The Search of Den Zuk

Oleh

The Search for Den Zuk
Fridrik Skulason
Virus Bulletin, February 1991, pp.7-8
ISSN 0956-9979
February 1991

INVESTIGATION

Seek and Destroy
Who is Y.C.1.E.R.P?

The virus known as Den Zuk was discovered over two years ago, and infections have occasionally been reported since then. It is a boot sector virus with one major effect and one, probably unintentional, harmful side-effect.

One of the earliest reports of the virus came from Venezuela - leading to the incorrect conclusion that it was written there. The virus was instead written in Indonesia, where several related viruses are known to exist. It contains the following text message, which is not displayed.

         Welcome to the
            C l u b
        --The HackerS--
            Hackin'
          All The Time

          The HackerS

On a computer infected with this virus, pressing Ctrl-Alt-Del will not result in a simple reboot. If the computer has a colour display, it will display a picture on the screen for a fraction of a second. The picture shows the text "DENZUKO" and an unknown logo. Pressing Ctrl-Alt-F5 will reboot the computer, without displaying this picture. Ironically, the screen-effect eases detection and reduces the virus' chance of spreading.


Seek and Destroy

It had been thought that "Den Zuk" meant "The search", a reference to the ability of the virus to seek out and destroy copies of the Brain virus. If it finds a Brain-infected diskette, it removes the infection and replaces it with a copy of itself.

Normal 360 Kbyte disks only have tracks numbered from 0 to 39, but this virus was the first to use track 40 on diskettes - a practice which is now becoming more common. The author did not cater for 1.2 Mbyte or 3.5 inch diskettes on which track 40 is used. On these diskettes, the virus will overwrite that track, possibly damaging data or programs stored there.

The volume label "(c) Brain" on a Brain-infected diskette is changed to `Y.C.1.E.R.P' - A mysterious text - but it turned out to lead directly to the author.

Den Zuk also removes another virus - which was (correctly) assumed to be an older version of itself. This variant was discovered much later, and is generally known as `Ohio'.

It is closely related to the Den Zuk virus, but it contains different text messages:

           V I R U S
              b y
          The Hackers
          Y C 1 E R P
         D E N Z U K O
         Bandung 40254
           Indonesia

 (C) 1988, The Hackers Team....

Who is Y.C.1.E.R.P?

To a radio-amateur, `YC1ERP' looks like a call-sign. Reference to the International Callbook revealed that this call-sign had been allocated to a person in Bandung, Indonesia.

There was no proof that this person was the author of the virus - it was also possible that the genuine virus writer bore a grudge against him, and included his call-sign in the virus to discredit him.

Obviously, the easiest way to discover whether this person was indeed the author was simply to ask him. A polite letter was sent to the Indonesian radio-amateur, asking whether he was the author or not.

His reply is published here verbatim and in its entirety.



Bandung, September 20, 1990

Dear Mr. Skulason,

First, I want to introduce myself too.

Name: Denny Yanuar Ramdhani

D.O.B.: January 16. 1964

Address: Jl. Ancol Timur XII/10, Bandung 40254, Indonesia

Occupation: -Student at PAT-Komputer Institut Teknologi Bandung.

-Freelance System-Programmer.

I want to explain about names which related with viruses.

Den Zuko is from Denny Zuko, my nickname. (from 'Danny Zuko', John Travolta's name at 'Grease' the movie !)
Hackers is from Hackers Technology, my hackers club.
YC1ERP is my amateur radio callsign
And about two viruses, DEN ZUKO and HACKERS:

The viruses were first Indonesian viruses. The designer and author is me. Viruses name is DEN ZUKO and HACKERS (not DEN ZUK and HACKER). Created on March 1988 in Bandung, Indonesia (not Venezuela, as reported in New York Times ?) The viruses were my experiment in PC operating system, low-level language, how fast its spread, and just to "say hello" to other hackers/computer users in my city (when they pressed Ctrl-Alt-Del !). I never thought or expected its spread nationwide and then worldwide. So, I was really surprised when I read 'Tempo' (Indonesian weekly news magazine) which reported about 'Den Zuk' virus (quoted from New York Times) attacked USA, cominf from Venezuela, but I'm sure it was Den Zuko. And what made me really sure it was my virus, when I checked diskette which invected by Denzuko virus with Turbo AntiVirus, IBM VirScan and Mc Afee Accociates Scanner, its reported the diskette contains 'Den Zuk' virus.The viruses have 2 versions:

Ver.1: - DenZuko, the color is white, the shadow is red - Hackers Technology (text explode),
Ver.2: - DenZuko, color is red, without shadow. - Hackers, color is white ('K' is red) shadow is cyan.

Version 2 will replace version 1 and Brain virus if find, and it has immunization for version 1 and Brain. Version 1 will replace & immunize Brain virus (Pakistani Brain) The viruses have stadium level counter at 2nd sector (sector 022H) track 028H, offset 03H (1 word). So, we can count the approximation of the virus population.

Version 1 identification is hexadimal (1 word) 0FAFAh (offset 02Bh) " 2 " " " " 0537Ch (offset 040h)

About other viruses from Indonesia:

The others are modification from Den Zuko or Hackers (except file-invected-virus, like Amoeba and Mystik). Some of virus researcher, Iknow them, but I don't have their address.

For more information, maybe you can get them, if you contacy Mr P.M.Winarno, he is the editor of MikroData and InfoKomputer Magazine. His complete address is:


P. M. Winarno
Editor Mikrodata
Jl Palerah Selatan 22 Lt. 3
Jakarta 10270
Indonesia
Phone 62-021-5483008 ext 3211,3212
If you contact him, say hi from me. Oo, I almost forget some information:

Before stadium level 3 the viruses will not show DENZUKO or HACKERS logo, and will not change label to Y.C.1.E.R.P.
There is a secret keys Crtl-Alt-F5, if you press them, the computer will reboot without show the logo.
The others which modified from version 1 of mine, destroyed by version 2 and decreased the population.
Location of the others various at track 028H, 029H, head 0 or 1.
If you want to put my statement and publish it, you can take it from this letter, all or portion of it is up to you. I have some questions too:

Who send you information about Indonesian viruses ?
How can you get my address, from amateur radio callbook, from one of my viruses at track 027H, sector 022H or else ?
Why 'Hacker' = 'Ohio' ? I never give or put 'Ohio' in HACKERS.
When did you get 'DENZUKO' or 'HACKER' and what is the stadium-level counter number (track 028h, head 0, sector 022h, offset 03h (1 word) ?

Sincerely


-- -- d e n n y -- --


(DENNY YANUAR RAMDHANI)



Komentar

Posting Komentar

Postingan populer dari blog ini

In depth review of Chinesium "Bulldozer" H55 Board (ZX-H55M V1.41) / Review mendalam mobo cina "Bulldozer" H55 (ZX-H55M V1.41)

Oleh
Gambar
Review: We are discussing about the specifications, bios, and verdict, regarding should you buy this or not| Kita membahas speknya, biosnya, dan kesimpulannya, apakah worth to buy atau tidak. This mainboard in Chinese language also known as: 山寨芯片组主板 / 山寨主板 (Shānzhài xīnpiàn zǔ zhǔbǎn / Shānzhài zhǔbǎn) translated to: Shanzhai chipset motherboard / Shanzhai motherboard. This mobo is made by Shenzhen Hongdafeng i guess ENGLISH Chinesium motherboard that I bought at 17th Sept. 2021. Warranty already over (1yr warranty, purchase 2020?) No box, no cd, no manual, backpanel+mobo only. (Apparently after looking, it's same with Zebronics H55) Chipset used: H57 (salvaged from prebuilt like Dell maybe?). Those H55 chinesium boards may use H57 or H55 depending on e-waste pull stocks. They are near same anyway. 4 Phase VRM Max RAM: 8GB (Dual rank/Dual sided, 4GB per slot, two slots in total. Trait shared with LGA 775 DDR3). FOR XEON: 16 GB (Dual rank/Dual sided, 8GB per slot, there are 2 slots.
Selengkapnya »

Hanmi Micronics/Micronics

Oleh
Gambar
       BTW from now on I would translate some namuwiki page  for computer parts only. I do not deal with KPop articles unless if they're related to PC parts. Some grammars are fixed, and I used google translate + PAPAGO.  Namu wiki's work is available under  CC BY-NC-SA 2.0 KR  . (However, except for some documents and illustrations for which the license is specified) https://namu.wiki/w/마이크로닉스
Selengkapnya »

Download NFS Carbon and Underground 1 arcade version

Oleh
Gambar
New link: https://archive.org/details/need-for-speed-underground-arcade-edition  and  https://archive.org/details/need-for-speed-carbon-arcade-edition There are special and obscure NFS versions that's so rare, it doesn't get known. They are the Need For Speed arcade version, those are 2 games made by Global VR and EA. It loosely based upon PC version. There are 2 of those hidden gem: NFS Underground 1 Arcade https://www.ign.com/articles/2005/02/16/need-for-speed-underground-heads-to-arcades NFS Underground 1 Arcade version. This version is of course loosely based upon Need For Speed Underground 1 PC. This version has so many special and extra features, some of them are: 8 AI Opponents, ❗ Framerate display,  ❗ Gran Turismo styled camera,  ❗ And many more. Technical specifications for arcade cabinet are (gathered from GlobalVR site): Windows XP Embedded (SP2 or SP3?) Pentium 4, Motherboard is either MSI H61M-P32 or DFI PS35-BL. For h61 maybe the pentiu
Selengkapnya »