| Friday | |
|---|---|
| Type | Boot sector virus |
| Creator | |
| Date Discovered | 1987.11 |
| Place of Origin | South Africa |
| Source Language | |
| Platform | DOS |
| File Type(s) | .com |
| Infection Length | 419 bytes |
| Reported Costs | |
Friday, also known as Friday the 13th, is a .com-infecting virus from South Africa. Though it has a slightly similar payload, it is not related to the Jerusalem virus.
Behavior
When Friday is executed, it searches for two .com files on the C: drive and one on the A: drive (typically the floppy drive). It avoids files that will be more than 64 kilobytes after infection. It appends itself to the end of the file.
When the host program is run on any Friday the 13th, the program file is deleted.
The virus can be stopped by making .com files read-only, something later viruses were taught to ignore.
Variants
The Friday family produced a number of variants of note, mostly weighing in at around 400 to 500 bytes.
B, C and D
B will infect all .com files in the current directory. If the infected file is in the system path, it will infect all files there too. C is like B, but displays the message "We hope we haven't inconvenienced you" when the virus activates. D is between 418 and 432 bytes. It infects all .com files in the current directory except COMMAND.COM and updates their modified date to the time of infection.
Virus-B
As one of the earliest viruses (there were less than 15 families of virus in existence at the time) Friday was a subject of great interest. Virus-B was actually created by researchers without the destructive payload as a demonstration virus.
When executed, the virus infects all .com files in the current working directory. It displays the message "WARNING!!!! THIS PROGRAM IS INFECTED WITH VIRUS-B! IT WILL INFECT EVERY .COM FILE IN THE CURRENT SUBDIRECTORY!". The virus is between 542 and 555 bytes long. There will be no change to the time on the DOS DIR listing for an infected file.
540.C
This is a sub-variant of Virus-B. It is programmed to avoid detection by certain antivirus programs. It is 540 bytes long as its name suggests.
978
This sub-variant of Virus-B is 978 bytes long and like 540.C, attempts to avoid detection by certain antivirus products.
Enet 37
This variant is 613 bytes. it contains the following text:
ENET N§37 Virus benigno - Por EDGE BAND!
Realizado por un alumno del Enet 37 (?) 25/5/92
..Hmmm..
Te parece usar la computadora un Domingo?
Presiona una tecla.
QFresh
This variant originated in Sweden in June of 1992. It increases infected files by 615 to 628 bytes. This variant infects all .com files in the current directory. It manages to avoid modifying the program's date. It contains the text "ENET_INF", indicating some relation with the Enet 37 variant.
Effects
Friday was active in Britain as late as 1989. According to Alan Solomon, there were thousands of computers infected with it there.
The virus is now thought to be totally extinct, except for a few samples.
Sources
F-Secure, Friday the 13th.
Patricia Hoffman. Online V-SUM, Friday 13th Virus.
The Los Angeles Times, 'Friday 13th' Virus Fells Computers. 1989.01.13