Odo Virus


 Virus Name:  Odo 
 Aliases:     Odo.816 
 V Status:    New 
 Discovered:  January, 1996 
 Symptoms:    .COM file growth; file date/time seconds = "02"; 
              decrease in available free memory; 
              file sizes may appear incorrectly in DOS DIR listing 
 Origin:      Unknown 
 Eff Length:  816 Bytes 
 Type Code:   PRhCK - Parasitic Resident .COM Infector 
 Detection Method:  F-Prot, AVTK 7.61+, IBMAV, ViruScan 2.51+, 
                    NAV 3.09 9608+, NAVBoot 0.A 9608+, ChAV, 
                    Innoc 4.0+, AVTK/N 7.61+, IBMAV/N, NShld 2.32 9607+, 
                    NAV/N 2.0 9608+ 
 Removal Instructions:  Delete infected files 
 
 General Comments: 
       The Odo or Odo.816 virus was received in January, 1996.  Its origin 
       or point of isolation is unknown.  Odo is a memory resident infector 
       of .COM files, including COMMAND.COM. 
 
       When the first Odo infected program is executed, this virus will 
       install itself memory resident at the top of system memory but 
       below the 640K DOS boundary, without changing the memory size 
       returned by interrupt 12. 
       Available free memory, as indicated by the DOS CHKDSK program 
       from DOS 5.0, will have decreased by 816 bytes.  Interrupts 09 
       and 21 will be hooked by the virus in memory. 
 
       Once the Odo virus is memory resident, it will infect .COM files, 
       including COMMAND.COM, when they are executed or opened, but not 
       on copy.  Infected files will have a file length increase of 816 
       bytes with the virus being located at the end of the file, though 
       the file length increase will be hidden when the virus is memory 
       resident.  The file's date and time in the DOS disk directory 
       listing will not appear to be altered, though the seconds field 
       will have been set to "02".  The following text string is visible 
       within the viral code: 
 
           "9[cnr[jdxa-bnl" 
 
       When this virus is memory resident, non-infected .COM files will 
       appear to be 816 bytes smaller than their actual size, and then 
       appear to be their normal size once they become infected by the 
       virus. 
 
       Known variant(s) of Odo are: 
       Odo.930: Also received in January, 1996, this is a 930 byte 
           variant of the Odo virus described above.  Its size in memory 
           is 960 bytes, hooking interrupts 09 and 21. Once resident, 
           it infects .COM files when executed, adding 930 bytes to the 
           file's length, though this file length increase is not visible 
           in the DOS disk directory listing when the virus is memory 
           resident.  The file's date and time in the DOS disk directory 
           listing will not appear to be altered, though the seconds field 
           will have been set to "02".  The same text string appears within 
           the viral code as with the original virus.  Some .EXE files 
           may appear to decrease in size by 930 bytes when this variant 
           is memory resident. 
           Origin:  Unknown  January, 1996. 
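
The on-disk symptoms listed above (the seconds field set to "02" and the text string in the appended code) can be checked on a disk image examined offline, where a resident copy of the virus cannot hide the file length. The following is an added example, not part of the original entry: the function names, the sample directory entry and the sample file body are constructed, and it assumes the text string is stored unencrypted and that the quotes are not part of it.

```python
import struct

# Indicators taken from the entry above. Assumptions: the quotes are not part
# of the text string, and it is stored unencrypted in the appended virus body.
MARKER = b"9[cnr[jdxa-bnl"
MAX_APPENDED = 930  # longest listed variant (Odo.816 adds 816, Odo.930 adds 930)


def parse_dir_entry(entry: bytes) -> dict:
    """Decode the fields of one 32-byte FAT12/16 directory entry."""
    if len(entry) != 32:
        raise ValueError("FAT directory entries are exactly 32 bytes")
    time_field, _date, _cluster, size = struct.unpack_from("<HHHI", entry, 22)
    return {
        "name": entry[0:8].decode("ascii", "replace").rstrip(),
        "ext": entry[8:11].decode("ascii", "replace").rstrip(),
        # The low five bits hold seconds divided by two, so "02" is stored as 1.
        "seconds": (time_field & 0x1F) * 2,
        "size": size,
    }


def triage(entry: bytes, content: bytes) -> list:
    """Return the Odo symptoms from the entry that this file exhibits."""
    meta = parse_dir_entry(entry)
    if meta["ext"] != "COM":
        return []  # the entry describes a .COM infector only
    hits = []
    if meta["seconds"] == 2:
        hits.append("seconds=02")
    pos = content[-MAX_APPENDED:].rfind(MARKER)
    if pos != -1:
        tail = min(len(content), MAX_APPENDED)
        hits.append("marker %d bytes before EOF" % (tail - pos))
    return hits


def sample_entry(name: bytes, ext: bytes, hms: tuple, size: int) -> bytes:
    """Build a constructed directory entry (dated 1996-01-01) for the demo."""
    h, m, s = hms
    time_field = (h << 11) | (m << 5) | (s // 2)
    return struct.pack("<8s3sB10xHHHI", name.ljust(8), ext.ljust(3), 0x20,
                       time_field, 0x2021, 2, size)


if __name__ == "__main__":
    # Constructed sample: harmless filler bytes with the text string near the end.
    body = b"\x90" * 1200 + MARKER + b"\x00" * 100
    print(triage(sample_entry(b"TEST", b"COM", (12, 30, 2), len(body)), body))
```

A seconds value of "02" on its own is a weak indicator, since clean files can carry it by chance; the text string near the end of the file is the stronger of the two.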
