Virus Name: Ondra
V Status: Viron
Discovered: May, 1992
Symptoms: .EXE programs overwritten; program corruption; access to
unexpected hangs; system hangs
Eff Length: 5,000 Bytes
Type Code: ONE - Overwriting Non-Resident .EXE Infector
Detection Method: AVTK, ViruScan, F-Prot, Sweep, NAV, NAVDX, VAlert,
NShld, Sweep/N, Innoc, AVTK/N, NAV/N, NProt, LProt
Removal Instructions: Delete infected files
The Ondra virus was submitted in May, 1992. Its origin is unknown.
Ondra is a non-resident direct action overwriting virus which
infects .EXE programs.
When a program infected with the Ondra virus is executed, the
Ondra virus will infect all .EXE programs larger than approximately
5,000 bytes located in the current directory. Once the virus has
completed infecting the programs in the current directory, it will
start infecting programs on the B: drive. If the B: drive contains
a write-protected diskette, it will retry writing to the drive
indefinitely. Once the virus has completed infecting programs,
the user will be returned to the DOS prompt.
Programs infected with the Ondra virus will have no file length
increase, but rather will be completely overwritten with the viral
code and some of the contents of system memory. The file's date
and time in the DOS disk directory listing will not be altered.
The following text strings can be found within the viral code in
all Ondra infected programs:
Systems infected with the Ondra virus will have .EXE programs fail
to execute properly, and system hangs may frequently occur.
Known variant(s) of Ondra are:
Ondra-B: Received in July, 1992, this variant is a variant
of Ondra described above. It infects one .EXE program
each time an infected program is executed. Infected
programs will be completely overwritten, though the
viral code is contained in the first 4,915 bytes of
the file. It contains the same text strings as the
Origin: Unknown July, 1992.