________________________________________________________________________

             THE COMPUTER INCIDENT ADVISORY CAPABILITY

                     CIAC INFORMATION BULLETIN

________________________________________________________________________

      The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers

July 18, 1990, 1200 PST                                      Number A-29
________________________________________________________________________

Name:        4096 virus (also known as the 4k, Stealth, IDF--Israel
             Defense Forces, 100 years, Century, and Frodo virus)
Types:       Two known versions (also see note 1 about the Fish virus)
Platform:    MS-DOS computers running DOS 3.x or 4.x; does not appear
             to infect files in DOS 2.x
Damage:      Can damage files by destructive cross-linking
Symptoms:    May slow system performance somewhat; may cause the system
             to crash/hang, or may create hard disk errors; may write
             "FRODO LIVES" on screen on or after September 22, 1990
             (one variant only)
Detection:   VIRHUNT, RESSCAN, CodeSafe, Vi-Spy, IBM Scan, FPROT
Eradication: VIRHUNT, CodeSafe, FPROT, and others (contact CIAC for
             information about these products)
_______________________________________________________________________

Critical 4096 Virus Facts

The 4096 (4k, Stealth, IDF--Israel Defense Forces, 100 years, Century, or
Frodo) virus is one of a new breed of viruses ("Phase II" viruses--see
note 2) that are so effective in masking their presence that they are
nearly invisible to the user. The 4096 virus infects MS-DOS systems
running DOS 3.x and 4.x. (Tests show that the 4096 virus is memory
resident in DOS 2.x, but it will not infect files.) This virus infects
programs when a user runs or closes an executable file. The result is
that the 4096 virus adds 4096 bytes to any .EXE or .COM files that have
been opened, as well as to COMMAND.COM. (However, this virus disguises
the size of infected files by causing the original file length to be
displayed.) After initial infection, there are usually only subtle
slowdowns in system performance.
As more files become infected by this virus, it can disrupt the File
Allocation Table (FAT), causing system crashes. The hard disk may also
approach its storage capacity, causing CHKDSK to indicate the following
when an infected executable file is run:

     Allocation error - File size adjusted

There is a trigger date of September 22, 1990. On or after this date the
virus attempts to replace the original boot record with another boot
record. Other reports indicate that the 4096 virus is unsuccessful in
attempting to write the boot record. The result, however, is that the
system may crash. In one version of the 4096 virus the following message
is also displayed on or after the trigger date:

     FRODO LIVES

The 4096 virus is very difficult to detect, even if it has infected many
files. It contains logic to defeat detection on the basis of increased
file size, virus-initiated interrupts, and/or checksums. The most current
versions of virus detection packages such as VIRHUNT, RESSCAN, CodeSafe,
Vi-Spy, and IBM Scan are effective against the 4096 virus.

If you find that your computer is infected by this virus, you should turn
your machine off, then boot from a clean floppy. Now run a virus
eradication program (e.g., VIRHUNT, CodeSafe, etc.) from a non-infected,
write-protected floppy disk. Alternatively, you can use DOS COPY to
change the extension of an executable version of a virus eradication
program from .EXE to .DAT or some other similar extension. Because the
virus infects only files opened as executables, this ensures that your
renamed anti-virus program cannot become infected.

Virus Bulletin recommends an additional detection method for DOS 3.x
systems: set the time stamp ahead to January 1, 2044, create a small
file, then enter the DIR command. If the 4096 virus is present, the file
size will be 4K and the date will be January 1 of the year 100 (see
note 3 below). In DOS 4.x systems the displayed date will be January 1
of the year 99.
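Added example, not part of the CIAC bulletin: a small Python model of the FAT directory date field (a 7-bit year offset from 1980, a 4-bit month and a 5-bit day, which is the documented on-disk layout and the reason DOS dates stop at December 31, 2107) showing why a file stamped January 1, 2044 cannot have 100 years added to it, which is the condition the Virus Bulletin test above and note 3 below rely on. The virus's own arithmetic and the exact DIR display are not reproduced; the function names are my own.

```python
# FAT directory date word: bits 15-9 = year - 1980, bits 8-5 = month, bits 4-0 = day.
DOS_EPOCH_YEAR = 1980
DOS_MAX_YEAR = DOS_EPOCH_YEAR + 0x7F   # 2107: largest year the 7-bit field can hold


def pack_dos_date(year: int, month: int, day: int) -> int:
    """Return the 16-bit FAT date word for a calendar date, or raise if it does not fit."""
    if not (DOS_EPOCH_YEAR <= year <= DOS_MAX_YEAR):
        raise ValueError(f"year {year} is outside the FAT range {DOS_EPOCH_YEAR}-{DOS_MAX_YEAR}")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        raise ValueError("month or day out of range")
    return ((year - DOS_EPOCH_YEAR) << 9) | (month << 5) | day


def unpack_dos_date(word: int) -> tuple[int, int, int]:
    """Split a 16-bit FAT date word back into (year, month, day)."""
    return (DOS_EPOCH_YEAR + (word >> 9), (word >> 5) & 0xF, word & 0x1F)


def shifted_by_century_fits(year: int, month: int, day: int) -> bool:
    """True if the date can still be stored legally after 100 years are added.

    The bulletin's test picks a creation date (January 1, 2044) for which
    the answer is False, so a 100-year shift of the time stamp cannot be
    hidden as a valid date and shows up in DIR as an illegal year.
    """
    try:
        pack_dos_date(year + 100, month, day)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample dates: the bulletin's suggested date and the bulletin's own date.
    for y, m, d in [(2044, 1, 1), (1990, 7, 18)]:
        word = pack_dos_date(y, m, d)
        print(f"{y}-{m:02d}-{d:02d} -> 0x{word:04X}, "
              f"+100 years still a legal FAT date? {shifted_by_century_fits(y, m, d)}")
```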
Another detection method is to use Norton Utilities or a similar disk
management utility to show the actual size of suspected files.

Note 1: The Fish virus is a modified, more sophisticated version of the
4096 virus. It increases file sizes by either 8K or 4K.

Note 2: Other phase two viruses include the Alabama, Virus 101, 1260,
and Fish virus.

Note 3: The 4096 virus adds 100 to the year of file creation, but since
MS-DOS normally displays only the last two digits of the year, the virus
is not normally detectable on the basis of year of file creation. MS-DOS
time stamps cannot exceed December 31, 2107. If the user sets the date to
January 1, 2044, the virus code increases the year by 100, causing an
illegal date. The number 100 is displayed instead.

Note 4: Basic information about the 4096 virus has been available
through the CIAC Bulletin Board (FELIX) and CIAC Bulletin A-15 since the
beginning of this year.

For additional information or assistance, please contact CIAC:

     Eugene Schultz
     (415) 422-8193 or (FTS) 532-8193
     FAX: (415) 423-0913, (FTS) 543-0913 or (415) 422-4294
     Send e-mail to: ciac@tiger.llnl.gov

Ray Glath and Bill Kinney furnished a portion of the information in this
bulletin.

Neither the United States Government nor the University of California
nor any of their employees makes any warranty, expressed or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.