Ontario.1024 (computer virus)

Ontario.1024 is a computer virus, discovered in October 1991, over a year after the isolation of the first Ontario virus, Ontario.512. Relative to Ontario.512, most additions involve making the virus harder to detect.

Infection

Ontario.1024 is an encrypting, stealth DOS file infector. Upon the execution of an infected .COM or .EXE file, Ontario.1024 goes memory resident and infects files of these types upon being opened. COMMAND.COM is infected using a special routine. Infected files will increase in size by 1,024 bytes. However, when Ontario.1024 is in memory, no increase in file size will be observed due to the virus' stealthing. Unlike Ontario.512, it will not infect .OVL files.

Symptoms

Ontario.1024 is the least readily identified version of the Ontario family. The following symptoms can be observed:

• An increase in size of infected COM and EXE files of 1,024 bytes.
• A decrease in available system memory of 3,072 bytes.
• File size being changed after executables (infected ones) are executed, to display original file size.
• Occasional printer-related problems.

The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.

Prevalence

The WildList[1], an organisation tracking computer viruses, listed Ontario.1024 as being in the field from July 1993 to December 1998, when it was removed due to lack of a submitted sample. These reports indicated that Ontario.1024 had spread as widely as Australia and Israel at its peak in 1994-1995.

Like all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.1024. Trend Micro[2] reports 301 infections since 6 November 2000, with rates having fallen to about once every month or two by 2005.

See also

• Ontario (computer virus)
• Ontario.2048 (computer virus)

External links

• F-Secure
• Symantec (partially Ontario.512)
• McAfee