U00254@HASARA5.BITNET ("Jacqueline Cote") (02/29/88)
Warning!!!!!!!!! A new Amiga virus has been detected warning!!!!!

The Virus is located on the bootblock (blocks 0&1) and will result (sometimes) in your screen going blank and your computer frozen up. It is NOT detected by SCA virus killing programs NOR by Vcheck1.2. The ONLY program capable of detection is Vcheck1.9. It will report a non-standard bootblock.

The message on block 0 is:
> Virus by Byte Bandit in 9.87. Number of copies
and on block 1:
trackdisk.device.dos.library
the rest is gibberish.

Install will kill the virus, that also copies itself to datadisks.

Good luck!

Jacqueline Cote
shimoda@rmi.UUCP (Markus Schmidt) (03/07/88)
Just a little more info about the BiteBandit Virus. Be careful, after a reasonable number of copies it starts to kill some data on the inserted disks. A friend of mine lost some important disks through this.

Markus (shimoda@rmi.uucp)
pl@tut.fi (Pertti Lehtinen) (03/11/88)
From article <907@rmi.UUCP>, by shimoda@rmi.UUCP (Markus Schmidt):
>
> Just a little more info about the BiteBandit Virus.
> Be careful, after a reasonable number of copies it
> starts to kill some data on the inserted disks.
> A friend of mine lost some important disks through
> this
>

I also have a disk infected by this one. Interesting is that it infects every writable disk inserted in machine. I have some difficulties to destroy it, because "install" doesn't for some reason wipe it.

Vcheck1.9 sees it as nonstandard boot sector and it is very easy to spot, as text "Virus by bytebandit" is written at beginning.

Pertti Lehtinen
pl@tut.fi

--
pl@tut.fi          ! All opinions expressed above
Pertti Lehtinen    ! are preliminary and in subject
N 61 26' E 23 50'  ! to change without any further notice.
haitex@pnet01.cts.com (Wade Bickel) (03/14/88)
pl@tut.fi (Pertti Lehtinen) writes:
>From article <907@rmi.UUCP>, by shimoda@rmi.UUCP (Markus Schmidt):
>>
>> Just a little more info about the BiteBandit Virus.
>> Be careful, after a reasonable number of copies it
>> starts to kill some data on the inserted disks.
>
> I also have a disk infected by this one.
> Interesting is that it infects every writable disk
> inserted in machine. I have some difficulties to destroy
> it, because "install" doesn't for some reason wipe it.
>
> Vcheck1.9 sees it as nonstandard boot sector and it
> is very easy to spot, as text "Virus by bytebandit"

THIS COULD BECOME VERY UGLY IF WE DON'T STOP THIS ONE NOW! At least if it works the way I suspect. The following test sequence will confirm or deny my suspicions.

1) Install an infected disk, and reboot. Is it now reinfected?

2) Do the same, only cold start. Still there?

3) Make a bootable test disk and make sure it is virus free. Copy the boot track from the infected disk to it (I hope you have a way to do this) and boot the disk. Then retry step 1. Same results?

If you can check this out I'd be interested in the results. If my suspicions are correct I'll suggest a cure (you won't like it though), otherwise I'd rather not go into details.

Thanks,
Wade.

PS: The install in step 3 must be done on a clean system. Make sure the system is still clean afterwards.

UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!haitex
ARPA: crash!pnet01!haitex@nosc.mil
INET: haitex@pnet01.CTS.COM
shimoda@rmi.UUCP (Markus Schmidt) (03/15/88)
Hi!

I can't try the test Wade suggested since I don't (or better: don't know that I) have the virus. The friend of mine who lost the disk through it told me that it would spread through the diskchange, when you insert a disk and the drive activates. Not nice if it works this way.

He is now using the following method: Use a nonstandard bootblock (like one with an into) and copy it to all disks. After some days you get used to it, seeing this when you boot, and recognize at once that the bootblock has changed.

C u
Markus (shimoda@rmi.UUCP)
hrlaser@pnet02.cts.com (Harv Laser) (03/15/88)
Cross posted from the AmigaZone (on PeopleLink) this is one man's experience with the Byte Bandit virus. Me, I've never seen the thing myself, only the SCA variety. I've got a ring of garlic cloves around my hard drive for now.....

--------------------------[begin cross post]-------------------------

February 29, 1987

Just got the Byte Bandit Virus from a commercial disk, straight out of the box. This is one nasty virus so I thought I would put up some of the features of this virus that maybe you don't already know about. (Someone posted a notice about 3 weeks ago about this one, but it was rather vague)

1. This virus seems to cause a total system crash within 10 minutes, EVERY TIME.

2. IT IS NOT NECESSARY TO BOOT FROM A DISK, FOR THAT DISK TO BECOME INFECTED! That is, ANY write enabled disk will become infected as soon as it is inserted into ANY drive. That's right, just inserting a write enabled disk in df1: will cause that disk to become infected!!!!

3. The virus, once in the computer, will survive a warm boot and will still infect disks upon boot up.

4. VCheck1.2 will not detect infected disks.

5. VCheck1.2 will not detect infected computers.

6. If your machine is infected then re-installing an infected disk WILL NOT cure it because as soon as it is installed (Healed) it will be RE-INFECTED.

7. VirusX will recognize non-standard boot blocks such as the Byte Bandit virus BUT NOT ALWAYS. If your machine is already infected and you put an infected disk in any drive and that infected disk is write-enabled, VirusX will NOT detect it!!! Otherwise VirusX will recognize it as a non-standard boot block.

8. Don't worry, the only way for your computer to become infected is to BOOT from an infected disk. A clean machine WILL NOT become infected if an infected disk is inserted in a drive.

9. There is a very complicated countdown mechanism within the virus that keeps track of how a particular disk became infected.

The counter seems to be placing new digits or letters within a few bytes of the DOS header. I experimented with lots of disks by letting them become infected and then looking at this area with a sector editor. There are at least 2 kinds of counters. One is what I call first degree infection, that is infection through rebooting the infected machine with a clean disk that is write-enabled. Note that this disk need not be bootable originally, but will become bootable once it is infected. The second counter (or way of counting) is for what I call second degree infections. These are disks that become infected by inserting them into a drive of an infected machine while the machine is running. At one point I kept inserting blank unformatted disks in df1: so that they would become infected and saw a "counter" go down from "kp" down to "ke" in sequence for each additional disk that was infected. There is a lot of code further down the pages of the sector editor and I would hate to think what might happen when a certain value is reached.

I see this virus as being much more potent and contagious than the SCA virus. This one was created to be destructive, and can be IF we are not careful. A program like VirusX 1.01 that will detect non standard boot blocks is helpful, but not infallible. I usually run my system from a recoverable ram disk that contains my entire workbench disk. Everything is assigned to the ram disk so that I don't need my workbench disk in any drive. I feel relatively safe so long as I know that my boot disk is clean. VirusX caught that commercial disk as soon as I inserted it in df1:, I became suspicious and checked it out. So long as a program can be run from my workbench then I would feel safe. If it becomes necessary to boot from another disk then it would be wise to either know that the boot disk is clean or power down after using. If you have to write to other disks then always be sure that they have not become infected.

Hope this helps.

Dave Crane
OHS080

March 4, 1988

This file is to be read in conjunction with NewVirus.txt of Feb 29, 1988

Here's some more info on the new Byte Bandit virus. As I told you before, I received this virus on a commercial disk, straight out of the box, direct from the manufacturer.

Virus caused crashes.

In my last note I stated that the virus causes the Amiga to crash within 10 minutes every time. This is not quite true. A newly infected machine will NOT crash period. (as far as I can tell. Future generations of the self replicated virus as it is passed onto other disks may act differently)

From the tests I have performed with this virus it would seem that an infected machine will not crash UNTIL the virus has replicated itself TWICE by FIRST DEGREE INFECTION. (I call first degree infection the infection of another disk by re-booting an infected machine with a write-enabled boot disk. The boot disk receives a first degree infection) After the second disk has been infected the machine will run for about 5 minutes 30 seconds before crashing with a solid blue screen. I have reproduced this effect many times with different generations of the virus.

The virus may be passed on many times by second degree infection, without any effect on the source computer. Second degree infection is infection by inserting ANY WRITE-ENABLED DISK into ANY DRIVE of an infected machine WHILE it is already running. The inserted disk will receive second degree infection.

Again I would like to say that the only way for a clean machine to become infected is for that machine to be booted from an infected disk. Merely inserting an infected disk into a drive will NOT infect the machine.

Dave Crane
OHS080

-------------------------[end cross post]------------------------------

Harv Laser, Sysop, the People/Link AmigaZone.
Plink ID: CBM*HARV
UUCP: {ihnp4!scgvaxd!cadovax, rutgers!marque}!gryphon!pnet02!hrlaser
INET: hrlaser@pnet02.cts.com
"The man in the crowd with the multicolored mirrors on his hobnail boots"
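
The checks discussed in this thread (reporting a non-standard boot block, spotting readable text in it, and noticing that a known boot block has changed) can be combined in one offline checker. The following is an added example, not code from any poster or from Vcheck or VirusX. It assumes the first 1024 bytes of a raw disk image are available, and the function names and both sample blocks are constructed for illustration.

```python
import hashlib
import re
import struct

BOOTBLOCK_SIZE = 1024  # blocks 0 and 1 of the disk, 512 bytes each


def bootblock_checksum(block):
    """Value AmigaDOS expects at offset 4: complement of the end-around-carry
    sum of the 256 big-endian longwords, taken with the field itself zeroed."""
    data = block[:4] + bytes(4) + block[8:BOOTBLOCK_SIZE]
    total = 0
    for (word,) in struct.iter_unpack(">I", data):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF


def inspect_bootblock(block, baseline_sha256=None):
    """Report what a boot-block checker would flag for one disk image."""
    if len(block) < BOOTBLOCK_SIZE:
        raise ValueError("need the first 1024 bytes of the disk image")
    block = bytes(block[:BOOTBLOCK_SIZE])
    stored = struct.unpack_from(">I", block, 4)[0]
    digest = hashlib.sha256(block).hexdigest()
    text = re.findall(rb"[\x20-\x7e]{6,}", block[12:])  # skip 12-byte header
    return {
        "dos_signature": block[:3] == b"DOS",
        "bootable": stored == bootblock_checksum(block),  # data disks fail this
        "has_boot_code": any(block[12:]),
        "strings": [t.decode("ascii") for t in text],
        "sha256": digest,
        "changed": baseline_sha256 is not None and digest != baseline_sha256,
    }


def make_block(payload):
    """Constructed test data only: DOS header plus payload, checksum fixed up."""
    block = bytearray(b"DOS\x00" + bytes(4) + struct.pack(">I", 880) + payload)
    block.extend(bytes(BOOTBLOCK_SIZE - len(block)))
    struct.pack_into(">I", block, 4, bootblock_checksum(bytes(block)))
    return bytes(block)


# Constructed samples (no real boot code): a blank data disk, and a block that
# carries only the text strings quoted in the thread.
CLEAN_DATA_DISK = b"DOS\x00" + bytes(1020)
SUSPECT = make_block(bytes(4) + b"Virus by Byte Bandit in 9.87. Number of copies"
                     + bytes(500) + b"trackdisk.device\x00dos.library")
```

A data disk that reports `bootable` and `has_boot_code` after previously reporting neither matches the cross post's observation that a disk "will become bootable once it is infected"; such a check is only trustworthy when run on a machine booted from a known-clean disk.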