Ontario.2048 (computer virus)
Ontario.2048 is a computer virus, discovered in September 1992. It is the third and final known variant of the Ontario family, both chronologically and in complexity. Because of its rather extreme differences from the original virus, some vendors identify it as a member of a separate family, hence the alias Bootache.2048.
Infection
Ontario.2048 is an encrypting, polymorphic, stealth DOS file infector. Upon the execution of an infected .COM, .EXE, .OVL, or .SYS file, Ontario.2048 goes memory resident and infects files of these types upon being opened. COMMAND.COM is infected using a special routine, and will not increase in file size. Other infected files will increase in size by 2,048 bytes. However, when Ontario.2048 is in memory, no increase in file size will be observed due to the virus's stealth behaviour.
When the DOS DEBUG program is in memory, Ontario.2048 will detect it and disinfect programs in memory to avoid being analysed. Ontario.2048 also features an extremely complex encryption system; any two samples of Ontario.2048 may have only two bytes in common.
Symptoms
Ontario.2048 can result in the following symptoms:
- An increase in size of infected files by 2,048 bytes.
- A decrease in available system memory of 5,120 bytes.
- File size being changed after executables (infected ones) are executed, to display original file size.
- Occasional printer-related problems have been observed in the Ontario.1024 variant of this family; it is unknown whether this carries over to Ontario.2048.
The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.
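The file-size symptom and the COMMAND.COM exception described above can be checked together by comparing a known-clean manifest against a later one. The following is an added example, not part of the original article; the function names, labels and sample files are constructed for illustration, and it assumes both manifests are taken with the virus not resident (for example from an offline disk image), since the article notes that the size increase is hidden while the virus is in memory.

```python
import hashlib
import os

TARGET_EXTS = {".COM", ".EXE", ".OVL", ".SYS"}  # file types the article lists
GROWTH = 2048                                   # size increase the article gives


def manifest(files):
    """Map file name -> (size, sha256 hex) for a dict of name -> bytes."""
    return {n: (len(b), hashlib.sha256(b).hexdigest()) for n, b in files.items()}


def triage(baseline, current):
    """Compare two manifests and label every file whose content changed."""
    findings = {}
    for name, (old_size, old_hash) in baseline.items():
        if name not in current:
            continue
        new_size, new_hash = current[name]
        if new_hash == old_hash:
            continue  # byte-identical, nothing to report
        ext = os.path.splitext(name)[1].upper()
        if ext in TARGET_EXTS and new_size - old_size == GROWTH:
            findings[name] = "grew-2048"  # matches the size symptom
        elif new_size == old_size:
            # A size-only check misses this case; the article says
            # COMMAND.COM is infected without growing.
            findings[name] = "same-size-content-changed"
        else:
            findings[name] = "changed-other"
    return findings


# Constructed sample data (not real files): a clean set and a later set.
CLEAN = {
    "COMMAND.COM": b"\x90" * 300,
    "EDIT.EXE": b"MZ" + b"\x00" * 500,
    "ANSI.SYS": b"\xff" * 100,
    "README.TXT": b"hello",
}
LATER = {
    "COMMAND.COM": b"\xe9" + b"\x90" * 299,       # same length, new bytes
    "EDIT.EXE": CLEAN["EDIT.EXE"] + b"\xcc" * 2048,
    "ANSI.SYS": CLEAN["ANSI.SYS"] + b"\x00" * 10,  # unrelated change
    "README.TXT": b"hello",
}

if __name__ == "__main__":
    for name, label in triage(manifest(CLEAN), manifest(LATER)).items():
        print(f"{name}: {label}")
```

A "grew-2048" or "same-size-content-changed" label is only a lead for further analysis; as the article says, these symptoms are not specific to one virus.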
Ontario.2048 also contains text, which is invisible because Ontario.2048 is encrypted. The following text strings are present:
- COMSPEC=\COMMAND.COM COMEXEOVLSYS
- MSDOS5.0
- YAM
- Your PC has a bootache! - Get some medicine!
- Ontario-3 by Death Angel
The first line is a reference to the method used to find COMMAND.COM to infect, as well as file types that the virus infects. The second line refers to the version of MSDOS that Ontario.2048 was written on. The third is a reference to the Youngsters Against McAfee virus group, which the author had joined by this point.
A number of descriptions note multipartite function in Ontario.2048. This is incorrect. Ontario.2048 does contain a boot sector within it with a boot virus. If inserted into the boot sector, it would be a functioning boot virus (although it would not spread the file infection portion of Ontario.2048). However, Ontario.2048 never performs the injection; the code is functionally useless. Based on the virus author's documentation for the virus (http://www.textfiles.com/virus/DOCUMENTATION/ontario3.txt), this appears to be intentional (reasons unknown).
Prevalence
The WildList (http://www.wildlist.org/), an organisation tracking computer viruses, has never listed Ontario.2048 as being in the field. However, Ontario.1024 was included for a period of time.
As with all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.2048. Trend Micro statistics report only two infections since November 6, 2006 (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ONTARIO%2E2048&VSect=S), which indicates that the virus is now obsolete.