[comp.virus] The DataCrime viruses

David.M..Chess.CHESS@YKTVMV (10/05/89)

> DC-2 does it on any day
> between Jan 1 and Oct 12, except on Sundays!

That's not true for the sample that I've seen.  I suspect someone's
just misreading the code (it's easy to do; that area is rather
convoluted).  It could be a new variant, of course, but if it really
*did* do its damage between Jan 1 and Oct 12, wouldn't it have
basically Gone Off by now?  I think your source is just misinformed.
There does seem to be a day-of-the-week check in there, but I'm not
sure what it does at the moment (not damaging on Sundays is possible,
but I wouldn't want to promise anyone!).

In summary, the important differences that I know of between the
DataCrime (1168 and 1280 strains) and the DataCrime II are that
the II:
  - Makes COM files 1514 bytes longer when it infects them
  - Also infects EXE files
  - Stores itself garbled on disk (except for the degarbler)
  - Has a slightly different message ("* DATACRIME II VIRUS *")

Otherwise, it's the same beast, with the same damage conditions.
Of course there may be more variants that I haven't seen!

DC

RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU (Y. Radai) (10/05/89)

  In August, Alan Roberts, David Chess, and Kelly Goen discussed the
DataCrime II virus on VIRUS-L, but only from one point of view: that
it's encrypted and that the decryption code includes a routine which
prevents looking at the code with a single-step utility.  Unless I
missed something, none of them thought of telling us anything else
concerning how DC-2 differs from the original DC.  Much later,
however, we did learn several additional differences, for example:
(1) DC-2 infects EXE as well as COM files.
(2) It increases file size by 1514 bytes.
(3) Whereas DC avoids infecting COM files whose 7th letter is "D"
(thus avoiding infection of COMMAND.COM), DC-2 avoids infecting COM
files whose 2nd letter is "B" (presumably so as not to infect
IBMBIO.COM and IBMDOS.COM).

  So far, so good.  But I have since discovered that there was one
very important difference which (again, assuming that I haven't missed
anything) was not mentioned by anyone on the List: Whereas DC performs
its damage (low-level format of cylinder 0 of the hard disk) on
any day between Oct 13 and Dec 31 of any year, DC-2 does it on any day
between Jan 1 and Oct 12, except on Sundays!

                                          Y. Radai
                                          Hebrew Univ. of Jerusalem
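The target-selection and trigger rules listed in the two posts above, written out as a small Python model so the differences can be checked against concrete filenames and dates. This is an added example, not code from the thread or from the viruses themselves: the variant names "DC" and "DC-2", the functions is_target, in_damage_window and growth_candidates, and the RULES table are my own naming, and the sample filenames are constructed. It encodes only what the posts state: the COM-name exclusion (7th letter "D" for DC, 2nd letter "B" for DC-2), EXE infection for DC-2 only, the 1168/1280/1514-byte growth, and the damage windows. The Sunday exception is Radai's reading and is disputed by Chess, so it is carried as a flag rather than asserted as fact. The model goes slightly beyond the text in that it also shows which system files each variant's exclusion actually protects (DC's rule does nothing for IBMBIO.COM, whose stem has no 7th letter).

```python
"""Model of the DataCrime / DataCrime II rules as stated in the thread.

Added example (not the viruses' own code).  Names, the RULES table and
the sample inputs are assumptions made for illustration only.
"""
from datetime import date

# One entry per variant, from the posts above.  The DC-2 "skip_sunday"
# flag is Radai's claim, disputed by Chess in the same thread.
RULES = {
    "DC": {
        "skip_letter": (7, "D"),           # avoids COM files whose 7th letter is D
        "infects_exe": False,
        "growth": (1168, 1280),            # the two known DC strains
        "window": ((10, 13), (12, 31)),    # (month, day) inclusive, any year
        "skip_sunday": False,
    },
    "DC-2": {
        "skip_letter": (2, "B"),           # avoids COM files whose 2nd letter is B
        "infects_exe": True,
        "growth": (1514,),
        "window": ((1, 1), (10, 12)),      # Radai's reading; Chess disagrees
        "skip_sunday": True,               # Radai's reading; Chess disagrees
    },
}


def is_target(variant, filename):
    """Would this variant consider FILENAME an infection candidate?

    Only the extension and the one-letter COM-name exclusion are modelled,
    because that is all the thread states.  DOS names are case-insensitive,
    so everything is upper-cased first; a leading path is stripped.
    """
    rule = RULES[variant]
    name = filename.replace("\\", "/").rsplit("/", 1)[-1].upper()
    stem, _, ext = name.rpartition(".")
    if not stem or ext not in ("COM", "EXE"):
        return False
    if ext == "EXE":
        return rule["infects_exe"]
    pos, letter = rule["skip_letter"]
    # A stem shorter than POS has no letter at that position, so the
    # exclusion cannot fire (this is why DC's rule does not spare IBMBIO.COM).
    if len(stem) >= pos and stem[pos - 1] == letter:
        return False
    return True


def in_damage_window(variant, d):
    """Is calendar date D inside the variant's damage window as stated?"""
    rule = RULES[variant]
    (sm, sd), (em, ed) = rule["window"]
    if not (date(d.year, sm, sd) <= d <= date(d.year, em, ed)):
        return False
    if rule["skip_sunday"] and d.weekday() == 6:   # Python: Monday == 0
        return False
    return True


def growth_candidates(delta):
    """Which variants would account for a COM/EXE file growing by DELTA bytes?

    Useful only against a known-good baseline size; it is a triage hint,
    not a detection.
    """
    return [v for v, r in RULES.items() if delta in r["growth"]]


if __name__ == "__main__":
    # Constructed sample directory: the system files named in the thread
    # plus a couple of ordinary programs.
    for f in ("COMMAND.COM", "IBMBIO.COM", "IBMDOS.COM", "FORMAT.COM", "WORD.EXE"):
        print(f"{f:12s}  DC:{is_target('DC', f)!s:5}  DC-2:{is_target('DC-2', f)!s:5}")
    for d in (date(1989, 10, 8), date(1989, 10, 12), date(1989, 10, 13)):
        print(d, d.strftime("%A"),
              "DC:", in_damage_window("DC", d), "DC-2:", in_damage_window("DC-2", d))
```

Running the block as a script prints the per-file and per-date decisions for a constructed sample; 13 October 1989 was a Friday, which is why the two stated windows (DC from the 13th, DC-2 up to the 12th) meet exactly around that date.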

jr@ncrsecp.Copenhagen.NCR.dk (Jakob Riis) (10/24/89)

In article <0002.8910062006.AA22699@ge.sei.cmu.edu> David.M..Chess.CHESS@YKTVMV writes:
>> DC-2 does it on any day
>> between Jan 1 and Oct 12, except on Sundays!

>That's not true for the sample that I've seen.  I suspect someone's
>just misreading the code (it's easy to do; that area is rather
>convoluted).  It could be a new variant, of course, but if it really
>*did* do its damage between Jan 1 and Oct 12, wouldn't it have
>basically Gone Off by now?  I think your source is just misinformed.

You might both be right!  The disassembled code I've seen shows that
it's fairly easy to trim DCII to go off any time you would like; in
fact you can de-arm it yourself by setting the day check equal to 8!
(But I guess I would rather re-install the original programs.)  If I
remember correctly, the newly dreaded Columbus Day virus was such a
re-programming of DCII.

Just my 2 cents' worth,
_____________________________________________________________________________
Jakob Riis                      |                Jakob.Riis@Copenhagen.NCR.dk
NCR Corporation                 |                               or
Systems Engineering Copenhagen  |     ..!uunet!mcvax!dkuug!ncrsecp!jakob.riis
- ---------------------------------------------------------------------------
!                A plucked goose doesn't lay golden eggs                    !
- ---------------------------------------------------------------------------