Budo Virus


 Virus Name:  Budo 
 Aliases:    
 V Status:    Viron 
 Discovery:   October, 1992 
 Symptoms:    .COM & .EXE file corruption; programs fail to execute 
 Origin:      Finland 
 Eff Length:  890 Bytes 
 Type Code:   ONA - Overwriting Non-Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, Sweep, AVTK, F-Prot, IBMAV, 
                    NAV, NAVDX, VAlert, PCScan, ChAV, 
                    NShld, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Budo virus was submitted from Finland in October, 1992.  Budo 
       is a non-resident, direct action overwriting virus which infects 
       .COM and .EXE programs, but not COMMAND.COM. 
 
       When a program infected with the Budo virus is executed, this virus 
       may infect one .COM or .EXE program located in the current directory. 
       The user is then returned to the DOS prompt.  Infected programs will 
       have the first 890 bytes overwritten by the Budo viral code.  Unless 
       the original host program was smaller than 890 bytes, there will be 
       no increase in file size.  In the case of programs which were 
       smaller than 890 bytes, they will become 890 bytes in length.  The 
       program's date and time in the DOS disk directory listing will not 
       be altered.  The following text strings can be found within the 
       viral code: 
 
               "*.COM" 
               "*.EXE" 
               "BUDO V1.2 THHV FINLAND PQ" 
               "FLOW LIKE A RIVER - STRIKE LIKE THUNDER" 
 
       Budo destroys the programs it infects, and infected programs must 
       be replaced from clean, uninfected backups. 
 
       Known variant(s) of Budo are: 
       Budo.1000: Received in July, 1994, Budo.1000 is a memory resident, 
                  1,000 byte variant of the Budo virus described above.  When 
                  the first infected program is executed, it installs itself 
                  memory resident as a low system memory TSR of 1,232 bytes, 
                  hooking interrupts 21 and 22.  Once resident, it may infect 
                  .COM programs when they are executed, overwriting the first 
                  1,000 bytes.  The program's date and time in the DOS disk 
                  directory listing will not be altered.  The following text 
                  strings are visible within the viral code in all infected 
                  files: 
                  "????????COM" 
                  "*.COM" 
                  "*.EXE" 
                  "BUDO V1.0 April/92" 
                  "TH & HV Finland" 
                  "Flow like a river - strike like a thunder" 
                  "Incorrect DOS version" 
                  "TELAPI" 
                  Origin:  Finland  July, 1994. 
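
The overwrite lengths and text strings listed above can be turned into a simple triage check for a directory of DOS programs. The following Python sketch is an added example, not part of the original entry or of any scanner named in it; the function names are hypothetical, and it assumes that all of a variant's listed strings lie inside the overwritten region at the start of the file (890 or 1,000 bytes). The sample files it builds are constructed filler data containing only the marker strings.

```python
import tempfile
from pathlib import Path

# Overwrite length and marker strings per variant, as listed in the entry above.
SIGNATURES = {
    "Budo": (890, (b"BUDO V1.2 THHV FINLAND PQ",
                   b"FLOW LIKE A RIVER - STRIKE LIKE THUNDER")),
    "Budo.1000": (1000, (b"BUDO V1.0 April/92", b"TH & HV Finland",
                         b"Flow like a river - strike like a thunder")),
}
MAX_HEAD = max(length for length, _ in SIGNATURES.values())

def classify(head):
    """Return the variant whose markers all sit inside its overwritten region."""
    for name, (length, markers) in SIGNATURES.items():
        region = head[:length]  # assumption: markers never extend past this point
        if all(marker in region for marker in markers):
            return name
    return None

def scan_directory(path):
    """Map each matching .COM/.EXE file in `path` to the variant name."""
    hits = {}
    for p in sorted(Path(path).iterdir()):
        if p.is_file() and p.suffix.upper() in (".COM", ".EXE"):
            with p.open("rb") as fh:
                variant = classify(fh.read(MAX_HEAD))
            if variant:
                hits[p.name] = variant
    return hits

def build_sample_dir():
    """Constructed data: filler bytes plus the marker strings, no viral code."""
    def image(variant, total):
        length, markers = SIGNATURES[variant]
        body = b"\x00" * 64 + b"\x00".join(markers)
        return body.ljust(length, b"\x00") + b"\x90" * (total - length)
    samples = {
        "CLEAN.COM": b"\x90" * 2000,
        "HIT890.EXE": image("Budo", 4096),
        "SMALL.COM": image("Budo", 890),        # host was smaller than 890 bytes
        "HIT1000.COM": image("Budo.1000", 3000),
        "LATE.EXE": b"\x90" * 5000 + b"\x00".join(SIGNATURES["Budo"][1]),
        "NOTES.TXT": image("Budo", 890),        # not a .COM/.EXE name, skipped
    }
    root = tempfile.mkdtemp()
    for name, data in samples.items():
        Path(root, name).write_bytes(data)
    return root
```

A match only flags a file for replacement from clean backups, as the entry states; the check does not attempt repair, since the overwritten bytes of the host are gone.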
