This is an update to my previous report dated September 6, 1989 on the DATACRIME Virus. Since my previous report, this virus has become very visible in the public eye. Many articles have been written, and many misunderstandings may have occurred. Hopefully this report can clear up any misconceptions regarding this virus.

The virus WILL format cylinder 0 of a hard disk on or after October 13, NOT October 12, as many articles have reported.

The Norton Utilities supposedly can spot the existence of this virus on a hard disk; instructions follow this report. The program "Viruscan" also supposedly can find this virus as well. I have run the Norton Utilities on my hard disk, and it does not seem to be infected. I do not have a copy of the virus to test whether the Norton Utilities solution or Viruscan actually do work. I am currently in the process of acquiring a copy of Viruscan.

The virus seems not to be very widespread...less than 50 occurrences of the virus have been noted in Europe and only 7 have been reported in the United States. (This information is current as of September 11, 1989).

No mention has been made of the DATACRIME II virus within the past week in the VIRUS-L distribution list. If you remember, this one is the virus which supposedly affects both .COM and .EXE files. All the information in this follow-up report is centering on the Datacrime Version 1 (1168) and the Datacrime Version 2 (1280) viruses.

The Department of Energy's Lawrence Livermore Laboratories' Computer Incident Advisory Capability (CIAC) concurs with the fact that VIRUSCAN may be a possible method of detecting this virus on a PC. CIAC also mentions that if track zero (the boot sector) of the hard disk is destroyed by the virus, it can be restored using Norton Utilities Version 4.5 Disk Doctor program IF the Disk Doctor program was previously run on the infected machine.

We in Reston are preparing to evaluate "Port of Entry" as a potential anti-virus capability.
This program is advertised as being able to detect the existence of Datacrime and other viruses within a computer system. If found appropriate, this product will be sent out as soon as possible to the TMIS site offices.

Karen Pichnarczyk

Directions for checking for the existence of the Datacrime 1168 and Datacrime 1280 viruses using Norton Utilities:

1. Type NU to run the Norton Utilities program from the DOS prompt.
2. Type E to Explore Disk from the Main Menu.
3. Type S to Search item/disk for data from the Explore Disk menu.
4. Type W for Where to search from the Search item/disk for data Menu.
5. Type A for All of DOS disk from the Where to Search Menu.
6. Type T for Text to search for from the Search item/disk for data menu.
7. Hit the TAB key to put you in the window to search data, in hexadecimal format.
8A. To search for the 1168 virus, type: (no spaces)
       EB 00 B4 0E CD 21 B4
    then hit the RETURN key.
8B. To search for the 1280 virus, type: (no spaces)
       00 56 8D B4 30 05 CD 21
    then hit the RETURN key.
    (you can only do 8A or 8B by itself, to check for one virus at a time)
9. Type S to start search from the Search item/disk for data Menu. I searched a 20MG hard drive in about 15 minutes.
10. When the search is over, the computer will either place you directly at the "Search item/disk for Data" menu or prompt for a keystroke to return to this menu.
11. If the highlighted text is "(display found text)" you have the specified virus on your hard disk. CONTACT SECURITY PERSONNEL IMMEDIATELY. Do NOT touch another key on this machine.
    If the highlighted text is "Leave search" then you do not have the specified virus on your hard disk. You may either continue from step 6 or type an "L" to Leave the Search.
12. To back out of the Norton Utilities, type an R to the "Explore Disk Menu".
13. To finish backing out of the Utilities, type a Q to Quit the Norton Utilities from the Main Menu.
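
The same byte-string search as steps 8A and 8B, written as a script that checks for both strings in one pass over a file or disk image. This is an added example, not part of the original report; the function names, chunk size and sample data are assumptions made for illustration, and only the two hex strings come from the report.

```python
import io
import sys

# Hex search strings from steps 8A and 8B of the report.
SIGNATURES = {
    "Datacrime 1168": bytes.fromhex("EB00B40ECD21B4"),
    "Datacrime 1280": bytes.fromhex("00568DB43005CD21"),
}

def scan_stream(stream, chunk_size=64 * 1024):
    """Return {name: [absolute offsets]} for each search string in a binary stream."""
    overlap = max(len(sig) for sig in SIGNATURES.values()) - 1
    hits = {name: [] for name in SIGNATURES}
    tail, base = b"", 0  # base = absolute offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf = tail + chunk  # carry the previous tail so boundary-spanning strings match
        for name, sig in SIGNATURES.items():
            pos = buf.find(sig)
            while pos != -1:
                offset = base + pos
                # A string lying wholly inside the carried tail was already reported.
                if not hits[name] or offset > hits[name][-1]:
                    hits[name].append(offset)
                pos = buf.find(sig, pos + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)
    return hits

def build_sample():
    """Constructed test data: 0xFF filler with both strings planted; not virus code."""
    data = bytearray(b"\xff" * 300)
    data[13:20] = SIGNATURES["Datacrime 1168"]   # spans a 16-byte chunk boundary
    data[200:208] = SIGNATURES["Datacrime 1280"]
    return bytes(data)

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan a file or disk image given on the command line
        with open(sys.argv[1], "rb") as f:
            result = scan_stream(f)
    else:                          # no argument: scan the constructed sample
        result = scan_stream(io.BytesIO(build_sample()), chunk_size=16)
    for name, offsets in result.items():
        print(name, "found at", offsets if offsets else "no offsets (not found)")
```

A hit shows only that the byte string is present at that offset; as in step 11, it is a reason to stop and escalate rather than proof of infection.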