Virus Name: Otto6
V Status: Rare
Discovered: September, 1992
Symptoms: .COM file growth; decrease in total system & available free
memory; host program encrypted
Origin: United States
Eff Length: 640 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: F-Prot, ViruScan, Sweep, AVTK, IBMAV, VAlert,
NAV, NAVDX, PCScan, ChAV,
NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N,
Removal Instructions: Delete infected files
The Otto6 virus was received in September, 1992. It is from the
United States. Otto6 is a non-resident, direct action infector
of .COM programs, including COMMAND.COM. It does install a small
portion of its code in memory, though it is not a complete copy
of the virus, and the virus is not infective from memory.
When the first Otto6 infected program is executed, the Otto6 virus
will install a small portion of its viral code at the top of system
memory but below the 640K DOS boundary. Total system and available
free memory, as indicated by the DOS CHKDSK program, will have
decreased by 2,048 bytes. Interrupt 9 will be hooked by the portion
of Otto6 resident in memory, providing it was not previously hooked
by some other program. Also at this time, the Otto6 virus will
infect one .COM program located in the current directory.
Each time a program infected with the Otto6 virus is executed, the
Otto6 virus will infect one previously uninfected .COM program
located in the current directory. Infected programs will have a
file length increase of 640 bytes with the virus being located at
the end of the file. The program's date and time in the DOS disk
directory listing will not be altered. The following text strings
are encrypted within the viral code:
"OTTO6 VIRUS, <<ÚS>>, YAM,
COPYRIGHT MICROSHAFT INDUSTRIES 1992"
"<<ÚS>> YAM, MICROSHAFT INDUSTRIES (tm.) 1992!"
The Otto6 virus is an encrypted virus. It not only encrypts the
viral code, but the host program as well.
It is unknown what Otto6 does besides replicate.
Known variant(s) of Otto6 are:
Otto-415: Based on the Otto6 virus described above, Otto-415 is
a 415 byte variant. It infects one .COM file in the
current directory each time an infected program is
executed. Infected programs will have a file length
increase of 415 bytes with the virus being located at the
end of the file. The program's date and time in the DOS
disk directory listing will not be altered. The Otto-415
virus encrypts the viral code and the original host
program, so the following text strings are not visible
within infected programs:
"OTTO VIRUS written by: OTTO SCHTUCK"
"COPYRIGHT MICROSHAFT INDUSTRIES 1992 (tm.)"
Origin: United States December, 1992.