The VCL.Olympic virus received a lot of publicity at the beginning of
February 1994. This was caused by the Olympic-themed activation
routine of the virus, and by suspicions that the virus had
infected the computer systems of the 1994 Winter Olympics in
Lillehammer. Later checks did not find the virus in the
Lillehammer systems.

VCL.Olympic was written by the Swedish virus-writing group Immortal
Riot. This group is discussed more closely in another story in this
Update Bulletin.

VCL.Olympic is a normal COM file infector. The method the virus uses
to search for the next file to infect is not very efficient, though.
Once the virus has infected a large number of the files on the hard
disk, it might take half a minute for the virus to find a new victim
file. Such a slowdown is likely to make the virus easier to spot.

The virus activates at random after the 12th of February, the date on
which the 1994 Winter Olympics start. At the time of activation, the
virus draws the Olympic circles on the screen and displays some
comments on the Games. After this, it overwrites the first 256 sectors
of the first hard disk in the system. The virus also disables Ctrl-C
and Ctrl-Break during the destruction routine. Finally, it hangs the
machine.

When an infected file is executed, the virus first decrypts its code.
Then it starts to recursively search for suitable victim files,
starting from the root directory of the current drive.

When the virus finds a file to infect, it first checks its size to
make sure the added virus code will not grow the file over the size
limit of COM files, 64KB. Then it inspects the first bytes of the
candidate file to see whether it already contains a jump construct
similar to the one the virus is about to insert at the beginning of
the file. If such a structure is found, the virus considers the file
to be already infected and starts to search for another victim.

The virus does not check for the 'MZ' or 'ZM' markers to distinguish
EXE files. This means that the virus will corrupt EXE files that have
been renamed to have a COM extension. When such a corrupted file is
executed after infection, the virus will be able to spread further,
but is unable to transfer control back to the original program. In
most cases the machine will just crash.

The actual infection process consists of storing the original first
three bytes of the file at the end of the file and replacing them with
a jump to a decryption routine, which the virus also appends to the
end of the file. An encrypted version of the virus code is also stored
at the end of the file, before the decryption routine. The virus uses
a single pseudo-random variable key based on the infection time to
encrypt its code.

VCL.Olympic is able to infect files which have the DOS read-only
attribute turned on. It will also restore the date and time stamps of
the infected files. However, infected files grow in size by 1440
bytes, and this is visible in the directory listing. The virus has no
directory-stealth routines, since it does not stay resident.
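
The layout described above (a three-byte jump at the start of the file
pointing into 1440 bytes of appended code, and no check for 'MZ' or
'ZM' headers) suggests a simple triage heuristic for COM files. The
following Python sketch is an added example, not part of the original
description; it assumes the three-byte jump is a near JMP (opcode E9h
with a 16-bit displacement), and the function names and sample buffers
are constructed for illustration.

```python
import struct

VIRUS_GROWTH = 1440    # bytes added per infection, from the description above
COM_LOAD_BASE = 0x100  # DOS loads a COM image at offset 100h of its segment


def jump_target_offset(data: bytes):
    """File offset targeted by a leading near JMP (E9 rel16), else None."""
    if len(data) < 3 or data[0] != 0xE9:   # assumption: the jump is E9 rel16
        return None
    (rel,) = struct.unpack_from("<H", data, 1)
    ip = (COM_LOAD_BASE + 3 + rel) & 0xFFFF   # 16-bit IP wraps around
    return ip - COM_LOAD_BASE                 # negative: target is outside the file


def triage_com(data: bytes) -> list:
    """Heuristic findings for the contents of one file with a .COM extension."""
    findings = []
    if data[:2] in (b"MZ", b"ZM"):
        # EXE renamed to .COM: the virus skips this check and corrupts such files.
        findings.append("exe-header-in-com")
    target = jump_target_offset(data)
    tail_start = len(data) - VIRUS_GROWTH
    if target is not None and tail_start >= 3 and tail_start <= target < len(data):
        # Entry point jumps into the last 1440 bytes, where appended code would sit.
        findings.append("jump-into-appended-tail")
    return findings


# Constructed samples: filler bytes only, no virus code.
CLEAN = b"\xB4\x4C\xCD\x21" + bytes(196)                        # mov ah,4Ch / int 21h
JUMP_OVER_DATA = b"\xE9" + struct.pack("<H", 47) + bytes(2997)  # jumps to offset 50
TAIL_PATCHED = (b"\xE9" + struct.pack("<H", 1600 - 3)           # jumps to offset 1600
                + bytes(197) + bytes(VIRUS_GROWTH))             # 200-byte host + tail
RENAMED_EXE = b"MZ" + bytes(98)

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN), ("jump-over-data", JUMP_OVER_DATA),
                       ("tail-patched", TAIL_PATCHED), ("renamed-exe", RENAMED_EXE)]:
        print(f"{name:15} {len(blob):5} bytes  {triage_com(blob)}")
```

A hit only marks a file for closer inspection: any program whose entry
jump lands in its last 1440 bytes matches, so this is not an
identification of VCL.Olympic.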

VCL.Olympic has a one-in-ten chance to activate if the date is equal
to or greater than the 12th of February. The current year is not
tested, so the virus will activate in the future as well. If the virus
does not activate, it returns control to the original program.

A lot of the code resembles that of viruses generated by the VCL virus
generator, up to the point of the standard VCL-like note: a short
message at the end of the virus, which is not displayed at all. In
this virus, the note text reads: "Olympic Aid(s) '94 (c) The
Penetrate". This virus is probably based on VCL-created code, and has
just been modified to avoid detection by some of the most popular
scanners.