|Place of Origin||Bulgaria|
|File Type(s)||.com, .exe|
|Infection Length||2,885 to 2,899|
When Yankeedoodle is executed, the virus becomes memory resident. The virus infects every .com and .exe file run, appending itself to the end of the file.
The virus plays the tune "Yankee Doodle" every day at 17:00 if it is in memory.
Yankeedoodle may itself be considered a variant of Vacsina. It is in most respects similar to Vacsina, with the exception of the payload, which plays "Yankee Doodle", instead of just a beep. Most variants by its original creator can be identified by the bytes at or near the end of the file (Yankeedoodle.2E will have the number 2E, hexadecimal for 46, as the second to last byte in the infected file).
There is one variant, Yankeedoodle.XPEH, that does not follow that pattern. This variant is 4,016 bytes long in infected files and 4,032 bytes in memory. It avoids infecting COMMAND.COM. It was discovered in 1992 May.
Yankeedoodle is named for the tune it plays. In Bulgaria, it is called "TP44VIR". The virus has also been known as the "Five o'clock virus" because of its payload.Yankeedoodle is named for the tune it plays. In Bulgaria, it is called "TP44VIR". The virus has also been known as the "Five o'clock virus" because of its payload.
Patricia Hoffman. VSUM, Yankee Doodle Virus.
Vesselin Bontchev. The Bulgarian and Soviet Virus Factories. 1991
McAfee Antivirus. Yankee Doodle.Xpeh.