Virus Name: OMT
Aliases: 413, One More Thing
V Status: Rare
Discovered: May, 1992
Symptoms: .COM file growth; long disk accesses; system hangs;
hard disk overwritten after 1992
Eff Length: 413 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, Sweep, AVTK, F-Prot, IBMAV, PCScan,
NAV, NAVDX, VAlert, ChAV,
NShld, Sweep/N, AVTK/N, NProt, IBMAV/N, Innoc, NAV/N
Removal Instructions: Delete infected files
The OMT, One More Thing or 417, virus was discovered in Australia
in May, 1992 by Peter Ferrie. The OMT virus is a non-resident,
direct action infector of .COM programs, including COMMAND.COM.
It is destructive when it activates after in years after 1992.
When a program infected with the OMT virus is executed, the OMT
virus will infect all of the .COM programs located in the current
directory. Once it has completed infecting all of the .COM
programs, a system hang usually occurs. The virus contains code
to infect the C: drive root directory, however it appears this
code isn't functional.
Programs infected with the OMT virus will have a file length
increase of 413 bytes with the virus being located at the end of
the infected file. The program's date and time in the DOS disk
directory listing will not be altered.
OMT is an encrypted virus, so no text strings are visible within
the viral code in infected files. The following text strings
are included in the virus:
"And one more thing... fuck you!"
The OMT virus activates when the year of the system date is after
1992. At that time, the virus will overwrite the system hard disk
starting at side 0, cylinder 0, sector 1, when an infected program