[comp.virus] Ohio vs. Den Zuk

frisk@rhi.hi.is (Fridrik Skulason) (11/13/89)

It is obvious that the "Den Zuk" and "Ohio" viruses are somehow related,
but the nature of their relationship has not been determined yet. "Ohio"
was reported later, but there is a possibility that it is older than
"Den Zuk".

I said in an earlier note that a diskette infected with Ohio would be
immune to infections by Brain and Den Zuk. This is not entirely
correct. The diskette will be immune to infections by Brain, but when
Den Zuk finds an "Ohio"-infected diskette, it will remove the virus and
put a copy of itself there instead.

As I have mentioned before, the "Ohio" virus contains the signature of
the "Den Zuk", but it also contains some interesting text strings:

                      V  I  R  U  S
                           b y
                       The Hackers
                       Y C 1 E R P
                      D E N Z U K O
                      Bandung 40254
                        Indonesia

                (C) 1988, The Hackers Team....

Remember that Den Zuk puts the volume label Y.C.1.E.R.P on
Brain-infected diskettes, when it removes the infection.

(And yes, by the way, both viruses only infect diskettes, not hard
disks).

The "Den Zuk" virus contains the following text strings:

                        Welcome to the
                           C l u b
                        --The HackerS--
                            Hackin'
                         All The Time

                         The HackerS

On a more technical level, the viruses are very close. Both store the main
part of the virus on track 40, starting at sector 33. (Remember that normal
360K diskettes have only tracks numbered 0..39 and sectors 1..9.) They also
hook INT 9 and take action when Ctrl-Alt-Del is pressed, and in both cases
a true reboot can be produced by pressing Ctrl-Alt-F5.

And of course - the "Ohio" virus has the same "bug" as "Den Zuk" - it
cannot properly infect other types of diskettes than 360K.

A part of the "Den Zuk" virus may explain the relationship. The following
code fragment is used to determine if a diskette should be infected or not.

    CMP    [SIGN1],537CH      ; Is current diskette infected
                              ; with this version of Den Zuk ?
    JE     BP0300             ; Yes, do not infect.
    CMP    [SIGN2],0FAFAH     ; No, but is it infected with
                              ; (probably) an older version ?
    JE     BP0280             ; Yes, update the virus.
    CMP    [SIGN3],1234H      ; No, but is it infected with Brain ?
    JNE    BP0290             ; Yes, remove it.
                              ; No, just infect.

"Ohio" contains the signature FAFA in the specified location.

My theory is that the "Ohio" virus is the missing "older version" of
"Den Zuk", that it was written by the same authors as "Den Zuk", but
earlier. The authors of Ohio released it to fight the Brain virus, but
since it contained a number of bugs, the "Den Zuk" virus was later
released to track it down.

One final question. I understand that a variant of Dutch is spoken in
some parts of Indonesia - do the words "Den Zuk" mean anything over
there?

- -frisk
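A scanner's view of the decision chain in the fragment quoted above, as an added example that is not part of the original post: a Python classifier applying the same three little-endian signature-word comparisons to a 512-byte boot-sector image, plus a check for the off-disk track/sector where both viruses hide their body. The word values (537Ch, FAFAh, 1234h) come from the post; the byte offsets of SIGN1, SIGN2 and SIGN3 are assumptions for this example, since the post does not give them.

```python
import struct

# Signature words from the Den Zuk fragment; byte offsets are ASSUMED here.
SIGN1_OFFSET, SIGN1_VALUE = 0x1F8, 0x537C   # current Den Zuk version
SIGN2_OFFSET, SIGN2_VALUE = 0x1FA, 0xFAFA   # older version ("Ohio")
SIGN3_OFFSET, SIGN3_VALUE = 0x004, 0x1234   # Brain

# Normal 360K diskette geometry quoted in the post.
MAX_TRACK, MAX_SECTOR = 39, 9


def word_at(sector: bytes, offset: int) -> int:
    """Read a 16-bit little-endian word, as an 8086 CMP [mem],imm16 sees it."""
    return struct.unpack_from("<H", sector, offset)[0]


def classify_boot_sector(sector: bytes) -> str:
    """Apply the fragment's CMP chain in order and return a scanner verdict."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte boot sector image")
    if word_at(sector, SIGN1_OFFSET) == SIGN1_VALUE:
        return "den-zuk"           # JE BP0300: virus leaves it alone
    if word_at(sector, SIGN2_OFFSET) == SIGN2_VALUE:
        return "ohio/old-den-zuk"  # JE BP0280: virus would overwrite it
    if word_at(sector, SIGN3_OFFSET) == SIGN3_VALUE:
        return "brain"             # fall-through: virus would remove Brain
    return "clean"                 # JNE BP0290: virus would simply infect


def outside_360k_geometry(track: int, sector: int) -> bool:
    """True for track/sector numbers a normal 360K diskette does not have,
    e.g. the track 40 / sector 33 hiding place named in the post."""
    return not (0 <= track <= MAX_TRACK and 1 <= sector <= MAX_SECTOR)


def make_sector(signatures) -> bytes:
    """Build a constructed 512-byte sector carrying the given (offset, word) pairs."""
    buf = bytearray(512)
    for offset, value in signatures:
        struct.pack_into("<H", buf, offset, value)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed sample images, one per branch of the decision chain.
    for name, sigs in [("den-zuk", [(SIGN1_OFFSET, SIGN1_VALUE)]),
                       ("ohio", [(SIGN2_OFFSET, SIGN2_VALUE)]),
                       ("brain", [(SIGN3_OFFSET, SIGN3_VALUE)]),
                       ("clean", [])]:
        print(name, "->", classify_boot_sector(make_sector(sigs)))
    print("track 40 / sector 33 off-disk:", outside_360k_geometry(40, 33))
```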

dave@uunet.UU.NET (Dave Horsfall) (11/22/89)

frisk@rhi.hi.is (Fridrik Skulason) writes:

| As I have mentioned before, the "Ohio" virus contains the signature of
| the "Den Zuk", but it also contains some interesting text strings:
|
|                       V  I  R  U  S
|                            b y
|                        The Hackers
|                        Y C 1 E R P
|                       D E N Z U K O
|                       Bandung 40254
|                         Indonesia
|
|                 (C) 1988, The Hackers Team....
|
| Remember that Den Zuk puts the volume label Y.C.1.E.R.P on
| Brain-infected diskettes, when it removes the infection.

Just a long shot, but "YC1ERP" happens to be a legitimate Amateur
Radio (ham radio) callsign allocated to Indonesia...

I don't have access to an International Callbook just now.
Perhaps someone would like to check this out!

Dave Horsfall (VK2KFU),  Alcatel STC Australia,  dave@stcns3.stc.oz.AU
dave%stcns3.stc.oz.AU@uunet.UU.NET,  ...munnari!stcns3.stc.oz.AU!dave