Virus Name: Hobbit
V Status: Rare
Discovered: November, 1993
Symptoms: .EXE files altered; TSR
Eff Length: 505 Bytes Overwriting
Type Code: ORsE - Overwriting Resident .EXE Infector
Detection Method: F-Prot, ViruScan, AVTK, Sweep, NAV, NAVDX, VAlert,
Sweep/N, NShld, AVTK/N, Innoc, NAV/N, LProt
Removal Instructions: Delete infected files
The Hobbit virus was received in November, 1993. Its origin or
point of isolation is unknown. Hobbit is a memory resident infector
of .EXE programs, and should be considered a stealth virus.
When the first Hobbit infected program is executed, this virus will
install itself memory resident as a low system memory TSR of 1,440
bytes. No interrupts will be directly mapped to the virus in memory
as it directly hooks the interrupts via the interrupt chain.
Once memory resident, the Hobbit virus will infect .EXE programs
when they are executed or opened. Hobbit infected programs will not
increase in size as the virus overwrites 505 bytes of the .EXE file's
header. The program's date and time in the DOS disk directory listing
will not be altered. One text string is visible within the viral
code in all Hobbit infected programs:
It is unknown what Hobbit does besides replicate.