rl1b+@ANDREW.CMU.EDU ("Robert A. Locke") (09/27/89)
The following is a reprint without permission from Infoworld on September 11, 1989. My apologies to the magazine but I thought this was too important.

"DOS Virus Will Erase Disks on Columbus Day"
by Mark Stephens

DOS users who think viruses are problems only for the Macintosh and Unix communities had better think again, according to computer security specialists, who said that a network-transferable DOS virus may erase thousands of hard disks on October 12.

Dubbed the Datacrime 89 or Columbus Day Virus, the virus or viruses (there may be two) attach themselves to .COM files, according to Tom Patterson, a computer security specialist with Centel Federal Systems Inc., a systems integrator based in Reston, Virginia.

"The virus is self-propagating and encrypted," Patterson said. "It works its way through subdirectories, and disks on a system and can be transferred across networks, by modems, or by floppy disks. When the system clock says it is October 12, the virus erases track 0, destroying the hard disk directory."

Centel is working on a program to detect the virus, but there is no hope for developing software to eliminate it, Patterson said. "We've set up a security lab here to check all PCs and incoming software. The virus does not attach itself to COMMAND.COM files, or any file with "d" in the seventh position. Files that have been infected are generally increased in size by 1,168 or 1,280 bytes."

But the only way to know for sure whether a system is infected is to back up the hard disk, then set the system clock forward. "Don't set it straight to October 12 - the virus is too smart for that," Patterson said. "We can trigger it by setting the clock to October 1, then bumping it ahead one day at a time to October 12."

Just because a PC proves virus-free today does not mean that it will not be infected between now and October 12, Patterson warned.

"The scary part of this virus is the networking aspect," said Rolf Lang, president of the Systems Security Group at LTG Inc., in Fairfax, Virginia. "There is no way of knowing how many thousands of PCs are already infected, and how many thousands of gigabytes of data will be lost on October 12 because people have not taken precaution against this threat."

Information about the virus, also called the Icelandic virus, is available from Centel Federal Systems at (800) 843-4850.

[ end of article ]

[ I have called Centel and they are sending me the information through the mail. I will let everyone know what I find. I also want to remind people that I have little control over the files put in the Info-DEC-Micro archives, so it is possible that some of the files could be infected. If you discover that some of them are, please notify me immediately so I can remove the files and send an appropriate warning over the net. - ed. ]

--Rob Locke
Info-DEC-Micro List/File Maintainer
-------
Arpanet: rl1b+@andrew.cmu.edu       USNail : 53 Echo Drive North
Bitnet : rl1b@ANDREW (mail only)             Darien, CT 06820
Fidonet: Rob Locke (1:129/15)                USA
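
The size indicator quoted in the article (growth of 1,168 or 1,280 bytes in .COM files) can be checked against a saved baseline. The following is an added example, not part of the article or the original post: it compares two DOS DIR listings and reports .COM files whose growth matches. The listing format, the sample data, and the reading of "seventh position" as the seventh letter of the file name are assumptions.

```python
import re

# Growth figures the article reports for infected .COM files (bytes).
REPORTED_GROWTH = {1168, 1280}
# A DOS DIR line for a .COM file: name, extension, size (format assumed).
DIR_LINE = re.compile(r"^(\S{1,8})\s+COM\s+(\d+)\b", re.IGNORECASE)

def com_sizes(dir_listing):
    """Return {NAME.COM: size} parsed from DOS DIR output text."""
    sizes = {}
    for line in dir_listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            sizes[m.group(1).upper() + ".COM"] = int(m.group(2))
    return sizes

def article_says_skipped(filename):
    """Assumed reading: COMMAND.COM, or 'd' as the 7th letter of the name."""
    base = filename.upper().rsplit(".", 1)[0]
    return filename.upper() == "COMMAND.COM" or (len(base) >= 7 and base[6] == "D")

def suspicious_growth(baseline_listing, current_listing):
    """List (file, old, new, note) for .COM files that grew by a reported amount."""
    before, after = com_sizes(baseline_listing), com_sizes(current_listing)
    hits = []
    for name in sorted(after):
        if name not in before:
            continue  # no baseline entry, nothing to compare
        if after[name] - before[name] in REPORTED_GROWTH:
            skipped = article_says_skipped(name)
            note = "article says not targeted" if skipped else "matches report"
            hits.append((name, before[name], after[name], note))
    return hits

# Constructed sample listings (not taken from the article).
BASELINE = """\
COMMAND  COM     25307   3-17-87  12:00p
FORMAT   COM     11616   3-18-87  12:00p
MORE     COM       313   3-17-87  12:00p
EDLIN    COM      7526   3-17-87  12:00p
"""
CURRENT = """\
COMMAND  COM     25307   3-17-87  12:00p
FORMAT   COM     12784   3-18-87  12:00p
MORE     COM      1593   3-17-87  12:00p
EDLIN    COM      7530   3-17-87  12:00p
"""
```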