Todor Virus


 Virus Name:  Todor 
 Aliases:     1993 
 V Status:    Rare 
 Discovery:   June, 1992 
 Symptoms:    .COM & .EXE growth 
 Origin:      Bulgaria 
 Eff Length:  1,993 Bytes 
 Type Code:   PNEK - Parasitic Non-Resident COMMAND.COM & .EXE Infector 
 Detection Method:  ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV, PCScan, 
                    NAVDX, VAlert, ChAV, 
                    NShld, Sweep/N, AVTK/N, NAV/N, IBMAV/N, LProt, Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Todor virus was submitted in June, 1992.  It is from Bulgaria. 
       Todor is a non-resident infector of .EXE files and COMMAND.COM. 
 
       When a program infected with the Todor virus is executed, this 
       virus will infect up to four .EXE programs located in the current 
       directory.  Additionally, it will infect COMMAND.COM if it was 
       not previously infected.  Programs infected with the Todor virus 
       will have a file length increase of 1,993 bytes with the virus 
       being located at the end of the file.  The program's date and 
       time in the DOS disk directory listing will not be altered. 
 
       The following text strings are encrypted within the viral code in 
       Todor infected programs: 
 
               "????????COM" 
               "COMMAND.COM" 
               "*.exe *.com" 
               "COMSPEC=(C)Todor" 
 
       It is unknown what Todor does besides replicate. 
 
       Known variant(s) of Todor are: 
       Todor-B: Functionally equivalent to the original virus, this 
                variant contains minor alterations. 
                Isolated:  The Netherlands  July, 1992.

Show viruses from discovered during that infect .

Main Page