Traceback | |
---|---|
Type | File virus |
Creator | |
Date Discovered | 1988.10 |
Place of Origin | |
Source Language | |
Platform | DOS |
Infection Length | 3,066 bytes |
Reported Costs |
Traceback is a virus that places information in newly infected files about the files that infected them. It also has an effect similar to the Cascade virus.
Behavior
When a file infected with Traceback is executed, the virus becomes memory resident. It infects clean programs as they are executed. If the date is after 1988.12.05, it will infect one more .com or .exe file in the current working directory. It searches the rest of the drive if it can't find another file in the current directory and will terminate when it finds another infected file.
The newly infected file contains the path of the file that infected it. It also updates a counter in the body of the infecting file. These characteristics give Traceback its name.
If the system date is after 1988.12.28 and Traceback has been in memory an hour, the virus will cause characters to fall down the display, similar to the Cascade virus. If a key is pressed after this payload has been activated, the system will lock up. The cascade effect and system lock last one minute, then the system returns to normal. The payload repeats every hour.
Variants
Traceback.B infects COMMAND.COM and lacks the cascade effect. It also lacks the features that gave the original its name. If a disk with an infected COMMAND.COM is booted, running a program results in a memory allocation error and the system halts. It contains the text string "MICRODIC MSG".
Traceback.B2 is similar to Traceback.B, but does have the same cascade effect as the original. It contains the additional text string "XPO DAD".
Traceback.II is very similar to the original, except it is smaller, weighing in at 2,930 bytes. It has a subvariant, Traceback.II.B does not restore the screen after a minute, causing the system to hang and requiring a reboot.
Traceback.3029 is nearly identical to the original, aside from its smaller size.
Traceback.Spanish was isolated in 1991. While it infects both .com and .exe files, it only goes for a .com for the extra file it infects. Like Traceback.II.B, it causes the system to hang.
Origin
It is uncertain where the original Traceback comes from. Many of its variants come from Spain.
Sources
Patricia Hoffman. Online VSUM, Traceback.
-. -, Traceback 3029.
-. -, Traceback II.
-. -, Spanish.