Columbus Day Virus: A Fact Sheet (22)

Sept. 22, 1989



Columbus Day Computer Virus

Several reports of a new computer virus recently have been published in the media and throughout the data processing community. This virus has been referred to as "Columbus Day," "Friday the 13th," as well as "Datacrime I" or "Datacrime II." It attacks IBM-compatible personal computers running the MS-DOS/PC-DOS operating system. If activated, the virus will destroy disk file directory information, making files and their contents inaccessible. The following information has been compiled by NIST, NCSC, and SEI from several sources and is being made available for system managers to use in taking precautionary measures.

NOTE: As with many viruses, there may be other, yet unidentified, variants with different characteristics. Therefore, this information is not guaranteed to be complete and accurate for all possible variants.

NAMES OF VIRUS: Columbus Day, Friday the 13th, Datacrime I/II

EFFECT: Performs a low-level format of cylinder zero of the hard disk on the target machine, thereby destroying the boot sector and File Allocation Table (FAT) information. Upon activation it may display a message similar to the following:

DATACRIME VIRUS RELEASED:1 MARCH 1989

TRIGGER: The virus is triggered by a system date 13 October or later. (Note that 13 October 1989 is a Friday.)

CHARACTERISTICS: Several characteristics have been identified:

1. The virus, depending on its variant, appends itself to .COM files (except for COMMAND.COM), increasing the .COM file by either 1168 or 1280 bytes. In addition, the Datacrime II variant can infect .EXE files, increasing their size by 1514 bytes.

2. The 1168 byte version contains the hex string EB00B40ECD21B4.

3. The 1280 byte version contains the hex string 00568DB43005CD21.

This virus reportedly was released on 1 March 1989 in Europe. It is unlikely that significant propagation could occur between the release date and mid-October; therefore, U.S. systems should be at a low risk for infection. If safe computing practices have been followed, the risk should be practically nil. However, managers believing their site may be at risk should consider taking precautionary measures, including one or more of the following actions:

1. Take full back-ups of all hard disks. If the disks are later found to have been infected and attacked by the virus, lost data can be recovered from the back-ups. Operating system and application software can be restored from original media. A full low-level disk format should be performed on the infected hard disk prior to restoration procedures.

2. Consider using a commercial utility that can assist in restoration of a disk directory and recovery of data. There are a number of such utilities on the market. Note that these utilities normally must be run prior to data loss to enable disk and file restoration.

3. Avoid setting the system date to 13 October or later until the systems have been checked for virus presence.

4. Attempt to determine if the virus is present in one or more files through one of the following techniques:

a. If original file sizes are known, check for increased sizes as noted above.

b. Use DEBUG or other utility to scan .COM and .EXE files for the characteristic hexadecimal strings noted earlier.

c. Copy all software to an isolated system and set the system date to 13 October or later and run several programs to see if the virus is triggered. If activation occurs, all other systems will require virus identification and removal.

d. Use a virus-detection tool to determine if this (or another) virus is present.
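As an added example (not part of the original fact sheet), the following Python checker applies techniques (a) and (b) above to .COM and .EXE files: it scans for the two characteristic hex strings and compares file sizes against known originals using the reported growth of 1168, 1280 or 1514 bytes. The sample files it builds are constructed and contain only the quoted byte strings, nothing else.

```python
"""Datacrime/Columbus Day checks: signature scan plus file-size comparison.

Added example, not from the fact sheet. It assumes only the hex strings and
byte deltas quoted in the sheet; the sample files below are constructed.
"""
import tempfile
from pathlib import Path

# Byte sequences listed in the CHARACTERISTICS section.
SIGNATURES = {
    "Datacrime 1168-byte variant": bytes.fromhex("EB00B40ECD21B4"),
    "Datacrime 1280-byte variant": bytes.fromhex("00568DB43005CD21"),
}
# Growth reported for infected .COM (1168/1280) and .EXE (1514) files.
SIZE_DELTAS = {1168, 1280, 1514}


def scan_bytes(data: bytes) -> list:
    """Names of every signature found anywhere in data (empty if none)."""
    return [name for name, sig in SIGNATURES.items() if sig in data]


def grew_by_known_delta(known_size: int, current_size: int) -> bool:
    """True if the file grew by exactly one of the reported deltas."""
    return (current_size - known_size) in SIZE_DELTAS


def scan_directory(root, known_sizes=None):
    """Scan .COM/.EXE files under root; return {FILENAME: [findings]}.

    known_sizes maps upper-case file names to original sizes, where known.
    """
    known_sizes = known_sizes or {}
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.upper() not in (".COM", ".EXE"):
            continue
        hits = scan_bytes(path.read_bytes())
        orig = known_sizes.get(path.name.upper())
        if orig is not None and grew_by_known_delta(orig, path.stat().st_size):
            hits.append("size grew by a reported infection delta")
        if hits:
            findings[path.name.upper()] = hits
    return findings


def build_sample_dir() -> str:
    """Constructed data: a 200-byte clean file and a file with a planted string."""
    root = tempfile.mkdtemp()
    (Path(root) / "CLEAN.COM").write_bytes(b"\xb4\x4c\xcd\x21" * 50)
    planted = b"\x90" * 100 + SIGNATURES["Datacrime 1168-byte variant"]
    (Path(root) / "SUSPECT.COM").write_bytes(planted.ljust(1368, b"\x00"))
    return root
```

A signature hit or a size delta alone is only an indicator; confirm with a second technique before removal, and scan from write-protected or known-clean media.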

Commercial products intended to detect or remove various computer viruses are available from several sources. However, these products are not formally reviewed or evaluated; thus, they are not listed here. The decision to use such products is the responsibility of each user or organization.