VCL.Olympic -virus received a lot of publicity in the beginning of February, 1994. This was caused by the Olympic-theme activation routine of the virus, and the suspicions that the virus had infected the computer systems of the 1994 Winter Olympics in Lillehammer. In later checks this virus was not found in Lillehammer systems.
Disinfection & Removal
VCL.Olympic is written by a Swedish virus writing group Immortal Riot. This group is discussed more closely in another story in this Update Bulletin.
The VCL.Olympic is a normal COM file infector. The method used by the virus to search for the next file to be infected is not very efficient, though. Once the virus has infected a large number of the files on the hard disk, it might take half a minute for the virus to find a new victim file. Such a slowdown is likely to make the virus easier to spot.
The virus activates by random after the 12th of February - the 1994 Winter Olympics start on this date. At the time of activation, the virus draws the Olympic circles to the screen and displays some comments the Games. After this, it overwrites the first 256 sectors of the first hard disk in system. The virus also disables Ctrl-C and Ctrl- Break during the destruction routine. Finally, the machine is hanged. When an infected file is executed, the virus first decrypts its code. Then it starts to recursively search for suitable victim files, starting from the root directory of the current drive.
When the virus finds a file to infect, it first checks it's size to make sure the added virus code will not grow the file over the size limit of COM files, 64KB. Then it inspects the first bytes of the candidate file to see if it already contains a similar jump construct that the virus is about to insert to the beginning of file. If such structure is found, the virus considers the file to be already infected and starts to search for another victim.
The virus does not check for the 'MZ' or 'ZM' markers to distinguish EXE files. This means that the virus will corrupt EXE files that have been renamed to have a COM extension. When such a corrupted file is executed after infection, the virus will be able to spread further, but is unable to transfer control back to the original program. In most cases the machine will just crash.
The actual infection process consists of storing the original first three bytes of the file to the end of the file and replacing them with a jump to a decryption routine, which the virus also appends to the end of the file. An encrypted version of the virus code is also stored to the end of the file, before the decryption routine. The virus uses a single pseudo-random variable key based on the infection time to encrypt it's code.
VCL.Olympic is able to infect files which have the DOS read-only attribute turned on. It will also restore the date and time stamps of the infected files. However, infected files grow in size by 1440 bytes, and this is visible in the directory listing. The virus has no directory-stealth routines, since it does not stay resident.
VCL.Olympic has a one-in-ten chance to activate if the date is equal to or greater than the 12th of February. The current year is not tested, so the virus will activate in the future as well. If the virus does not activate, it will return the control back to the original program.
A lot of the code resembles the viruses generated by the VCL virus generator, up to the point of the standard VCL-like note; a short message in the end of the virus, which is not displayed at all. In this virus, the note text reads: "Olympic Aid(s) '94 (c) The Penetrate". This virus is probably based on VCL-created code, and has just been modified to avoid detection by some of the most popular scanners.