rare 
 Discovery:   March, 1993 
 Symptoms:    .COM & .EXE growth; decrease in total system & available free 
              memory; DOS CHKDSK file allocation errors when resident; 
              file date/time seconds = 62 
 Origin:      North America 
 Eff Length:  1,639 - 1,653 Bytes 
 Type Code:   PRhAK - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  F-Prot, NAV, ViruScan, IBMAV, AVTK, Sweep, ChAV, 
                    NAVDX, VAlert, PCScan, 
                    NShld, AVTK/N, Sweep/N, NProt, NAV/N, IBMAV/N, Innoc, 
                    LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Basilisk virus was submitted in March, 1993, and is from North 
       America.  Basilisk is based on the R-10, R-11, and Sunday 2 viruses, 
       and is a memory resident infector of .COM and .EXE programs, 
       including COMMAND.COM.  It should be considered a stealth-type 
       virus as it infects programs on open, as well as hiding the file 
       length increase when the virus is memory resident. 
 
       When the first Basilisk infected program is executed, the Basilisk 
       virus will install itself memory resident at the top of system 
       memory but below the 640K DOS boundary, hooking interrupts 21, 22 
       and 27.  Total system and available free memory, as indicated by the 
       DOS CHKDSK program, will have decreased by 3,408 bytes.  Interrupt 
       12's return will not be moved.  Also at this time, Basilisk will 
       infect COMMAND.COM. 
 
       Once the Basilisk virus is memory resident, it will infect .COM and 
       .EXE programs larger than approximately 2K in size when they are 
       executed or opened for any reason.  Infected .COM programs will have 
       a file length increase of 1,639 bytes.  .EXE programs will have a 
       file length increase of 1,639 to 1,653 bytes.  In both cases, the 
       file length increase will be hidden by the virus when the virus is 
       memory resident.  The viral code will be located at the end of the 
       infected program.  The file's date and time in the DOS disk directory 
       listing will appear not to be altered, but will actually have the 
       seconds field set to 62. 
 
       The following text strings are encrypted within the Basilisk viral 
       code in all infected programs: 
 
               "Basilisk v1.0" 
               "Packed file is corrupt" 
               "(c) 1992 YAM/RABID International" 
               "The slave thinks he is released from bondage" 
               "only to find a stronger set of chains" 
 
       Systems infected with the Basilisk virus will experience file 
       allocation errors detected on infected files when the Basilisk 
       virus is memory resident. 
 
       See:  Sunday-2 

Show viruses from discovered during that infect .

Main Page