Cruncher
Cruncher
Type File virus
Creator Masud Khafir
Date Discovered 1993.06
Place of Origin The Netherlands
Source Language
Platform DOS
File Type(s) .com
Infection Length 2,352 bytes*
Reported Costs

Cruncher is a .com infecting virus from 1993. It is probably most famous for the fact that it compresses the files that it infects. It was coded by Masud Khafir, coder of the first Windows virus, Winvir.

Behavior

When Cruncher is first executed, it installs itself near the top of memory, just below the DOS 640k boundary. Cruncher takes 2,352 bytes of memory. It infects .com programs as they are executed. It avoids COMMAND.COM. Most programs infected with this virus will decrease in size. Programs under 3 kilobytes may show a small increase in size.

The virus contains two text strings, "[ MK / Trident ]" and "Cruncher V1.0". THe first identifies its creator, Masud Khafir of the Dutch Trident hacker group. The second is the name of the virus.

Variants

The creator gave his variants version numbers, similar to other software. Cruncher 2.0 infects .exe files as well as .com. It takes 4,256 bytes in memory. Cruncher 2.1 asks for permission to become memory resident and infect files and takes up 5,056 bytes. They both contain relatively similar text, different only with regard to the copyright date:

  *** CRUNCHER V2.0 *** Automatic file compression utility
  Written by Masud Khafir of the TridenT group (c) 31/12/92
  Greetings to Fred Cohen, Light Avenger, and Teddy Matsumoto

In 2.1, the date is 23/8/93.

Name and Origin

Some texts contained in later variants of the Cruncher virus seem to suggest that this virus was coded much earlier than its discovery date would suggest. Cruncher 2.0 contains text strings indicating it was created on New Year's Eve.

The virus borrows some code from the freeware Diet compression program, coded by Teddy Matsumoto.

Other Facts

Most examples of potentially beneficial viruses have been with those that attack other viruses, like Denzuko. File-compressing viruses had been proposed, but never actually coded until Cruncher. While some view this virus as an example of a beneficial virus, others take a more cynical view of it as an attempt to get past virus scanners.

Masud Khafir describes Cruncher as one of the more difficult viruses he coded, along with Gotcha and Winvir.

Sources

Patricia Hoffman. Online VSUM, Cruncher Virus.

Trident. Interview with Masud Khafir.

Alan Solomon. A Guide to Evaluating Anti-Virus Software.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License