Frodo
Type: File virus
Creator:
Date Discovered: 1989.10
Place of Origin: Haifa, Israel
Source Language:
Platform: DOS
File Type(s): .com, .exe
Infection Length: 4,096 bytes
Reported Costs:

Frodo is the first full-stealth virus that can run on the DOS operating system. It is probably the second full-stealth virus ever, given that the Commodore 64 virus BHP was the first.

Behavior

When a file infected with Frodo is executed, the virus becomes memory resident. It then infects any file with a .com or .exe extension that the user accesses, appending itself to the end of that file. The virus sets the file's timestamp 100 years into the future. It may also corrupt some data files.

If the user runs the DIR command while the virus is in memory, all infected files are shown with their original length. If there is any attempt to read an infected file, only the original file contents will be seen. CHKDSK may also be able to detect inconsistencies in the length of an infected file.
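The timestamp and length changes described above leave a marker in the on-disk directory that can be checked offline. The following is an added example, not code from the original page: it assumes the standard 32-byte FAT directory entry layout and directory bytes taken from a disk image examined on a clean system, and it flags .COM/.EXE entries dated 2080 or later (the earliest year FAT can store is 1980, so a 100-year shift always lands there) that are larger than 4,096 bytes. The function names and the sample directory are constructed for illustration, and a match is a heuristic indicator, not proof of infection.

```python
import struct

INFECTION_LENGTH = 4096        # page: infection length is 4,096 bytes
YEAR_SHIFT = 100               # page: timestamp is moved 100 years ahead
TARGET_EXTS = {b"COM", b"EXE"} # page: file types infected

def parse_dir_entries(raw):
    """Yield (name, ext, year, size) for live file entries in a raw FAT directory."""
    for off in range(0, len(raw) - 31, 32):
        entry = raw[off:off + 32]
        if entry[0] == 0x00:       # end-of-directory marker
            break
        if entry[0] == 0xE5 or entry[11] & 0x18:   # deleted, volume label or subdirectory
            continue
        date, = struct.unpack_from("<H", entry, 24)   # bits 15-9 hold year - 1980
        size, = struct.unpack_from("<I", entry, 28)
        yield entry[0:8].rstrip(), entry[8:11].rstrip(), 1980 + (date >> 9), size

def suspect_entries(raw):
    """Return .COM/.EXE entries dated 2080 or later that are larger than 4,096 bytes."""
    hits = []
    for name, ext, year, size in parse_dir_entries(raw):
        if ext in TARGET_EXTS and year >= 1980 + YEAR_SHIFT and size > INFECTION_LENGTH:
            hits.append({"file": (name + b"." + ext).decode("ascii", "replace"),
                         "year_on_disk": year,
                         "presumed_original_year": year - YEAR_SHIFT,
                         "presumed_original_size": size - INFECTION_LENGTH})
    return hits

def make_entry(name, ext, year, size, attr=0x20, first=None):
    """Build a constructed 32-byte directory entry (date fixed to 1 January)."""
    date = ((year - 1980) << 9) | (1 << 5) | 1
    raw = struct.pack("<8s3sB10sHHHI", name.ljust(8), ext.ljust(3), attr,
                      b"\0" * 10, 0, date, 2, size)
    return raw if first is None else bytes([first]) + raw[1:]

# Constructed sample directory, not taken from a real disk.
SAMPLE_DIR = b"".join([
    make_entry(b"COMMAND", b"COM", 1989, 25307),            # normal date
    make_entry(b"GAME", b"EXE", 2089, 20480 + 4096),        # shifted date, grown file
    make_entry(b"NOTES", b"TXT", 2089, 9000),               # not .COM/.EXE
    make_entry(b"TINY", b"COM", 2090, 100),                 # too small to carry 4,096 bytes
    make_entry(b"OLD", b"EXE", 2089, 30000, first=0xE5),    # deleted entry
    b"\0" * 32,                                             # end of directory
    make_entry(b"AFTER", b"EXE", 2089, 30000),              # stale data past the end marker
])

if __name__ == "__main__":
    for hit in suspect_entries(SAMPLE_DIR):
        print(hit)
```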

On September 22, Frodo attempts to place a trojan on boot sectors. This trojan displays the message "FRODO LIVES" in large letters with a pattern moving around it. The code for placing the trojan contains many bugs and may cause the system to crash.

Name

Frodo gets its name from the text it displays. Frodo is the name of a character from Lord of the Rings, whose birthday is September 22. The virus has also gone by the names 4096 and 4K, for its size. Being the first stealth virus, it has also been called Stealth. The names Century and 100 Years, or some variant of these two, have been used because the virus sets an infected file's timestamp to 100 years in the future. Yet another name, IDF (Israeli Defense Force), was probably used because of the virus's origin in Israel.

Variants

The Fish virus is based on Frodo. It contains the text "COD SHARK CARP BASS TROUT FIN MUSKY SOLE FISH PIKE MACKEREL FISH TUNA FISH FI". It is 3,584 bytes long in a file and 4,096 bytes in memory.

Other Facts

Vesselin Bontchev said this was one of the easiest viruses to remove. All it required was for the user to type the commands "copy *.com nul" and "copy *.exe nul", then shut down the computer to remove the virus from memory.

