| Alias: | DATACRIME 1280, 1280 |
| Strain: | DATACRIME |
| detected when: | --- |
| where: | --- |
| Classification: | Link-virus (extending), direct action |
| Length: | .COM file: filelength increases by 1280 byte |
Preconditions | |
| Operating System(s): | MS-DOS |
| Version/Release: | 2.xx upward |
| Computer model(s): | IBM-PC, XT, AT and compatibles |
| Caroname: | DataCrime.1280 |
Attributes | |
| Easy identification: | --- |
Type of Infection: | System: no infection. .COM file: Link-virus, increases COM files by 1280 Byte. A .COM- File is recognized as being infected if the time entry of the last program modification shows the fol- lowing particularities: the last signi- ficant three bytes of the minutes are the same as the seconds. Bit 4,5 of the seconds will be set to zero. For example: (H=Hours, M=Minutes, S=Seconds) H H H H H M M M M M M S S S S S ? ? ? ? ? ? ? ? 1 0 1 ? ? ? ? ? will be changed to H H H H H M M M M M M S S S S S ? ? ? ? ? ? ? ? 1 0 1 0 0 1 0 1 .EXE file: no infection. |
| Infection Technique: | |
| Infection Trigger: | Every time the virus runs it looks for one other uninfected .COM- file using the DOS-func- tions Findfirst/Findnext in the current directory or any lower directory. If there is no file that can be infected the virus looks at the drive C: D: A: B: (in this order). |
| Storage Media affected: | |
| Interrupts hooked: | Int 24 (only when infecting a file) |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent Damage: the virus shows the message "DATACRIME VIRUS RELEASED: 1 MARCH 1989" then the first hard disk will be formatted (track 0, all heads). If formatting is finished the speaker will beep (endless loop). |
| Damage Trigger: | if the Clock device is October the 13th or later (any year). |
| Particularities: | 1. The message "DATACRIME... 1989" is encrypted. 2. The virus detects a hard disk if the segment of INT 41 is not zero. 3. Cause of a mistake in the code the virus will not use it's format buffer. 4. Cause of a missing segment override the INT24 can not be restored every time. 5. If the 7th letter of the programname is a 'D', the program will not be infected (e.g. COMMAND.COM). |
| Similarities: | The differences between Datacrime Ia and Ib are minimal. |
Agents | |
| Countermeasures: | --- |
| Standard means: | --- |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, FRG |
| Classification by: | Michael Reinschmiedt |
| Documentation by: | Michael Reinschmiedt |
| Date: | 14-Feb-1990 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg