[comp.sys.amiga] Virus Author comes forward!!!

bill@cbmvax.UUCP (Bill Koester CATS) (12/24/87)

	The following is a letter I received from the supposed author of
the SCA virus! I thought some of you might find it interesting. 
----------------------------------------------------------------------------
SCA Virus Technical Support
Switzerland / Europe


Bill Koester (CATS)
C.B.M.
1200 Wilson Drive
West Chester PA 19380


SCA's Amiga Virus Protector - the ultimate cure!

Dear Mr Koester,

   Some days ago I read your Article from October 27 on usenet, in which you
are searching for Virus-infected disks.
   I'm the author of the Virus (!), and I think I should tell you some info
about it. It was intended to be a really harmless Virus, which doesn't kill
any software! I programmed it because a friend (also a programmer) told me it 
was impossible to make a virus on the Amiga. I didn't believe this and as you
can see it's not very difficult to make a virus. I put it on some disks
(with "pirate software" on them), but I never thought the virus would be
spread all over the world within 3 months!

   There's only one problem: The number of programs which use the boot-block
of the disk, and as a result of this are killed by the Virus, is getting
higher and higher! So I decided to create the Official SCA Virus Protector !!
With this program you can protect all your disks against the virus, that
means the virus will never copy itself on a protected disk! I think if all
the software houses and public-domain-copy-services use it, the problem
can be solved. You can find the Virus Protector on the disk I enclosed. It
is public domain, so you can give it to anyone you want! (Perhaps it will be 
on Workbench 1.3 or on a Fred Fish disk soon??!!) I think the program is
easy to use, as it has built-in instructions.

Some features of the Virus-Protector V1.0:

. Examine a disk (shows whether a disk is infected and, if it is, displays
the generation of the virus, that's how many times the virus copied itself
before it came to your disk)

. Kill Virus (like the CLI Install command, use this to heal infected disks)

. Protect a disk (to protect all disks which are not infected. Works with
all programs currently on the market!)

   As you probably know, the virus will be deactivated if you press the left
mouse-button while resetting the computer (the screen will turn green for
some seconds).


   I hope the Virus Protector can help you solve the problems my virus caused.
If you want more infos (or source-codes) just place a message on the Usenet.
(I don't know whether it would be wise if I gave you my right address...)


					Sincerely

					SCA
PS: Excuse my bad English, but here in Switzerland we speak German!
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester -- CBM  >>Amiga Technical Support<<
                     UUCP  ...{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill 
		     PHONE  (215) 431-9355
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	      Pleese desrigard eny spealing airors!!!!!!!!!!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

bill@cbmvax.UUCP (Bill Koester CATS) (12/24/87)

In article <3007@cbmvax.UUCP> bill@cbmvax.UUCP (Bill Koester CATS) writes:
>
>	The following is a letter I received from the supposed author of
>the SCA virus! I thought some of you might find it interesting. 
>----------------------------------------------------------------------------
>SCA Virus Technical Support
>Switzerland / Europe
>
>
>Bill Koester (CATS)
>C.B.M.
>1200 Wilson Drive
>West Chester PA 19380
>
>
>SCA's Amiga Virus Protector - the ultimate cure!
>
>Dear Mr Koester,
>
>   Some days ago I read your Article from October 27 on usenet, in which you
>are searching for Virus-infected disks.

This is still true!! If anyone finds what they think is a new virus PLEASE
send me a copy at this address:
			Bill Koester (CATS)
			Commodore International Ltd.
			1200 Wilson Drive
			West Chester, PA 19380

>   I'm the author of the Virus (!), and I think I should tell you some info
>about it. It was intended to be a really harmless Virus, which doesn't kill
>any software! I programmed it because a friend (also a programmer) told me it 
>was impossible to make a virus on the Amiga. I didn't believe this and as you
>can see it's not very difficult to make a virus. I put it on some disks
>(with "pirate software" on them), but I never thought the virus would be
>spread all over the world within 3 months!
>
>   There's only one problem: The number of programs which use the boot-block
>of the disk, and as a result of this are killed by the Virus, is getting
>higher and higher! So I decided to create the Official SCA Virus Protector !!
>With this program you can protect all your disks against the virus, that
>means the virus will never copy itself on a protected disk! I think if all

I have already tested this program against the new virus. The SCA virus
protector will NOT find or protect against the new strain of virus!!

>the software houses and public-domain-copy-services use it, the problem
>can be solved. You can find the Virus Protector on the disk I enclosed. It
>is public domain, so you can give it to anyone you want! (Perhaps it will be 

Do you really expect me to distribute a program written by the author of
the virus? Get real! If I had source I might think about it, but no 
promises. My phone number is (215) 431-9355, Let's Rap!

>on Workbench 1.3 or on a Fred Fish disk soon??!!) I think the program is
        ^                  
	Ha!!!!
    
>easy to use, as it has built-in instructions.
>
>Some features of the Virus-Protector V1.0:
>
>. Examine a disk (shows whether a disk is infected and, if it is, displays
>the generation of the virus, that's how many times the virus copied itself
>before it came to your disk)
>
>. Kill Virus (like the CLI Install command, use this to heal infected disks)
>
>. Protect a disk (to protect all disks which are not infected. Works with
>all programs currently on the market!)

But does NOT work for the new strain of virus!!

>
>   As you probably know, the virus will be deactivated if you press the left
>mouse-button while resetting the computer (the screen will turn green for
>some seconds).
>
>
>   I hope the Virus Protector can help you solve the problems my virus caused.
>If you want more infos (or source-codes) just place a message on the Usenet.

Well, here is my message. I might consider using or modifying your program
but only if I have source. You know how to reach me. Why not prove your
good intentions and send me source for both the virus protector and the
virus?

>(I don't know whether it would be wise if I gave you my right address...)

Why, do you think I would post it to usenet?????

>
>
>					Sincerely
>
>					SCA
>PS: Excuse my bad English, but here in Switzerland we speak German!


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester -- CBM  >>Amiga Technical Support<<
                     UUCP  ...{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill 
		     PHONE  (215) 431-9355
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	      Pleese desrigard eny spealing airors!!!!!!!!!!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

ejkst@cisunx.UUCP (Eric J. Kennedy) (12/26/87)

In article <3008@cbmvax.UUCP>, bill@cbmvax.UUCP (Bill Koester CATS) writes:
> In article <3007@cbmvax.UUCP> bill@cbmvax.UUCP (Bill Koester CATS) writes:

...Long message and responses deleted...

> >   I hope the Virus Protector can help you solve the problems my virus caused.
> >If you want more infos (or source-codes) just place a message on the Usenet.
> 
> Well, here is my message. I might consider using or modifying your program
> but only if I have source. You know how to reach me. Why not prove your
> good intentions and send me source for both the virus protector and the
> virus?

NO, PLEASE!  Maybe the author claims it wasn't hard, but I'll bet that
there are a lot of malicious people who know enough to modify the virus
to do something destructive, but not enough to write it themselves.
Please keep the source to yourself.  I'll sleep better at night.

> >					Sincerely

> >					SCA
> Bill Koester -- CBM  >>Amiga Technical Support<<

(No, Bill, I'm not flaming you.  In fact it might be a good idea for
CATS to get ahold of the source.  I just don't want it public. )

Eric Kennedy

hansb@ariel.unm.edu (Hans Bechtel) (12/27/87)

CONGRATULATIONS!!!

I have just come across my FIRST experience with the virus today!

Even here in Albuquerque, NM  we are not safe!

Luckily, I ALWAYS keep my disks write-protected, (bootable),
and I was able to track it down to the very disk where it came from
in the bunch that I have.  I had only used 4 disks that day, so
I just installed them all!

I guess that not all people have had such an easy experience as
I have.

Could everybody that has been afflicted by the virus send me
email, so I can post a summary of how many people have been
afflicted, and also send me your city and state where you
live so I can post the vicinity of where the virus is
most prominent?  Thanks, and have an excellent holiday!

Hans Bechtel

"we are the three amigas!"
                      ---

ans@well.UUCP (Anne Schweizer) (12/27/87)

NEW VIRUS
---------

There is a new Virus around, coming from Germany, I suppose.
It arrived here in Switzerland recently. This Virus can't be thrown
out of your Amiga by holding the mouse buttons down while booting;
you have to switch off your Amiga! And this virus isn't harmless
anymore! It trashes your disk while reading files!!!

  -Anne.

Doug_B_Erdely@cup.portal.com (12/28/87)

Where did the virus come from?
And *WHO* is the gent responsible for it??
- Doug -
Douglas_B_Erdely@sun.cup.portal.com

bill@cbmvax.UUCP (Bill Koester CATS) (12/28/87)

In article <6028@cisunx.UUCP> ejkst@cisunx.UUCP (Eric J. Kennedy) writes:
>In article <3008@cbmvax.UUCP>, bill@cbmvax.UUCP (Bill Koester CATS) writes:
>> In article <3007@cbmvax.UUCP> bill@cbmvax.UUCP (Bill Koester CATS) writes:
>
>...Long message and responses deleted...
>
>NO, PLEASE!  Maybe the author claims it wasn't hard, but I'll bet that
>there are a lot of malicious people who know enough to modify the virus
>to do something destructive, but not enough to write it themselves.
>Please keep the source to yourself.  I'll sleep better at night.
>
>(No, Bill, I'm not flaming you.  In fact it might be a good idea for
>CATS to get ahold of the source.  I just don't want it public. )
>
>Eric Kennedy

Believe me if I get the source to the Virus it would not go any further
than my locked cabinet!! There is still only one copy of the disassembled
Virus and no one else has seen that either.


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester -- CBM  >>Amiga Technical Support<<
                     UUCP  ...{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill 
		     PHONE  (215) 431-9355
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	      Pleese desrigard eny spealing airors!!!!!!!!!!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

bill@cbmvax.UUCP (Bill Koester CATS) (12/29/87)

In article <2182@cup.portal.com> Doug_B_Erdely@cup.portal.com writes:
>Where did the virus come from?
>And *WHO* is the gent responsible for it??
>- Doug -
>Douglas_B_Erdely@sun.cup.portal.com

The Virus apparently came from Switzerland. The letter had "LUFTPOST
PAR AVION VIA AEREA". The author never gave a name or address but he
did say he was from Switzerland. Read the letter I posted and you will
know as much about him as I do.



-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester -- CBM  >>Amiga Technical Support<<
                     UUCP  ...{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill 
		     PHONE  (215) 431-9355
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	      Pleese desrigard eny spealing airors!!!!!!!!!!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

bill@cbmvax.UUCP (Bill Koester CATS) (12/29/87)

In article <2116@charon.unm.edu> hansb@ariel.UUCP (Hans Bechtel) writes:
>I have just come across my FIRST experience with the virus today!
>could everybody that has been afflicted by the virus send me
>email, so I can post a summary of how many people have been
>afflicted, and also send me your city and state where you
>live so I can post the vicinity of where the virus is
>most prominent?  Thanks, and have an excellent holiday!

YIKES! You could be in for a lot of email. If you do get a list I would
like to see it posted.
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester -- CBM  >>Amiga Technical Support<<
                     UUCP  ...{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill 
		     PHONE  (215) 431-9355
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
	      Pleese desrigard eny spealing airors!!!!!!!!!!!
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

cmcmanis%pepper@Sun.COM (Chuck McManis) (12/30/87)

In article <2116@charon.unm.edu> hansb@ariel.UUCP (Hans Bechtel) writes:
|>CONGRATULATIONS!!!
|>I have just come across my FIRST experience with the virus today!
	...
|>could everybody that has been afflicted by the virus send me
|>email, so I can post a summary of how many people have been
|>afflicted, and also send me your city and state where you
|>live so I can post the vicinity of where the virus is
|>most prominent? ...

Hans please don't post this stuff, all we need are some swiss swine 
swaggering over their 'accomplishments.' Realize that there are 
commercial programs that have been delayed and possibly even cancelled
because this virus wiped out backups and masters alike. About the only
use of the above information I could sanction would be to use it to
backtrack the source to the puppies who started it and then get the
president to ok saturation bombing of the area.

--Chuck McManis
uucp: {anywhere}!sun!cmcmanis   BIX: cmcmanis  ARPAnet: cmcmanis@sun.com
These opinions are my own and no one else's, but you knew that didn't you.

rouaix@inria.UUCP (Francois Rouaix) (12/30/87)

In article <4862@well.UUCP>, ans@well.UUCP (Anne Schweizer) writes:
> NEW VIRUS
> There is a new Virus around, coming from Germany, I suppose.
				^^^^
	Well, again!!!
FLAME ON
 I'm beginning to get tired with all this fuss about Viruses.
 The point is:
	1- You may be contaminated only by a bootable disk
	2- Commercial software are not contaminated when sealed under
		the original package...
	3- PD disks are generally not bootable, and the official ones are
		healthy.
I think I will leave the conclusion to your bright minds.
FLAME OFF
	
	If you got to the same conclusion that I draw, you will notice
	that indeed the pirates that originally wrote the Virus are 
	helping Software producers by making pirated copies unsafe.

	I wish we could stop this discussion about viruses.
	And finally, to CATS : DON'T DISTRIBUTE this so-called Virus Protector.



-- 

*- Francois Rouaix                 //       When the going gets tough,       *
*- rouaix@inria.inria.fr         \X/           the guru goes meditating...   *
*- SYSOP of Sgt. Flam's Lonely Amigas Club. (33) (1) 39-55-84-59 (Videotext) *

wtm@neoucom.UUCP (Bill Mayhew) (12/31/87)

<< some swiss swine swaggering >>
        ^^^^^

OK, my nerves are pretty raw over the virus, but I'd like to ask
that we try not to hurt the feelings of our friends all around the
world.

I doubt that Chuck was implying anything nasty about people from
Switzerland in general (I hope).  It just happens to be likely that
the particular swine (virus author) is from there.

It just goes to show that one must be very careful in constructing
one's phrases, lest they be misinterpreted (miscompiled??), as any
programmer is aware.

Good alliteration, though.  


Peace and happiness in the New Year,
--Bill


PS:  I don't have any vested interest in Switzerland, but the US has
enough image problems already we don't need to offend another
country.

mccarrol@topaz.rutgers.edu (<MC>) (01/01/88)

]FLAME ON
] I'm beginning to get tired with all this fuss about Viruses.
] The point is:
]	1- You may be contaminated only by a bootable disk
]	2- Commercial software are not contaminated when sealed under
]		the original package...
]	3- PD disks are generally not bootable, and the official ones are
]		healthy.
]I think I will leave the conclusion to your bright minds.
]FLAME OFF
]	
]	If you got to the same conclusion that I draw, you will notice
]	that indeed the pirates that originally wrote the Virus are 
]	helping Software producers by making pirated copies unsafe.
]
	You're VERY wrong. I just got screwed over by a virus. How? I
got fish disk#63, and a modified MicroEmacs 3.8i. We used my friend's
boot disk, and I was showing him some source code to one of my
programs on MY boot disk. I just lost 3 weeks worth of work to a 
virus, and I wasn't pirating ANYTHING. 

]	I wish we could stop this discussion about viruses.
]	And finally, to CATS : DON'T DISTRIBUTE this so-called Virus Protector.

	No, PLEASE distribute it. There are a LOT of innocent victims
of these rotten things.


]*- Francois Rouaix  

	<MC>
-- 
"It is a principle of the music/to repeat the theme |Mark C. Carroll
Repeat/and repeat again/as the pace mounts.  /------/Rutgers U CS Student
The theme/is difficult/but no more difficult |ARPA  :CARROLL@AIM.RUTGERS.EDU
than the facts to be/resolved"-WC Williams   |Usenet:mccarrol@topaz.rutgers.edu

lamb@thumper.bellcore.com (John W. Lamb) (01/01/88)

In article <597@inria.UUCP>, rouaix@inria.UUCP (Francois Rouaix) writes:
>  The point is:
> 	1- You may be contaminated only by a bootable disk
> 	2- Commercial software are not contaminated when sealed under
> 		the original package...
> 	3- PD disks are generally not bootable, and the official ones are
> 		healthy.
> I think I will leave the conclusion to your bright minds.
> 	
> 	If you got to the same conclusion that I draw, you will notice
> 	that indeed the pirates that originally wrote the Virus are 
> 	helping Software producers by making pirated copies unsafe.
> 
> 	And finally, to CATS : DON'T DISTRIBUTE this so-called Virus Protector.

Consider the following scenario:

Pirate A comes by infected disks in some less than honest manner.
The virus spreads throughout his collection and, before he discovers
it, he gives copies of infected public domain disks to non-pirate B.  
A has no idea that the disks are infected and B has no idea that A is 
a pirate.

All of a sudden, B discovers that some of his copy protected
software no longer works and finds out that his friends who received
copies of infected disks from him are having the same problem.  
Since A, B and the others share lots of PD software, it is impossible
to tell who started the problem.

Shall we then penalize B and his non-pirate friends by withholding
the virus protector from them?  I for one would rather see the virus 
protector in the hands of the pirates.  Thank you, CATS, for
the prompt development and distribution of this program.

bill@cbmvax.UUCP (Bill Koester CATS) (01/01/88)

In article <597@inria.UUCP> rouaix@inria.UUCP (Francois Rouaix) writes:
>	
>	If you got to the same conclusion that I draw, you will notice
>	that indeed the pirates that originally wrote the Virus are 
>	helping Software producers by making pirated copies unsafe.
>
	Good point!

>	I wish we could stop this discussion about viruses.
>	And finally, to CATS : DON'T DISTRIBUTE this so-called Virus Protector.
>
	Never intended to. Unfortunately it can be found on many BBS's.
	Remember the SCA virus protector will not protect against or
	detect any of the new viruses so it is useless anyway!!


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Bill Koester (CATS)          >>Commodore Amiga Technical Support<<
Commodore International Ltd. UUCP ..{allegra|burdvax|rutgers|ihnp4}!cbmvax!bill 
		             PHONE  (215) 431-9355

carolyn@cbmvax.UUCP (Carolyn Scheppner CATS) (01/01/88)

In article <597@inria.UUCP> rouaix@inria.UUCP (Francois Rouaix) writes:
>[]
>
>FLAME ON
> I'm beginning to get tired with all this fuss about Viruses.
>
> The point is:
>	1- You may be contaminated only by a bootable disk

   As far as we know.  We still have not been sent samples of these
new viruses.  

>	2- Commercial software are not contaminated when sealed under
>		the original package...

   Not necessarily true.  We have heard rumors that there are some
commercial shrink-wrapped products that may be infected.  I have no names
or definite information on that, but there is a possibility that this
could be true.  The products could have been infected during development
or testing, and unknowingly gone to production carrying the infection.

>	3- PD disks are generally not bootable, and the official ones are
>		healthy.

  I have also heard that there may be some freely redistributable bootable
demos which are infected.    

>I think I will leave the conclusion to your bright minds.
>FLAME OFF
>	
>	If you got to the same conclusion that I draw, you will notice
>	that indeed the pirates that originally wrote the Virus are 
>	helping Software producers by making pirated copies unsafe.

This is a bit simplistic.  I'm sure the pirates are capable of using
a Virus Checker and the CLI Install program.

>	I wish we could stop this discussion about viruses.

I think it's important to discuss it, be aware of new strains, and make
all users and developers aware of what they must do to protect themselves
and their customers.

I never casually boot with unfamiliar disks.  I won't soft-boot my disks
in someone else's machine without write-protecting them.  And I don't
use pirated software.  I generally have one boot disk for each of my
Amigas, and that's what I boot with.  But I got infected.  It was a
total surprise and I have no idea how it happened.  I was finished
putting together a VCheck1.2 disk for European distribution, and decided
to copy VCheck1.2 to my hard disk in case I ever needed it.  Then I
wasn't sure I had copied it to a PATH'd directory so I typed "VCheck1.2"
to see if DOS could find the command.  Well, DOS found it, and it printed

     Your machine is INFECTED with VIRUS!!!

I checked my boot disk, and it was infected.  The only thing I can figure
is maybe somebody used one of my Amigas on a weekend or while I was
away somewhere, and then rebooted the machine with my un-write-protected
boot disk when they were done.  I now keep my boot disks write protected
at all times.  Fortunately, because I always boot with the same disks,
I only found one other disk that was infected.  Others are not so lucky.

 
>	And finally, to CATS : DON'T DISTRIBUTE this so-called Virus Protector.

I thought it was clear from Bill's postings that we will not distribute
the SCA Virus Protector because:

   a. We don't have the source 
   b. It only protects against the original Virus
  

BTW - Let's not start a flame war about this, but I truly believe that
      the SCA people thought their virus was a cute but harmless hack,
      and are sorry that it caused damage they didn't foresee.

      But I would like to strangle the vicious immature jerks who
      knowingly created new strains of the virus AFTER it was shown 
      to be dangerous.  Some commercial developers have offered
      substantial sums of money towards the apprehension and prosecution
      of these people, and I hope they get caught.

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Carolyn Scheppner -- CATS   >>Commodore Amiga Technical Support<<
                     UUCP  ...{allegra,ihnp4,rutgers}!cbmvax!carolyn 
                     PHONE 215-431-9180
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

trb@stag.UUCP ( Todd Burkey ) (01/01/88)

In article <3064@cbmvax.UUCP> carolyn@cbmvax.UUCP (Carolyn Scheppner CATS) writes:
>I thought it was clear from Bill's postings that we will not distribute
>the SCA Virus Protector because:
>
>   a. We don't have the source 
>   b. It only protects against the original Virus

Wouldn't it be simple to check for a virus that lodges itself in
the OS and/or boot sectors by writing a simple CRC routine (two-level
to allow byte isolation). The routine would simply checksum specific
sectors (or offset sectors) against known values. Of course, this
wouldn't safeguard against viruses or trojan horses that stick themselves
inside of auto-run executables (or whatever the equivalent is on the Amiga).
Since we have the full OS on ROM on the ST, I tend to worry more about
the Trojan horse problem (i.e. I have a very full hard disk and
something like 250 disks of PD software...)
  -Todd  Burkey
   trb@stag.UUCP

jim@coplex.UUCP (Jim Sewell) (01/02/88)

Actually, there is a quite reasonable way for legitimate users to get bitten by
a virus.  Consider Person A is the local users group's PD Librarian.  Person B
is a pirate who is also active in the club and does find many PD programs that
are legitimate.  Well, when Person B gives an infected disk to the PD Librarian,
the entire club stands a chance to be infected.  I don't think this is too far
out to consider possible, and only requires one pirate.  The other club members
may not even know he is a pirate, but will still be infected.

By the way, I agree with others that virus writers should be hung and am quite
saddened by the name they make for us honest folk.

Jim Sewell				"Make knowledge free!"

bryce@hoser.berkeley.edu (Bryce Nesbitt) (01/02/88)

In article <297@stag.UUCP> trb@stag.UUCP ( Todd Burkey ) writes:
>
>Wouldn't it be simple to check for a virus that lodges itself in
>the OS and/or boot sectors by writing a simple CRC routine (two-level
>to allow byte isolation).

No it would not.  One of the capabilities of such a virus is to infect the
sector read commands.  When you check to see if the boot-block is "normal"
the smart virus could just return a "normal" block.


>Since we have the full OS on ROM on the ST, I tend to worry more about
>the Trojan horse problem.

The Amiga virus is still a problem on the Amiga 500 and 2000, both of which
have the OS in ROM.  The way the virus gets started is in the "boot block"
of a disk.  This contains some code that is executed.  Normally it will 
bring in the default DOS (AmigaDOS, usually).

Sort of like infecting a file in the "auto" folder on the ST, but somewhat
worse.  The Amiga virus survives resetting the machine.  To draw the same
Atari ST analogy, it would then search any new disks put in any drive for "Auto"
folders and infect them as well.


The *ONLY* way to clean a system is to turn OFF the machine, WAIT, then put a
VIRGIN boot disk in (Preferably one that has never had its write protect
notch enabled, ever).  The Workbench disk that came with the machine would
be a good choice.

At this point you can cycle any number of disks through, cleaning them with
an "Install df0:" command from the CLI.


Remember, only bootable disks are vulnerable.  As a precaution that dates way
before this virus hit, I use only one boot disk, and keep it write protected
any time I am not writing to it.  Even this is really not good enough...
someone could run a "Trojan horse" demo that would seem to exit cleanly but
actually leave a worm in the system.  This worm would patiently wait until the
boot disk is unprotected.

It is easy to see how a person could lose an entire stack of backups to
the virus... hmmm, that one is bad... I'll try this one.  Bad also?? Hmmm...
I'll try this one.

	Viruses are a problem that can infect any of the current crop of
	computers.  The Amiga, Mac, ST, Apple IIgs, Coleco Adam, Mindset,
	and IBM PS divided-by 2 all are quite vulnerable.

--------

PS:  Some people may not have noticed this, but the first SCA virus is
destructive in at least two ways:

	1> Destroys "custom" boot blocks.
	2> Writes to an absolute memory address.  The address is usually
	in the middle of the Supervisor stack, and does no harm.  If
	$C00000 memory is installed the address is in the middle of free
	memory.

Since all boot block code is by nature relocatable, the virus authors could
have inserted the code, leaving the block mostly intact.  They also could 
have dynamically found an address to use, and perhaps made it permanent with
"ROM Tags in ram".

		Such sloppy code, for shame!  :-|
--------

** The above information may be used in any way except for improving or
creating viruses.

|\ /|  . Ack! (NAK, SOH, EOT)
{o O} . bryce@hoser.berkeley.EDU -or- ucbvax!hoser!bryce (or try "cogsci")
 (")
  U	"Your theory is crazy... but not crazy enought to be true." -Niels Bohr
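
Added example, not part of any post in this thread: one way to carry out the "checksum the boot sectors against known values" idea from Todd Burkey's post while respecting Bryce Nesbitt's caveat, by inspecting a disk image that was read on a machine powered off and booted from a clean disk. It uses SHA-256 in place of a CRC and assumes the standard AmigaDOS floppy layout (1024-byte boot block, `DOS` magic, checksum longword at offset 4); the function names and sample blocks are constructed for illustration.

```python
import hashlib
import struct

BOOTBLOCK_SIZE = 1024  # the first two 512-byte sectors of an Amiga floppy


def read_bootblock(image_path):
    """Read the boot block from a disk image file taken on a clean machine."""
    with open(image_path, "rb") as fh:
        block = fh.read(BOOTBLOCK_SIZE)
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("image is shorter than one boot block")
    return block


def longword_sum(block):
    """Add all big-endian longwords, folding each carry back in."""
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1
    return total


def seal(block):
    """Recompute the checksum longword at offset 4 so the block sums to
    0xFFFFFFFF, which is what makes the ROM treat the disk as bootable."""
    body = block[:4] + bytes(4) + block[8:]
    checksum = 0xFFFFFFFF - longword_sum(body)
    return block[:4] + struct.pack(">I", checksum) + block[8:]


def inspect_bootblock(block, known_good):
    """Classify a boot block against a set of SHA-256 digests recorded
    from boot blocks the user trusts."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    digest = hashlib.sha256(block).hexdigest()
    if block[:3] != b"DOS":
        verdict = "not-dos"            # custom or unformatted disk
    elif longword_sum(block) != 0xFFFFFFFF:
        verdict = "not-bootable"       # boot code is never executed
    elif digest in known_good:
        verdict = "known-good"
    else:
        # Valid checksum but unrecognised code. The checksum only guards
        # against corruption: anything that writes a boot block recomputes
        # it, so only the comparison with a trusted baseline helps here.
        verdict = "unknown-boot-code"
    return {"verdict": verdict, "sha256": digest}


def constructed_block(code):
    """Build a sample boot block: magic, checksum slot, root block 880, code."""
    header = b"DOS\0" + bytes(4) + struct.pack(">I", 880)
    return seal((header + code).ljust(BOOTBLOCK_SIZE, b"\0"))


# Constructed sample data; the "code" bytes are placeholders, not 68000 code.
CLEAN = constructed_block(b"constructed stand-in for the stock boot code")
ALTERED = constructed_block(b"constructed stand-in for some other boot code")
DAMAGED = CLEAN[:100] + b"\x01" + CLEAN[101:]       # one byte flipped, not resealed
DATA_DISK = b"DOS\0" + bytes(BOOTBLOCK_SIZE - 4)    # formatted but never installed
BASELINE = {hashlib.sha256(CLEAN).hexdigest()}

if __name__ == "__main__":
    samples = [("clean", CLEAN), ("altered", ALTERED),
               ("damaged", DAMAGED), ("data disk", DATA_DISK)]
    for name, blk in samples:
        print(name, inspect_bootblock(blk, BASELINE)["verdict"])
```

A custom boot block from a commercial title will also report `unknown-boot-code` until its digest is added to the baseline, so the baseline has to be recorded from original disks before they are ever booted on a suspect machine.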

haitex@pnet01.cts.com (Wade Bickel) (01/02/88)

mccarrol@topaz.rutgers.edu (<MC>) writes:
>]	that indeed the pirates that originally wrote the Virus are 
>]	helping Software producers by making pirated copies unsafe.
>]
>	You're VERY wrong. I just got screwed over by a virus. How? I
>got fish disk#63, and a modified MicroEmacs 3.8i. We used my friend's
>boot disk, and I was showing him some source code to one of my
>programs on MY boot disk. I just lost 3 weeks worth of work to a 
>virus, and I wasn't pirating ANYTHING. 
>
>]	I wish we could stop this discussion about viruses.
>]	And finally, to CATS : DON'T DISTRIBUTE this so-called Virus Protector.
>
>	No, PLEASE distribute it. There are a LOT of innocent victims
>of these rotten things.
>
>
>]*- Francois Rouaix  
>
>	<MC>

        Seems to me your friend had a pirated disk, so be angry with him!

        Kind of like modern love huh, you can't be too careful about what
          goes where or you end up un-healthy.  Oh for the good old days! :-)

                                                                Thanks,


                                                                        Wade.


UUCP: {cbosgd, hplabs!hp-sdd, sdcsvax, nosc}!crash!pnet01!haitex
ARPA: crash!pnet01!haitex@nosc.mil
INET: haitex@pnet01.CTS.COM

ejkst@cisunx.UUCP (Eric J. Kennedy) (01/03/88)

In article <597@inria.UUCP>, rouaix@inria.UUCP (Francois Rouaix) writes:
> FLAME ON
>  I'm beginning to get tired with all this fuss about Viruses.
>  The point is:
> 	1- You may be contaminated only by a bootable disk
> 	2- Commercial software are not contaminated when sealed under
> 		the original package...
> 	3- PD disks are generally not bootable, and the official ones are
> 		healthy.
> I think I will leave the conclusion to your bright minds.
> FLAME OFF

The obvious conclusion you want me to make: only software PIRATES can
get the virus.

Right.

I'll bet you believe only homosexuals get AIDS, too.
And since I don't smoke, I'll *never* get lung cancer...

Wise up.

> -- 
> 
> *- Francois Rouaix                 //       When the going gets tough,       *
> *- rouaix@inria.inria.fr         \X/           the guru goes meditating...   *
> *- SYSOP of Sgt. Flam's Lonely Amigas Club. (33) (1) 39-55-84-59 (Videotext) *


Eric Kennedy

trb@stag.UUCP ( Todd Burkey ) (01/04/88)

In article <22368@ucbvax.BERKELEY.EDU> bryce@hoser.berkeley.edu (Bryce Nesbitt) writes:
>In article <297@stag.UUCP> trb@stag.UUCP ( Todd Burkey ) writes:
>>
>>Wouldn't it be simple to check for a virus that lodges itself in
>>the OS and/or boot sectors by writing a simple CRC routine (two-level
>>to allow byte isolation).
>
>No it would not.  One of the capabilities of such a virus is to infect the
>sector read commands.  When you check to see if the boot-block is "normal"
>the smart virus could just return a "normal" block.
>
I was thinking that the check program would operate at a bit lower
level than that. It should go out and intercept the disk i/o routines
themselves. This would 'take away' the vectors from the virus if it
already had them. Maybe one check of such a program would be to just
examine where all the current potentially 'interesting' vectors are
being redirected to and inform the user if anything is being trapped.

Luckily this isn't a multi-user, distributed environment.  Anyone
remember the viruses that plagued the Sperry and CDC computers in the
middle-late 70's (here in MN on the educational systems anyway)? Most
of those were somewhat comical...except for the time I found that one
of the user's directories had had every file replaced with a copy of
startrek.

  -Todd Burkey
   trb@stag.UUCP

peter@sugar.UUCP (Peter da Silva) (01/04/88)

I don't mean to be insensitive or anything, but this whole thing is beginning
to sound like a discussion of AIDS. One guy says you should never have
anything to do with "those people" (in this case, pirates). Another says it's
OK so long as you're not one of "those people" yourself. Then you have the
paranoids refusing to "do it" (trade PD or other software) at all. And of
course there's the recommendations that you wear your write protect tabs at
all times...

And now that the cat is out of the bag there will be variant viruses hiding
in other places than the boot block. Just like the IBM world.

I think the Amiga version of CHK4BOMB is likely to be a LOT harder than the
IBM version... you could start, I guess, looking for the strings "hddisk.device"
or "trackdisk.device" in programs. Then hardwired references to "DH0:" and
"JH0:". But I don't think that's going to be enough...

It's enough to make you want to switch to UNIX.
-- 
-- Peter da Silva  `-_-'  ...!hoptoad!academ!uhnix1!sugar!peter
-- Disclaimer: These U aren't mere opinions... these are *values*.

alex@.UUCP (Alex Laney) (01/13/88)

In article <37487@sun.uucp>, cmcmanis%pepper@Sun.COM (Chuck McManis) writes:
> 
> ... About the only
> use of the above information I could sanction would be to use it to
> backtrack the source to the puppies who started it and then get the
> president to ok saturation bombing of the area.

It didn't work in "Return of The Living Dead", which I humbly suggest, shows
the effect of a similar 'Virus', only on humans ...

-- 
Alex Laney   alex@xicom.UUCP   ...utzoo!dciem!nrcaer!xios!xicom!alex
Xicom Technologies, 205-1545 Carling Av., Ottawa, Ontario, Canada
We may have written the SNA software you use.
The opinions are my own.