Virus Name: Basilisk
V Status: Rare
Discovery: March, 1993
Symptoms: .COM & .EXE growth; decrease in total system & available free
memory; DOS CHKDSK file allocation errors when resident;
file date/time seconds = 62
Origin: North America
Eff Length: 1,639 - 1,653 Bytes
Type Code: PRhAK - Parasitic Resident .COM & .EXE Infector
Detection Method: F-Prot, NAV, ViruScan, IBMAV, AVTK, Sweep, ChAV,
NAVDX, VAlert, PCScan,
NShld, AVTK/N, Sweep/N, NProt, NAV/N, IBMAV/N, Innoc,
Removal Instructions: Delete infected files
The Basilisk virus was submitted in March, 1993, and is from North
America. Basilisk is based on the R-10, R-11, and Sunday 2 viruses,
and is a memory resident infector of .COM and .EXE programs,
including COMMAND.COM. It should be considered a stealth-type
virus as it infects programs on open, as well as hiding the file
length increase when the virus is memory resident.
When the first Basilisk infected program is executed, the Basilisk
virus will install itself memory resident at the top of system
memory but below the 640K DOS boundary, hooking interrupts 21, 22
and 27. Total system and available free memory, as indicated by the
DOS CHKDSK program, will have decreased by 3,408 bytes. Interrupt
12's return will not be moved. Also at this time, Basilisk will
Once the Basilisk virus is memory resident, it will infect .COM and
.EXE programs larger than approximately 2K in size when they are
executed or opened for any reason. Infected .COM programs will have
a file length increase of 1,639 bytes. .EXE programs will have a
file length increase of 1,639 to 1,653 bytes. In both cases, the
file length increase will be hidden by the virus when the virus is
memory resident. The viral code will be located at the end of the
infected program. The file's date and time in the DOS disk directory
listing will appear not to be altered, but will actually have the
seconds field set to 62.
The following text strings are encrypted within the Basilisk viral
code in all infected programs:
"Packed file is corrupt"
"(c) 1992 YAM/RABID International"
"The slave thinks he is released from bondage"
"only to find a stronger set of chains"
Systems infected with the Basilisk virus will experience file
allocation errors detected on infected files when the Basilisk
virus is memory resident.