*+*+*+*+*
Warning: Computer A.I.D.S. At Work
By Bill Pike, PAC
Reprinted by THE OL' HACKERS from the STATUS Newsletter, Vol. 7, Issue 3, and with THANKS!
****
PC Disease (Also as it applies to the 8 bit!)
*********
This article has been written from the 8-bit viewpoint. However, the same principles apply to the ST.

THE CONCLUSION: Always suspect Menu programs and ANY pirated program. Also suspect programs that work with popular programs. All purchased disks are write protected and an error in writing could be trapped so you wouldn't see it happen if the error occurred during the booting of the program, as the drive is already running. However, if the disk wasn't write protected the program would write the virus. This would obviously include broken programs and boot disks made into files. Anyone could sabotage a disk or file at any time.
****

Well, we knew it was coming sooner or later! It is here now! Some Phreakers are circulating a VIRUS program through BBSs. There is also a virus program that came out of Europe and is causing much havoc there. The program is encoded in some nice looking, popular programs. These are probably innocent programs that may have been around for a while; the phreakers are too lazy and/or stupid to write something new themselves, other than trying to upgrade the virus section of a program.

The original program may run fine. HOWEVER, when the file has been loaded or run, the virus writes a program to the disk. The virus sits inside the computer memory and waits for a disk Input/Output operation. Each time a disk is placed in the drive and an Input/Output operation is performed a copy of the virus is written to the disk. If a file containing the virus goes along with the program. This virus then sits in wait on the disk; no, it isn't listed in the directory, and it may or may not change the VTOC.
At some predetermined later time the virus goes to work and may wipe out the directory and VTOC or it just might FORMAT the entire disk. Some virus programs modify DOS so that the virus program is appended to EVERY file on the disk when a file is loaded off of the disk or transferred via modem.

You can easily see that your whole library of programs could be rendered infected and then gone. In the meantime you could have been an innocent carrier of the virus, infecting your friends and others. That is why the name of the article is COMPUTER A.I.D.S. There are ways of protecting yourself and others as well as cleaning out any existing virus programs that you may have picked up.

Atari owners have a big advantage over owners of other types of computers in that the disk drive is a smart drive, meaning if the disk is write protected the drive WILL NOT write to or format that disk. This is part of the ROM instructions within the drive itself and a virus cannot modify ROM. However, there is a modification available to bypass this feature. I would suggest that it be removed for obvious reasons.

Keeping the virus out of your library is much easier than removing it when it already exists. You can never be sure that you have caught every disk the virus has infected, and if you don't get all infected disks it will just spread again. Now to the cures:

#1. WRITE PROTECT your disks that are not supposed to be written to. If you want to write to a disk of this type you can always remove the tab and replace it when you are done.

#2. The virus cannot survive a COLDSTART. Re-boot the computer each time with a KNOWN GOOD DOS disk after switching the computer off then back on. If you are using a BOOT disk make a copy of the original disk, archive the original and boot from the direct copy, then reserve any other disks that may be written to by the program as possible INFECTED. Don't use these disks for any other purpose!
NEVER use your archive disk for any purpose other than to make a copy for your working disk. You might also write protect your working copy, if possible.

#3. Here is a rather long one for those who trade programs or download programs from BBSs. Keep your downloads or trades on a separate disk. Then load and run each program; make sure you don't use the original or working copy of any program that the file works with, use a test copy. After you have run each program, format a blank disk, using a known good copy of DOS. Then use a sector editor to check the first 4 sectors (0-3) of the suspect disk against the freshly formatted disk. If these don't match, one of the files on the disk was a virus. You can find the file by using a good DOS and copying each file individually to another disk, then running that file and comparing the boot sectors (0-3) to the formatted disk. You might also wish to compare all file lengths including the DOS.SYS and DUP.SYS files. If any file is longer than the original file, suspect a virus. There are a couple of ANTIBIOTIC programs going around that can usually detect a virus infected file. However, as the Phreakers get their hands on the antibiotics, they will find a way around them, so don't trust them totally.

**STATUS Editor's Note: This of course is just a fad, and probably started as a joke. But, in my opinion, it is a crime, and not a joking matter! It is surely an invasion of privacy, destroying of personal property and a downright waste of programming talent. Liken it if you will to a visitor placing a concealed time bomb in your house, due to explode at some future date or event. Or, maybe a mechanic programming your automobile to render the ignition system inoperable after X number of starts. It behooves me to think that an individual, or group of individuals, could get enjoyment out of such dastardly acts.
Suppose an individual, knowingly or not, uploaded an infected file to GEnie, and during the process of testing and posting the entire library became infected, with eventual system crash and infection of every one of the system's users... it could happen. Shouldn't the parties responsible for these virus programs be brought to court, and prosecuted to the full extent of the law without leniency for being demented?

(OL' HACKERS EDITOR- I am in full agreement with the above remarks from STATUS, and I hope it persuades even one person to stop this cruel joke, which benefits NO ONE!)

*** Part II following: ***

*******
Computer AIDS II
By Blair Davis For S.T.A.T.U.S.
Reprinted from STATUS Vol#7, Iss#4 by THE OL' HACKERS and with THANKS!
*******

This article is a continuation of the first computer aids article seen in the Status Newsletter about 2 months ago. As of June 19, 1988 I have never seen any of the viruses discussed in that article; however, I have seen a new virus in the last few days. The following is a description of this new virus and ways to detect it and others like it. This new virus seems to affect linked sector DOS's only at this time, but I can see how a different version of the same one could affect Sparta Dos.

First, a description of how it works.
This virus does not append itself to any/all binary files like many other viruses do. Instead, it first finds the highest free sector, then writes a copy of itself into that sector. It then modifies the VTOC to protect its sector. It then modifies the DOS boot routine to invoke itself when the disk is booted.

Second, what it does.
When the disk is first booted the virus loads into Page 6 RAM. It then counts the number of sector writes and decrements a three byte counter both in page 6 and its stolen sector. When this counter reaches zero it then destroys the disk.
This counter is set from the jiffy clock, (bytes 180), each time a new copy of the virus is written. Due to a bug in the virus, each time a new disk is used in the drive, a new copy of the virus may be written. This may result in multiple copies of the virus on the disk. The method of resetting the counter time results in what are apparently random disk failures.

Third, finding it.
Finding it is very easy. To find it, simply count the number of sectors used by ALL the files in the directory, then subtract that total from the number of free sectors on a KNOWN GOOD blank formatted disk of the same DOS, density and number of sides. Compare this to the number of free sectors displayed by the suspect disk. If the number of sectors displayed by the suspect disk is less than the number you calculated, you probably have it.

Fourth, curing it.
At this time I have not yet found a way to remove it from an infected disk; however, there is a way to save your files. To save your files, you must first boot your system from a known uninfected DOS disk. Then, using the copy file function (NOT duplicate disk or copy multiple files), copy each file except DOS.SYS and DUP.SYS individually to a new disk. Each file (basic only) needs to be tested to see if it will write the virus to a disk, but object files should be clean. By the time you read this, I should have uploaded a detector program to the STATUS BBS. This program will simply count the free sectors and warn you if there is a discrepancy. This virus may have been around for a while as it does not seem to be very sophisticated. Hopefully this detector program should help eliminate this type of virus from our program libraries.

In conclusion, I must say that the only way to prevent the spread of this virus is to boot your DOS off of known good disks only. The virus is only started from BASIC game programs that write to the disk (as far as I know!)

-=-=-=-=- end -=-=-=-=-
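The free-sector check described under "Third, finding it" in Part II, as an added example. It is not part of the original articles and is not the detector program Blair Davis mentions. It works on a disk image file and assumes the Atari DOS 2.0S single-density layout (128-byte sectors, VTOC in sector 360 with the free-sector count in bytes 3-4, directory in sectors 361-368 with 16-byte entries); the function names and the sample images built by make_image are constructed for illustration.

```python
import struct
# Assumed layout: Atari DOS 2.0S, single density (not stated in the article).
SECTOR = 128
VTOC = 360                      # free-sector count lives in bytes 3-4
DIR_SECTORS = range(361, 369)   # eight directory sectors, 16-byte entries

def load(img):
    """Strip the 16-byte ATR header (magic 96 02) if the image has one."""
    return img[16:] if img[:2] == b"\x96\x02" else img

def sector(img, n):
    return img[(n - 1) * SECTOR : n * SECTOR]   # sectors are numbered from 1

def free_shown(img):
    """The free-sector figure DOS displays, read from the VTOC."""
    return struct.unpack_from("<H", sector(img, VTOC), 3)[0]

def sectors_used_by_files(img):
    """Sum the sector counts of ALL live files in the directory."""
    total = 0
    for s in DIR_SECTORS:
        data = sector(img, s)
        for off in range(0, SECTOR, 16):
            flag = data[off]
            if flag == 0x00:          # never-used entry: end of directory
                return total
            if flag & 0x80:           # deleted entry: its sectors are free again
                continue
            total += struct.unpack_from("<H", data, off + 1)[0]
    return total

def check_disk(suspect, known_good_blank):
    """Apply the article's test; missing > 0 means sectors no file accounts for."""
    suspect, blank = load(suspect), load(known_good_blank)
    expected = free_shown(blank) - sectors_used_by_files(suspect)
    shown = free_shown(suspect)
    return {"expected": expected, "shown": shown,
            "missing": expected - shown, "suspect": shown < expected}

def make_image(files=(), stolen=0):
    """Constructed sample image: a blank disk plus directory entries."""
    img = bytearray(720 * SECTOR)
    used = sum(count for _, count in files) + stolen
    struct.pack_into("<BHH", img, (VTOC - 1) * SECTOR, 2, 707, 707 - used)
    for i, (name, count) in enumerate(files):
        off = 360 * SECTOR + i * 16           # start of sector 361
        struct.pack_into("<BHH11s", img, off, 0x42, count, 4, name)
    return bytes(img)
```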