Totoro Virus


 Virus Name:  Totoro 
 Aliases:    
 V Status:    New 
 Discovery:   March, 1993 
 Symptoms:    .COM & .EXE growth; file date/time changes; TSR 
 Origin:      Taiwan 
 Eff Length:  1,540 - 1,554 Bytes 
 Type Code:   PRsA - Parasitic Resident .COM & .EXE Infector 
 Detection Method:  ViruScan, F-Prot, Sweep, NAV, IBMAV, PCScan, 
                    AVTK, NAVDX, VAlert, ChAV, 
                    NShld, LProt, Sweep/N, NAV/N, NProt, AVTK/N, IBMAV/N, 
                    Innoc 4.0+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Totoro virus was submitted in March, 1993, and is originally 
       from Taiwan.  Totoro is a memory resident infector of .COM and 
       .EXE programs, but not COMMAND.COM.  It is based on the Jerusalem 
       virus. 
 
       When the first Totoro infected program is executed, the Totoro virus 
       will install itself memory resident as a low system memory TSR of 
       1,856 bytes, hooking interrupt 21. 
 
       Once the Totoro virus is memory resident, it will infect .COM and 
       .EXE programs when they are executed.  Infected .COM files will have 
       a file length increase of 1,540 bytes with the virus being located 
       at the beginning of the file.  Infected .EXE files will have a file 
       length increase of 1,540 to 1,554 bytes with the virus being located 
       at the end of the file.  In both cases, the program's date and time 
       in the DOS disk directory listing will have been updated to the 
       current system date and time when infection occurred.  The following 
       text strings are visible within the Totoro viral code in all infected 
       programs: 
 
               "COMMAND.COM" 
               "Totoro  Dragon" 
               "Hello! I am TOTORO CAT" 
               "Written by Y.T.J.C.T." 
               "Don't Worry,be Happy" 
               "YTIT" 
 
       It is unknown what Totoro does besides replicate. 
 
       Known variant(s) of Totoro are: 
       Totoro.B: Received in July, 1994, Totoro.B's memory resident 
               TSR is 1,872 bytes, hooking interrupt 21.  Like the original 
               virus, this variant infects .COM and .EXE programs when they 
               are executed.  Infected .COM programs will have a file length 
               increase of 1,540 bytes with the virus being located at the 
               beginning of the file.  .EXE programs increase in size by 
               1,540 to 1,554 bytes with the virus being located at the end 
               of the file.  The program's date and time in the DOS disk 
               directory listing will have been updated to the current system 
               date and time when infection occurred.  The following text 
               strings are visible within the viral code: 
               "MMAND.COM" 
               "--- Satan virus ---" 
               "Welcome to the "CLUB"" 
               "Written  by Mad Satan" 
               "Ver 1.06   in Taipei" 
               "- Mad Satan -" 
               Occassionally, when this virus is memory resident, attempts to 
               execute programs will result in the display being blanked, and 
               the cursor moving across the bottom of the screen.  Every once 
               in while, it will spike up to the top of the screen and then 
               return to the bottom of the screen. 
               Origin:  Unknown  July, 1994.

Show viruses from discovered during that infect .

Main Page