____________________________________________________
                                               C I A C
                     Computer Incident Advisory Capability
____________________________________________________
                                                            September 8, 1989

Notice of Columbus Day Virus
Affecting IBM PCs and PC Clones

The DOE Computer Incident Advisory Capability (CIAC) has learned 
that there is a Columbus Day Virus which may attack MS-DOS (PC-
DOS) personal computers on or after October 12 or October 13, 1989. 
Note that October 13 is a Friday the thirteenth. You should make the 
information in this notice available to appropriate personnel at your 
site so that the virus can be detected and eradicated.

The Columbus Day Virus has been isolated and may actually be one 
of a series of related viruses. It most closely resembles the DataCrime 
Virus. Contrary to speculation in a recent Federal Computing Weekly 
article, however, the Columbus Day Virus does not appear to be 
closely related to the Icelandic or West German virus. The Columbus 
Day Virus searches through the DOS directory for .COM files other 
than COMMAND.COM. It attaches to the end of a .COM file, which 
increases the size of the file by 1168 bytes. The virus infects any 
given .COM file only once. However, it will infect any uninfected .COM 
file that it encounters. If the virus executes, it will display the 
message:

DATACRIME VIRUS
RELEASED:l MARCH 1989

and then do a low-level format on track zero. Since this is the boot 
area of the disk, the hard disk will be unbootable.

Detection of this virus is difficult because ASCII strings in the virus 
code are encrypted. Therefore, utilities that search files for particular 
ASCII strings are useless. There are two methods you can use to 
detect this virus. The first method is to check for a size increase of 
1168 bytes in .COM files. Another possible method is to use 
VIRUSCAN*, (see below) which should report the existence of this 
virus as well as several other viruses. If a machine is infected, users 
must copy over all infected .COM files using their original .COM files. 
This must be accomplished at one sitting to prevent re-infection. You 
should also examine backups to see if they are infected. You should 
repeat whatever detection method you decide to use every time you 
load a new .COM file or database into your PC or PC clone.

If the boot sector is destroyed, it can be restored with Disk Doctor, a 
utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a 
restoration is possible only if the Disk Doctor utility had been 
previously run.

The DOE Center for Computer Security at Los Alamos has recently 
published a pamphlet, "Computer Viruses and the Personal Computer 
User" (CCS-89-03). CIAC recommends that you read and follow the 
excellent guidelines contained in this pamphlet .

Because VIRUSCAN is produced and distributed by a commercial 
developer, CIAC cannot at this time send copies of this software 
directly to you. To obtain a copy of VIRUSCAN, you need to send $15 
with your name, address and phone number to:

McAfee Associates
4423 Cheeney St.
Santa Clara, CA 95054
Phone: (408) 988-3832

For further information contact David S. Brown at CIAC. David's 
phone is (415) 4239878 or (FTS) 533-9878. He can also be reached 
at the CIAC number, (415) 422-8193 or (FTS) 532-8193. David's e-
mail address is:

brown@pantera.llnl.gov

* - The University of California neither endorses VIRUSCAN nor 
guarantees the effectiveness of this software package. CIAC will test 
this package in the near future to determine whether it provides 
adequate detection of the Columbus Day virus.