Threat Encyclopedia


Ontario

These viruses come from Canada, from the province of Ontario. Their author is Death Angel, who later became a member of the group “Youngsters Against McAfee”, abbreviated as YAM.

Ontario.512

This is a resident, encrypted COM and EXE infector. In memory it occupies 2048 bytes. In its body there is an encrypted string:

C:\COMMAND.COM

Ontario.1024

This is a resident, encrypted, stealth COM and EXE infector occupying 3 KB at the top of memory. It infects COMMAND.COM without changing its length, using the unused area in that file in the same way as the Lehigh virus does. The virus infects files when they are executed or opened: it appends itself to their end and increases their length by 1024 bytes. Each 4th byte in an infected COM file is always “O”, and an infected EXE file always has SP set to 600h. The seconds value in the file's last-modification time is set to a nonsensical value. While the virus is active in memory, no increase in the length of infected files can be seen, and an attempt to view an infected file's code in a debugger fails because the virus adjusts the program so that it appears uninfected. The virus body contains the following encrypted strings:

COMSPEC=
\COMMAND.COM
COMEXEOVL

The first two are used when infecting COMMAND.COM; the third lists the file types the virus will infect.
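A defender-side check for two of the Ontario.1024 infection markers described above, the nonsensical seconds value in the DOS timestamp and an EXE initial SP of 600h. This is an added example, not Eset's detection code; it relies only on the standard MZ header layout and the FAT timestamp encoding, and the sample header and timestamp are constructed.

```python
import struct
from typing import List, Optional

# FAT time word: bits 15-11 hour, bits 10-5 minute, bits 4-0 seconds/2.
# A real clock only yields seconds/2 in 0..29; 30 and 31 ("60"/"62" seconds)
# cannot be produced normally, so a file stamped that way carries a marker.
def dos_time_seconds_invalid(dos_time: int) -> bool:
    return (dos_time & 0x1F) > 29

# Initial SP (e_sp) is the 16-bit little-endian field at offset 0x10 of the
# MZ header; "ZM" is the alternate signature some DOS loaders accept.
def exe_initial_sp(data: bytes) -> Optional[int]:
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    return struct.unpack_from("<H", data, 0x10)[0]

def ontario_1024_indicators(data: bytes, dos_time: int) -> List[str]:
    """Return the Ontario.1024 markers present; an empty list means none."""
    hits: List[str] = []
    if dos_time_seconds_invalid(dos_time):
        hits.append(f"timestamp seconds field = {(dos_time & 0x1F) * 2} (invalid)")
    if exe_initial_sp(data) == 0x600:
        hits.append("EXE initial SP = 600h")
    return hits

# Constructed sample: a minimal MZ header with SP = 600h, stamped 12:00:62.
SAMPLE_EXE = bytearray(0x1C)
SAMPLE_EXE[:2] = b"MZ"
struct.pack_into("<H", SAMPLE_EXE, 0x10, 0x600)
SAMPLE_TIME = (12 << 11) | (0 << 5) | 31   # seconds/2 = 31 -> "62 seconds"

if __name__ == "__main__":
    for hit in ontario_1024_indicators(bytes(SAMPLE_EXE), SAMPLE_TIME):
        print(hit)
```

The time word must be taken from the raw directory entry, since a stat() call on a mounted volume normalises 62 seconds into the next minute. As the entry notes, the resident virus hides the 1024-byte growth, so such checks are only meaningful after a clean boot.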

Ontario.2048

This virus is the third member of the family. It is a polymorphic, resident, stealth COM, EXE, OVL and SYS infector that reserves 5 KB below the top of memory. It infects COMMAND.COM in the same way as Ontario.1024 does, so it does not change that file's length. When the file length is listed with the DOS DIR command, no increase is seen for infected files. The debugger trick is retained in this variant as well. The virus hooks interrupts INT 24h and INT 13h, thereby suppressing the error messages that would appear when writing to write-protected media. When infecting SYS files the virus avoids IBMBIO.SYS and IO.SYS. The virus body also contains a boot sector, but it is never written to a hard disk's MBR or to a diskette's boot sector. The virus body contains the following encrypted texts:

COMSPEC=
\COMMAND.COM
COMEXEOVLSYS
*YAM*'
Your PC has a bootache! - Get some medicine!
Ontario-3 by Death Angel

© 1992-2004 Eset s.r.o. All rights reserved. No part of this Encyclopedia may be reproduced, transmitted or used in any other way in any form or by any means without the prior permission.