[comp.sys.amiga] IMPORTANT WARNING ... Amiga Virus Loose ... PLEASE READ

kim@amdahl.amdahl.com (Kim DeVaughn) (10/04/87)

[ Some days you eat the line ... some days the line eats you ... ]

The following was downloaded from the FAUG (First Amiga Users Group) BBS.

Seems like we've been spared such crap until now, but this highly disturbing
notice shows we are not immune to attacks on our machines by the "Dark Side
of the Force"!

Any further information on this (or other such nastiness) would be greatly
appreciated!

Doc, if you are reading this, *please* post the Sectorama program that I
emailed you several weeks ago ASAP!

/kim


vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

The following is a thread from Compuserve:

=========================================================================

#: 87294 S3/Hot News & Rumors
    02-Oct-87  02:41:08
Sb: #WARNING! Virus loose!
Fm: Larry Phillips/SYSOP 76703,4322
To: All

Well, it had to happen sooner or later. There are a variety of programs
that are variously known as Trojan Horses, Bombs, and Viruses. While Bombs
are generally destructive (as evidenced by their name), and Trojan Horses
are either destructive or for the purpose of theft of data, Viruses have
been known to be benign or malignant both. A Virus has shown up on the
Amiga, arriving from Europe, and coming from a group calling themselves
SCA. Since it is uncertain yet what its purpose is, that is, how
destructive it may or may not be, it will pay to check any disks you boot
from and kill the virus if found.

The method of propagation is as follows.  An Amiga is booted with an
infected disk. All works normally, with no sign that anything is amiss. If
you then reboot the machine with the CTRL-Amiga-Amiga key using an
uninfected disk, the virus is transferred to the boot disk, and it too
becomes a "carrier", ready to pass it on, and so on.

The presence of the virus can be detected by looking at block 1 on a disk.
Normally, this will have random data or a pattern of data in it, but you
will be able to see the virus quite easily if it is there. Using Sectorama
(SEC.ARC in DL 9... DiskZap will not show it), look at block 1 (Cyl 0, Hd
0, Sector 1). If the virus is present, run INSTALL on the disk. INSTALL
will rewrite sectors 0 and 1, killing the virus. Then, AND MOST
IMPORTANTLY, TURN OFF the Amiga's power. If you have booted from an
infected disk, and have used INSTALL to kill the virus, rebooting without
powering off/on will only reinfect the disk.

There have been a couple of reports of a message showing up on the screen,
and one was followed by the disk being unusable afterward, but I can't
confirm that it was trashed by the virus. The message was:
"Something wonderful has happened. Your AMIGA is alive !!! and, even
better,,,
Some of your disks are infected by a VIRUS !!!"
This is the same message that appears in block 1 of an infected disk.

Watch for it... stomp it out.

Regards, Larry.

============================================================================

#: 87306 S3/Hot News & Rumors
    02-Oct-87  04:43:21
Sb: #87294-#WARNING! Virus loose!
Fm: Barry Massoni 73260,1413
To: Larry Phillips/SYSOP 76703,4322 (X)

Larry,

     I'm not a programmer or an expert, but I thought that re-booting the
system was supposed to clear the machine's memory - how can the virus be
transmitted?

     Also, should someone without the ability to look at a disk in the way
you suggested run across this message will a cold reboot solve the problem
(so long as the "infected" disk is not used again)? Will initializing an
"infected" disk (after a cold boot) remove the infection? (along with anything
else on the disk).

     One more thing, don't you think that this message is important enough
to go at the head of the forum - so that you see it when you enter the forum?

Barry

============================================================================

#: 87327 S3/Hot News & Rumors
    02-Oct-87  16:17:58
Sb: #87306-WARNING! Virus loose!
Fm: Larry Phillips/SYSOP 76703,4322
To: Barry Massoni 73260,1413 (X)

Barry,

  The memory is not only not cleared upon rebooting, but there is a way to
allow a program to survive a warm boot (CTRL-Amiga-Amiga). The virus
itself is contained in the "boot block", and when you boot from an
infected disk, installs itself in this manner. When you reboot with an
uninfected disk, the virus writes itself out to the boot block of that
disk, infecting it as well.

  A cold reboot (power off, power on) will indeed remove it from the
memory. The problem is, you must know in advance that the disk you are
currently booted from is infected before you would think to go through
this procedure.

  As for looking at the disk to determine if the virus is there, the
program to use is "Sectorama", which is in DL 9 as SEC.ARC. Perhaps
someone will come up with a program that will detect and kill the virus,
giving you a warning at the same time.

  I do think it's important, and we will probably put it into one of the
Data Libraries and mention it in the short bulletin which everyone will
see upon entry to the forum.

Regards, Larry.

============================================================================

#: 87326 S3/Hot News & Rumors
    02-Oct-87  16:17:55
Sb: #87294-#WARNING! Virus loose!
Fm: Alan Kaiser 70003,1677
To: Larry Phillips/SYSOP 76703,4322 (X)

Larry,

You mention a European group that likely does not ring a bell for many.
Do you know the source of the virus?  Any specific suspects?  Is it a
program or disk, do you think?  And lastly, do you know if it can defeat
write protected disks?

Thanks, Alan

============================================================================

#: 87343 S3/Hot News & Rumors
    02-Oct-87  20:33:02
Sb: #87326-#WARNING! Virus loose!
Fm: Larry Phillips/SYSOP 76703,4322
To: Alan Kaiser 70003,1677 (X)

Alan,

  I don't know the disk it started on, though due to the nature of the
group, it likely came out originally on a stolen copy of a commercial
product. As with a real virus, it really doesn't matter, as it will spread
to any and all boot disks that it can. It is not contained in a named
program, but is part of the "boot block" that every bootable disk has. So
it doesn't help to watch out for a specific file.

  I haven't tried it, but it is likely that the boot disk would be safe if
write protected.

Regards, Larry.

============================================================================

#: 87424 S3/Hot News & Rumors
    03-Oct-87  16:59:12
Sb: #87343-WARNING! Virus loose!
Fm: Bill Leach 71330,2621
To: Larry Phillips/SYSOP 76703,4322

Larry:

        It would have to be safe.  Write protection is a hardware function
of the disk drive.

        73,
        bill


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

-- 
UUCP:  kim@amdahl.amdahl.com
  or:  {sun,decwrl,hplabs,pyramid,ihnp4,uunet,oliveb,cbosgd,ames}!amdahl!kim
DDD:   408-746-8462
USPS:  Amdahl Corp.  M/S 249,  1250 E. Arques Av,  Sunnyvale, CA 94086
CIS:   76535,25
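
The manual check described in the CompuServe thread above (look at block 1 and see whether the virus message is visible) can be run over a raw disk image. This is an added example, not code from the original posts or from Sectorama; it assumes a raw sector dump with 512-byte blocks, and the marker fragments are taken from the message as quoted in the thread. The sample images are constructed filler, not virus code.

```python
import re

BLOCK_SIZE = 512  # assumption: raw sector dump with 512-byte blocks, block 0 first

# Fragments of the message as quoted in the thread; the exact on-disk spacing
# and case are not given there, so matching ignores case and whitespace runs.
MARKERS = (
    "Something wonderful has happened",
    "Your AMIGA is alive",
    "infected by a VIRUS",
)


def read_block(image: bytes, block_no: int) -> bytes:
    """Return one block of the image, or raise if the image is too short."""
    start = block_no * BLOCK_SIZE
    block = image[start:start + BLOCK_SIZE]
    if len(block) < BLOCK_SIZE:
        raise ValueError(f"image too short to contain block {block_no}")
    return block


def printable_runs(block: bytes, min_len: int = 6) -> list:
    """ASCII text runs of at least min_len bytes, as a sector viewer would show."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, block)]


def normalise(text: str) -> str:
    """Lower-case and collapse whitespace so spacing differences do not matter."""
    return " ".join(text.lower().split())


def check_block1(image: bytes) -> dict:
    """Look for the quoted message in block 1 (Cyl 0, Hd 0, Sector 1)."""
    runs = printable_runs(read_block(image, 1))
    haystack = normalise(" ".join(runs))
    hits = [m for m in MARKERS if normalise(m) in haystack]
    return {"strings": runs, "markers": hits, "suspect": bool(hits)}


# Constructed sample images: block 0 is filler, block 1 is a data pattern
# (CLEAN) or filler plus part of the quoted text (FLAGGED).
CLEAN = b"DOS\x00" + bytes(508) + bytes(range(256)) * 2
MESSAGE = b"Something wonderful has happened. Your AMIGA is alive !!!"
FLAGGED = b"DOS\x00" + bytes(508 + 40) + MESSAGE + bytes(512 - 40 - len(MESSAGE))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("flagged", FLAGGED)):
        result = check_block1(img)
        print(name, "suspect" if result["suspect"] else "ok", result["markers"])
```

A hit only says the text is present in block 1; per the thread, the remedy is still INSTALL followed by a power-off.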

charles@hpcvcd.HP (Charles Brown) (10/08/87)

REQUEST:
Someone who has a copy of the virus.  Please check what happens when
you boot from it and then warm boot from a protected disk.  Do you get
a requestor?  If so, this may be a way to check for infection without
special software.

Can we feel safe that none of the Fish disks are infected?
	Charles Brown	hplabs!hp-pcd!charles

fnf@mcdsun.UUCP (Fred Fish) (10/14/87)

In article <4410011@hpcvcd.HP> charles@hpcvcd.HP (Charles Brown) writes:
>Can we feel safe that none of the Fish disks are infected?

Just to be sure, I'll check all my masters.  But as I understand it, to
be active the virus has to be on a bootable disk.  Since none of my
disks are bootable, this wouldn't seem to be a problem.

-Fred


-- 
# Fred Fish    hao!noao!mcdsun!fnf    (602) 438-3614
# Motorola Computer Division, 2900 S. Diablo Way, Tempe, Az 85282  USA

schein@cbmvax.UUCP (Dan Schein CATS) (10/14/87)

In article <385@mcdsun.UUCP> fnf@mcdsun.UUCP (Fred Fish) writes:
>In article <4410011@hpcvcd.HP> charles@hpcvcd.HP (Charles Brown) writes:
>>Can we feel safe that none of the Fish disks are infected?
>
>Just to be sure, I'll check all my masters.  But as I understand it, to
>be active the virus has to be on a bootable disk.  Since none of my
>disks are bootable, this wouldn't seem to be a problem.
>
>-Fred
>
   To be specific, the virus becomes active when your system is started
   (warm or cold) from an infected disk.

-- 
   Dan Schein			 	uucp: {ihnp4|rutgers}!cbmvax!schein
   Commodore Business Machines		or: {allegra|burdvax}!cbmvax!schein
   1200 Wilson Drive			Bix: dschein      Plink: cbmtelecom
   West Chester PA 19380		phone: (215) 431-9100     ext. 9542
+----------------------------------------------------------------------------+
    All spelling mistakes are a result of my efforts to avoid education :-)
+----------------------------------------------------------------------------+
    Those who worked the hardest are the last to surrender   --   Gary Ward