Threat Encyclopedia

Selected viruses, spyware, and other threats: sorted alphabetically

Bachkhoa.3999

This is a resident, encrypted COM and EXE infector with effective length of virus code 399 bytes. The virus infects files of length more that 489 bytes and less than 60000 bytes with COM type files. It avoids programs SCAN and F-PROT. When infecting files it redirects the interrupt INT 24h to its body and by doing so it avoids detection in case of wrong writing. The virus code is anti-heuristic. The way in which the virus saves data necessary for execution of infected program also suggests that there is an effort to make cleaning of virus more difficult. The virus marks infected files – in the file date and at the end of infected file we always find the following 4 bytes in hexa: 0x4F 0xCF 0xCB 0x4F. The virus erases files in which anti-virus programs store some information on integrity of programs according to the following list:

CHKLIST.MS, CHKLIST.CPS, FILESIGN.SAV, FILE-ID.DIZ

The country of origin is indicated by the following text:

Ha Noi University of Technology
Your PC was infected by BACH KHOA virus version 1.5

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.