Ontario.2048 (computer virus)

Fullname = Ontario.2048
Common name = Ontario.2048
Technical name = Ontario.2048
Family = Ontario
Aliases = Bootache.2048, Ontario III
Classification = Virus
Type = DOS
Subtype = DOS file infector
IsolationDate = September 1992
Isolation = Ontario, Canada
Origin = Ontario, Canada
Author = Death Angel

Ontario.2048 is a computer virus, discovered in September 1992. It is the third and final known variant of the Ontario family, both chronologically and in complexity. Because it differs so greatly from the original virus, some vendors identify it as a member of a separate family, hence the alias Bootache.2048.

Infection

Ontario.2048 is an encrypting, polymorphic, stealth DOS file infector. When an infected .COM, .EXE, .OVL, or .SYS file is executed, Ontario.2048 becomes memory resident and infects files of these types when they are opened. COMMAND.COM is infected using a special routine, and will not increase in file size. Other infected files increase in size by 2,048 bytes. However, while Ontario.2048 is in memory, no increase in file size will be observed because of the virus's stealth routines.

When the DOS DEBUG program is in memory, Ontario.2048 will detect it and disinfect programs in memory to avoid being analysed. Ontario.2048 also features an extremely complex encryption system; a given sample of Ontario.2048 may only share two bytes in common with another.

Symptoms

Ontario.2048 can result in the following symptoms:

* An increase in size of infected files by 2,048 bytes.
* A decrease in available system memory of 5,120 bytes.
* Reported file sizes changing after infected executables are run, so that the original file size is displayed.
* Occasional printer-related problems have been observed in the Ontario.1024 variant of this family; it is unknown whether this carries over to Ontario.2048.

The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.
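The size and content changes described above are the kind of thing a baseline integrity check picks up. The sketch below is an added example, not taken from the article or from any antivirus product: it compares a stored size-and-hash snapshot against a later one, flags target files that grew by exactly 2,048 bytes, and uses the hash to catch the COMMAND.COM case where the size stays the same. It assumes both snapshots are taken while the virus is not resident (for example after booting from known-clean media), since the article notes that size changes are hidden while it is in memory; the file names and byte contents are constructed placeholders.

```python
import hashlib

# Extensions the article lists as infection targets.
TARGET_EXTS = (".COM", ".EXE", ".OVL", ".SYS")
GROWTH = 2048  # size increase per infected file, per the article


def snapshot(files):
    """Map name -> (size, sha256 hex) for a dict of name -> bytes."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def compare(baseline, current):
    """Return {name: finding} for target files that differ from the baseline."""
    findings = {}
    for name, (size, digest) in current.items():
        if not name.upper().endswith(TARGET_EXTS) or name not in baseline:
            continue
        old_size, old_digest = baseline[name]
        if digest == old_digest:
            continue
        delta = size - old_size
        if delta == GROWTH:
            findings[name] = "grew by 2048 bytes"
        elif delta == 0:
            # Matches the COMMAND.COM case: content changed, size did not.
            findings[name] = "content changed, size unchanged"
        else:
            findings[name] = f"modified ({delta:+d} bytes)"
    return findings


# Constructed sample data: placeholder bytes, not real program or virus content.
clean = {
    "COMMAND.COM": b"\x90" * 4000,
    "EDIT.EXE": b"\x01" * 3000,
    "README.TXT": b"hello",
    "ANSI.SYS": b"\x02" * 1000,
}
later = dict(clean)
later["EDIT.EXE"] = clean["EDIT.EXE"] + b"\xAA" * GROWTH
later["COMMAND.COM"] = b"\x90" * 3990 + b"\xBB" * 10
later["README.TXT"] = b"hello, edited"

BASELINE = snapshot(clean)
REPORT = compare(BASELINE, snapshot(later))

if __name__ == "__main__":
    for name, finding in sorted(REPORT.items()):
        print(f"{name}: {finding}")
```

A 2,048-byte growth is only an indicator, as the article says of the symptoms generally; a legitimate update could produce the same delta, so a finding calls for further examination rather than a verdict.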

Ontario.2048 also contains text, which is invisible because Ontario.2048 is encrypted. The following text strings are present:

    COMSPEC=COMMAND.COM COMEXEOVLSYS
    MSDOS5.0
    YAM
    Your PC has a bootache! - Get some medicine!
    Ontario-3 by Death Angel

The first line is a reference to the method used to find COMMAND.COM to infect, as well as file types that the virus infects. The second line refers to the version of MSDOS that Ontario.2048 was written on. The third is a reference to the Youngsters Against McAfee virus group, which the author had joined by this point.

A number of descriptions attribute multipartite functionality to Ontario.2048. This is incorrect. Ontario.2048 does contain a boot sector within it with a boot virus. If inserted into the boot sector, it would be a functioning boot virus (although it would not spread the file infection portion of Ontario.2048). However, Ontario.2048 never performs the injection; the code is functionally useless. Based on the virus author's documentation for the virus [http://www.textfiles.com/virus/DOCUMENTATION/ontario3.txt], this appears to be intentional (reasons unknown).

Prevalence

The WildList [http://www.wildlist.org/], an organisation tracking computer viruses, has never listed Ontario.2048 as being in the field. However, Ontario.1024 was included for a period of time.

As with all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.2048. Trend Micro statistics report only two infections since November 6, 2006 [http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ONTARIO%2E2048&VSect=S], which indicates that the virus is now obsolete.

External links

* [http://www.f-secure.com/v-descs/sbc.shtml F-Secure]
* [http://www.avp.ch/avpve/bootmult/bootache.stm AVP]
* [http://vil.nai.com/vil/content/v_893.htm McAfee]
* [http://www.textfiles.com/virus/DOCUMENTATION/ontario3.txt Author's documentation]


Wikimedia Foundation. 2010.
