Virus Name: Todor
V Status: Rare
Discovery: June, 1992
Symptoms: .COM & .EXE growth
Eff Length: 1,993 Bytes
Type Code: PNEK - Parasitic Non-Resident COMMAND.COM & .EXE Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, IBMAV, NAV, PCScan,
NAVDX, VAlert, ChAV,
NShld, Sweep/N, AVTK/N, NAV/N, IBMAV/N, LProt, Innoc 4.0+
Removal Instructions: Delete infected files
The Todor virus was submitted in June, 1992. It is from Bulgaria.
Todor is a non-resident infector of .EXE files and COMMAND.COM.
When a program infected with the Todor virus is executed, this
virus will infect up to four .EXE programs located in the current
directory. Additionally, it will infect COMMAND.COM if it was
not previously infected. Programs infected with the Todor virus
will have a file length increase of 1,993 bytes with the virus
being located at the end of the file. The program's date and
time in the DOS disk directory listing will not be altered.
The following text strings are encrypted within the viral code in
Todor infected programs:
It is unknown what Todor does besides replicate.
Known variant(s) of Todor are:
Todor-B: Functionally equivalent to the original virus, this
variant contains minor alterations.
Isolated: The Netherlands July, 1992.