Virus Name: DataLock
Aliases: DataLock 1.00, V920, DataLock-1043
V Status: Common
Discovered: November, 1990
Symptoms: .EXE & COMMAND.COM file growth; decrease in system and
available memory; file date/time changes; "out of file
Origin: United States
Eff Length: 920 bytes
Type Code: PRtEK - Parasitic Resident .EXE and COMMAND.COM Infector
Detection Method: ViruScan, AVTK, F-Prot, NAV, Sweep,
IBMAV, NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: Delete infected files
The DataLock, or V920, virus was isolated in many locations in the
United States starting on November 1, 1990. This virus is a generic
memory resident infector of .EXE files, but it will also infect
COMMAND.COM if it is executed.
The first time a program infected with the DataLock virus is
executed, the virus will install itself memory resident at the top
of free memory, but below the 640K DOS boundary. Infected systems
will find that total system memory and available free memory will be
2,048 bytes less than is expected. Interrupt 21 will be hooked by
After the virus is memory resident, any .EXE file that is executed
will be infected by the virus. Infected files will have a file
length increase of 920 bytes, and their date/time indicated in the
disk directory will have been changed to the system date and time
when the infection occurred. The virus is located at the end of
infected files. The following text, indicating the virus's name, can
be found at the end of all infected files:
"DataLock version 1.00"
DataLock activates after August, 1990. After this date, if DataLock
is memory resident, it will prevent the user from opening files
which have an extension ending with "BF". Attempts to open these
files, such as .DBF files, will result in an "out of file handles"
Known variant(s) of DataLock are:
DataLock-828: This variant of DataLock is a minor variant of the
original DataLock virus. It infects .EXE files as well as
COMMAND.COM when they are executed. Infected programs
increase in size by 828 to 1,048 bytes with the first
infection, and 828 bytes with each reinfection of the file.
This variant of DataLock will also add up to approximately
256 bytes to .COM files other than COMMAND.COM, though it
does not infect them. These altered .COM files will have
their file date and time in the DOS disk directory listing
updated to the current system date and time when they were
altered. One text string can be found at the very end of
all infected files:
Origin: Calgary, Ontario, Canada October, 1993.
DataLock-1043: This variant is a "bug-fixed" version of the
original DataLock virus. It was isolated in the Washington
DC/Virginia area of the United States by Brian Seborg in
May, 1992. DataLock-1043 infects .COM and .EXE programs
over 9K in size when they are executed or opened while the
virus is memory resident. Infected .COM programs will have
a file length increase of 1,043 bytes with the virus being
located at the end of the file. Infected .EXE programs
will have a file length increase of 1,043 bytes with the
first infection of the file, and an additional 1,043 bytes
with each reinfection of the file. The virus will not
spread from .EXE files due to a bug in this variant. The
text string found in the original virus has been
removed. DataLock-1043 is destructive. It activates after
being memory resident for one hour. At that time, it will
overwrite drives A:, B:, and the second physical hard disk
if it exists.
Origin: USA April, 1992.
DataLock-1740: DataLock-1740 is a later variant of the original
DataLock virus. DataLock-1740 infects .COM and .EXE programs
when they are executed while the virus is memory resident.
Infected programs will have a file length increase of 1,740
bytes with the virus being located at the end of the file.
The file length increase, however, will not be visible within
the DOS disk directory listing when the virus is memory
resident. The text strings visible within the viral code in
all DataLock-1740 infected files are:
"Hacker: NGUYEN HIEU VINH"
"22 / 1A Truong Quoc Dung"
"Phuong 10 Quan Ph Nhuan"
"Thank Pho Ho Chi Minh"
"South of Viet Nam"
Programs infected with this virus will have the file date and
time in the DOS disk directory listing set to
"08-08-88 8:08a". The DOS CHKDSK program will return file
allocation errors on all infected files when DataLock-1740 is
Origin: Viet Nam November, 1993.
DataLock-D: This variant of DataLock is a minor variant of the
original DataLock virus. Like the original virus, it adds
920 bytes to the .EXE files it infects. It will also
infect COMMAND.COM if it is executed, but not other .COM
programs. There are 10 bytes which differ from the original
virus. Unlike the original virus, it will reinfect memory
each time an infected program is executed.
Origin: Unknown May, 1992.