DataLock Virus
Virus Name: DataLock
Aliases: DataLock 1.00, V920, DataLock-1043
V Status: Common
Discovered: November, 1990
Symptoms: .EXE & COMMAND.COM file growth; decrease in system and
available memory; file date/time changes; "out of file
handles" errors
Origin: United States
Eff Length: 920 bytes
Type Code: PRtEK - Parasitic Resident .EXE and COMMAND.COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The DataLock, or V920, virus was isolated in many locations in the
United States starting on November 1, 1990. This virus is a generic
memory resident infector of .EXE files, but it will also infect
COMMAND.COM if it is executed.
The first time a program infected with the DataLock virus is
executed, the virus will install itself memory resident at the top
of free memory, but below the 640K DOS boundary. On infected systems,
total system memory and available free memory will be 2,048 bytes
less than expected. Interrupt 21 will be hooked by the virus.
After the virus is memory resident, any .EXE file that is executed
will be infected by the virus. Infected files will have a file
length increase of 920 bytes, and their date/time indicated in the
disk directory will have been changed to the system date and time
when the infection occurred. The virus is located at the end of
infected files. The following text, indicating the virus's name, can
be found at the end of all infected files:
"DataLock version 1.00"
DataLock activates after August, 1990. After this date, if DataLock
is memory resident, it will prevent the user from opening files
which have an extension ending with "BF". Attempts to open these
files, such as .DBF files, will result in an "out of file handles"
error.
Known variant(s) of DataLock are:
DataLock-828: A minor variant of the original DataLock virus.
It infects .EXE files as well as
COMMAND.COM when they are executed. Infected programs
increase in size by 828 to 1,048 bytes with the first
infection, and 828 bytes with each reinfection of the file.
This variant of DataLock will also add up to approximately
256 bytes to .COM files other than COMMAND.COM, though it
does not infect them. These altered .COM files will have
their file date and time in the DOS disk directory listing
updated to the current system date and time when they were
altered. One text string can be found at the very end of
all infected files:
"*10-03(HM)*"
Origin: Calgary, Ontario, Canada October, 1993.
DataLock-1043: This variant is a "bug-fixed" version of the
original DataLock virus. It was isolated in the Washington
DC/Virginia area of the United States by Brian Seborg in
May, 1992. DataLock-1043 infects .COM and .EXE programs
over 9K in size when they are executed or opened while the
virus is memory resident. Infected .COM programs will have
a file length increase of 1,043 bytes with the virus being
located at the end of the file. Infected .EXE programs
will have a file length increase of 1,043 bytes with the
first infection of the file, and an additional 1,043 bytes
with each reinfection of the file. The virus will not
spread from .EXE files due to a bug in this variant. The
text string found in the original virus has been
removed. DataLock-1043 is destructive. It activates after
being memory resident for one hour. At that time, it will
overwrite drives A:, B:, and the second physical hard disk
if it exists.
Origin: USA April, 1992.
DataLock-1740: DataLock-1740 is a later variant of the original
DataLock virus. DataLock-1740 infects .COM and .EXE programs
when they are executed while the virus is memory resident.
Infected programs will have a file length increase of 1,740
bytes with the virus being located at the end of the file.
The file length increase, however, will not be visible within
the DOS disk directory listing when the virus is memory
resident. The text strings visible within the viral code in
all DataLock-1740 infected files are:
"Hacker: NGUYEN HIEU VINH"
"22 / 1A Truong Quoc Dung"
"Phuong 10 Quan Ph Nhuan"
"Thank Pho Ho Chi Minh"
"South of Viet Nam"
Programs infected with this virus will have the file date and
time in the DOS disk directory listing set to
"08-08-88 8:08a". The DOS CHKDSK program will return file
allocation errors on all infected files when DataLock-1740 is
memory resident.
Origin: Viet Nam November, 1993.
DataLock-D: A minor variant of the original DataLock virus.
Like the original virus, it adds
920 bytes to the .EXE files it infects. It will also
infect COMMAND.COM if it is executed, but not other .COM
programs. There are 10 bytes which differ from the original
virus. Unlike the original virus, it will reinfect memory
each time an infected program is executed.
Origin: Unknown May, 1992.
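
Added example (not part of the original entry): a Python check that looks for the marker strings quoted above in the tail of .EXE and .COM files and for the DataLock-1740 file time. The function names, the tail-window sizes and the sample files are assumptions of this example. DataLock-1043 is not covered because the entry says its text string was removed.

```python
import os, tempfile, time
from datetime import datetime
from pathlib import Path

# variant -> (marker string quoted in the entry, largest file growth in bytes it lists)
SIGNS = {
    "DataLock": (b"DataLock version 1.00", 920),
    "DataLock-828": (b"*10-03(HM)*", 1048),
    "DataLock-1740": (b"Hacker: NGUYEN HIEU VINH", 1740),
}
STAMP_1740 = (1988, 8, 8, 8, 8)  # "08-08-88 8:08a" from the DataLock-1740 description

def scan_file(path):
    """Return the indicators from the entry that match one file."""
    path, hits = Path(path), []
    st = path.stat()
    with path.open("rb") as fh:
        for variant, (marker, growth) in SIGNS.items():
            # Assumption: the viral code sits at the end, so only the tail is searched.
            fh.seek(max(0, st.st_size - growth))
            if marker in fh.read(growth):
                hits.append(f"{variant}: marker in last {growth} bytes")
    m = datetime.fromtimestamp(st.st_mtime)  # local time, as DOS directory times are
    if (m.year, m.month, m.day, m.hour, m.minute) == STAMP_1740:
        hits.append("DataLock-1740: file time 08-08-88 8:08a")
    return hits

def scan_tree(root, exts=(".exe", ".com")):
    """Scan .EXE/.COM files under root; return {file name: [indicators]}."""
    found = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in exts:
            hits = scan_file(p)
            if hits:
                found[p.name] = hits
    return found

def demo():
    """Constructed files: padding plus a marker string, no viral code."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "CLEAN.EXE").write_bytes(b"MZ" + bytes(4000))
        (d / "A.EXE").write_bytes(b"MZ" + bytes(4000) + b"DataLock version 1.00")
        b = d / "B.COM"
        b.write_bytes(bytes(3000) + b"Hacker: NGUYEN HIEU VINH" + bytes(500))
        t = time.mktime((1988, 8, 8, 8, 8, 0, 0, 0, -1))
        os.utime(b, (t, t))
        return scan_tree(d)
```

Run scan_tree() against a mounted disk image or a restored backup rather than a live DOS system, since the entry notes that DataLock-1740 hides the file length increase while it is memory resident.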