Otto6 Virus


 Virus Name:  Otto6 
 Aliases:    
 V Status:    Rare 
 Discovered:  September, 1992 
 Symptoms:    .COM file growth; decrease in total system & available free 
              memory; host program encrypted 
 Origin:      United States 
 Eff Length:  640 Bytes 
 Type Code:   PNCK - Parasitic Non-Resident .COM Infector 
 Detection Method:  F-Prot, ViruScan, Sweep, AVTK, IBMAV, VAlert, 
                    NAV, NAVDX, PCScan, ChAV, 
                    NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N, 
                    NAV/N 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Otto6 virus was received in September, 1992.  It is from the 
       United States.  Otto6 is a non-resident, direct action infector 
       of .COM programs, including COMMAND.COM.  It does install a small 
       portion of its code in memory, though it is not a complete copy 
       of the virus, and the virus is not infective from memory. 
 
       When the first Otto6 infected program is executed, the Otto6 virus 
       will install a small portion of its viral code at the top of system 
       memory but below the 640K DOS boundary.  Total system and available 
       free memory, as indicated by the DOS CHKDSK program, will have 
       decreased by 2,048 bytes.  Interrupt 9 will be hooked by the portion 
       of Otto6 resident in memory, providing it was not previously hooked 
       by some other program.  Also at this time, the Otto6 virus will 
       infect one .COM program located in the current directory. 
 
       Each time a program infected with the Otto6 virus is executed, the 
       Otto6 virus will infect one previously uninfected .COM program 
       located in the current directory.  Infected programs will have a 
       file length increase of 640 bytes with the virus being located at 
       the end of the file.  The program's date and time in the DOS disk 
       directory listing will not be altered.  The following text strings 
       are encrypted within the viral code: 
 
               "OTTO6 VIRUS, <<ÚS>>, YAM, 
                COPYRIGHT MICROSHAFT INDUSTRIES 1992" 
               "<<ÚS>> YAM, MICROSHAFT INDUSTRIES (tm.) 1992!" 
               "*.COM" 
 
       The Otto6 virus is an encrypted virus.  It not only encrypts the 
       viral code, but the host program as well. 
 
       It is unknown what Otto6 does besides replicate. 
 
       Known variant(s) of Otto6 are: 
       Otto-415: Based on the Otto6 virus described above, Otto-415 is 
                 a 415 byte variant.  It infects one .COM file in the 
                 current directory each time an infected program is 
                 executed.  Infected programs will have a file length 
                 increase of 415 bytes with the virus being located at the 
                 end of the file.  The program's date and time in the DOS 
                 disk directory listing will not be altered.  The Otto-415 
                 virus encrypts the viral code and the original host 
                 program, so the following text strings are not visible 
                 within infected programs: 
                 "OTTO VIRUS written by: OTTO SCHTUCK" 
                 "COPYRIGHT MICROSHAFT INDUSTRIES 1992 (tm.)" 
                 "*.COM" 
                 Origin:  United States  December, 1992. 

Show viruses from discovered during that infect .

Main Page