Dodo 2456 Virus

Virus Name: Dodo 2456 Aliases: V Status: Rare Discovered: June, 1993 Symptoms: .COM file growth; file date/time changes; decrease in available free memory of approximately 100K Origin: The Netherlands Eff Length: 2,456 Bytes Type Code: PRsCK - Parasitic Resident .COM Infector Detection Method: AVTK, Sweep, ViruScan, F-Prot, IBMAV, NAVDX, VAlert, NAV, PCScan, ChAV, NShld, Sweep/N, AVTK/N, IBMAV/N, Innoc, NAV/N Removal Instructions: Delete infected files General Comments: The Dodo-2456 virus was isolated in The Netherlands in June, 1993. It is a memory resident infector of .COM programs, including COMMAND.COM. It is not released to the DoDo or Birdie virus. When the first Dodo 2456 infected program is executed, the Dodo virus will check the copy of COMMAND.COM located in the C: drive root directory. If this copy of COMMAND.COM has not been previously infected by the virus, the virus will infect it at this time. If COMMAND.COM is already infected, the virus will become memory resident. The Dodo 2456 virus installs itself memory resident as a low system memory TSR of 2.4K, but in the process of it becoming memory resident, it will actually end up keeping slightly over 100K of memory. Interrupt 21 will be hooked by Dodo2456 in memory. Once the Dodo 2456 virus is memory resident, it will infect .COM programs when they are executed. Infected programs will have a file length increase of 2,456 bytes with the virus being located at the end of the file. The program's date and time in the DOS disk directory listing will not be altered. The following text strings are visible within the viral code in all Dodo 2456 infected programs: "DODO" "c:\command.com" "Today we commemorate the DODO." "The bird who has become the victim of human civilization !!!!!" "A:\ EST POC" "command com" Besides being contained within the viral code, the text string "DODO" can be found starting in the fourth byte of all infected programs. It is unknown what Dodo 2456 does besides replicate.