ciac-02.columbus-day-virus
____________________________________________________
C I A C
Computer Incident Advisory Capability
____________________________________________________
September 8, 1989
Notice of Columbus Day Virus
Affecting IBM PCs and PC Clones
The DOE Computer Incident Advisory Capability (CIAC) has learned
that there is a Columbus Day Virus which may attack MS-DOS (PC-
DOS) personal computers on or after October 12 or October 13, 1989.
Note that October 13 is a Friday the thirteenth. You should make the
information in this notice available to appropriate personnel at your
site so that the virus can be detected and eradicated.
The Columbus Day Virus has been isolated and may actually be one
of a series of related viruses. It most closely resembles the DataCrime
Virus. Contrary to speculation in a recent Federal Computing Weekly
article, however, the Columbus Day Virus does not appear to be
closely related to the Icelandic or West German virus. The Columbus
Day Virus searches through the DOS directory for .COM files other
than COMMAND.COM. It attaches to the end of a .COM file, which
increases the size of the file by 1168 bytes. The virus infects any
given .COM file only once. However, it will infect any uninfected .COM
file that it encounters. If the virus executes, it will display the
message:
DATACRIME VIRUS
RELEASED: 1 MARCH 1989
and then do a low-level format on track zero. Since this is the boot
area of the disk, the hard disk will be unbootable.
Detection of this virus is difficult because ASCII strings in the virus
code are encrypted. Therefore, utilities that search files for particular
ASCII strings are useless. There are two methods you can use to
detect this virus. The first method is to check for a size increase of
1168 bytes in .COM files. Another possible method is to use
VIRUSCAN* (see below), which should report the existence of this
virus as well as several other viruses. If a machine is infected, users
must copy over all infected .COM files using their original .COM files.
This must be accomplished at one sitting to prevent re-infection. You
should also examine backups to see if they are infected. You should
repeat whatever detection method you decide to use every time you
load a new .COM file or database into your PC or PC clone.
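
An added example, not part of the CIAC notice: one way to apply the size-check method in Python, assuming .COM file sizes were recorded while the machine was known to be clean. The function names and the sample files in demo() are constructed for illustration.

```python
import os
import tempfile

GROWTH = 1168  # size increase per infected .COM file, as stated in this notice


def snapshot(root):
    """Return {relative upper-cased path: size} for every .COM file under root."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(".COM"):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).upper()
                sizes[rel] = os.path.getsize(full)
    return sizes


def compare(baseline, current):
    """Classify each .COM file against a known-clean baseline."""
    report = {"suspect": [], "changed": [], "unbaselined": []}
    for path, size in sorted(current.items()):
        if path not in baseline:
            report["unbaselined"].append(path)      # no clean size on record
        elif size - baseline[path] == GROWTH:
            report["suspect"].append(path)          # grew by exactly 1168 bytes
        elif size != baseline[path]:
            report["changed"].append((path, size - baseline[path]))
    return report


def demo():
    """Constructed sample: dummy .COM files, one of them grown by 1168 bytes."""
    with tempfile.TemporaryDirectory() as root:
        for name, size in (("COMMAND.COM", 25307), ("EDIT.COM", 4000), ("sub/TOOL.com", 900)):
            path = os.path.join(root, name)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(b"\x90" * size)
        baseline = snapshot(root)                   # taken while files are clean
        with open(os.path.join(root, "EDIT.COM"), "ab") as f:
            f.write(b"\x00" * GROWTH)               # simulate 1168 appended bytes
        with open(os.path.join(root, "NEW.COM"), "wb") as f:
            f.write(b"\x90" * 100)                  # file added after the baseline
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

A file listed as suspect is an indicator to follow up, not proof of infection; files listed as unbaselined have to be compared against their original distribution copies instead.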
If the boot sector is destroyed, it can be restored with Disk Doctor, a
utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a
restoration is possible only if the Disk Doctor utility had been
previously run.
The DOE Center for Computer Security at Los Alamos has recently
published a pamphlet, "Computer Viruses and the Personal Computer
User" (CCS-89-03). CIAC recommends that you read and follow the
excellent guidelines contained in this pamphlet.
Because VIRUSCAN is produced and distributed by a commercial
developer, CIAC cannot at this time send copies of this software
directly to you. To obtain a copy of VIRUSCAN, you need to send $15
with your name, address and phone number to:
McAfee Associates
4423 Cheeney St.
Santa Clara, CA 95054
Phone: (408) 988-3832
For further information contact David S. Brown at CIAC. David's
phone is (415) 423-9878 or (FTS) 533-9878. He can also be reached
at the CIAC number, (415) 422-8193 or (FTS) 532-8193. David's e-
mail address is:
brown@pantera.llnl.gov
* - The University of California neither endorses VIRUSCAN nor
guarantees the effectiveness of this software package. CIAC will test
this package in the near future to determine whether it provides
adequate detection of the Columbus Day virus.