Hobbit Virus


 Virus Name:  Hobbit 
 Aliases:    
 V Status:    Rare 
 Discovered:  November, 1993 
 Symptoms:    .EXE files altered; TSR 
 Origin:      Unknown 
 Eff Length:  505 Bytes Overwriting 
 Type Code:   ORsE - Overwriting Resident .EXE Infector 
 Detection Method:  F-Prot, ViruScan, AVTK, Sweep, NAV, NAVDX, VAlert, 
                    PCScan, ChAV, 
                    Sweep/N, NShld, AVTK/N, Innoc, NAV/N, LProt 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Hobbit virus was received in November, 1993.  Its origin or 
       point of isolation is unknown.  Hobbit is a memory resident infector 
       of .EXE programs, and should be considered a stealth virus. 
 
       When the first Hobbit infected program is executed, this virus will 
       install itself memory resident as a low system memory TSR of 1,440 
       bytes.  No interrupts will be directly mapped to the virus in memory 
       as it directly hooks the interrupts via the interrupt chain. 
 
       Once memory resident, the Hobbit virus will infect .EXE programs 
       when they are executed or opened.  Hobbit infected programs will not 
       increase in size as the virus overwrites 505 bytes of the .EXE file's 
       header.  The program's date and time in the DOS disk directory listing 
       will not be altered.  One text string is visible within the viral 
       code in all Hobbit infected programs: 
 
               "HOBIT" 
 
       It is unknown what Hobbit does besides replicate. 

Show viruses from discovered during that infect .

Main Page