FANDOM


Frodo is the first full stealth virus on DOS.

Behavior

When a file infected with Frodo is executed, the virus becomes memory resident. It infects any file that is accessed by the user that has a .com or .exe extension, appending itself to the end of that file. The virus will set the file's time stamp to an extra 100 years. It may also corrupt some data files.

If the user runs the DIR command while the virus is in memory, it will show all infected files with their original length. If there is any attempt to read an infected file, only the original file will be seen. CHKDSK may be able to detect inconsistencies in the length of an infected file as well

Payload

On September 22, Frodo attempts to place a trojan on boot sectors. This trojan displays the message "FRODO LIVES!" in large letters with a pattern moving around it. The code for placing the trojan contains many bugs and may cause the system to crash.

Name

Frodo gets its name from the text it displays. Frodo is the name of a character from Lord of the Rings. His birthday is September 22. It has also gone by the names 4096 for its size. Being the first stealth virus, it has also been called Stealth. Century and 100 years, or some variant on these two have been used as this virus sets an infected file's timestamp to 100 years in the future. Yet another name, IDF (Israeli Defense Force), was probably used because of the virus's origin in Israel.

Variants

The Fish virus is based on Frodo. It contains the text "COD SHARK CARP BASS TROUT FIN MUSKY SOLE FISH PIKE MACKEREL FISH TUNA FISH FI". It is 3,584 bytes long in a file and 4,096 bytes in memory.

Other Facts

Vesselin Bontchev said this was one of the easiest viruses to remove. All it required was for the user to type the commands "copy *.com nul" and "copy *.exe nul" then to shut down the computer to remove the virus from memory.

4K is a variant of this virus that is sometimes named as this virus. It's payload is supposed to be the same but it hangs the system instead.

References

Jim Bates. Reports collected and collated by PC-Virus Index, Frodo.

VIRUS REPORT, 4096 virus.

Stefan Tode. University Hamburg, Virus Test Center, FISH #6 Virus. 1991.02.12

F-Secure Antivirus, F-Secure Virus Descriptions : Frodo.

Symantec Antivirus, Frodo.Frodo.

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.