robjohn@OCDIS01.AF.MIL (Contractor Robert Johnson) (10/04/89)
Here is an extracted version of the Columbus Day Virus information. It should probably be distributed to the widest possible audience. I have received this info from the AF OSI, but other agencies have also posted their own warnings. I would recommend that this be taken very seriously.

Bob Johnson
LOGDIS System Administrator
Tinker Air Force Base, Oklahoma City
(robjohn@ocdis01.af.mil)

-------------------------------cut here------------------------------------

COLUMBUS DAY VIRUS UPDATE: 10/28/89

A virus has been found which will destroy the hard disk data on infected systems. It will activate if the date is greater than 12 October 1989. It supposedly trashes track 0 of the hard disk, requiring a low-level format to make the disk useable again. It is designed to avoid detection by popular "anti-virus" programs.

Version 1 of the virus attacks .COM files, increasing the file length by 1168 bytes, and can be found by searching for the hex codes EB00B40ECD21B4.

Version 2 of the virus attacks .COM files, increasing the file length by 1280 bytes, and can be found by searching for the hex codes 00568DB43005CD21.

Version 3 of the virus attacks both .EXE and .COM files, increasing the .COM file lengths by 1514 bytes (and .EXE's a similar amount).

For all 3 versions, check the file length of any suspected files against the original software. Use any kind of search program that allows hex searches to find version 1 or 2.

It is still not known exactly how the virus reproduces. Currently, it is thought that certain public domain programs may carry the virus to new systems, and that BBS's are the primary means of distribution.
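
The two checks the advisory describes (a hex search for versions 1 and 2, and a length comparison against the original software for all three), written out as an added Python example that is not part of the original posting. The baseline mapping of relative paths to original file lengths is an assumption of this example; the advisory gives no search string for version 3, so only the length comparison can flag it.

```python
import os

# Hex search strings and .COM length increases, as stated in the advisory.
SIGNATURES = {
    "version 1": bytes.fromhex("EB00B40ECD21B4"),
    "version 2": bytes.fromhex("00568DB43005CD21"),
}
COM_GROWTH = {1168: "version 1", 1280: "version 2", 1514: "version 3"}


def scan_bytes(data):
    """Return the versions whose hex search string occurs in data."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def check_growth(name, current_len, original_len):
    """Compare a file's length with its original; return a note or None."""
    delta = current_len - original_len
    if delta == 0:
        return None
    if name.upper().endswith(".COM") and delta in COM_GROWTH:
        return f"grew {delta} bytes ({COM_GROWTH[delta]})"
    # The advisory gives no exact .EXE figure, so any change is reported.
    return f"length changed by {delta} bytes"


def scan_tree(root, baseline):
    """Scan .COM/.EXE files under root.

    baseline (an assumption of this example) maps a relative path to the
    file's length on the original distribution media.
    Returns a sorted list of (relative_path, reason) findings.
    """
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.upper().endswith((".COM", ".EXE")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            with open(path, "rb") as fh:
                data = fh.read()
            for version in scan_bytes(data):
                findings.append((rel, f"hex string for {version}"))
            if rel in baseline:
                note = check_growth(name, len(data), baseline[rel])
                if note:
                    findings.append((rel, note))
    return sorted(findings)
```

A hex-string hit in a file with no baseline entry is still reported; a length change alone is only a lead, since a legitimate upgrade also changes file size.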