Ontario III - Written by Death Angel

By the way - SBC virus should be known as the Ontario-II virus...

    This is my third attempt at a virus, and has several new and improved
features over previous versions.  This version has a much improved encryption
mechanism (only two constant bytes).  The random header generator seems to
work satisfactory and I have designated considerable code toward it (although
I wouldn't mind getting a copy of that mutating engine, it's probably alot
better).
    It also uses another technique in an effort to get the original
Int 13 location in order to avoid any hard disk write protection software
programs. 
    The virus takes exactly 5K of memory, and is located at the top of memory
using the usual methods.  From its first initiation it is resident in memory
at all times and monitors Int 21 (Of course).
    When the virus is first ran, it will place itself in high memory and
then infect your COMMAND.COM.  In case you have your COMMAND.COM on a drive
other then C:\ it will use the COMSPEC variable in the environment to find
the exact location of the COMMAND.COM that is being used.  When COMMAND.COM
is infected it will overwrite the stack portion so the absolute file size
is not changed.  
    The virus itself is 2048 bytes and appends exactly 2048 bytes onto all
infected files.  It will infect COM, EXE, OVL, and SYS files.  File sizes
are not changed on infected files when you do a DIR (and no chkdsk errors!).
Files are infected when they are either executed or opened for any reason.
SYS files are only infected when they are opened.  
    There are two main sources used by the virus to avoid detecting the
virus in memory.  First, the recognizition code used by the virus - whether
it is in memory or not, can only be successfully called by the virus itself.
Next, whenever anyone debugs an infected file, the virus will detect this
and remove the virus from the infected file (in memory) before passing
control back to DEBUG.  The file will still be infected and the person
debugging won't notice the entry point has been altered.
    The virus intercepts INT 24 and INT 13 on all infections to avoid the
most common method of detecting file viruses: "Write protect error".  It will
also turn off the READ-ONLY attributes on files it wants to infect.  It will
not infect system files such as IBMBIO.SYS and IO.SYS as they would cause
the system to instantly crash upon boot-up.  The file date is not altered
on infected files.  The file length of files are increased by exactly 2,048
bytes on all infects (not multiples of 16, etc).
    That's basically all there is to the virus.  The virus also contains a 
boot sector within its code (although it is infectous - It's never placed on
the boot sector - kinda like the 4096).  The virus does not do any dangerous
damage but can become a pest by taking up disk space.
    Also, I included a small trojan program that will write over every
sector on your hard disk with trash... I don't suggest you run it on your 
system!  The trojan is disguised as a FLI to MOD converter.

PLEASE DO NOT MODIFY THIS FILE.

THE POWER HOUSE BBS
[416] 692-4993