icsu8053@caesar.cs.montana.edu (Craig Pratt) (02/14/90)
In article <9906@ttidca.TTI.COM> you write: >In article <28923@brunix.UUCP> rjd@cs.brown.edu (Rob Demillo) writes: >...[edited]... >>This is directly from the horse's mouth, as it were...the statement >>was issued by SoftLogik, Inc. to the ST Report. It the statement it >>is refered to as the "key virus." (Anyone hear of this?) Any of the >>anti-virus programs should take care of it, but Soft Logik is, >>of course, exchanging disks if you are nervous. > >The "KEY" virus is the most widespread virus in the USA. That is >because it displays no symptoms, it only spreads. It represents >two dangers: >1) It spreads to every disk that passes through the ST while the >virus is active, thus wiping out existing executable boot sectors >on disks which must have them. This can render a disk which must >be self-booting useless. > >2) It is called the "KEY" virus because, once installed in a >system, it checks every passing disk for a "KEY" value in the >boot sector. If it locates one, it will cause the execution of >whatever code is on that disk, even if the machine is not being >powered up or reset at the time the "KEY" disk is located. There >have been no episodes of a "KEY" disk being located reported, to >date. That doesn't mean they don't exist. That only means that >I haven't heard of them, or the victim of whatever the "KEY" did >was not aware of the cause (which is quite likely, if such an event >has occurred). > >Every virus killer I've seen (or written, of course) will eradicate >this virus. > >-- >* George R. Woodside - Citicorp/TTI - Santa Monica, CA * >* Path: woodside@ttidca * >* or: ..!{philabs|csun|psivax}!ttidca!woodside * I just ran into this virus yesterday and it is not even in the general sense harmless! It ate two of my disks last night before I could isolate it and kill it. I figured the first disk, my WordPerfect document disk, had gone bad but the second disk made me suspicious so I ran the *excellent* vkiller program on it and discovered that I had the key virus on both the dead disks and some "undead" disks as well. I tried to recover these disks with Norton utilities, which always has recovered all but a few of the files on a toasted disk; it would have nothing to do with it. It created some files but they were bits and pieces of multiple files. I've devoted this evening attempting to figure out what happened. I took one disk which still had the "harmless" key virus on it and copied just the files off. I also installed the hospital utilities just to see if they worked - it did very well. Anyway, I then made this the test disk and formatted a new blank disk. I discovered that when I booted off the "undead" disk, it suddenly became dead and gave a read error on the disk. When I inserted the control disk, which had tested safe, and pressed retry, it didn't do anything. When I displayed information on the control disk, it read and probably wrote to the disk. I ran vkiller. It couldn't read the test virus disk and said the control disk now had a virus. By determination and disk switching, I finally got the test disk to read. It said it was virused, had eight sides and 119538576 bytes total of disk space. By examinig the sectors, I discovered that Key had written over the directory sectors of the disk. It was very dead. So, it would seem that the key virus is *NOT* *HARMLESS*. All I can say is install the hospital programs and hope and pray that the bozo/moron/idiot scumball/50 caret moron(s) who wrote this virus doesn't make one that messes with my hard drive. It would be time to play "Hunt down & destroy the pesky little virus hacker" (New...from Nintendo!). A tremendous Thank You to George Woodside for his excellent vkiller program! Craig Pratt BitNet: Craig.Pratt@msu3.oscs.montana.edu GEnie: C.PRATT4 (not here often) "The ships hung in the air in exactly the same way that bricks don't" Douglas Adams, _The_Hitchhiker's_Guide_to_the_Galaxy_
krieg@jupiter.uucp (Andrew Krieg) (02/14/90)
I have been infected by a virus. Using VKILLER 2.2 I have learned that I have the 'Key' virus that everyone is talking about. It is waiting for a certain disk to be inserted before it does its damage. Thankfully, I never inserted that disk. By the spread of the virus (about 25 of my disks) I have determined that I have had the virus for about 3 weeks. Now, I probably still have the program that generated the virus in the first place. Is there any way to test for that? I'd like to determine where I picked it up from. -- ========================================================================= = Andrew Krieg 2to1 Keeper Marvel Historian = = G.E. Medical Systems - CT - New Berlin, WI = = USENET: krieg@jupiter.med.ge.com = ========================================================================= = "Big clocks are never wrong!!" - Bob Newhart in _Cold Turkey_ = =========================================================================
woodside@ttidca.TTI.COM (George Woodside) (02/16/90)
In article <3117@caesar.cs.montana.edu> icsu8053@caesar.cs.montana.edu (Craig Pratt) writes: ...[edited]... >I just ran into this virus yesterday and it is not even in the general sense >harmless! It ate two of my disks last night before I could isolate it and >kill it. Your description of the events is not characteristic of the "KEY" virus. If you have a surviving copy of what hit you, please contact me as soon as possible. The "KEY" virus will not do anything to any disk other than reproduce itself onto the boot sector, unless the "KEY" disk has turned up. -- * George R. Woodside - Citicorp/TTI - Santa Monica, CA * * Path: woodside@ttidca * * or: ..!{philabs|csun|psivax}!ttidca!woodside *
woodside@ttidca.TTI.COM (George Woodside) (02/16/90)
In article <2059@mrsvr.UUCP> krieg@jupiter.UUCP (Andrew Krieg) writes: >I have been infected by a virus. Using VKILLER 2.2 I have learned that I >have the 'Key' virus that everyone is talking about. It is waiting for a >certain disk to be inserted before it does its damage. Thankfully, I never >inserted that disk. By the spread of the virus (about 25 of my disks) I have >determined that I have had the virus for about 3 weeks. Now, I probably still >have the program that generated the virus in the first place. Is there any >way to test for that? I'd like to determine where I picked it up from. I know of no programs which spawn the "KEY", or any other virus (on the ST) as of this date. The only way to get infected is to boot your system from an infected disk. As for testing for a "spawn" program, I'm about to submit the new VKILLER to the binaries group. It will provide a means of installing a tiny monitoring program which will check all passing floppies for executable boot sectors. If you run a program which installs a virus on a disk, the next access to that disk will cause an alarm to be triggered. The new version has been beaten to death by some of my long suffering friends (to whom I express my gratitude for their patience and efforts) and is heading for the net, Compuserve, and GEnie this weekend (Feb 17). It still does not deal with hard disks, because I have no concrete information about any virus which is hard disk specific. It does not deal with link viruses, for the same reason. I have developed some new software to deal with link viruses, or program alteration in general, but it is a bit too large to install into the working version of VKILLER. I'll be submitting a separate program to deal with those, in the near future. Please be patient. -- * George R. Woodside - Citicorp/TTI - Santa Monica, CA * * Path: woodside@ttidca * * or: ..!{philabs|csun|psivax}!ttidca!woodside *