ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ 4096 virus ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Synonyms: Century Virus, IDF Virus, Stealth Virus, 100 Years Virus Date of Origin: January, 1990. Host Machine: PC compatibles. Increase in Size of Infected Files: 4096 bytes. Nature of Damage: Remains resident. Infects COMMAND.COM, COM, EXE, overlay files. Detected by: Scanv53+, F-Prot, IBM Scan, Pro-Scan. Removed by: CleanUp, Scan/D, F-Prot. See below. This virus is one of the most brutal ever developed, and no one seems to successfully recover from it. It infects COM, EXE, and overlay files, adding 4,096 bytes to their length. Once the virus is resident in memory, the increase in length will not appear in a directory listing, and it will infect any executable file that is opened, including those opened with the COPY or XCOPY command. Through FAT manipulation, the virus destroys files through a slow crosslinking process that would seem to be a hardware problem. If the virus is present in memory and you attempt to copy infected files, the new copy of the file will not be infected if the extension is neither COM nor EXE. Thus, one way to disinfect a system is as follows: * copy all the infected files to diskettes with a non-executable file extension. For instance, you might COPY *.EXE *.E and COPY *.COM *.C. * Shut the system off. Reboot from an uninfected and write-protected disk. * Delete any infected files and restore the backed up files to the original executable file names and extensions. (COPY *.C *.COM; COPY *.E *.EXE) This procedure will not save any cross-linked files, however. Some notes: * Systems infected with this virus may hang after September 22 of any year, due to a bug. This is the birthday of Bilbo and Frodo Baggin, in the Lord of the Rings. * The virus contains an unused boot sector, which if copied to the boot sector of a diskette, will produce the message "FRODO LIVES". ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253