[comp.sys.ibm.pc] ->NEW VIRUS AND CURE<- for ALL IBM PC/XT/AT/386 type systems

root@evecs.UUCP (- Admin) (05/08/89)

I do not know if this is really a NEW virus, but this campus
is now in the middle of a large infection.

The virus is not destructive UNLESS the disk it is trying to infect
is full (it needs one cluster -- 1024 bytes)

HERE IS WHAT IT DOES:
At some time a single character will start bouncing around the screen
but you can still continue to do whatever you want.

HERE IS HOW IT SPREADS:
It loads into memory at boot time ONLY! (taking 2K of free memory)
If you boot with a clean disk, you are safe.
If you boot from an infected disk (hard drive or floppy) it will
then stay in memory (until a warm reboot) and transfer itself
to ANY disk (bootable or not) when ANY disk operations are done.
Then if you boot that disk on another computer it will start
transferring itself again.

HERE IS HOW TO FIND IT:
On your disk it marks itself as a bad cluster. BUT you can read it.
(it picks the FIRST free empty sector, or picks a used one if your disk
is full)
In memory it takes up 2K
(check your memory from a clean disk then the questionable disk)
To find the sector on your disk do a search of ALL sectors
for FF 06 F3 7D 8B 1E F3 7D using something like Norton's NU
If you find that and it is marked as BAD in the FAT then YOU HAVE IT.

HOW TO KILL IT:
You can do a FILE by FILE backup then reformat the bad disk
then restore the files (the virus is NOT part of a file
it's part of the boot system)

The long way (But it works well...and for hard drives)
Make a floppy with the same version of the
operating system you have on the bad disk
make sure that SYS and NU and NDD are on the good disk
BOOT the good disk...go into NDD
do a "MAKE DISK BOOTABLE" from common fixes (to the bad disk)
then do a SYS to the bad disk....YOU ARE DONE...the virus will
no longer load....you should then go into NU and unmark
the fake BAD cluster (2 sectors) and zero the sectors

REMEMBER: IT WILL INFECT ALL DISKS
even if they are not bootable....
the virus can still infect a cleaned disk...
flu-shot may detect it, but by the time you run it
the BUG is already in memory and running....


If you find a better way to KILL it then please POST!!
(and send me mail...)

-- 
Andrew Lindh, a student at the University of Hartford -- Computer Science
West Hartford, CT -- School Switchboard (203) 243-4100 -- ask for Math/CS
BITNET:    LINDH@HARTFORD.bitnet   INTERNET:  maybe later....
UUCP:      lindh@evecs.uucp   also   lindh@uhasun.uucp  (and root@evecs.uucp)
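
The check described in the post above (search every sector for the quoted bytes, then see whether the FAT marks that cluster as bad), as an added example that is not part of the original thread. It assumes a raw FAT12 floppy image with an intact BIOS parameter block; `scan_image`, `fat12_entry` and `make_sample_image` are hypothetical names, and the sample image is constructed and contains no virus code beyond the 8 quoted bytes.

```python
import struct

SIGNATURE = bytes.fromhex("FF06F37D8B1EF37D")  # bytes quoted in the post
FAT12_BAD = 0xFF7                              # FAT12 marker for a bad cluster

def fat12_entry(fat, n):
    """Return the 12-bit FAT entry for cluster n."""
    off = n * 3 // 2
    val = fat[off] | (fat[off + 1] << 8)
    return val >> 4 if n & 1 else val & 0xFFF

def scan_image(img):
    """Find every sector holding SIGNATURE and report its FAT status.

    Returns a list of (sector, cluster, marked_bad); cluster is None for
    hits in the boot sector, FAT or root directory area.
    """
    # BIOS parameter block fields start at offset 11 of the boot sector
    bps, spc, reserved, nfats, root_ents, _total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", img, 11)
    fat = img[reserved * bps:(reserved + spf) * bps]
    root_secs = (root_ents * 32 + bps - 1) // bps
    first_data = reserved + nfats * spf + root_secs
    hits, pos = [], img.find(SIGNATURE)
    while pos != -1:
        sector = pos // bps
        if sector < first_data:
            hits.append((sector, None, False))
        else:
            cluster = (sector - first_data) // spc + 2
            bad = fat12_entry(fat, cluster) == FAT12_BAD
            hits.append((sector, cluster, bad))
        pos = img.find(SIGNATURE, pos + 1)
    return hits

def make_sample_image():
    """Constructed 360K-style FAT12 image: 512-byte sectors, 2 per cluster."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    img[512:515] = b"\xFD\xFF\xFF"       # reserved FAT entries 0 and 1
    img[512 + 7] |= 0x70                 # cluster 5 (odd entry) = 0xFF7
    img[512 + 8] = 0xFF
    img[18 * 512 + 0x40:18 * 512 + 0x48] = SIGNATURE  # cluster 5, marked bad
    img[26 * 512 + 0x10:26 * 512 + 0x18] = SIGNATURE  # cluster 9, not marked
    return bytes(img)

if __name__ == "__main__":
    for sector, cluster, bad in scan_image(make_sample_image()):
        print(f"sector {sector} cluster {cluster} marked_bad={bad}")
```

Only a hit whose cluster is also marked bad matches both conditions given in the post; the second hit in the sample shows a signature match without the FAT marking.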

hollen@eta.megatek.uucp (Dion Hollenbeck) (05/09/89)

From article <294@evecs.UUCP>, by root@evecs.UUCP (- Admin):
> I do not know if this is really a NEW virus, but this campus
> is now in the middle of a large infection.
> 
> The virus is not destructive UNLESS the disk it is trying to infect
> is full (it needs one cluster -- 1024 bytes)
> 
> HERE IS WHAT IT DOES:
> At some time a single character will start bouncing around the screen
> but you can still continue to do whatever you want.
> 
Thanks for the info, but does anyone know how this virus originally
was spread?


	Dion Hollenbeck             (619) 455-5590 x2814
	Megatek Corporation, 9645 Scranton Road, San Diego, CA  92121

                                seismo!s3sun!megatek!hollen
                                ames!scubed/

root@evecs.UUCP (Andrew Lindh ) (05/09/89)

One more way to protect yourself from the virus:
IT WILL NOT WRITE ON A WRITE-PROTECTED DISK.
(but then you have the same problem)

I have been informed that this "Ping-Pong" virus
is also called "The Italian Virus"


PLEASE NOTE:
I will NOT send you a copy of the virus!
       ===

For some more info about any virus call:
The Computer Virus Industry Assoc.
(408) 727-4559

-- 
Andrew Lindh, a student at the University of Hartford -- Computer Science
West Hartford, CT -- School Switchboard (203) 243-4100 -- ask for Math/CS
BITNET:    LINDH@HARTFORD.bitnet   INTERNET:  maybe later....
UUCP:      lindh@evecs.uucp   also   lindh@uhasun.uucp  (and root@evecs.uucp)

root@evecs.UUCP (Andrew Lindh ) (05/10/89)

All you have to do is use SYS from a clean disk,
but if it will not work then you must use NDD (Norton Disk Doctor)

BUT....it still leaves a BAD Cluster (2 sectors = 1024 bytes = 1K)

You can use a FAT editor to change it.


-- 
Andrew Lindh, a student at the University of Hartford -- Computer Science
West Hartford, CT -- School Switchboard (203) 243-4100 -- ask for Math/CS
BITNET:    LINDH@HARTFORD.bitnet   INTERNET:  maybe later....
UUCP:      lindh@evecs.uucp   also   lindh@uhasun.uucp  (and root@evecs.uucp)

hollen@eta.megatek.uucp (Dion Hollenbeck) (05/11/89)

From article <296@evecs.UUCP>, by root@evecs.UUCP (Andrew Lindh ):
> One more way to protect yourself from the virus:
> IT WILL NOT WRITE ON A WRITE-PROTECTED DISK.
> (but then you have the same problem)
> I have been informed that this "Ping-Pong" virus
> is also called "The Italian Virus"


Once again, HOW is this virus spread?  What programs may it come in
with?  If you don't know exactly, how about a list of possibilities?
Telling us all about a virus is very wonderful but knowing how it
is spread can help it to be avoided, rather than looking for symptoms
of infection and then trying to purge it from the system.  Don't get
me wrong, I really appreciate all the information so far, but I feel
that the infection vector is the most important, and it has not been
yet characterized.

	Dion Hollenbeck             (619) 455-5590 x2814
	Megatek Corporation, 9645 Scranton Road, San Diego, CA  92121

                                seismo!s3sun!megatek!hollen
                                ames!scubed/