DoDo Virus

Virus Name: DoDo Aliases: Birdie V Status: Rare Discovered: February, 1992 Symptoms: .COM file growth Origin: Unknown Eff Length: 408 Bytes Type Code: PRbCK - Parasitic Resident .COM Infector Detection Method: ViruScan, F-Prot, Sweep, NAV, ChAV, IBMAV, AVTK, NAVDX, VAlert, PCScan, NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, NAV/N, IBMAV/N Removal Instructions: Delete infected files General Comments: The DoDo, or Birdie, virus was received in February, 1992. Its origin and point of isolation are unknown. DoDo is a resident resident infector of .COM programs, including COMMAND.COM. It is not related to the Dodo 2456 virus. The first time a program infected with the DoDo virus is executed, the DoDo virus will install itself memory resident in video card memory. Interrupt 21 will be directly hooked by the virus in the interrupt area. After the DoDo virus is memory resident, it will infect .COM programs when they are executed. Infected programs will have a file length increase of 408 bytes with the virus being located at the end of the infected file. The program's date and time in the DOS disk directory listing will not be altered. One text string can be found in the viral code in infected programs: "Birdie Hop!" DoDo doesn't do anything besides replicate. Known variant(s) of DoDo are: Pig: The Pig virus is a 407 byte variant of the DoDo virus. Besides being one byte shorter, the major difference with this variant is that it will become memory resident in available free memory. The text string found in this variant is: "GIP". Origin: Unknown February, 1992. Pig-B: Functionally equivalent to the Pig variant, this virus has three bytes which differ. Origin: Unknown June, 1992.