U00254@HASARA5.BITNET ("Jacqueline Cote") (02/29/88)
Warning!!!!!!!!! A new Amiga virus has been detected warning!!!!!
The Virus is located on the bootblock (blocks 0&1) and will
result (sometimes) in your screen going blank and your computer
frozen up. It is NOT detected by SCA virus killing programs NOR
by Vcheck1.2. The ONLY program capable of detection is Vcheck1.9.
It will report a non-standard bootblock. The message on
block 0 is: > Virus by Byte Bandit in 9.87. Number of copies
and on block 1: trackdisk.device.dos.library
The rest is gibberish.
Install will kill the virus, which also copies itself to data disks.
Good luck!
Jacqueline Cote
shimoda@rmi.UUCP (Markus Schmidt) (03/07/88)
Just a little more info about the BiteBandit Virus. Be careful, after a reasonable number of copies it starts to kill some data on the inserted disks. A friend of mine lost some important disks through this.

Markus (shimoda@rmi.uucp)
pl@tut.fi (Pertti Lehtinen) (03/11/88)
From article <907@rmi.UUCP>, by shimoda@rmi.UUCP (Markus Schmidt):
>
> Just a little more info about the BiteBandit Virus.
> Be careful, after a reasonable number of copies it
> starts to kill some data on the inserted disks.
> A friend of mine lost some important disks through
> this
>

I also have a disk infected by this one. Interesting is that it infects every writable disk inserted in machine. I have some difficulties to destroy it, because "install" doesn't for some reason wipe it.

Vcheck1.9 sees it as nonstandard boot sector and it is very easy to spot, as text "Virus by bytebandit" is written at beginning.

Pertti Lehtinen pl@tut.fi
--
pl@tut.fi          ! All opinions expressed above
Pertti Lehtinen    ! are preliminary and in subject
N 61 26' E 23 50'  ! to change without any further notice.
haitex@pnet01.cts.com (Wade Bickel) (03/14/88)
pl@tut.fi (Pertti Lehtinen) writes:
>From article <907@rmi.UUCP>, by shimoda@rmi.UUCP (Markus Schmidt):
>>
>> Just a little more info about the BiteBandit Virus.
>> Be careful, after a reasonable number of copies it
>> starts to kill some data on the inserted disks.
>
> I also have a disk infected by this one.
> Interesting is that it infects every writable disk
> inserted in machine. I have some difficulties to destroy
> it, because "install" doesn't for some reason wipe it.
>
> Vcheck1.9 sees it as nonstandard boot sector and it
> is very easy to spot, as text "Virus by bytebandit"

THIS COULD BECOME VERY UGLY IF WE DON'T STOP THIS ONE NOW! At least if it works the way I suspect. The following test sequence will confirm or deny my suspicions.

1) Install an infected disk, and reboot. Is it now reinfected?
2) Do the same, only cold start. Still there?
3) Make a bootable test disk and make sure it is virus free. Copy the boot track from the infected disk to it (I hope you have a way to do this) and boot the disk. Then retry step 1. Same results?

If you can check this out I'd be interested in the results. If my suspicions are correct I'll suggest a cure (you won't like it though), otherwise I'd rather not go into details.

Thanks, Wade.

PS: The install in step 3 must be done on a clean system. Make sure the system is still clean afterwards.

UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!haitex
ARPA: crash!pnet01!haitex@nosc.mil
INET: haitex@pnet01.CTS.COM
shimoda@rmi.UUCP (Markus Schmidt) (03/15/88)
Hi!

I can't try the test Wade suggested since I don't (or better: don't know that I) have the virus. The friend of mine who lost the disk through it told me that it would spread through the diskchange, when you insert a disk and the drive activates. Not nice if it works this way.

He is now using the following method: Use a nonstandard bootblock (like one with an intro) and copy it to all disks. After some days you get used to it, seeing this when you boot and recognize at once that the bootblock has changed.

C u
Markus (shimoda@rmi.UUCP)
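
Added example (not part of the original thread, and not how Vcheck or VirusX work internally): a Python sketch of the checks the posts describe, namely the marker text near the start of the bootblock and the compare-against-a-known-bootblock habit from the post above, run over the first 1024 bytes of a disk image. The function names, the marker list and the sample bootblocks are constructed for illustration; the checksum rule is the usual Amiga bootblock one (longwords summed with carry must give 0xFFFFFFFF).

```python
import hashlib
import struct

BOOTBLOCK_SIZE = 1024  # blocks 0 and 1, 512 bytes each
# Text the posts report in infected bootblocks, matched case-insensitively
# because the posters spell it differently. The second string is only a weak
# hint: other custom boot code can name trackdisk.device too.
MARKERS = (b"virus by byte", b"trackdisk.device")

def carry_sum(bb):
    """Sum big-endian longwords, adding each overflow back in as a carry."""
    total = 0
    for (longword,) in struct.iter_unpack(">I", bb):
        total += longword
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total

def inspect_bootblock(image, baseline_sha256=None):
    """Report on the first 1024 bytes of a disk image (e.g. an ADF file)."""
    bb = image[:BOOTBLOCK_SIZE]
    full = len(bb) == BOOTBLOCK_SIZE
    digest = hashlib.sha256(bb).hexdigest()
    return {
        "dos_header": bb[:3] == b"DOS",
        # A bootblock the Amiga will execute sums to 0xFFFFFFFF. On a disk
        # that was never meant to boot, this flag alone deserves a look.
        "bootable": full and bb[:3] == b"DOS" and carry_sum(bb) == 0xFFFFFFFF,
        "markers": [m.decode() for m in MARKERS if m in bb.lower()],
        # The baseline habit, automated: compare against a bootblock you trust.
        "changed": baseline_sha256 is not None and digest != baseline_sha256,
        "sha256": digest,
    }

def make_sample(text=b""):
    """Constructed test input: DOS header, valid checksum, inert text bytes."""
    bb = bytearray(BOOTBLOCK_SIZE)
    bb[0:4] = b"DOS\0"
    bb[12:12 + len(text)] = text
    bb[4:8] = struct.pack(">I", ~carry_sum(bb) & 0xFFFFFFFF)
    return bytes(bb)

if __name__ == "__main__":
    clean = make_sample()
    tagged = make_sample(b"Virus by Byte Bandit in 9.87")
    baseline = inspect_bootblock(clean)["sha256"]
    for name, image in (("clean", clean), ("tagged", tagged)):
        print(name, inspect_bootblock(image, baseline))
```

The baseline hash has to be taken on a machine booted from a known-clean disk, since the thread reports that checks run on an already infected machine can miss the infection.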
hrlaser@pnet02.cts.com (Harv Laser) (03/15/88)
Cross posted from the AmigaZone (on PeopleLink) this is one man's
experience with the Byte Bandit virus. Me, I've never seen the thing
myself, only the SCA variety. I've got a ring of garlic cloves around
my hard drive for now.....
--------------------------[begin cross post]-------------------------
February 29, 1987
Just got the Byte Bandit Virus from a commercial disk, straight out of the
box.
This is one nasty virus so I thought I would put up some of the features of
this virus that maybe you don't already know about. (Someone posted a notice
about 3 weeks ago about this one, but it was rather vague)
1. This virus seems to cause a total system crash within 10 minutes, EVERY
TIME.
2. IT IS NOT NECESSARY TO BOOT FROM A DISK, FOR THAT DISK TO BECOME INFECTED!
That is, ANY write enabled disk will become infected as soon as it is
inserted into ANY drive. That's right, just inserting a write enabled
disk in df1: will cause that disk to become infected!!!!
3. The virus, once in the computer, will survive a warm boot and will still
infect disks upon boot up.
4. VCheck1.2 will not detect infected disks.
5. VCheck1.2 will not detect infected computers.
6. If your machine is infected then re-installing an infected disk WILL NOT
cure it because as soon as it is installed (Healed) it will be RE-INFECTED.
7. VirusX will recognize non-standard boot blocks such as the Byte Bandit
virus BUT NOT ALWAYS. If your machine is already infected and you put an
infected disk in any drive and that infected disk is write-enabled, VirusX
will NOT detect it!!! Otherwise VirusX will recognize it as a non-standard
boot block.
8. Don't worry, the only way for your computer to become infected is to BOOT
from an infected disk. A clean machine WILL NOT become infected if an
infected disk is inserted in a drive.
9. There is a very complicated countdown mechanism within the virus that keeps
track of how a particular disk became infected. The counter seems to be
placing new digits or letters within a few bytes of the DOS header. I
experimented with lots of disks by letting them become infected and then
looking at this area with a sector editor. There are at least 2 kinds of
counters. One is what I call first degree infection, that is infection
through rebooting the infected machine with a clean disk that is write-
enabled. Note that this disk need not be bootable originally, but will
become bootable once it is infected. The second counter (or way of counting)
is for what I call second degree infections. These are disks that become
infected by inserting them into a drive of an infected machine while the
machine is running. At one point I kept inserting blank unformatted disks
in df1: so that they would become infected and saw a "counter" go down
from "kp" down to "ke" in sequence for each additional disk that was
infected. There is a lot of code further down the pages of the sector editor
and I would hate to think what might happen when a certain value is
reached.
I see this virus as being much more potent and contagious than the SCA virus.
This one was created to be destructive, and can be IF we are not careful.
A program like VirusX 1.01 that will detect non standard boot blocks is
helpful, but not infallible. I usually run my system from a recoverable
ram disk that contains my entire workbench disk. Every thing is assigned
to the ram disk so that I don't need my workbench disk in any drive. I feel
relatively safe so long as I know that my boot disk is clean. VirusX caught
that commercial disk as soon as I inserted it in df1:, I became suspicious
and checked it out. So long as a program can be run from my workbench then
I would feel safe. If it becomes necessary to boot from another disk then
it would be wise to either know that the boot disk is clean or power down
after using. If you have to write to other disks then always be sure that
they have not become infected.
Hope this helps.
Dave Crane
OHS080
March 4, 1988
This file is to be read in conjunction with NewVirus.txt of Feb 29, 1988
Here's some more info on the new Byte Bandit virus. As I told you before,
I received this virus on a commercial disk, straight out of the box, direct
from the manufacturer.
Virus caused crashes.
In my last note I stated that the virus causes the Amiga to crash
within 10 minutes every time. This is not quite true. A newly infected
machine will NOT crash period. (as far as I can tell. Future generations
of the self replicated virus as it is passed onto other disks may act
differently) From the tests I have performed with this virus it would seem
that an infected machine will not crash UNTIL the virus has replicated
itself TWICE by FIRST DEGREE INFECTION.(I call first degree infection the
infection of another disk by re-booting an infected machine with a
write-enabled boot disk. The boot disk receives a first degree infection)
After the second disk has been infected the machine will run for about 5
minutes 30 seconds before crashing with a solid blue screen. I have
reproduced this effect many times with different generations of the virus.
The virus may be passed on many times by second degree infection,
without any effect on the source computer. Second degree infection is
infection by inserting ANY WRITE-ENABLED DISK into ANY DRIVE of an infected
machine WHILE it is already running. The inserted disk will receive second
degree infection.
Again I would like to say that the only way for a clean machine to
become infected is for that machine to be booted from an infected disk.
Merely inserting an infected disk into a drive will NOT infect the machine.
Dave Crane
OHS080
-------------------------[end cross post]------------------------------
Harv Laser, Sysop, the People/Link AmigaZone. Plink ID: CBM*HARV
UUCP: {ihnp4!scgvaxd!cadovax, rutgers!marque}!gryphon!pnet02!hrlaser
INET: hrlaser@pnet02.cts.com
"The man in the crowd with the multicolored mirrors on his hobnail boots"