Ontario (computer virus)

Ontario.512
Common name: Ontario.512
Technical name: Ontario.512
Aliases: SBC
Family: Ontario
Classification: Virus
Type: DOS
Subtype: DOS file infector
Isolation: July 1990
Point of isolation: Hamilton (?), Ontario, Canada
Point of origin: Ontario, Canada
Author(s): Death Angel

Ontario is a family of computer viruses, named after its point of isolation, the Canadian province of Ontario. The family consists of Ontario.1024, Ontario.512 and Ontario.2048. The first variant, Ontario.512, was discovered in July 1990. Because Ontario.1024 was also discovered in Ontario, it is likely that both viruses originate from within the province. By the Ontario.2048 variant, the author had adopted "Ontario" as the family's name and even included the name "Ontario-3" in the virus code.


Ontario.512

Infection

Ontario.512 is an encrypting DOS file infector. Upon the execution of an infected .COM, .EXE or .OVL file, Ontario.512 goes memory resident and infects files of these types upon being opened. COMMAND.COM is infected using a special routine. Infected files will increase by either 512 bytes (COM files) or between 512 and 1,023 bytes (EXE and OVL files). Some systems with larger file sectors may display increases of greater than 1,023 bytes for infected files of these types.

Symptoms

Ontario.512 primarily only infects files, so there is no one significant symptom. The two main symptoms are:

The increase in COM file size in conjunction with EXE and OVL file increases is a very good guideline when determining Ontario.512 infection, although file length changes are common among virtually every file infector.

Prevalence

The WildList, an organisation tracking computer viruses, never reported Ontario.512 as being in the field. However, Ontario.1024 was included on the list for a period of time. It is unclear whether Ontario.512 was discovered in the field, or off a BBS out of Toronto, where Ontario.2048 was posted.

Ontario.1024

Ontario.1024
Common name: Ontario.1024
Technical name: Ontario.1024
Aliases: 1024 SBC
Family: Ontario
Classification: Virus
Type: DOS
Subtype: DOS file infector
Isolation: October 1991
Point of isolation: Ontario, Canada
Point of origin: Ontario, Canada
Author(s): Death Angel

Ontario.1024 is a computer virus, discovered in October 1991, over a year after the isolation of the first Ontario virus, Ontario.512. Relative to Ontario.512, most additions involve making the virus harder to detect.

Infection

Ontario.1024 is an encrypting, stealth DOS file infector. Upon the execution of an infected .COM or .EXE file, Ontario.1024 goes memory resident and infects files of these types upon being opened. COMMAND.COM is infected using a special routine. Infected files will increase in size by 1,024 bytes. However, when Ontario.1024 is in memory, no increase in file size will be observed due to the virus' stealthing. Unlike Ontario.512, it will not infect .OVL files.

Symptoms

Ontario.1024 is the least readily identified version of the Ontario family. The following symptoms can be observed:

The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.

Prevalence

The WildList, an organisation tracking computer viruses, listed Ontario.1024 as being in the field from July 1993 to December 1998, when it was removed due to lack of a submitted sample. These reports indicated that Ontario.1024 had spread as widely as Australia and Israel at its peak in 1994-1995.

Like all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.1024. Trend Micro reports 301 infections since 6 November 2000, with rates having fallen to about once every month or two by 2005.

Ontario.2048

Ontario.2048
Common name: Ontario.2048
Technical name: Ontario.2048
Aliases: Bootache.2048, Ontario III
Family: Ontario
Classification: Virus
Type: DOS
Subtype: DOS file infector
Isolation: September 1992
Point of isolation: Ontario, Canada
Point of origin: Ontario, Canada
Author(s): Death Angel

Ontario.2048 is a computer virus, discovered in September 1992. It is the third and final known variant of the Ontario family, both chronologically and in complexity. Because of its rather extreme differences from the original virus, some vendors identify it as a member of a separate family - hence the alias Bootache.2048.

Infection

Ontario.2048 is an encrypting, polymorphic, stealth DOS file infector. Upon the execution of an infected .COM, .EXE, .OVL, or .SYS file, Ontario.2048 goes memory resident and infects files of these types upon being opened. COMMAND.COM is infected using a special routine, and will not increase in file size. Other infected files will increase in size by 2,048 bytes. However, when Ontario.2048 is in memory, no increase in file size will be observed due to the virus's stealthing.
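The size deltas documented above for all three variants (Ontario.512: +512 for COM, +512 to +1,023 for EXE/OVL; Ontario.1024: +1,024; Ontario.2048: +2,048) are the one observable a defender could check offline. The following script is an added example, not code from the article or from any vendor: it compares a baseline manifest of file sizes against a current one and flags growth matching a documented variant. Both manifests and all sizes are constructed; the current manifest is assumed to have been taken with the virus not resident (clean boot), since Ontario.1024 and Ontario.2048 hide the growth from size queries while in memory.

```python
from collections import namedtuple

# Documented growth per variant as (min_delta, max_delta) by extension.
# Ontario.512: COM +512, EXE/OVL +512..+1023 (larger sectors can exceed this,
# so the upper bound is a heuristic). Ontario.1024: COM/EXE +1024, no OVL.
# Ontario.2048: COM/EXE/OVL/SYS +2048; its COMMAND.COM infection adds no
# bytes, so that file can never be caught by a size check alone.
ONTARIO_DELTAS = {
    "Ontario.512": {"COM": (512, 512), "EXE": (512, 1023), "OVL": (512, 1023)},
    "Ontario.1024": {"COM": (1024, 1024), "EXE": (1024, 1024)},
    "Ontario.2048": {e: (2048, 2048) for e in ("COM", "EXE", "OVL", "SYS")},
}

Finding = namedtuple("Finding", "path delta variants")

def match_variants(ext, delta):
    """Return the variants whose documented growth for `ext` covers `delta`."""
    hits = []
    for name, table in ONTARIO_DELTAS.items():
        lo, hi = table.get(ext.upper(), (None, None))
        if lo is not None and lo <= delta <= hi:
            hits.append(name)
    return tuple(hits)

def find_growth(baseline, current):
    """Flag files that grew by a documented Ontario delta. Manifests map
    path -> size; take the current one with the virus NOT resident (clean
    boot), since Ontario.1024/.2048 hide the growth while in memory."""
    findings = []
    for path, old_size in baseline.items():
        new_size = current.get(path)
        if new_size is None or new_size <= old_size:
            continue  # missing or shrunk files are out of scope here
        delta = new_size - old_size
        hits = match_variants(path.rsplit(".", 1)[-1], delta)
        if hits:
            findings.append(Finding(path, delta, hits))
    return findings

# Constructed sample manifests (paths and sizes are made up for illustration).
BASELINE = {r"C:\DOS\EDIT.COM": 413, r"C:\GAMES\PLAY.EXE": 53420,
            r"C:\DOS\HIMEM.SYS": 11304, r"C:\APP\MENU.OVL": 8000,
            r"C:\COMMAND.COM": 47845}
CURRENT = {r"C:\DOS\EDIT.COM": 925, r"C:\GAMES\PLAY.EXE": 54188,
           r"C:\DOS\HIMEM.SYS": 13352, r"C:\APP\MENU.OVL": 8100,
           r"C:\COMMAND.COM": 47845}

for f in find_growth(BASELINE, CURRENT):
    print(f"{f.path}: +{f.delta} bytes, consistent with {', '.join(f.variants)}")
```

A match is only a lead, as the article notes: length changes are common to nearly every file infector, and the unchanged COMMAND.COM in the sample shows why Ontario.2048 needs a content check on that file rather than a size check.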

When the DOS DEBUG program is in memory, Ontario.2048 will detect it and disinfect programs in memory to avoid being analysed. Ontario.2048 also features an extremely complex encryption system; a given sample of Ontario.2048 may only share two bytes in common with another.

Symptoms

Ontario.2048 can result in the following symptoms:

The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.

Ontario.2048 also contains text, which is invisible because Ontario.2048 is encrypted. The following text strings are present:

COMSPEC=\COMMAND.COM COMEXEOVLSYS
MSDOS5.0
YAM
Your PC has a bootache! - Get some medicine!
Ontario-3 by Death Angel

The first line is a reference to the method used to find COMMAND.COM to infect, as well as file types that the virus infects. The second line refers to the version of MS-DOS that Ontario.2048 was written on. The third is a reference to the Youngsters Against McAfee virus group, which the author had joined by this point.

A number of descriptions note multipartite function in Ontario.2048. This is incorrect. Ontario.2048 does contain a boot sector within it with a boot virus. If inserted into the boot sector, it would be a functioning boot virus (although it would not spread the file infection portion of Ontario.2048). However, Ontario.2048 never performs the injection; the code is functionally useless. Based on the virus author's documentation for the virus, this appears to be intentional (reasons unknown).

Prevalence

The WildList, an organisation tracking computer viruses, has never listed Ontario.2048 as being in the field. However, Ontario.1024 was included for a period of time.

Like all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.2048. Trend Micro statistics report only two infections since November 6, 2006, which indicates that the virus is now obsolete.
