Ondra Virus

Virus Name: Ondra Aliases: 4915 V Status: Viron Discovered: May, 1992 Symptoms: .EXE programs overwritten; program corruption; access to unexpected hangs; system hangs Origin: Unknown Eff Length: 5,000 Bytes Type Code: ONE - Overwriting Non-Resident .EXE Infector Detection Method: AVTK, ViruScan, F-Prot, Sweep, NAV, NAVDX, VAlert, PCScan, ChAV, NShld, Sweep/N, Innoc, AVTK/N, NAV/N, NProt, LProt Removal Instructions: Delete infected files General Comments: The Ondra virus was submitted in May, 1992. Its origin is unknown. Ondra is a non-resident direct action overwriting virus which infects .EXE programs. When a program infected with the Ondra virus is executed, the Ondra virus will infect all .EXE programs larger than approximately 5,000 bytes located in the current directory. Once the virus has completed infecting the programs in the current directory, it will start infecting programs on the B: drive. If the B: drive contains a write-protected diskette, it will retry writing to the drive indefinitely. Once the virus has completed infecting programs, the user will be returned to the DOS prompt. Programs infected with the Ondra virus will have no file length increase, but rather will be completely overwritten with the viral code and some of the contents of system memory. The file's date and time in the DOS disk directory listing will not be altered. The following text strings can be found within the viral code in all Ondra infected programs: "ondra.dat" "Invalid environment" "Runtime error" Systems infected with the Ondra virus will have .EXE programs fail to execute properly, and system hangs may frequently occur. Known variant(s) of Ondra are: Ondra-B: Received in July, 1992, this variant is a variant of Ondra described above. It infects one .EXE program each time an infected program is executed. Infected programs will be completely overwritten, though the viral code is contained in the first 4,915 bytes of the file. It contains the same text strings as the original virus. Origin: Unknown July, 1992.