Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!ginosko!usc!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: RADAI1%HBUNOS.BITNET@VMA.CC.CMU.EDU (Y. Radai)
Newsgroups: comp.virus
Subject: The DataCrime viruses (PC)
Message-ID: <0003.8910051947.AA15786@ge.sei.cmu.edu>
Date: 5 Oct 89 15:13:10 GMT
Sender: Virus Discussion List
Lines: 24
Approved: krvw@sei.cmu.edu

In August, Alan Roberts, David Chess, and Kelly Goen discussed the DataCrime II virus on VIRUS-L, but only from one point of view: that it's encrypted and that the decryption code includes a routine which prevents looking at the code with a single-step utility. Unless I missed something, none of them thought of telling us anything else concerning how DC-2 differs from the original DC.

Much later, however, we did learn several additional differences, for example:

(1) DC-2 infects EXE as well as COM files.
(2) It increases file size by 1514 bytes.
(3) Whereas DC avoids infecting COM files whose 7th letter is "D" (thus avoiding infection of COMMAND.COM), DC-2 avoids infecting COM files whose 2nd letter is "B" (presumably so as not to infect IBMBIO.COM and IBMDOS.COM).

So far, so good. But I have since discovered that there was one very important difference which (again, assuming that I haven't missed anything) was not mentioned by anyone on the List: Whereas DC performs its damage (low-level format of cylinder 0 of the hard disk) on any day between Oct 13 and Dec 31 of any year, DC-2 does it on any day between Jan 1 and Oct 12, except on Sundays!

Y. Radai
Hebrew Univ. of Jerusalem