100 lines
4.1 KiB
Plaintext
100 lines
4.1 KiB
Plaintext
|
|
Columbus Day Virus: A Fact Sheet (22)
|
|
|
|
|
|
Sept. 22, 1989
|
|
|
|
FACT SHEET
|
|
|
|
Columbus Day Computer Virus
|
|
|
|
Several reports of a new computer virus recently have been
|
|
published in the media and throughout the data processing
|
|
community. This virus has been referred to as "Columbus Day,"
|
|
"Friday the 13th," as well as "Datacrime I" or "Datacrime II." It
|
|
attacks IBM-compatible personal computers running the MS-DOS/PC-
|
|
DOS operating system. If activated, the virus will destroy disk
|
|
file directory information, making files and their contents
|
|
inaccessible. The following information has been compiled by
|
|
NIST, NCSC, and SEI from several sources and is being made
|
|
available for system managers to use in taking precautionary
|
|
measures.
|
|
|
|
NOTE: As with many viruses, there may be other, yet unidentified,
|
|
variants with different characteristics. Therefore, this
|
|
information is not guaranteed to be complete and accurate for all
|
|
possible variants.
|
|
|
|
NAMES OF VIRUS: Columbus Day, Friday the 13th, Datacrime I/II
|
|
EFFECT: Performs a low-level format of cylinder zero of the
|
|
hard disk on the target machine, thereby destroying the boot
|
|
sector and File Allocation Table (FAT) information. Upon
|
|
activation it may display a message similar to the following:
|
|
DATACRIME VIRUS RELEASED:1 MARCH 1989
|
|
|
|
TRIGGER: The virus is triggered by a system date 13 October or
|
|
later. (Note that 13 October 1989 is a Friday.)
|
|
|
|
CHARACTERISTICS: Several characteristics have been identified:.
|
|
|
|
1. The virus, depending on its variant, appends itself to .COM
|
|
files (except for COMMAND.COM), increasing the .COM file by
|
|
either 1168 or 1280 bytes. In addition, the Datacrime II variant
|
|
can infect .EXE files, increasing their size by 1514 bytes.
|
|
|
|
2. The 1168 byte version contains the hex string EB00B40ECD21B4.
|
|
|
|
3. The 1280 byte version contains the hex string
|
|
00568DB43005CD21.
|
|
|
|
This virus reportedly was released on 1 March 1989 in Europe. It
|
|
is unlikely that significant propagation could occur between the
|
|
release date and mid-October; therefore, U.S. systems should be
|
|
at a low risk for infection. If safe computing practices have
|
|
been followed, the risk should be practically nil. However,
|
|
managers believing their site may be at risk should consider
|
|
taking precautionary measures, including one or more of the
|
|
following actions:
|
|
|
|
1. Take full back-ups of all hard disks. If the disks are later
|
|
found to have been infected and attacked by the virus, lost data
|
|
can be recovered from the back-ups. Operating system and
|
|
application software can be restored from original media. A full
|
|
low-level disk format should be performed on the infected hard
|
|
disk prior to restoration procedures.
|
|
|
|
2. Consider using a commercial utility that can assist in
|
|
restoration of a disk directory and recovery of data. There are
|
|
a number of such utilities on the market. Note that these
|
|
utilities normally must be run prior to data loss to enable disk
|
|
and file restoration.
|
|
|
|
3. Avoid setting the system date to 13 October or later until
|
|
the systems have been checked for virus presence.
|
|
|
|
4. Attempt to determine if the virus is present in one or more
|
|
files through one of the following techniques:
|
|
|
|
a. If original file sizes are known, check for increased
|
|
sizes as noted above.
|
|
|
|
b. Use DEBUG or other utility to scan .COM and .EXE files
|
|
for the characteristic hexadecimal strings noted
|
|
earlier.
|
|
|
|
c. Copy all software to an isolated system and set the
|
|
system date to 13 October or later and run several
|
|
programs to see if the virus is triggered. If
|
|
activation occurs, all other systems will require virus
|
|
identification and removal.
|
|
|
|
d. Use a virus-detection tool to determine if this (or
|
|
another) virus is present.
|
|
|
|
Commercial products intended to detect or remove various computer
|
|
viruses are available from several sources. However, these
|
|
products are not formally reviewed or evaluated; thus, they are
|
|
not listed here. The decision to use such products is the
|
|
responsibility of each user or organization.
|
|
|