home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Crawly Crypt Collection 1
/
crawlyvol1.bin
/
utility
/
virus
/
peneciln
/
virus.doc
< prev
Wrap
Text File
|
1988-03-26
|
6KB
|
117 lines
A virus type program has been detected on ST disks circulating in
Europe. So far, I have heard no reports of one in the USA. However,
I am certain it is merely a matter of time before it happens.
The one reported is written into the boot sector of a disk, then
hooks itself into the ST's operating system. Each time a new disk
is inserted in the system, and the ST does a media change check, the
virus checks the floppy to see if it contains the virus in the boot sector.
If not, it writes the virus on the floppy. If it does, it leaves the floppy
alone. After some number of media change calls, the virus trashes the
directory and FATs of the disks in the system, wiping out anything on
the disks. I haven't heard about it hitting any hard disks yet.
The boot sector of an ST disk contains disk configuration information
(sides on disk, tracks, sectors per track, FAT size, etc.) which can,
and frequently does, vary from disk to disk. It also contains a serial
number which must vary from disk to disk, or you get deep trouble when
changing disks (GEMDOS won't know the disk changed).
But, that all fits in a small portion of the boot sector, within the
first 30 bytes.
Many format program leave all sorts of junk in the buffer they use to
write the boot sector (including the desktop). While this will also
vary, it is not harmful.
When should a disk contain an executable boot? Only if
1) It is designed to be a self booting disk (some games, commercial
software, alternate operating systems, etc.)
2) You have specifically placed a self-boot program on the disk (such
as a clock setter, RAMdisk loader, etc.)
Note that hard disk autoboot programs vary from supplier to supplier,
but generally do not expect any kind of boot code on a floppy. If your
hard disk boot does not care what disk is in the floppy drive, then
it doesn't need an executable boot on the floppy.
No other disk should contain self-booting code unless you are still
running with TOS in RAM (Is anyone really still doing this?).
The only other way I can think of a virus getting into an ST is in an
/AUTO folder program. If you have something in your /AUTO folder which
is spreading a virus, you are out of luck.
If a disk is MS-DOS compatible, it must contain certain MS-DOS data
to be useable, and the statements above do not apply.
With that in mind, I whipped up this disk sterilizer, which I named
(with tounge only slightly in cheek) PENICILN (Yes, I know that's not spelled
correctly, but you only get eight bytes :^> ). It will kill any kind of
virus I can imagine, and anything else in the boot sector. It reads the
boot sector, saves the disk serial number and configuration information,
wipes the rest of the boot sector clean, replaces the saved data, forces
a non-executable checksum, and re-writes the boot sector.
*** WARNING ***
This program is the equivalent of blind, deaf, and dumb flame thrower
approach to virus killing. It WILL kill anything in a boot sector. If you
use it on a disk which must contain a boot (games, etc. mentioned above)
you will destroy the disk. I therefore disclaim any responsibility for
the results of the use of this program.
The program is specified as a .TTP, so you can run it from a shell or the
desktop. It expects the input on the command line. It accepts an option of
"-m" to write an MS-DOS boot sector, or an option of "-k" to become keyboard
driven. Otherwise, it expects either "a" or "b" to name which floppy to use.
If you enter the drive name only (a or b), it will clean the boot sector on
the named drive and exit. If you specify -m, it writes an MS-DOS boot sector
on the named drive. If you enter -k, it enters a loop. Each time you press
"a" or "b", it will clean the disk in that drive. Any other keypress will
exit.
Note that this program will not alter anything other than the boot sector,
so any files or programs on the disk are safe and unaltered, regardless of
how the disk is formatted.
This program is designed specifically to thwart a virus. It forces a
read of the disk prior to clearing the boot sector, so if the virus has
infected your system, it will write itself to the floppy first. Then,
this program promptly wipes out the virus by clearing the boot sector.
If you have any reason to suspect that your system has the virus, take
the following steps:
1) Insert a blank (but formatted) disk into drive A.
2) Run this program.
3) Immediately power off your system before doing anything else.
4) Wait 15 seconds, then power on you system, with the same disk
still in drive A.
5) Run this program on every disk you own which does not have to be
self booting.
This sequence of steps first gets you a certain virus free disk to boot from.
Then, by powering off your system, you insure that the virus is not present
in your system's memory. Then, running the virus killer will eliminate
any copies of the virus on the rest of your disks.
Since I take this virus situation seriously, I am including the source
for the program so anyone can see exactly what it does before running it.
I also encourage everyone to distribute the program, with this accompanying
explanation, as widely and as quickly as possible.
Nothing like a shot of "peniciln" to keep a virus from spreading :^)
If anyone locates a virus disk, please send me a copy. I will disect the
virus, document what it does, and provide any necessary tools to kill it.
George R. Woodside Compuserve 76537,1342
5219 San Feliciano Dr. GEnie G.WOODSIDE
Woodland Hills, Ca. 91364
USENET: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
