Virus Name: Itti
V Status: Viron
Discovered: April, 1992
Symptoms: .COM file corruption; boot failures; "EXEC failure" message;
Eff Length: 161 Bytes
Type Code: ONCK - Overwriting Non-Resident .COM Infector
Detection Method: F-Prot, Sweep, ViruScan, AVTK, ChAV,
IBMAV, NAV, NAVDX, VAlert, PCScan,
NShld, Sweep/N, LProt, Innoc, NProt, AVTK/N, IBMAV/N,
Removal Instructions: Delete infected files
The Itti virus was received in April, 1992. Its origin is unknown.
Itti is a non-resident overwriting virus which infects .COM
programs, including COMMAND.COM.
When a program infected with Itti is executed, the Itti virus will
infect one .COM program located in the current directory by over-
writing the host program's first 161 bytes. There will be no
change to the file's length unless it was originally smaller than
161 bytes. In the case of .COM files smaller than 161 bytes, their
length becomes 161 bytes. There will be no change to the file's
date and time in the DOS disk directory listing.
Once the Itti virus has completed infecting a file, it will display
the following message and return the user to the DOS prompt:
The above message, plus the text string "*.COM", can be found in
the first 161 bytes of infected programs.
Systems infected with the Itti virus will experience boot failures
if the copy of COMMAND.COM located in the root directory of the
bootable partition of the hard disk becomes infected. System
hangs will occur if the Itti virus cannot find an uninfected .COM
program to infect.
Known variant(s) of Itti are:
Itti-B: A 99 byte variant of Itti, this variant does not
display the "EXEC failure" message, and the message is not
contained within the viral code. Infected programs will
have their file date and time in the DOS disk directory
updated to the system date and time when infection
Origin: Unknown April, 1992