|Place of Origin||Netherlands?|
|File Type(s)||.com, .exe*|
|Infection Length||1168 Bytes|
Datacrime is a file infecting virus from early 1989. It caused a great deal of hysteria that year, but ended up causing very little if any damage. It overwrites parts of the hard disk and displays a message.
Datacrime is introduced to a computer when an infected file is transferred to it and executed. When an infected file is executed, it searches available disks in the order C:, D:, A:, B: for .com files. It avoids any file which has the letter "D" as its seventh letter, probably as a measure to avoid infecting COMMAND.COM. The virus infects one .com file in a current directory each time it is executed.
The virus replaces the first three bytes of the target program's code with its own code pointing to the virus body, which appends itself to the end of the file. The original three bytes of the program are stored in the virus body.
If an infected file is run on or after October 13, the virus displays the encrypted text: "DATACRIME VIRUS' 'RELEASED: 1 MARCH 1989". It then formats the first 9 tracks of the hard drive. The formatting function contains several bugs.
Variants of Datacrime differ very little from the original. The first variant of the virus, Datacrime.1280, was only a few bytes longer than the original.
This virus is 1,480 bytes long and can infect .exe files. It replaces the original message with "DATACRIME II VIRUS". Only the first 42 bytes are left unencrypted and the message is separately encrypted. The bugs in the formatting function have been fixed.
This version is 1,514 bytes long and mostly similar to Datacrime.II. The first 56 bytes of the virus are encrypted and the message encryption is not separate from the rest of the virus. The message has been changed to "* DATACRIME II VIRUS *".
Datacrime was one of the early viruses that received a significant deal of media hype, similar to Michelangelo. It started in March of 1989 when a man by the name of "Fred Vogel" (reportedly a common name in the Netherlands) reported the virus to a researcher in Britain. Fred Vogel knew the name was Datacrime and believed it might trigger on the 13th of the following month.
The virus was disassembled to examine its inner workings and a write-up was published. It was determined that the virus would not spread very far because it could not become memory resident. This write-up was republished in several magazines and newspapers, and was distorted and embellished in some of them. Many reported the virus trigger date as October 12 and named it the "Columbus Day virus" and a few even suggested that it had been coded by angry Norwegians who thought that the recognition for discovering America should go to their own Erik Thorvaldsson.
There was enough hype over the virus that a Datacrime detecting program was distributed in the Netherlands from Dutch police stations for about 1 US dollar. That program was defective, producing many false positives, and had to be recalled for a second version. This, in addition to the long lines outside of Dutch police stations added to the hysteria over the virus. No one was certain if anyone really had the virus.
Fear of this virus was a small factor in IBM's decision to release its antivirus program, which had previously been only for the company's internal use. In addition, the much more prevalent Jerusalem virus was set to trigger on the same day as Datacrime, and the company decided that it would be bad for public relations if a great deal of data was destroyed on one day.
The creators of the virus obviously intended "Datacrime" to be the name of the virus. That was the name that was used by nearly all antivirus products. "Columbus Day" was used by some magazines and newspapers because of the alleged trigger date, but no antivirus product uses this name.
- AhnLab: Datacrime.1168
- Avast: Datacrime-1168
- BitDefender: DataCrime.1168.A
- ClamAV: Datacrime-1168
- F-Prot: DataCrime.1168.A
- F-Secure: Virus.DOS.Datacrime.1168.a
- Kaspersky: Virus.DOS.Datacrime.1168.a
- Microsoft: Virus:DOS/Datacrime_1168.A
- Panda: DataCrime.1168.A
- Sophos: Datacrime-1168
- Symantec: DataCrime.1168 (1)
- TrendMicro: DATACRIME
Michael Reinschmiedt, University of Hamburg, Virus Test Center. Reports collected and collated by PC-Virus Index, DATACRIME SERIES. 1990.02.14
Kaspersky Antivirus. Viruslist.com, Virus.DOS.Datacrime.1168.a.
F-Secure Antivirus, F-Secure Virus Descriptions : DataCrime.
Dr. Alan Solomon. A Brief History of PC Viruses. Dr. Solomon: 1989 - Datacrime.