|Place of Origin||Kurukshetra, India|
|Infection Length||~2,800 bytes|
The virus checks if it is already memory, searching for the value 0AD75h. If WIN.SYS is found in the root of drive C:, it will not become memory resident or infect files. If neither of these conditions exists, the virus becomes memory resident. It infects any Windows Portable Executable. Blackbat avoids infecting files with "AV", "AN", and "F-" in their names, effectively preventing it from attacking antivirus products. It appends its code to the end of the file.
On December 8, the virus delivers a payload, displaying the message box "Happy BirthDay :-)".
Blackbat was written by Rohitab, who published it in issue 6 of 29A magazine. Its copyright date is 1999, but no more specific date was given. In addition, Issue 6 of 29A was released in 2004. Its location of origin is in all likelihood India, as during 1999, Rohitab was in his last semester at Kurukshetra University and later working at DCM Technologies, according to his resume.
Rohitab. Rohitab.com, BlackBat Virus – Non Destructive.