________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers
July 18, 1990, 1200 PST Number A-29
________________________________________________________________________
Name: 4096 virus (also known as the 4k, Stealth, IDF--Israel Defense
Forces, 100 years, Century, and Frodo virus)
Types: Two known versions (also see note 1 about Fish virus)
Platform: MS-DOS computers running DOS 3.x or 4.x; does not appear to
infect files in DOS 2.x
Damage: Can damage files by destructive cross-linking
Symptoms: May slow system performance somewhat; may cause the system to
crash/hang, or may create hard disk errors; may write "FRODO LIVES"
on screen on or after September 22, 1990 (one variant only)
Detection: VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT
Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for
information about these products)
_______________________________________________________________________
Critical 4096 Virus Facts
The 4096 (4k, Stealth, IDF--Israel Defense Forces, 100 years, Century,
or Frodo) virus is one of a new breed of viruses ("Phase II"
viruses--see note 2) that are so effective in masking their presence
that they are nearly invisible to the user. The 4096 virus infects
MS-DOS systems running DOS 3.x and 4.x. (Tests show that the 4096
virus is memory resident in DOS 2.x, but it will not infect files.)

This virus infects programs when a user runs or closes an executable
file. The result is that the 4096 virus adds 4096 bytes to any .EXE or
.COM files that have been opened, as well as to COMMAND.COM.
(However, this virus disguises the size of infected files by causing
the original file length to be displayed.) After initial infection,
there are usually only subtle slowdowns in system performance. As more
files become infected by this virus, it can disrupt the File Allocation
Table (FAT), causing system crashes. The hard disk may also approach
its storage capacity, causing CHKDSK to indicate the following when an
infected executable file is run:

    Allocation error - File size adjusted

There is a trigger date of September 22, 1990. On or after this date
the virus attempts to replace the original boot record with another
boot record. Other reports indicate that the 4096 virus is
unsuccessful in attempting to write the boot record. The result,
however, is that the system may crash. In one version of the 4096
virus the following message is also displayed on or after the trigger
date:

    FRODO LIVES

The 4096 virus is very difficult to detect, even if it has infected
many files. It contains logic to defeat detection on the basis of
increased file size, virus-initiated interrupts, and/or checksums.

The most current versions of virus detection packages such as VIRHUNT,
RESSCAN, CodeSafe, Vi-Spy, and IBM Scan are effective against the 4096
virus. If you find that your computer is infected by this virus, you
should turn your machine off, then boot from a clean floppy. Then run a
virus eradication program (e.g., VIRHUNT, CodeSafe, etc.) from a
non-infected, write-protected floppy disk. Alternatively, you can use
DOS COPY to change the extension of an executable version of a virus
eradication program from .EXE to .DAT or some other similar extension.
This ensures that your renamed anti-virus program cannot become
infected, because the virus only infects files with executable
extensions that are run or closed.

Virus Bulletin recommends an additional detection method for DOS 3.x
systems: set the system date ahead to January 1, 2044, create a small
file, then enter the DIR command. If the 4096 virus is present, the
file size will be 4K and the date will be January 1 of the year 100
(see note 3 below). In DOS 4.x systems the displayed date will be
January 1 of the year 99. Another detection method is to use Norton
Utilities or a similar disk management utility to show the actual size
of suspected files and compare it with the size reported by DIR.
Note 1: The Fish virus is a modified, more sophisticated version of
the 4096 virus. It increases file sizes by either 8K or 4K.
Note 2: Other phase two viruses include the Alabama, Virus 101, 1260,
and Fish virus.
Note 3: The 4096 virus adds 100 to the year of file creation, but
since MS-DOS normally displays only the last two digits of the
year, the virus is not normally detectable on the basis of year
of file creation. MS-DOS time stamps cannot exceed December
31, 2107. If the user sets the date to January 1, 2044, the
virus code increases the year by 100, causing an illegal date.
The number 100 is displayed instead.
Note 4: Basic information about the 4096 virus has been available
through the CIAC Bulletin Board (FELIX) and CIAC Bulletin
A-15 since the beginning of this year.
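The following Python model is an added illustration and is not part of the
CIAC bulletin. It packs dates into the 16-bit MS-DOS directory-entry date
word (7-bit year offset from 1980, 4-bit month, 5-bit day) to show why a
two-digit DIR listing hides the 100-year mark described in note 3, why
December 31, 2107 is the last storable date, and why the January 1, 2044
test date plus 100 years cannot be represented. The function names and the
simplified treatment of the illegal date are assumptions of this example.

```python
# Added example: model of the 16-bit MS-DOS date field used by note 3.
# Layout (real DOS format): bits 15-9 year-1980, bits 8-5 month, bits 4-0 day.
DOS_EPOCH = 1980
YEAR_BITS = 7
MAX_YEAR = DOS_EPOCH + (1 << YEAR_BITS) - 1   # 2107, the latest storable year


def encode_dos_date(year, month, day):
    """Pack a calendar date into the DOS date word.
    Raises ValueError for a date the 7-bit year field cannot hold."""
    if not DOS_EPOCH <= year <= MAX_YEAR:
        raise ValueError(f"year {year} outside DOS range {DOS_EPOCH}-{MAX_YEAR}")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("invalid month or day")
    return ((year - DOS_EPOCH) << 9) | (month << 5) | day


def decode_dos_date(word):
    """Unpack a DOS date word back into (year, month, day)."""
    return (DOS_EPOCH + (word >> 9), (word >> 5) & 0x0F, word & 0x1F)


def two_digit_year(year):
    """What a DIR listing shows: only the last two digits of the year."""
    return f"{year % 100:02d}"


def mark_plus_100_years(year, month, day):
    """Apply the 100-year mark the bulletin describes (hypothetical helper).
    Returns the packed date, or None when the marked year is not storable,
    which is the 'illegal date' case note 3 relies on."""
    try:
        return encode_dos_date(year + 100, month, day)
    except ValueError:
        return None


def display_hides_mark(year):
    """True when the two-digit display of year and year+100 are identical,
    i.e. a normal DIR listing cannot reveal the mark."""
    return two_digit_year(year) == two_digit_year(year + 100)


if __name__ == "__main__":
    # Constructed dates: the bulletin's own date, and the recommended test date.
    print(decode_dos_date(mark_plus_100_years(1990, 7, 18)))  # stored as 2090
    print(display_hides_mark(1990))                            # True: "90" both ways
    print(mark_plus_100_years(2044, 1, 1))                     # None: 2144 not storable
```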
For additional information or assistance, please contact CIAC:
Eugene Schultz
(415) 422-8193 or (FTS) 532-8193
FAX: (415) 423-0913, (FTS) 543-0913 or (415) 422-4294
Send e-mail to:
ciac@tiger.llnl.gov
Ray Glath and Bill Kinney furnished a portion of the information in
this bulletin. Neither the United States Government nor the University
of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility
for the accuracy, completeness, or usefulness of any information,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply
its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.