|
NCSA Virus Report #53
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
???????????????????????????????
? VIRUS REPORT ?
? Den Zuk ?
???????????????????????????????
Synonyms: Venezuelan, The Search.
Place of Origin: Indonesia?
Host Machine: PC compatibles.
Host Files: Remains resident. Infects floppy disk boot sector.
OnScreen Symptoms: a purple "DEN ZUK" graphic will appear after a
CTRL-ALT-DEL is performed if the system has a CGA, EGA, or VGA monitor
and an infected floppy in drive A:. The rather pretty graphic slides in
from the sides of the screen.
Increase in Size of Infected Files: n/a.
Nature of Damage: Affects system run-time operation. Corrupts or
overwrites boot sector of 360K floppies. The original causes no
intentional damage. Some variations may reformat a floppy disk after a
counter reaches a value of 5 to 10 (depending on the version.)
Detected by: Scanv56+, F-Prot, IBM Scan, Pro-Scan.
Removed by: MDisk, F-Prot, or the DOS SYS command.
Derived from: Ohio virus
Scan Code: FA 8C C8 8E D8 8E D0 BC 00 F0 FB B8 78 7C 50 C3. You can also
search at 03EH for BB 90 7C 53 C3 B9 B0 7C 51 C3.
Den Zuk (translation: "The Search") was written as an anti-virus
virus. Its target: Brain infections. When this virus finds a
Brain-infected diskette, it removes Brain and puts a copy of itself in
place. It also looks for old versions of itself and "upgrades" them if
necessary. The virus resides on track 40 on diskettes (normally 360K
diskettes only have tracks numbered 0-39), and thus takes up no usable
space.
The virus was designed as a boot sector infector that infects 360KB 5
1/4" floppies. It infects through any access to the host diskette. It can
survive a warm reboot. It will infect data (non-system) diskettes, which
in turn can pass on the infection if an accidental attempt to boot from
the data disk occurs.
Den Zuk has a bug which causes it to attempt to infect 3.5"
diskettes. This will overwrite the diskette's FAT and cause a read (or
write) failure. It cannot infect a hard disk, and will not attempt to do
so. If an infected system is rebooted from the hard disk, the virus will
de-activate. This is not the case with rebooting from a clean floppy -
which will become infected.
Den Zuk demonstrates what can (and will) go wrong with
anti-virus-viruses. The programmer did not anticipate 1.2M or 3.5"
diskettes. When the virus infects a disk of that type, it will destroy
data. Also, several "hacked" versions of this virus have been reported:
* One variant will disable the SYS command and destroy all data on
drive C: on (Friday) September 13, 1991.
* Another variant uses a counter which keeps track of how many times
the system has been rebooted. When the limit is reached (usually 5 to
10 reboots), the drive A: floppy is reformatted.
You may find the following text strings on infected disks:
Welcome to the
C l u b
<197>The HackerS<197>
Hackin'
All The Time
The HackerS
If the virus has successfully removed the Brain, the volume label of
infected diskettes may be changed to "Y.C.1.E.R.P.". The Den Zuk virus
will also remove an Ohio virus infection before infecting the diskette
with Den Zuk, presumably because the Ohio is the first draft and a bit
cruder than Den Zuk.
The Den Zuk virus was probably written by the same person as the Ohio
virus: the "Y.C.1.E.R.P." string is found in the Ohio virus, and the
viral code is similar in many respects.
??????????????????????????????????????????????????????????????????????
? This document was adapted from the book "Computer Viruses", ?
? which is copyright and distributed by the National Computer ?
? Security Association. It contains information compiled from ?
? many sources. To the best of our knowledge, all information ?
? presented here is accurate. ?
? ?
? Please send any updates or corrections to the NCSA, Suite 309, ?
? 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS ?
? and upload the information: (202) 364-1304. Or call us voice at ?
? (202) 364-8252. This version was produced May 22, 1990. ?
? ?
? The NCSA is a non-profit organization dedicated to improving ?
? computer security. Membership in the association is just $45 per ?
? year. Copies of the book "Computer Viruses", which provides ?
? detailed information on over 145 viruses, can be obtained from ?
? the NCSA. Member price: $44; non-member price: $55. ?
? ?
? The document is copyright © 1990 NCSA. ?
? ?
? This document may be distributed in any format, providing ?
? this message is not removed or altered. ?
??????????????????????????????????????????????????????????????????????
|
|
