
Columbus Day Virus: Fact Sheet



Sept. 22, 1989

FACT SHEET

Columbus Day Computer Virus

Several reports of a new computer virus recently have been
published in the media and throughout the data processing
community. This virus has been referred to as "Columbus Day,"
"Friday the 13th," as well as "Datacrime I" or "Datacrime II." It
attacks IBM-compatible personal computers running the MS-DOS/PC-
DOS operating system. If activated, the virus will destroy disk
file directory information, making files and their contents
inaccessible. The following information has been compiled by
NIST, NCSC, and SEI from several sources and is being made
available for system managers to use in taking precautionary
measures.

NOTE: As with many viruses, there may be other, yet unidentified,
variants with different characteristics. Therefore, this
information is not guaranteed to be complete and accurate for all
possible variants.

NAMES OF VIRUS: Columbus Day, Friday the 13th, Datacrime I/II
EFFECT: Performs a low-level format of cylinder zero of the
hard disk on the target machine, thereby destroying the boot
sector and File Allocation Table (FAT) information. Upon
activation it may display a message similar to the following:
DATACRIME VIRUS RELEASED:1 MARCH 1989

TRIGGER: The virus is triggered by a system date 13 October or
later. (Note that 13 October 1989 is a Friday.)

CHARACTERISTICS: Several characteristics have been identified:

1. The virus, depending on its variant, appends itself to .COM
files (except for COMMAND.COM), increasing the .COM file by
either 1168 or 1280 bytes. In addition, the Datacrime II variant
can infect .EXE files, increasing their size by 1514 bytes.

2. The 1168 byte version contains the hex string EB00B40ECD21B4.

3. The 1280 byte version contains the hex string
00568DB43005CD21.

This virus reportedly was released on 1 March 1989 in Europe. It
is unlikely that significant propagation could occur between the
release date and mid-October; therefore, U.S. systems should be
at a low risk for infection. If safe computing practices have
been followed, the risk should be practically nil. However,
managers believing their site may be at risk should consider
taking precautionary measures, including one or more of the
following actions:

1. Take full back-ups of all hard disks. If the disks are later
found to have been infected and attacked by the virus, lost data
can be recovered from the back-ups. Operating system and
application software can be restored from original media. A full
low-level disk format should be performed on the infected hard
disk prior to restoration procedures.

2. Consider using a commercial utility that can assist in
restoration of a disk directory and recovery of data. There are
a number of such utilities on the market. Note that these
utilities normally must be run prior to data loss to enable disk
and file restoration.

3. Avoid setting the system date to 13 October or later until
the systems have been checked for virus presence.

4. Attempt to determine if the virus is present in one or more
files through one of the following techniques:

a. If original file sizes are known, check for increased
sizes as noted above.

b. Use DEBUG or other utility to scan .COM and .EXE files
for the characteristic hexadecimal strings noted
earlier.

c. Copy all software to an isolated system and set the
system date to 13 October or later and run several
programs to see if the virus is triggered. If
activation occurs, all other systems will require virus
identification and removal.

d. Use a virus-detection tool to determine if this (or
another) virus is present.

Commercial products intended to detect or remove various computer
viruses are available from several sources. However, these
products are not formally reviewed or evaluated; thus, they are
not listed here. The decision to use such products is the
responsibility of each user or organization.
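
Added example (not part of the original fact sheet): a small Python scanner that applies checks 4a and 4b above to a directory tree, using only the size increases and hex strings quoted in the fact sheet. The function names and the baseline mapping of file name to known-good size are assumptions made for this illustration.

```python
import os

# Hex strings quoted in the fact sheet, one per .COM variant.
SIGNATURES = {
    "1168-byte variant": bytes.fromhex("EB00B40ECD21B4"),
    "1280-byte variant": bytes.fromhex("00568DB43005CD21"),
}
# Size increases reported in the fact sheet, by file extension.
GROWTH = {".com": {1168, 1280}, ".exe": {1514}}


def scan_bytes(data):
    """Return the names of the signatures found in a file image."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def check_file(path, baseline_size=None):
    """Apply checks 4a (size growth) and 4b (hex string) to one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in GROWTH:
        return []  # only .COM and .EXE files are infection targets
    with open(path, "rb") as fh:
        data = fh.read()
    findings = [f"signature: {name}" for name in scan_bytes(data)]
    if baseline_size is not None:
        delta = len(data) - baseline_size
        if delta in GROWTH[ext]:
            findings.append(f"size grew by {delta} bytes")
    return findings


def scan_tree(root, baseline=None):
    """Walk root; baseline (assumed) maps upper-case file name -> known size."""
    baseline = baseline or {}
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            hits = check_file(path, baseline.get(fname.upper()))
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    import sys
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, "->", "; ".join(hits))
```

A signature match or a matching size increase is an indicator for follow-up, not proof of infection; as the fact sheet notes, other variants may have different characteristics.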
 
To the best of our knowledge, the text on this page may be freely reproduced and distributed.