4K (computer virus)

From Wikipedia, the free encyclopedia

4K
Common name: 4K
Technical name: 4K
Aliases: Frodo, IDF, Israeli Defence
Family: N/A
Classification: Virus
Type: DOS
Subtype: COM, EXE
Isolation: 1990
Point of isolation: Unknown
Point of origin: Unknown
Author(s): Unknown

4K is a computer virus which infects COM files and EXE files. The virus was one of the first to employ stealth tactics. Infected systems will hang, displaying the message "Frodo Lives", on 22 September, which is also the date of birth of Bilbo Baggins, a character from The Lord of the Rings.


External links

First appeared in 1989.

The first U.S. specimen was contracted in Dallas, TX and quarantined with verification given by antivirus professionals. Reporters and TV crews recorded this in the local area news in August 1990. Its trail led from Dallas to New York via a professional at a software firm creating software for lawyers. Virus firms had been tracking it previously in London a month or two before getting calls from New York. No specimens were quarantined or properly recorded in New York.

The virus did not state FRODO LIVES, as indicated, mainly due to changes in newer versions of DOS and BIOS, but the systems did "hang up" while booting after Sept 22 until the end of the calendar year. Reports to McAfee antivirus and Vi-Spy antivirus firms resulted in only one product properly detecting the virus, Vi-Spy. Raymond Glath of Phoenix, AZ, was the developer / owner of the Vi-Spy product which continued production until mid-release of Windows 95.

At that time it was a common thought that creators of virus programs and virus detectors were the same or related groups of people. It was also commonly believed that most people would never see a virus on a computer in their lifetime, that they were rare and uncommon. It quickly dispelled the old myths and created a few along the way, and it forever established that virus detectors should become a part of the regular routine for users who shared data. This virus was spread without the aid of the Internet; it was ported between systems by floppy disks, AKA the "sneaker net".

The virus added itself to the system in a way which defied normal infection processes. Because of this, it was able to infect a system without using system subroutines, which is what most antivirus products were watching. This is how the virus received the additional name 'stealth'. Also, the infection process used a mathematical algorithm to determine the letters E-X-E & C-O-M. When a file was opened by the OS, the virus checked the extension of the file, and sometimes other extension letters would be identified as a program file, causing the virus to infect a data file and obviously corrupting its contents.

Because the virus appended itself to a file, without updating the disk FAT (File Allocation Table) as to the new file length, the system would cross-link files and fill up disks with allocation errors. This would damage programs and data alike. The description of the problems found while trying to correct the 'stupid-looking errors' would cause most computer professionals to erase the system and start over. A few days later the problems would arise again. Diagnostic disks and installation disks used to fix the computer would commonly be infected with the virus and this would aid in the spread.
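The inconsistencies described above (a file whose recorded length disagrees with its allocation chain, and clusters claimed by two files) are what a CHKDSK-style consistency check looks for. The following is an added example, not part of the original article and not a model of the virus itself; the simplified in-memory FAT12 table, the cluster size and the file names are constructed assumptions.

```python
# Simplified FAT12 model (constructed): fat[n] holds the cluster that follows n.
FREE = 0x000
EOC = 0xFFF            # any value >= 0xFF8 marks end of chain
CLUSTER_SIZE = 512     # assumed: one 512-byte sector per cluster

# Constructed sample volume. Entries 0 and 1 are reserved in FAT12.
SAMPLE_FAT = [0xFF0, 0xFFF, 3, EOC, 5, 6, EOC, 8, EOC, 5, FREE, FREE]
# (name, first cluster, size in bytes as recorded in the directory entry)
SAMPLE_DIR = [
    ("A.COM", 2, 700),    # consistent: 2 clusters
    ("B.EXE", 4, 1500),   # consistent: 3 clusters
    ("C.COM", 7, 1400),   # recorded length needs 3 clusters, chain has 2
    ("D.DAT", 9, 1200),   # chain runs into B.EXE's clusters 5 and 6
]

def walk_chain(fat, start):
    """Follow a cluster chain; stop at end-of-chain, a free or
    out-of-range entry, or a loop."""
    chain, seen = [], set()
    cur = start
    while 2 <= cur < len(fat) and cur not in seen:
        chain.append(cur)
        seen.add(cur)
        nxt = fat[cur]
        if nxt >= 0xFF8 or nxt == FREE:
            break
        cur = nxt
    return chain

def check_volume(fat, directory, cluster_size=CLUSTER_SIZE):
    """Return findings: size/chain mismatches and cross-linked clusters."""
    findings, owners = [], {}
    for name, start, size in directory:
        chain = walk_chain(fat, start)
        for cluster in chain:
            owners.setdefault(cluster, []).append(name)
        needed = -(-size // cluster_size)        # ceiling division
        if needed != len(chain):
            findings.append(("size_mismatch", name, needed, len(chain)))
    for cluster, names in sorted(owners.items()):
        if len(names) > 1:                       # claimed by more than one file
            findings.append(("cross_linked", cluster, tuple(names)))
    return findings

if __name__ == "__main__":
    for finding in check_volume(SAMPLE_FAT, SAMPLE_DIR):
        print(finding)
```
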

If it were not for these quirks in the virus, it is conceivable that the world would have gone on another few years without dealing regularly with virus attacks. The story was broadcast on the Associated Press newswire in August 1990. Symantec released their antivirus product later that same year.

I have locally printed papers of the story as reported from my computer store, James Rich Computers in Corsicana, Texas. A technical reporter at Dallas Morning News - Richard Steinhart-Threlkeld who later became editor of a national computer magazine - reported the story. We were the first to call the virus 'stealth'. One of my employees described it as a 'stealth ninja' to a news reporter and that was shortened to 'stealth'.