Yankeedoodle | |
---|---|
Type | File virus |
Creator | TP |
Date Discovered | 1989.09 |
Place of Origin | Bulgaria |
Source Language | Assembly |
Platform | DOS |
File Type(s) | .com, .exe |
Infection Length | 2,885 to 2,899 |
Reported Costs |
Yankeedoodle is a Bulgarian virus from 1989. It was coded by TP, who also created the Vacsina virus, and it is very similar to Vacsina.
Behavior
When Yankeedoodle is executed, the virus becomes memory resident. It then infects every .com and .exe file that is run, appending itself to the end of the file.
The virus plays the tune "Yankee Doodle" every day at 17:00 if it is in memory.
Variants
Yankeedoodle may itself be considered a variant of Vacsina. It is in most respects similar to Vacsina, with the exception of the payload, which plays "Yankee Doodle" instead of just a beep. Most variants by its original creator can be identified by the bytes at or near the end of the file (Yankeedoodle.2E will have the number 2E, hexadecimal for 46, as the second-to-last byte in the infected file).
There is one variant, Yankeedoodle.XPEH, that does not follow that pattern. This variant is 4,016 bytes long in infected files and 4,032 bytes in memory. It avoids infecting COMMAND.COM. It was discovered in May 1992.
Name
Yankeedoodle is named for the tune it plays. In Bulgaria, it is called "TP44VIR". The virus has also been known as the "Five o'clock virus" because of its payload.