💾 Archived View for spam.works › mirrors › textfiles › virus › virus1.vir captured on 2023-06-16 at 21:05:38.


This is an update to my previous report dated September 6, 1989
on the DATACRIME Virus.  Since my previous report, this virus has
become very visible in the public eye.  Many articles have been
written, and many misunderstandings may have occurred.  Hopefully
this report can clear up any misconceptions regarding this virus.

The virus WILL format cylinder 0 of a hard disk on or after
October 13, NOT October 12, as many articles have reported. The
Norton Utilities supposedly can spot the existence of this virus
on a hard disk; instructions follow this report.  The program
"Viruscan" supposedly can find this virus as well. I have
run the Norton Utilities on my hard disk, and it does not seem to
be infected.  I do not have a copy of the virus to test whether
the Norton Utilities solution or Viruscan actually do work.  I
am currently in the process of acquiring a copy of Viruscan.

The virus seems not to be very widespread: fewer than 50
occurrences of the virus have been noted in Europe and only 7
have been reported in the United States. (This information is
current as of September 11, 1989).  No mention has been made of
the DATACRIME II virus within the past week in the VIRUS-L
distribution list.  If you remember, this one is the virus which
supposedly affects both .COM and .EXE files.  All the information
in this follow-up report centers on the Datacrime Version 1
(1168) and the Datacrime Version 2 (1280) viruses.

The Department of Energy's Lawrence Livermore Laboratories'
Computer Incident Advisory Capability (CIAC) concurs that
VIRUSCAN may be a possible method of detecting this
virus on a PC.  CIAC also mentions that if track zero (the boot
sector) of the hard disk is destroyed by the virus, it can be
restored using Norton Utilities Version 4.5 Disk Doctor program
IF the Disk Doctor program was previously run on the infected
machine.

We in Reston are preparing to evaluate "Port of Entry" as a
potential anti-virus capability.  This program is advertised as
being able to detect the existence of Datacrime and other viruses
within a computer system.  If found appropriate, this product
will be sent out as soon as possible to the TMIS site offices.

     Karen Pichnarczyk

     Directions for checking for the existence of the Datacrime 1168 and
     Datacrime 1280 viruses using Norton Utilities:

     1.  Type NU to run the Norton Utilities program from the DOS prompt.

     2.  Type E to Explore Disk from the Main Menu.

     3.  Type S to Search item/disk for data from the Explore Disk menu.

     4.  Type W for Where to search from the Search item/disk for data Menu.

     5.  Type A for All of DOS disk from the Where to Search Menu.

     6.  Type T for Text to search for from the Search item/disk for data menu.

     7.  Hit the TAB key to put you in the window to search data, in hexadecimal
	 format.

     8A.  To search for the 1168 virus, type:  (no spaces)
	  EB 00 B4 0E CD 21 B4
	  then hit the RETURN key

     8B.  To search for the 1280 virus, type:  (no spaces)
	  00 56 8D B4 30 05 CD 21
	  then hit the RETURN key.

     (you can only do 8A or 8B by itself, to check for one virus at a time)

     9.  Type S to start search from the Search item/disk for data Menu.
	 I searched a 20MG hard drive in about 15 minutes.

     10. When the search is over, the computer will either place you directly at the
	 "Search item/disk for Data" menu or prompt for a keystroke to return to
	 this menu.

     11.  If the highlighted text is "(display found text)" you have the
	  specified virus on your hard disk.  CONTACT SECURITY PERSONNEL
	  IMMEDIATELY.  Do NOT touch another key on this machine.
	  If the highlighted text is "Leave search" then you do not have the
	  specified virus on your hard disk.  You may either continue from step
	  6 or type an "L" to Leave the Search.

     12.  To back out of the Norton Utilities, type an R to the "Explore Disk Menu".

     13.  To finish backing out of the Utilities, type a Q to Quit the Norton
	  Utilities from the Main Menu.
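
The same byte-pattern search as steps 8A and 8B, written as an added Python example (not part of the original report and not Norton's or Viruscan's code). It checks a file or disk image for both patterns in one pass and reports the offset of each hit; the function names and the sample data are constructed for illustration.

```python
import io

# Hex patterns quoted in steps 8A and 8B of the report above.
SIGNATURES = {
    "Datacrime 1168": bytes.fromhex("EB 00 B4 0E CD 21 B4"),
    "Datacrime 1280": bytes.fromhex("00 56 8D B4 30 05 CD 21"),
}

def scan_stream(stream, signatures=SIGNATURES, chunk_size=64 * 1024):
    """Return {name: [absolute offsets]} for each signature found in stream.

    Data is read in chunks. The last (longest signature - 1) bytes of each
    chunk are carried into the next read, so a pattern that straddles a
    chunk boundary is still matched.
    """
    if chunk_size < 1:
        raise ValueError("chunk_size must be at least 1")
    overlap = max(len(sig) for sig in signatures.values()) - 1
    hits = {name: [] for name in signatures}
    tail = b""
    base = 0  # absolute offset of the first byte of tail + chunk
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for name, sig in signatures.items():
            pos = buf.find(sig)
            while pos != -1:
                absolute = base + pos
                # A match lying wholly inside the carried tail was already
                # reported on the previous pass; skip the repeat.
                if not hits[name] or absolute > hits[name][-1]:
                    hits[name].append(absolute)
                pos = buf.find(sig, pos + 1)
        keep = min(overlap, len(buf))
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep
    return hits

def scan_file(path, **kwargs):
    """Scan one file (for example a .COM file or a raw disk image)."""
    with open(path, "rb") as handle:
        return scan_stream(handle, **kwargs)

if __name__ == "__main__":
    # Constructed sample: filler bytes with the 1168 pattern at offset 10.
    sample = b"\x90" * 10 + SIGNATURES["Datacrime 1168"] + b"\x90" * 20
    print(scan_stream(io.BytesIO(sample), chunk_size=8))
```

Unlike step 5's "All of DOS disk" search, this reads only the file or image it is given, so free space and boot areas are covered only when a raw image of the disk is scanned.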