Ontario (computer virus)

Ontario is a family of computer viruses, named after its point of isolation, the Canadian province of Ontario. This family of computer virus consists of Ontario.1024, Ontario.512 and Ontario.2048. The first variant Ontario.512 was discovered in July 1990. Because Ontario.1024 was also discovered in Ontario, it is likely that both viruses originate from within the province. By the Ontario.2048 variant, the author had adopted "Ontario" as the family's name and even included the name "Ontario-3" in the virus code.

Infection
Ontario.512 is an encrypting DOS file infector. Upon the execution of an infected .COM, .EXE or .OVL file, Ontario.512 goes memory resident and infects files of these times upon being opened. COMMAND.COM is infected using a special routine. Infected files will increase either 512 bytes (COM files) or between 512 and 1,023 bytes (EXE and OVL files). Some systems with larger file sectors may display increases of greater than 1,023 bytes for infected files of these types.

Symptoms
Ontario.512 primarily only infects files, so there is no one significant symptom. The two main symptoms are:


 * An increase in size of infected COM files of 512 bytes.
 * An increase in size of infected EXE and OVL files of between 512 and 1,023 bytes, and even greater on some systems.
 * Systems thoroughly infected by Ontario.512 may suffer from increasing file corruption and other hard drive problems over time.
 * Unspecified printer problems have been observed with the Ontario family, although most of these observations have related to Ontario.1024, not Ontario.512. It is unknown what specific problems these are, and if they affect Ontario.512.

The increase in COM file size in conjunction with EXE and OVL file increases is a very good guideline when determining Ontario.512 infection, although file length changes are common among virtually every file infector.

Prevalence
The WildList, an organisation tracking computer viruses, never reported Ontario.512 as being in the field. However, Ontario.1024 was included on the list for a period of time. It is unclear whether Ontario.512 was discovered in the field, or off a BBS out of Toronto, where Ontario.2048 was posted.

Ontario.1024
Ontario.1024 is a computer virus, discovered in October 1991, over a year after the isolation of the first Ontario virus, Ontario.512. Relative to Ontario.512, most additions involve making the virus harder to detect.

Infection
Ontario.1024 is an encrypting, stealth DOS file infector. Upon the execution of an infected .COM or .EXE file, Ontario.1024 goes memory resident and infects files of these types upon being opened. COMMAND.COM is infected using a special routine. Infected files will increase in size by 1,024 bytes. However, when Ontario.1024 is in memory, no increase in file size will be observed due to the virus' stealthing. Unlike Ontario.512, it will not infect .OVL files.

Symptoms
Ontario.1024 is the least readily identified version of the Ontario family. The following symptoms can be observed:


 * An increase in size of infected COM and EXE files of 1,024 bytes.
 * A decrease in available system memory of 3,072 bytes.
 * File size being changed after executables (infected ones) are executed, to display original file size.
 * Occasional printer-related problems.

The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.

Prevalence
The WildList, an organisation tracking computer viruses, listed Ontario.1024 as being in the field from July 1993 to December 1998, when it was removed due to lack of a submitted sample. These reports indicated that Ontario.1024 had spread as widely as Australia and Israel at its peak in 1994-1995.

Like all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.1024. Trend Micro reports 301 infections since 6 November 2000, with rates having fallen to about once every month or two by 2005.

Ontario.2048
Ontario.2048 is a computer virus, discovered in September 1992. It is the third and final known variant of the Ontario family, both chronologically and in complexity. Because of its rather extreme differences from the original virus, some vendors identify it as a member of a separate family - hence the alias Bootache.2048.

Infection
Ontario.2048 is an encrypting, polymorphic, stealth DOS file infector. Upon the execution of an infected .COM, .EXE, .OVL, or .SYS file, Ontario.2048 goes memory resident and infects files of these times upon being opened. COMMAND.COM is infected using a special routine, and will not increase in file size. Infected files will increase in size by 2,048 bytes. However, when Ontario.2048 is in memory, no increase in file size will be observed due to the virus' stealthing.

When the DOS DEBUG program is in memory, Ontario.2048 will detect it and disinfect programs in memory to avoid being analysed. Ontario.2048 also features an extremely complex encryption system; a given sample of Ontario.2048 may only share two bytes in common with another.

Symptoms
Ontario.2048 can result in the following symptoms:


 * An increase in size of infected files by 2,048 bytes.
 * A decrease in available system memory of 5,120 bytes.
 * File size being changed after executables (infected ones) are executed, to display original file size.
 * Occasional printer-related problems have been observed in the Ontario.1024 variant of this family; it is unknown whether this carries over to Ontario.2048.

The first three symptoms are good indications that a virus is present, but are not necessarily specific to Ontario.1024.

Ontario.2048 also contains text, which is invisible because Ontario.2048 is encrypted. The following text strings are present:


 * COMSPEC=\COMMAND.COM COMEXEOVLSYS
 * MSDOS5.0
 * YAM
 * Your PC has a bootache! - Get some medicine!
 * Ontario-3 by Death Angel

The first line is a reference to the method used to find COMMAND.COM to infect, as well as file types that the virus infects. The second line refers to the version of MS-DOS that Ontario.2048 was written on. The third is a reference to the Youngsters Against McAfee virus group, which the author had joined by this point.

A number of descriptions note multipartite function in Ontario.2048. This is incorrect. Ontario.2048 does contain a boot sector within it with a boot virus. If inserted into the boot sector, it would be a functioning boot virus (although it would not spread the file infection portion of Ontario.2048). However, Ontario.2048 never performs the injection; the code is functionally useless. Based on the virus author's documentation for the virus, this appears to be intentional (reasons unknown).

Prevalence
The WildList, an organisation tracking computer viruses, has never listed Ontario.2048 as being in the field. However, Ontario.1024 was included for a period of time.

Like all DOS file infectors, the advent of Windows significantly hindered the spread of Ontario.2048. Trend Micro statistics report only two infections since November 6, 2006, which indicates that the virus is now obsolete.