Itti Virus

Virus Name: Itti Aliases: Itti-A V Status: Viron Discovered: April, 1992 Symptoms: .COM file corruption; boot failures; "EXEC failure" message; system hangs Origin: Unknown Eff Length: 161 Bytes Type Code: ONCK - Overwriting Non-Resident .COM Infector Detection Method: F-Prot, Sweep, ViruScan, AVTK, ChAV, IBMAV, NAV, NAVDX, VAlert, PCScan, NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N, NAV/N Removal Instructions: Delete infected files General Comments: The Itti virus was received in April, 1992. Its origin is unknown. Itti is a non-resident overwriting virus which infects .COM programs, including COMMAND.COM. When a program infected with Itti is executed, the Itti virus will infect one .COM program located in the current directory by over- writing the host program's first 161 bytes. There will be no change to the file's length unless it was originally smaller than 161 bytes. In the case of .COM files smaller than 161 bytes, their length becomes 161 bytes. There will be no change to the file's date and time in the DOS disk directory listing. Once the Itti virus has completed infecting a file, it will display the following message and return the user to the DOS prompt: "EXEC failure" The above message, plus the text string "*.COM", can be found in the first 161 bytes of infected programs. Systems infected with the Itti virus will experience boot failures if the copy of COMMAND.COM located in the root directory of the bootable partition of the hard disk becomes infected. System hangs will occur if the Itti virus cannot find an uninfected .COM program to infect. Known variant(s) of Itti are: Itti-B: A 99 byte variant of Itti, this variant does not display the "EXEC failure" message, and the message is not contained within the viral code. Infected programs will have their file date and time in the DOS disk directory updated to the system date and time when infection occurred. Origin: Unknown April, 1992