Yankeedoodle
Yankeedoodle
Type File virus
Creator TP
Date Discovered 1989.09
Place of Origin Bulgaria
Source Language Assembly
Platform DOS
File Type(s) .com, .exe
Infection Length 2,885 to 2,899
Reported Costs

Yankeedoodle is a Bulgarian virus from 1989. It was coded by TP, who is the creator of the Vacsina virus. It is very similar to the Vacsina virus.

Behavior

When Yankeedoodle is executed, the virus becomes memory resident. The virus infects every .com and .exe file run, appending itself to the end of the file.

The virus plays the tune "Yankee Doodle" every day at 17:00 if it is in memory.

Variants

Yankeedoodle may itself be considered a variant of Vacsina. It is in most respects similar to Vacsina, with the exception of the payload, which plays "Yankee Doodle", instead of just a beep. Most variants by its original creator can be identified by the bytes at or near the end of the file (Yankeedoodle.2E will have the number 2E, hexadecimal for 46, as the second to last byte in the infected file).
There is one variant, Yankeedoodle.XPEH, that does not follow that pattern. This variant is 4,016 bytes long in infected files and 4,032 bytes in memory. It avoids infecting COMMAND.COM. It was discovered in 1992 May.

Name

Yankeedoodle is named for the tune it plays. In Bulgaria, it is called "TP44VIR". The virus has also been known as the "Five o'clock virus" because of its payload.

Sources

Patricia Hoffman. VSUM, Yankee Doodle Virus.

The TP Viruses

Vesselin Bontchev. The Bulgarian and Soviet Virus Factories. 1991

McAfee Antivirus. Yankee Doodle.Xpeh.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License