*+*+*+*+*
Warning: Computer A.I.D.S. At Work
By Bill Pike, PAC
Reprinted by THE OL' HACKERS from the STATUS Newsletter, Vol. 7, Issue 3, and with THANKS!
****
PC Disease (Also as it applies to the 8 bit!)
*********

This article has been written from the 8-bit viewpoint. However, the same principles apply to the ST.

THE CONCLUSION: Always suspect Menu programs and ANY pirated program. Also suspect programs that work with popular programs. All purchased disks are write protected and an error in writing could be trapped so you wouldn't see it happen if the error occurred during the booting of the program, as the drive is already running. However, if the disk wasn't write protected the program would write the virus. This would obviously include broken programs and boot disks made into files. Anyone could sabotage a disk or file at any time.
****

Well, we knew it was coming sooner or later! It is here now! Some Phreakers are circulating a VIRUS program through BBSs. There is also a virus program that came out of Europe and is causing much havoc there. The program is encoded in some nice looking, popular programs. These are probably innocent programs that may have been around for a while; the phreakers are too lazy and/or stupid to write something new themselves, other than trying to upgrade the virus section of a program.

The original program may run fine, HOWEVER, when the file has been loaded or run, the virus writes a program to the disk. The virus sits inside the computer memory and waits for a disk Input/Output operation. Each time a disk is placed in the drive and an Input/Output operation is performed, a copy of the virus is written to the disk. If a file containing the virus goes along with the program. This virus then sits in wait on the disk; no, it isn't listed in the directory, and it may or may not change the VTOC.
At some predetermined later time the virus goes to work and may wipe out the directory and VTOC, or it just might FORMAT the entire disk. Some virus programs modify DOS so that the virus program is appended to EVERY file on the disk when a file is loaded off of the disk or transferred via modem.

You can easily see that your whole library of programs could be rendered infected and then gone. In the meantime you could have been an innocent carrier of the virus, infecting your friends and others. That is why the name of the article is COMPUTER A.I.D.S. There are ways of protecting yourself and others as well as cleaning out any existing virus programs that you may have picked up.

Atari owners have a big advantage over owners of other types of computers in that the disk drive is a smart drive, meaning if the disk is write protected the drive WILL NOT write to or format that disk. This is part of the ROM instructions within the drive itself and a virus cannot modify ROM. However, there is a modification available to bypass this feature. I would suggest that it be removed for obvious reasons.

Keeping the virus out of your library is much easier than removing it when it already exists. You can never be sure that you have caught every disk the virus has infected, and if you don't get all infected disks it will just spread again. Now to the cures:

#1. WRITE PROTECT your disks that are not supposed to be written to. If you want to write to a disk of this type you can always remove the tab and replace it when you are done.

#2. The virus cannot survive a COLDSTART. Re-boot the computer each time with a KNOWN GOOD DOS disk after switching the computer off then back on. If you are using a BOOT disk, make a copy of the original disk, archive the original and boot from the direct copy, then reserve any other disks that may be written to by the program as possible INFECTED. Don't use these disks for any other purpose!
NEVER use your archive disk for any purpose other than to make a copy for your working disk. You might also write protect your working copy, if possible.

#3. Here is a rather long one for those who trade programs or download programs from BBSs. Keep your downloads or trades on a separate disk. Then load and run each program; make sure you don't use the original or working copy of any program that the file works with; use a test copy. After you have run each program, format a blank disk, using a known good copy of DOS. Then use a sector editor to check the first 4 sectors (0-3) of the suspect disk against the freshly formatted disk. If these don't match, one of the files on the disk was a virus. You can find the file by using a good DOS and copying each file individually to another disk, then running that file and comparing the boot sectors (0-3) to the formatted disk. You might also wish to compare all file lengths, including the DOS.SYS and DUP.SYS files. If any file is longer than the original file, suspect a virus. There are a couple of ANTIBIOTIC programs going around that can usually detect a virus-infected file. However, as the Phreakers get their hands on the antibiotics, they will find a way around them, so don't trust them totally.

**STATUS Editor's Note: This of course is just a fad, and probably started as a joke. But, in my opinion, it is a crime, and not a joking matter! It is surely an invasion of privacy, destroying of personal property and a downright waste of programming talent. Liken it if you will to a visitor placing a concealed time bomb in your house, due to explode at some future date or event. Or, maybe a mechanic programming your automobile to render the ignition system inoperable after X number of starts. It behooves me to think that an individual, or group of individuals, could get enjoyment out of such dastardly acts.
Suppose an individual, knowingly or not, uploaded an infected file to GEnie, during the process of testing and posting the entire library became infected, with eventual system crash and infection of every one of the system's users... it could happen. Shouldn't the parties responsible for these virus programs be brought to court, and prosecuted to the full extent of the law without leniency for being demented?

(OL' HACKERS EDITOR- I am in full agreement with the above remarks from STATUS, and I hope it persuades even one person to stop this cruel joke, which benefits NO ONE!)

*** Part II following: ***

*******
Computer AIDS II
By Blair Davis For S.T.A.T.U.S.
Reprinted from STATUS Vol#7, Iss#4 by THE OL' HACKERS and with THANKS!
*******

This article is a continuation of the first Computer AIDS article seen in the Status Newsletter about 2 months ago. As of June 19, 1988 I have never seen any of the viruses discussed in that article; however, I have seen a new virus in the last few days. The following is a description of this new virus and ways to detect it and others like it. This new virus seems to affect linked-sector DOSes only at this time, but I can see how a different version of the same one could affect SpartaDOS.

First, a description of how it works.
This virus does not append itself to any/all binary files like many other viruses do. Instead, it first finds the highest free sector, then writes a copy of itself into that sector. It then modifies the VTOC to protect its sector. It then modifies the DOS boot routine to invoke itself when the disk is booted.

Second, what it does.
When the disk is first booted the virus loads into Page 6 RAM. It then counts the number of sector writes and decrements a three-byte counter both in page 6 and its stolen sector. When this counter reaches zero it then destroys the disk.
This counter is set from the jiffy clock (bytes 180) each time a new copy of the virus is written. Due to a bug in the virus, each time a new disk is used in the drive, a new copy of the virus may be written. This may result in multiple copies of the virus on the disk. The method of resetting the counter time results in what are apparently random disk failures.

Third, finding it.
Finding it is very easy. Simply count the number of sectors used by ALL the files in the directory and subtract that total from the number of free sectors on a KNOWN GOOD blank formatted disk of the same DOS, density and number of sides. Compare this to the number of free sectors displayed by the suspect disk. If the number of sectors displayed by the suspect disk is less than the number you calculated, you probably have it.

Fourth, curing it.
At this time I have not yet found a way to remove it from an infected disk; however, there is a way to save your files. To save your files, you must first boot your system from a known uninfected DOS disk. Then, using the copy file function (NOT duplicate disk or copy multiple files), copy each file except DOS.SYS and DUP.SYS individually to a new disk. Each file (BASIC only) needs to be tested to see if it will write the virus to a disk, but object files should be clean. By the time you read this, I should have uploaded a detector program to the STATUS BBS. This program will simply count the free sectors and warn you if there is a discrepancy. This virus may have been around for a while as it does not seem to be very sophisticated. Hopefully this detector program should help eliminate this type of virus from our program libraries.

In conclusion, I must say that the only way to prevent the spread of this virus is to boot your DOS off of known good disks only. The virus is only started from BASIC game programs that write to the disk (as far as I know!)

-=-=-=-=- end -=-=-=-=-
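
The free-sector count described under "Third, finding it" and the file-length comparison from cure #3 in Part I, as an added Python example for checking a disk image on a modern machine; it is not the detector program mentioned above, nor code from either author. It assumes a raw 720-sector single-density Atari DOS 2.0S dump (VTOC in sector 360, directory in sectors 361-368); the function names and the sample images are constructed for illustration.

```python
import struct

SECTOR = 128                                 # assumption: single density
VTOC, DIR_FIRST, DIR_LAST = 360, 361, 368    # Atari DOS 2.0S layout

def sector(img, n):                          # sectors are numbered from 1
    return img[(n - 1) * SECTOR:n * SECTOR]

def vtoc_free(img):
    """Free-sector count stored in VTOC bytes 3-4, the figure DOS displays."""
    return struct.unpack_from("<H", sector(img, VTOC), 3)[0]

def directory(img):
    """Yield (name, sector_count) for each in-use directory entry."""
    for s in range(DIR_FIRST, DIR_LAST + 1):
        data = sector(img, s)
        for off in range(0, SECTOR, 16):
            flag, count = struct.unpack_from("<BH", data, off)
            if flag == 0:                        # never used: end of directory
                return
            if flag & 0x40 and not flag & 0x80:  # in use and not deleted
                yield data[off + 5:off + 16].decode("ascii", "replace"), count

def unaccounted_sectors(suspect, blank):
    """Part II check: sectors marked used that no directory entry claims."""
    expected_free = vtoc_free(blank) - sum(c for _, c in directory(suspect))
    return expected_free - vtoc_free(suspect)

def grown_files(suspect, original):
    """Part I check: files longer than on the known-good original disk."""
    base = dict(directory(original))
    return [n for n, c in directory(suspect) if c > base.get(n, c)]

def build_image(files, hidden=0):
    """CONSTRUCTED sample image; `hidden` sectors are used but not in any file."""
    img = bytearray(720 * SECTOR)
    free = 707 - hidden - sum(c for _, c in files)
    struct.pack_into("<BHH", img, (VTOC - 1) * SECTOR, 2, 707, free)
    for i, (name, count) in enumerate(files):
        entry = (DIR_FIRST - 1) * SECTOR + 16 * i
        struct.pack_into("<BHH11s", img, entry, 0x42, count, 4, name.encode())
    return bytes(img)

FILES = [("DOS     SYS", 39), ("DUP     SYS", 42), ("GAME    BAS", 57)]
BLANK, CLEAN = build_image([]), build_image(FILES)
HIDDEN = build_image(FILES, hidden=1)                       # stolen sector
APPENDED = build_image(FILES[:2] + [("GAME    BAS", 58)])   # file grew
if __name__ == "__main__":
    print(unaccounted_sectors(HIDDEN, BLANK), grown_files(APPENDED, CLEAN))
```

To run it on a real dump, read the file into bytes and pass it in place of the constructed images; an .ATR file carries a 16-byte header that must be stripped first.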