Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath)
Newsgroups: comp.virus
Subject: Re: October 12/13 (PC)
Message-ID: <0009.8909281133.AA14331@ge.sei.cmu.edu>
Date: 26 Sep 89 19:07:49 GMT
Sender: Virus Discussion List 
Lines: 30
Approved: krvw@sei.cmu.edu

In article <0006.8909251230.AA29228@ge.sei.cmu.edu>
ttidca.TTI.COM!hollombe%sdcsvax@ucsd.edu (The Polymath) writes:
}}I'm the editor of our university's computing newsletter.  I need to
}}know how users can detect the October 12/13 virus ahead of time.  Is
}}there a way at all?  ...
}
}How about backing up the hard disk, then setting the system date ahead to
}October 13 and re-booting?

Since posting this, I've been advised that some viruses are designed
to detect and avoid this test.  They do so by keeping track of date
increments to make sure they occur one day at a time.  Typically, they
store a week's worth of dates, possibly more.

Assuming a one week buffer, you'd have to implement the sequence
"increment date, re-boot, run infected program" at least 8 times to
bypass such a check.

It's getting nasty out there.

}[Ed. Sounds (to me) kind of like testing to see if the mines in an
}inert minefield are "ert" by having someone walk through it. :-)]

I did say to back up the hard drive first.  That way you can resurrect
your mine tester if it happens to step on an "ert" mine. (-:

The Polymath (aka: Jerry Hollombe, hollombe@ttidca.tti.com)  Illegitimis non
Citicorp(+)TTI                                                 Carborundum
3100 Ocean Park Blvd.   (213) 452-9191, x2483
Santa Monica, CA  90405 {csun|philabs|psivax}!ttidca!hollombe