Xref: utzoo alt.msdos.programmer:535 comp.binaries.ibm.pc.d:4867
Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!ingr!nijmeg!willemk
From: willemk@nijmeg.UUCP (willem kutschruiter)
Newsgroups: alt.msdos.programmer,comp.binaries.ibm.pc.d
Subject: Re: Friday the thirteenth virus
Message-ID: <2491@nijmeg.UUCP>
Date: 16 Oct 89 15:36:22 GMT
References: <1386@resource.Resource.COM> <8ZAvGiK00WB5MFOmtK@andrew.cmu.edu> <1989Oct13.150324.19152@sj.ate.slb.com>
Reply-To: willemk@nijmeg.UUCP (PUT YOUR NAME HERE)
Distribution: na
Organization: Intergraph European HQ, Nijmegen the Netherlands
Lines: 64

In article <1989Oct13.150324.19152@sj.ate.slb.com> poffen@sj.ate.slb.com (Russ Poffenberger) writes:
>Is anybody out there taking this Friday 13 virus seriously? Has anybody
>encountered it yet? What was the result?
>
>Just curious, it has been getting media hype the past couple of days, it was
>even on ABC news.
>
>Russ Poffenberger               DOMAIN: poffen@sj.ate.slb.com
>Schlumberger Technologies       UUCP:   {uunet,decwrl,amdahl}!sjsca4!poffen
>1601 Technology Drive		CIS:	72401,276
>San Jose, Ca. 95110
>(408)437-5254


The "DATACRIME I" virus is discovered in the Netherland firstime
somewhere in March 1989 on a BBS system.
There are two version speed out.
I do not know the difference between the versions.
I will breifly describe what it should do.
	- released on the 1st of March 1989
	- It will notify not when activated as follows
		- "DATACRIME VIRUS RELASED 1 MARCH 1989"
		- text is decoded in the program
	- It starts infecting other programs after the 1st of April
	- It infects on .COM files.
	- On and after Friday the 13th October it will format a couple
	  cylinders on the hard disk and destroy the FAT.

Due to the early discovery of the virus it did not spread out widely.
There was also a delete and detection program developed onder the name
" No-Crime"
Unfortunally the author of datacrime I got also a copy of this No-Crime program
and wrote an other virus called "DATACRIME II".

The difference between "I " and "II" are not that much.
Datacrime II starts a day earlier and is more complex so therefor more difficult
to detect.
Datacrime II infects  both .COM and .EXE files.
There is no starting date which kick off the infection.

Here are the signatures for the Datacrime virussen.
DATACRIME Ia	8b36010183ee038bc63d00007503e9fe00
DATACRIME Ib	8b36010183ee038bc63d00007503e90201

DATACRIME II	5e81ee030183fe00742a2e8a9403018dbc29018d8cea
		068d9c38012bcb

You can search your disk for the Hex strings to find out if you have an
an infected disk.

This is only interesting if you put back your system clock or if your 
system is not booted after the 12th of October.

Good Luck.
				Regards,


				Willem Kutschruiter.
				Intergraph EM B.V.
	 			P.O. Box 6552
				6503 GB Nijmegen, The Netherlands.
				Mp ingr!nijmeg!willemk

Hardware = software