
ciac-10.columbus-day-virus

Posted Sep 23, 1999


tags | virus
SHA-256 | 4522c57a067159b62002226942b470d8cfaa278a722900b617005ceed220a94b


________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

INFORMATION BULLETIN
________________________________________________________________




September 22, 1989

Information about Columbus Day (Datacrime) Virus Affecting IBM PCs and
PC Compatibles

I. Executive Summary

On September 8, 1989 the DOE Computer Incident Advisory Capability
(CIAC) issued a notice about the Columbus Day Virus, also known as the
DATACRIME virus, which may attack MS-DOS (PC-DOS) personal computers.
Since that time CIAC has gathered considerable information and has
obtained and analyzed two versions of this virus.

The Columbus Day family of viruses will infect applications on IBM
Personal Computers (PCs) and Compatibles. Execution of an infected
program will cause the virus to replicate to other applications. When
the system date is between October 13th and December 31st of any year
and the computer has a hard disk, the virus strikes and displays the
message:

DATACRIME VIRUS
RELEASED: 1 March 1989

Simultaneously, the virus makes the hard disk unreadable. Recovery
after the virus has altered the disk is extremely difficult. The
enclosed procedures will help to assure non-interrupted use of
affected computers.

This memo contains recommendations that users of an IBM personal
computer or compatible computers (PC) may follow to prevent loss of
information due to this virus. Also included are technical procedures
on how to detect, protect, eradicate and recover from the Columbus Day
family of viruses. A survey form is provided to aid the CIAC team in
collecting data concerning the spread of this virus. It is requested
that this form be completed at each site and returned to CIAC as soon
as possible.


II. Detailed Information on the Columbus Day (DATACRIME) Virus

DATACRIME-V1 (also known as the 1168 Virus, named for its length) and
DATACRIME-V2 (also known as the 1280 virus) are both closely related
Columbus Day Viruses with only minor changes. A related virus,
DATACRIME II, is currently being examined. This bulletin gives
details about what to expect from this family of viruses and makes
further recommendations for protecting your systems.

You may have seen a report about this topic on CNN or read about it in
your local newspaper. However, all indications at this time are that
these viruses are not as widespread as other viruses affecting IBM PCs
and PC compatibles. The Computer Virus Industry Association (CVIA)
reports that infections have been minimal. This data is collected
from reports by programs like VIRUSCAN, and represents a very large
sampling of the community. However, as with all viruses we should be
prepared. If the DATACRIME virus attacks your machine it could do
serious damage. Good backups are essential.

The DATACRIME (V1 and V2) family of viruses will infect one .COM file
each time an infected program is executed. DATACRIME II will infect
both .COM and .EXE files. It does this by searching the current
directory and all sub-directories on the "C:" drive for a file
to infect. If it fails to find a file, it will search other drives on
your machine for a candidate file. The virus will not infect any file
with "D" as the seventh letter of its name; thus, COMMAND.COM
will not be infected. Each time the virus is run it checks the
current date. If the date is between October 13th and December 31st
of any year and the computer has a hard disk it displays the message:

DATACRIME VIRUS
RELEASED: 1 March 1989

Simultaneously, the virus formats the first 8 tracks of cylinder 0 of
the hard disk. This will effectively destroy the partition table,
master boot track, the boot record, the File Allocation Table (FAT),
and a portion of the root directory. Recovery at this point will be
very difficult and will require a low level format. Due to the way
the virus executes, its behaviors range from no action to
complete data loss of the hard disk. We stated in the previous memo
on the Columbus Day Virus that you may be able to do a partial
recovery with, for example, Disk Doctor, in Norton Utilities Version
4.5. As we examined the virus we determined that there is only a very
small chance of recovery by this method. Prevention and backups are
the best course.

The CIAC recommends that each PC user follow the procedures below:

First, back up your hard disk - most importantly the data. These
viruses can't propagate through data files and you can always
restore your applications from the distribution disks, but if your
data is important to you, you should back it up now.

Now that you've backed up your data you can try to detect the
virus. Utilities that search files for particular ASCII strings are
ineffective, since the ASCII strings in the virus code are encrypted.
There are several methods you can use to detect this virus. The first
method, while labor intensive, doesn't require any special
software. Check for any increase in the size of your .COM or .EXE
files. The virus will not infect COMMAND.COM so examine other
executable files, for example, FORMAT.COM, CHKDSK.COM, FIND.EXE and
PRINT.COM.

Note that there are other reasons why the file size may not match.
For example, you may have updated to a newer version of a program, or
you are running Data Physician which changes the size of the file.
However, a size change should signal that you need to investigate
further.
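
The size check described above can be automated by recording executable
sizes while the machine is known clean and comparing them later. The
following is an added example, not part of the CIAC bulletin: the sample
file sizes are constructed, and treating growth of exactly 1168 or 1280
bytes as a match assumes an infection adds exactly the virus length.

```python
import os

# Lengths the bulletin gives for DATACRIME-V1 and DATACRIME-V2.
KNOWN_LENGTHS = {1168: "DATACRIME-V1 (1168)", 1280: "DATACRIME-V2 (1280)"}
EXECUTABLE_EXTS = (".COM", ".EXE")


def snapshot(root):
    """Map each .COM/.EXE path under root (relative, upper-cased) to its size."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.upper().endswith(EXECUTABLE_EXTS):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).upper()
                sizes[rel] = os.path.getsize(full)
    return sizes


def skipped_by_virus(path):
    """The bulletin says files with 'D' as the seventh letter are not infected."""
    stem = os.path.splitext(os.path.basename(path))[0].upper()
    return len(stem) >= 7 and stem[6] == "D"


def compare(baseline, current):
    """Return findings for executables that grew since the baseline."""
    findings = []
    for path, old in sorted(baseline.items()):
        new = current.get(path)
        if new is None or new <= old:
            continue
        delta = new - old
        # Assumption: an infection grows the file by exactly the virus length.
        match = KNOWN_LENGTHS.get(delta)
        if match and not skipped_by_virus(path):
            verdict = "growth matches " + match
        else:
            verdict = "grew; investigate (upgrade or other tool?)"
        findings.append((path, old, new, delta, verdict))
    return findings


# Constructed sample data: sizes are invented for illustration.
BASELINE = {"FORMAT.COM": 11616, "CHKDSK.COM": 9850, "FIND.EXE": 6434, "COMMAND.COM": 25307}
CURRENT = {"FORMAT.COM": 12784, "CHKDSK.COM": 9850, "FIND.EXE": 6934, "COMMAND.COM": 25307}

if __name__ == "__main__":
    for finding in compare(BASELINE, CURRENT):
        print("%-12s %6d -> %6d (+%d): %s" % finding)
```

Take the baseline with snapshot() right after installing from write-protected
distribution disks, and treat any growth, matching or not, as a reason to
investigate further.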

Another possible method is to use a commercial product that will
detect these viruses. This includes products like Flu-Shot+,
VIRUSCAN, or Data Physician, which should report the existence of
these viruses as well as certain other viruses.

If you find you are infected but DATACRIME hasn't struck yet,
DON'T PANIC. Do the following: Copy the infected files to a
diskette and clearly label it as a virus and protect this disk. We
need copies of all DATACRIME viruses that infect DOE machines so
please call the CIAC for instructions on how to handle this sample.
You must completely rid your machine of this virus. The procedure
below is believed to be necessary because current eradication programs
cannot guarantee 100% recovery.

Again, make sure that you have backed up all your data. Ensure that
there are no system or application files (any file that ends in .COM
or .EXE) on your backup floppies. The next step will destroy all
information on the hard disk, so ensure that your backups and
distribution disks are safe. Follow the necessary procedures to
format your hard-drive. Seek expert assistance if you are not
familiar with how to carry out this procedure.

Now take out your original disks and write protect each one of them.
If you have a virus detection program that works, run it on the
application disks to ensure they are virus-free. Reinstall all of
your applications from the original virus-free distribution disks.
You should examine all of your floppies and backups that contain
applications or system files to prevent reinfection. Remember, one
infected file will reinfect your system.

The CIAC would like to survey all DOE sites for the Columbus Day
Viruses. We request that sites do random checks of their IBM PCs and
compatibles and report back by phone, fax or email using the enclosed
form. Should you find a virus, label your diskettes with the word
VIRUS and mail to:

CIAC, David S. Brown, L-542
P.O. Box 808
7000 East Ave.
Lawrence Livermore National Laboratory
Livermore, CA 94550

We want to prevent viruses from becoming widespread. For questions
or for further information, please contact the CIAC staff:

CIAC
(415) 422-8193 or FTS 532-8193 ciac@tiger.llnl.gov
CIAC FAX
(415) 423-0913
David Brown
(415) 423-9878 or FTS 543-9878 brown@pantera.llnl.gov
Tom Longstaff
(415) 423-4416 or FTS 543-4416 longstaf@pantera.llnl.gov
Ana Maria De Alvare'
(415) 422-7007 or FTS 532-7007 anamaria@pantera.llnl.gov
Gene Schultz, Leader
(415) 422-8193 or FTS 532-8193 gschultz@pantera.llnl.gov

The CIAC would like to survey all DOE sites for the Columbus
Day/DATACRIME virus. We request that sites do random checks of their
PCs and report back by fax or email with the following information
whether or not a virus infection was detected:


Name _______________________________________ Phone____________________


Organization ____________________________________________________________


Address _________________________________________________________________


_________________________________________________________________________



Number of PCs tested ________________


Number of PCs infected by the DATACRIME virus ________________


Number of PCs infected by other viruses ______________________


Method(s) of Detection _______________________________________



Comments __________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

___________________________________________________________________________

Please send your survey results and any infected disks to:

CIAC
(415) 422-8193 or FTS 532-8193 ciac@tiger.llnl.gov
CIAC FAX
(415) 423-0913
David Brown
(415) 423-9878 or FTS 543-9878 brown@pantera.llnl.gov
Tom Longstaff
(415) 423-4416 or FTS 543-4416 longstaf@pantera.llnl.gov
Ana Maria De Alvare'
(415) 422-7007 or FTS 532-7007 anamaria@pantera.llnl.gov
Gene Schultz, Leader
(415) 422-8193 or FTS 532-8193 gschultz@pantera.llnl.gov
