Path: utzoo!yunexus!lethe!torsqnt!jarvis.csri.toronto.edu!mailrus!wuarchive!udel!haven!mimsy!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: frisk@rhi.hi.is (Fridrik Skulason)
Newsgroups: comp.virus
Subject: Ohio vs. Den Zuk (PC)
Message-ID: <0002.8911161543.AA03334@ge.sei.cmu.edu>
Date: 13 Nov 89 11:54:52 GMT
Article-I.D.: ge.0002.8911161543.AA03334
Sender: Virus Discussion List
Lines: 75
Approved: krvw@sei.cmu.edu

It is obvious that the "Den Zuk" and "Ohio" viruses are somehow related, but
the nature of their relationship has not been determined yet. "Ohio" was
reported later, but there is a possibility that it is older than "Den Zuk".

I said in an earlier note that a diskette infected with Ohio would be immune
to infections by Brain and Den Zuk. This is not entirely correct. The
diskette will be immune to infections by Brain, but when Den Zuk finds an
"Ohio"-infected diskette, it will remove the virus and put a copy of itself
there instead.

As I have mentioned before, the "Ohio" virus contains the signature of the
"Den Zuk", but it also contains some interesting text strings:

        V I R U S
        b y
        The Hackers
        Y C 1 E R P
        D E N Z U K O
        Bandung 40254
        Indonesia
        (C) 1988, The Hackers Team....

Remember that Den Zuk puts the volume label Y.C.1.E.R.P on Brain-infected
diskettes, when it removes the infection. (And yes, by the way, both viruses
only infect diskettes, not hard disks).

The "Den Zuk" virus contains the following text strings:

        Welcome to the C l u b
        --The HackerS--
        Hackin' All The Time
        The HackerS

On a more technical level, the viruses are very close. Both store the main
part of the virus on track 40, starting at sector 33. (Remember that normal
360K diskettes have only tracks numbered 0..39 and sectors 1..9.) They also
hook INT 9, take action when Ctrl-Alt-Del is pressed, and in both cases a
true reboot can be produced by pressing Ctrl-Alt-F5.
And of course - the "Ohio" virus has the same "bug" as "Den Zuk" - it cannot
infect other types of diskettes than 360K properly.

A part of the "Den Zuk" virus may explain the relationship. The following
code fragment is used to determine if a diskette should be infected or not.

        CMP  [SIGN1],537CH      ; Is current diskette infected
                                ; with this version of Den Zuk ?
        JE   BP0300             ; Yes, do not infect.
        CMP  [SIGN2],0FAFAH     ; No, but is it infected with
                                ; (probably) an older version ?
        JE   BP0280             ; Yes, update the virus.
        CMP  [SIGN3],1234H      ; No, but is it infected with Brain ?
        JNE  BP0290             ; No, just infect.
                                ; Yes (fall through), remove it.

"Ohio" contains the signature FAFA in the specified location.

My theory is that the "Ohio" virus is the missing "older version" of "Den
Zuk", that it was written by the same authors as "Den Zuk", but earlier. The
authors of Ohio released it to fight the Brain virus, but since it contained a
number of bugs, the "Den Zuk" virus was later released to track it down.

One final question. I understand that a variant of Dutch is spoken in some
parts of Indonesia - do the words "Den Zuk" mean anything over there ?

-frisk
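The decision tree in the quoted fragment is, from a defender's side, a small signature-based classifier: three marker words tell Den Zuk whether a boot sector is already its own, an older relative (Ohio), a Brain infection, or clean. The following Python is an added example written for this page, not code from the post or from any of the viruses; it mirrors that branch order over a 512-byte boot sector read from a diskette image. The marker values 537Ch, 0FAFAh and 1234h come from the fragment, but the post does not give the addresses of SIGN1, SIGN2 and SIGN3, so the offsets used here (SIGN1_OFF, SIGN2_OFF, SIGN3_OFF) are assumptions chosen for illustration, and the sample sectors are constructed in the code.

```python
import struct

SECTOR_SIZE = 512

# ASSUMED offsets within the boot sector (hypothetical; the post does not
# give the real SIGN1/SIGN2/SIGN3 addresses). Each marker is a 16-bit word.
SIGN1_OFF = 0x1FC   # current Den Zuk version marker, expected 537Ch
SIGN2_OFF = 0x1FA   # "older version" marker, expected 0FAFAh (Ohio has this)
SIGN3_OFF = 0x004   # Brain marker, expected 1234h

# Marker values exactly as in the quoted fragment.
DEN_ZUK_CURRENT = 0x537C
DEN_ZUK_OLD = 0xFAFA
BRAIN = 0x1234


def word_at(sector: bytes, offset: int) -> int:
    """Little-endian 16-bit word at the given offset, as the CMP reads it."""
    return struct.unpack_from("<H", sector, offset)[0]


def classify_boot_sector(sector: bytes) -> str:
    """Follow the fragment's branches in order and name the outcome.

    The order matters: a sector carrying several markers is judged by the
    first test that matches, exactly as the CMP/JE chain does.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    if word_at(sector, SIGN1_OFF) == DEN_ZUK_CURRENT:
        return "den_zuk_current"      # JE BP0300: left alone
    if word_at(sector, SIGN2_OFF) == DEN_ZUK_OLD:
        return "den_zuk_old_or_ohio"  # JE BP0280: would be "updated"
    if word_at(sector, SIGN3_OFF) == BRAIN:
        return "brain"                # falls through: removed, then replaced
    return "clean"                    # JNE BP0290: plain infection target


def make_sector(sign1=None, sign2=None, sign3=None) -> bytes:
    """Construct a sample boot sector: zeros plus the 55AA boot signature,
    with whichever marker words the caller asks for (constructed test data)."""
    buf = bytearray(SECTOR_SIZE)
    buf[0x1FE:0x200] = b"\x55\xAA"
    for offset, value in ((SIGN1_OFF, sign1), (SIGN2_OFF, sign2), (SIGN3_OFF, sign3)):
        if value is not None:
            struct.pack_into("<H", buf, offset, value)
    return bytes(buf)


def scan_image(image: bytes) -> str:
    """Classify the first sector of a raw diskette image (sector 0 = boot sector)."""
    return classify_boot_sector(image[:SECTOR_SIZE])


if __name__ == "__main__":
    # Constructed images: the boot sector followed by a few empty sectors.
    samples = {
        "clean":  make_sector() + bytes(SECTOR_SIZE * 3),
        "brain":  make_sector(sign3=BRAIN) + bytes(SECTOR_SIZE * 3),
        "ohio":   make_sector(sign2=DEN_ZUK_OLD) + bytes(SECTOR_SIZE * 3),
        "denzuk": make_sector(sign1=DEN_ZUK_CURRENT) + bytes(SECTOR_SIZE * 3),
    }
    for name, image in samples.items():
        print(f"{name:7s} -> {scan_image(image)}")
```

Two things the check makes visible: a marker word alone is a weak identifier (any diskette that happens to carry 0FAFAh at the assumed offset would be taken for an old Den Zuk), and the order of the tests is what makes Den Zuk overwrite Ohio rather than leave it, which is the behaviour the post corrects itself on.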