________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC INFORMATION BULLETIN
________________________________________________________________

CIAC Computer Incident Advisory Capability Information Bulletin
September 22, 1989

Information about Columbus Day (Datacrime) Virus Affecting IBM PCs and PC Compatibles

I. Executive Summary

On September 8, 1989 the DOE Computer Incident Advisory Capability (CIAC) issued a notice about the Columbus Day Virus, also known as the DATACRIME virus, which may attack MS-DOS (PC-DOS) personal computers. Since that time CIAC has gathered considerable information and has obtained and analyzed two versions of this virus.

The Columbus Day family of viruses will infect applications on IBM Personal Computers (PCs) and Compatibles. Execution of an infected program will cause the virus to replicate to other applications. When the system date is between October 13th and December 31st of any year and the computer has a hard disk, the virus strikes and displays the message:

    DATACRIME VIRUS RELEASED: 1 March 1989

Simultaneously, the virus makes the hard disk unreadable. Recovery after the virus has altered the disk is extremely difficult. The enclosed procedures will help to assure non-interrupted use of affected computers.

This memo contains recommendations that users of an IBM personal computer or compatible computers (PC) may follow to prevent loss of information due to this virus. Also included are technical procedures on how to detect, protect, eradicate and recover from the Columbus Day family of viruses. A survey form is provided to aid the CIAC team in collecting data concerning the spread of this virus. It is requested that this form be completed at each site and returned to CIAC as soon as possible.

II. Detailed Information on the Columbus Day (DATACRIME) Virus

DATACRIME-V1 (also known as the 1168 Virus, named for its length) and DATACRIME-V2 (also known as the 1280 virus) are both closely related Columbus Day Viruses with only minor changes. A related virus, DATACRIME II, is currently being examined. This bulletin gives details about what to expect from this family of viruses and makes further recommendations for protecting your systems.

You may have seen a report about this topic on CNN or read about it in your local newspaper. However, all indications at this time are that these viruses are not as widespread as other viruses affecting IBM PCs and PC compatibles. The Computer Virus Industry Association (CVIA) reports that infections have been minimal. This data is collected from reports by programs like VIRUSCAN, and represents a very large sampling of the community. However, as with all viruses, we should be prepared. If the DATACRIME virus attacks your machine it could do serious damage. Good backups are essential.

The DATACRIME (V1 and V2) family of viruses will infect one .COM file each time an infected program is executed. DATACRIME II will infect both .COM and .EXE files. It does this by searching the current directory and all sub-directories on the "C:" drive for a file to infect. If it fails to find a file, it will search other drives on your machine for a candidate file. The virus will not infect any file with "D" as the seventh letter of its name; thus, COMMAND.COM will not be infected.

Each time the virus is run it checks the current date. If the date is between October 13th and December 31st of any year and the computer has a hard disk, it displays the message:

    DATACRIME VIRUS RELEASED: 1 March 1989

Simultaneously, the virus formats the first 8 tracks of cylinder 0 of the hard disk. This will effectively destroy the partition table, master boot track, the boot record, the File Allocation Table (FAT), and a portion of the root directory.
Recovery at this point will be very difficult and will require a low-level format. Due to the way the virus executes, its behavior ranges from no action to complete data loss of the hard disk. We stated in the previous memo on the Columbus Day Virus that you may be able to do a partial recovery with, for example, Disk Doctor, in Norton Utilities Version 4.5. As we examined the virus we determined that there is only a very small chance of recovery by this method. Prevention and backups are the best course.

The CIAC recommends that each PC user follow the procedures below:

First, back up your hard disk, most importantly the data. These viruses can't propagate through data files and you can always restore your applications from the distribution disks, but if your data is important to you, you should back it up now.

Now that you've backed up your data you can try to detect the virus. Utilities that search files for particular ASCII strings are ineffective, since the ASCII strings in the virus code are encrypted. There are several methods you can use to detect this virus.

The first method, while labor intensive, doesn't require any special software. Check for any increase in the size of your .COM or .EXE files. The virus will not infect COMMAND.COM, so examine other executable files, for example, FORMAT.COM, CHKDSK.COM, FIND.EXE and PRINT.COM. Note that there are other reasons why the file size may not match. For example, you may have updated to a newer version of a program, or you are running Data Physician, which changes the size of the file. However, a size change should signal that you need to investigate further.

Another possible method is to use a commercial product that will detect these viruses. This includes products like Flu-Shot+, VIRUSCAN, or Data Physician, which should report the existence of these viruses as well as certain other viruses.

If you find you are infected but DATACRIME hasn't struck yet, DON'T PANIC.
Do the following:

Copy the infected files to a diskette, clearly label it as a virus, and protect this disk. We need copies of all DATACRIME viruses that infect DOE machines, so please call the CIAC for instructions on how to handle this sample.

You must completely rid your machine of this virus. The procedure below is believed to be necessary because current eradication programs cannot guarantee 100% recovery.

Again, make sure that you have backed up all your data. Ensure that there are no system or application files (any file that ends in .COM or .EXE) on your backup floppies.

The next step will destroy all information on the hard disk, so ensure that your backups and distribution disks are safe. Follow the necessary procedures to format your hard drive. Seek expert assistance if you are not familiar with how to carry out this procedure.

Now take out your original disks and write-protect each one of them. If you have a virus detection program that works, run it on the application disks to ensure they are virus-free. Reinstall all of your applications from the original virus-free distribution disks.

You should examine all of your floppies and backups that contain applications or system files to prevent reinfection. Remember, one infected file will reinfect your system.

The CIAC would like to survey all DOE sites for the Columbus Day Viruses. We request that sites do random checks of your IBM PCs and compatibles and report back by phone, fax or email using the enclosed form. Should you find a virus, label your diskettes with the word VIRUS and mail to:

    CIAC, David S. Brown, L-542
    P.O. Box 808
    7000 East Ave.
    Lawrence Livermore National Laboratory
    Livermore, CA 94550

We want to prevent viruses from becoming widespread.
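The manual size check recommended in the detection section above, written out as a script. This is an added example and not part of the 1989 bulletin: it records a baseline manifest of .COM/.EXE sizes, compares it against a later snapshot, and labels growth of exactly 1168 or 1280 bytes (the two variant lengths the bulletin gives) while noting that names with "D" as the seventh letter are ones the virus skips. The sample manifests are constructed values, not real measurements.

```python
import os

# Lengths the bulletin gives for the two variants (bytes added to a host file).
DATACRIME_LENGTHS = {1168: "DATACRIME-V1 (1168)", 1280: "DATACRIME-V2 (1280)"}


def is_skipped_by_virus(filename):
    """True if the virus would not touch this file: 'D' is the seventh letter
    of the name (e.g. COMMAND.COM). DOS names are case-insensitive."""
    base = os.path.basename(filename).upper()
    return len(base) >= 7 and base[6] == "D"


def snapshot(root):
    """Record {relative path: size} for every .COM/.EXE file under root.
    Run once on a known-clean system to create the baseline."""
    sizes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.upper().endswith((".COM", ".EXE")):
                path = os.path.join(dirpath, name)
                sizes[os.path.relpath(path, root)] = os.path.getsize(path)
    return sizes


def check_sizes(baseline, current):
    """Compare a baseline manifest against current sizes.
    Returns (name, growth, note) for each executable that is new or changed;
    growth equal to a known DATACRIME length is labelled as such."""
    findings = []
    for name, size in current.items():
        if not name.upper().endswith((".COM", ".EXE")):
            continue
        old = baseline.get(name)
        if old is None:
            findings.append((name, None, "not in baseline; verify against distribution disk"))
            continue
        growth = size - old
        if growth == 0:
            continue
        if growth in DATACRIME_LENGTHS:
            note = "growth matches " + DATACRIME_LENGTHS[growth]
        else:
            note = "size changed; check for a program update or Data Physician"
        if is_skipped_by_virus(name):
            note += " (virus skips names with 'D' as 7th letter; look elsewhere)"
        findings.append((name, growth, note))
    return findings


# Constructed sample manifests: FORMAT.COM grew by 1168, PRINT.COM by 1280.
BASELINE = {"FORMAT.COM": 11616, "CHKDSK.COM": 9850, "COMMAND.COM": 25307, "PRINT.COM": 8995}
CURRENT = {"FORMAT.COM": 12784, "CHKDSK.COM": 9850, "COMMAND.COM": 25307,
           "PRINT.COM": 10275, "FIND.EXE": 6416, "README.TXT": 2048}

if __name__ == "__main__":
    for name, growth, note in check_sizes(BASELINE, CURRENT):
        print(f"{name:12} {str(growth):>6}  {note}")
```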
For questions or for further information, please contact the CIAC staff:

    CIAC                   (415) 422-8193 or FTS 532-8193   ciac@tiger.llnl.gov
    CIAC FAX               (415) 423-0913
    David Brown            (415) 423-9878 or FTS 543-9878   brown@pantera.llnl.gov
    Tom Longstaff          (415) 423-4416 or FTS 543-4416   longstaf@pantera.llnl.gov
    Ana Maria De Alvare'   (415) 422-7007 or FTS 532-7007   anamaria@pantera.llnl.gov
    Gene Schultz, Leader   (415) 422-8193 or FTS 532-8193   gschultz@pantera.llnl.gov

________________________________________________________________

The CIAC would like to survey all DOE sites for the Columbus Day/DATACRIME virus. We request that sites do random checks of their PCs and report back by fax or email with the following information, whether or not a virus infection was detected:

Name _______________________________________ Phone____________________

Organization ____________________________________________________________

Address _________________________________________________________________
_________________________________________________________________________

Number of PCs tested ________________

Number of PCs infected by the DATACRIME virus ________________

Number of PCs infected by other viruses ______________________

Method(s) of Detection _______________________________________

Comments __________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

Please send your survey results and any infected disks to the CIAC contacts listed above.