____________________________________________________

                      C I A C
        Computer Incident Advisory Capability
____________________________________________________

September 8, 1989

Notice of Columbus Day Virus Affecting IBM PCs and PC Clones

The DOE Computer Incident Advisory Capability (CIAC) has learned that there is a Columbus Day Virus which may attack MS-DOS (PC-DOS) personal computers on or after October 12 or October 13, 1989. Note that October 13 is a Friday the thirteenth. You should make the information in this notice available to appropriate personnel at your site so that the virus can be detected and eradicated.

The Columbus Day Virus has been isolated and may actually be one of a series of related viruses. It most closely resembles the DataCrime Virus. Contrary to speculation in a recent Federal Computing Weekly article, however, the Columbus Day Virus does not appear to be closely related to the Icelandic or West German virus.

The Columbus Day Virus searches through the DOS directory for .COM files other than COMMAND.COM. It attaches to the end of a .COM file, which increases the size of the file by 1168 bytes. The virus infects any given .COM file only once. However, it will infect any uninfected .COM file that it encounters. If the virus executes, it will display the message:

     DATACRIME VIRUS RELEASED: 1 MARCH 1989

and then do a low-level format on track zero. Since this is the boot area of the disk, the hard disk will be unbootable.

Detection of this virus is difficult because ASCII strings in the virus code are encrypted. Therefore, utilities that search files for particular ASCII strings are useless. There are two methods you can use to detect this virus. The first method is to check for a size increase of 1168 bytes in .COM files. Another possible method is to use VIRUSCAN* (see below), which should report the existence of this virus as well as several other viruses.

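
The size check described above, written out as an added example (it is not part of the CIAC notice). It assumes a baseline of .COM file sizes was recorded while the files were known to be good; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

VIRUS_GROWTH = 1168  # bytes the notice says are appended to an infected .COM file


def com_sizes(directory):
    """Map each .COM file name (upper-cased) in directory to its size in bytes."""
    return {e.name.upper(): e.stat().st_size
            for e in os.scandir(directory)
            if e.is_file() and e.name.upper().endswith(".COM")}


def compare_to_baseline(baseline, directory):
    """Return (suspect, changed, unknown) lists of .COM file names.

    suspect: grew by exactly VIRUS_GROWTH bytes since the baseline was taken
    changed: size differs by any other amount (needs a manual look)
    unknown: no baseline entry, so size alone proves nothing
    """
    suspect, changed, unknown = [], [], []
    for name, size in sorted(com_sizes(directory).items()):
        if name not in baseline:
            unknown.append(name)
        elif size - baseline[name] == VIRUS_GROWTH:
            suspect.append(name)
        elif size != baseline[name]:
            changed.append(name)
    return suspect, changed, unknown


def demo():
    """Run the check on constructed sample files (not real DOS programs)."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, nbytes):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"\x90" * nbytes)
        for name, nbytes in [("EDIT.COM", 4000), ("FORMAT.COM", 11000),
                             ("MORE.COM", 300)]:
            write(name, nbytes)
        baseline = com_sizes(d)                 # taken while files are known good
        write("EDIT.COM", 4000 + VIRUS_GROWTH)  # simulated growth of 1168 bytes
        write("FORMAT.COM", 11050)              # unrelated size change
        write("NEW.COM", 2000)                  # file added after the baseline
        return compare_to_baseline(baseline, d)


if __name__ == "__main__":
    print(demo())
```

A file in the "unknown" list has no recorded size to compare against, so it has to be checked against the original distribution copy instead.
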
If a machine is infected, users must copy over all infected .COM files using their original .COM files. This must be accomplished at one sitting to prevent re-infection. You should also examine backups to see if they are infected. You should repeat whatever detection method you decide to use every time you load a new .COM file or database into your PC or PC clone.

If the boot sector is destroyed, it can be restored with Disk Doctor, a utility in Norton Utilities Version 4.5 (Advanced Edition). Note that a restoration is possible only if the Disk Doctor utility had been previously run.

The DOE Center for Computer Security at Los Alamos has recently published a pamphlet, "Computer Viruses and the Personal Computer User" (CCS-89-03). CIAC recommends that you read and follow the excellent guidelines contained in this pamphlet.

Because VIRUSCAN is produced and distributed by a commercial developer, CIAC cannot at this time send copies of this software directly to you. To obtain a copy of VIRUSCAN, you need to send $15 with your name, address and phone number to:

     McAfee Associates
     4423 Cheeney St.
     Santa Clara, CA 95054
     Phone: (408) 988-3832

For further information contact David S. Brown at CIAC. David's phone is (415) 423-9878 or (FTS) 533-9878. He can also be reached at the CIAC number, (415) 422-8193 or (FTS) 532-8193. David's e-mail address is:

     brown@pantera.llnl.gov

* - The University of California neither endorses VIRUSCAN nor guarantees the effectiveness of this software package. CIAC will test this package in the near future to determine whether it provides adequate detection of the Columbus Day virus.