kim@amdahl.amdahl.com (Kim DeVaughn) (10/04/87)
[ Some days you eat the line ... some days the line eats you ... ]

The following was downloaded from the FAUG (First Amiga Users Group) BBS. Seems like we've been spared such crap until now, but this highly disturbing notice shows we are not immune to attacks on our machines by the "Dark Side of the Force"!

Any further information on this (or other such nastiness) would be greatly appreciated!

Doc, if you are reading this, *please* post the Sectorama program that I emailed you several weeks ago ASAP!

/kim

vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv

The following is a thread from Compuserve:

=========================================================================
#: 87294 S3/Hot News & Rumors
02-Oct-87 02:41:08
Sb: #WARNING! Virus loose!
Fm: Larry Phillips/SYSOP 76703,4322
To: All

Well, it had to happen sooner or later. There are a variety of programs that are variously known as Trojan Horses, Bombs, and Viruses. While Bombs are generally destructive (as evidenced by their name), and Trojan Horses are either destructive or for the purpose of theft of data, Viruses have been known to be benign or malignant both.

A Virus has shown up on the Amiga, arriving from Europe, and coming from a group calling themselves SCA. Since it is uncertain yet what its purpose is, that is, how destructive it may or may not be, it will pay to check any disks you boot from and kill the virus if found.

The method of propagation is as follows. An Amiga is booted with an infected disk. All works normally, with no sign that anything is amiss. If you then reboot the machine with the CTRL-Amiga-Amiga key using an uninfected disk, the virus is transferred to the boot disk, and it too becomes a "carrier", ready to pass it on, and so on.

The presence of the virus can be detected by looking at block 1 on a disk. Normally, this will have random data or a pattern of data in it, but you will be able to see the virus quite easily if it is there.
Using Sectorama (SEC.ARC in DL 9... DiskZap will not show it), look at block 1 (Cyl 0, Hd 0, Sector 1). If the virus is present, run INSTALL on the disk. INSTALL will rewrite sectors 0 and 1, killing the virus. Then, AND MOST IMPORTANTLY, TURN OFF the Amiga's power. If you have booted from an infected disk, and have used INSTALL to kill the virus, rebooting without powering off/on will only reinfect the disk.

There have been a couple of reports of a message showing up on the screen, and one was followed by the disk being unusable afterward, but I can't confirm that it was trashed by the virus. The message was:

"Something wonderful has happened. Your AMIGA is alive !!! and, even better,,, Some of your disks are infected by a VIRUS !!!"

This is the same message that appears in block 1 of an infected disk. Watch for it... stomp it out.

Regards, Larry.

============================================================================
#: 87306 S3/Hot News & Rumors
02-Oct-87 04:43:21
Sb: #87294-#WARNING! Virus loose!
Fm: Barry Massoni 73260,1413
To: Larry Phillips/SYSOP 76703,4322 (X)

Larry,

I'm not a programmer or an expert, but I thought that re-booting the system was supposed to clear the machine's memory - how can the virus be transmitted? Also, should someone without the ability to look at a disk in the way you suggested run across this message, will a cold reboot solve the problem (so long as the "infected" disk is not used again)? Will initializing an "infected" disk (after a cold boot) remove the infection? (along with anything else on the disk).

One more thing, don't you think that this message is important enough to go at the head of the forum - so that you see it when you enter the forum?

Barry

============================================================================
#: 87327 S3/Hot News & Rumors
02-Oct-87 16:17:58
Sb: #87306-WARNING! Virus loose!
Fm: Larry Phillips/SYSOP 76703,4322
To: Barry Massoni 73260,1413 (X)

Barry,

The memory is not only not cleared upon rebooting, but there is a way to allow a program to survive a warm boot (CTRL-Amiga-Amiga). The virus itself is contained in the "boot block", and when you boot from an infected disk, installs itself in this manner. When you reboot with an uninfected disk, the virus writes itself out to the boot block of that disk, infecting it as well.

A cold reboot (power off, power on) will indeed remove it from the memory. The problem is, you must know in advance that the disk you are currently booted from is infected before you would think to go through this procedure.

As for looking at the disk to determine if the virus is there, the program to use is "Sectorama", which is in DL 9 as SEC.ARC. Perhaps someone will come up with a program that will detect and kill the virus, giving you a warning at the same time.

I do think it's important, and we will probably put it into one of the Data Libraries and mention it in the short bulletin which everyone will see upon entry to the forum.

Regards, Larry.

============================================================================
#: 87326 S3/Hot News & Rumors
02-Oct-87 16:17:55
Sb: #87294-#WARNING! Virus loose!
Fm: Alan Kaiser 70003,1677
To: Larry Phillips/SYSOP 76703,4322 (X)

Larry,

You mention a European group that likely does not ring a bell for many. Do you know the source of the virus? Any specific suspects? Is it a program or disk, do you think? And lastly, do you know if it can defeat write protected disks?

Thanks, Alan

============================================================================
#: 87343 S3/Hot News & Rumors
02-Oct-87 20:33:02
Sb: #87326-#WARNING! Virus loose!
Fm: Larry Phillips/SYSOP 76703,4322
To: Alan Kaiser 70003,1677 (X)

Alan,

I don't know the disk it started on, though due to the nature of the group, it likely came out originally on a stolen copy of a commercial product.
As with a real virus, it really doesn't matter, as it will spread to any and all boot disks that it can. It is not contained in a named program, but is part of the "boot block" that every bootable disk has. So it doesn't help to watch out for a specific file.

I haven't tried it, but it is likely that the boot disk would be safe if write protected.

Regards, Larry.

============================================================================
#: 87424 S3/Hot News & Rumors
03-Oct-87 16:59:12
Sb: #87343-WARNING! Virus loose!
Fm: Bill Leach 71330,2621
To: Larry Phillips/SYSOP 76703,4322

Larry:

I would have to be safe. Write protection is a hardware function of the disk drive.

73, bill

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

--
UUCP: kim@amdahl.amdahl.com
or: {sun,decwrl,hplabs,pyramid,ihnp4,uunet,oliveb,cbosgd,ames}!amdahl!kim
DDD: 408-746-8462
USPS: Amdahl Corp. M/S 249, 1250 E. Arques Av, Sunnyvale, CA 94086
CIS: 76535,25
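
The block 1 check described in the CompuServe thread above, written as an added example (not code from the thread and not Sectorama): it scans sectors 0 and 1 of a raw disk image for the quoted message. It assumes the message is stored as plain ASCII; the `DOS` magic check, the function names and the sample images are this example's own.

```python
import re

SECTOR = 512  # bytes per sector; sectors 0 and 1 form the boot area
# Phrases from the message quoted in the thread. Only letters are compared,
# so differences in spacing, case and punctuation do not matter.
PHRASES = (
    "Something wonderful has happened",
    "Your AMIGA is alive",
    "Some of your disks are infected by a VIRUS",
)

def letters(data: bytes) -> str:
    """Lower-case ASCII letters of data, everything else dropped."""
    return re.sub(r"[^a-z]", "", data.decode("latin-1").lower())

def printable_runs(data: bytes, min_len: int = 8) -> list:
    """Readable ASCII runs, i.e. what a sector viewer would show as text."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def scan_boot_area(image: bytes) -> dict:
    """Check sectors 0 and 1 of a raw disk image for the quoted message."""
    if len(image) < 2 * SECTOR:
        raise ValueError("image is shorter than the two boot sectors")
    block1 = image[SECTOR:2 * SECTOR]
    hay = letters(block1)
    hits = [p for p in PHRASES if letters(p.encode("ascii")) in hay]
    return {
        "dos_magic": image[:3] == b"DOS",  # assumption: not stated on the page
        "phrases_found": hits,
        "text_in_block1": printable_runs(block1),
        "suspect": bool(hits),
    }

def demo_images() -> tuple:
    """Constructed sample data, not a real disk and not the virus code."""
    clean = b"DOS\x00" + bytes(2 * SECTOR - 4)
    text = b"Something wonderful has happened  Your AMIGA is alive !!!"
    block1 = bytes(40) + text + bytes(SECTOR - 40 - len(text))
    marked = b"DOS\x00" + bytes(SECTOR - 4) + block1
    return clean, marked

if __name__ == "__main__":
    for name, img in zip(("clean", "marked"), demo_images()):
        print(name, scan_boot_area(img))
```

A hit only says the text is on the disk image; as the thread notes, memory stays infected across a warm boot, so the check belongs on a machine that was powered off and booted from a known-clean disk.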
charles@hpcvcd.HP (Charles Brown) (10/08/87)
REQUEST: Someone who has a copy of the virus. Please check what happens when you boot from it and then warm boot from a protected disk. Do you get a requestor? If so, this may be a way to check for infection without special software.

Can we feel safe that none of the Fish disks are infected?

Charles Brown
hplabs!hp-pcd!charles
fnf@mcdsun.UUCP (Fred Fish) (10/14/87)
In article <4410011@hpcvcd.HP> charles@hpcvcd.HP (Charles Brown) writes:
>Can we feel safe that none of the Fish disks are infected?

Just to be sure, I'll check all my masters. But as I understand it, to be active the virus has to be on a bootable disk. Since none of my disks are bootable, this wouldn't seem to be a problem.

-Fred

--
# Fred Fish hao!noao!mcdsun!fnf (602) 438-3614
# Motorola Computer Division, 2900 S. Diablo Way, Tempe, Az 85282 USA
schein@cbmvax.UUCP (Dan Schein CATS) (10/14/87)
In article <385@mcdsun.UUCP> fnf@mcdsun.UUCP (Fred Fish) writes:
>In article <4410011@hpcvcd.HP> charles@hpcvcd.HP (Charles Brown) writes:
>>Can we feel safe that none of the Fish disks are infected?
>
>Just to be sure, I'll check all my masters. But as I understand it, to
>be active the virus has to be on a bootable disk. Since none of my
>disks are bootable, this wouldn't seem to be a problem.
>
>-Fred
>

To be specific, the virus becomes active when your system is started (warm or cold) from an infected disk.

--
Dan Schein                      uucp: {ihnp4|rutgers}!cbmvax!schein
Commodore Business Machines     or: {allegra|burdvax}!cbmvax!schein
1200 Wilson Drive               Bix: dschein Plink: cbmtelecom
West Chester PA 19380           phone: (215) 431-9100 ext. 9542
+----------------------------------------------------------------------------+
All spelling mistakes are a result of my efforts to avoid education :-)
+----------------------------------------------------------------------------+
Those who worked the hardest are the last to surrender -- Gary Ward