[comp.sys.atari.st] Virus on Wordup v2.0 Disks

woodside@ttidca.TTI.COM (George Woodside) (10/01/89)

NEOCEPT has released an announcement regarding a virus on some copies
of their version 2.0 release disks, a portion of which is reproduced here:

"Neocept has discovered a HARMLESS virus on all of the WordUp v2.0
upgrades and new packages with serial numbers from WUP004000 to
WUP004249.  This virus is completely harmless and does nothing more
than copy itself to the boot sector of all disks that are
accessed.  In fact, this virus could arguably be called a
"virus killer", since it wipes out any harmful virus that may
already occupy the boot sector.  It is remotely possible that this
virus could be the "key" to activate some other virus, or that this
virus interacts to duplicate some other virus.  However, Neocept
has already disassembled and looked closely at the virus, and can
find no indication of how it might act as a "key".  To be safe,
users should clear out all but the first 32 bytes of the boot sectors
of their WordUp disks, using a disk editor or a virus killing program. ..."

I must raise some objection to portions of this announcement.

I will withhold comments about the responsibility of software publishers
regarding checking releases for viruses. I must, however, voice strong
protests at their attempts to downplay the significance of this event.

While I have not yet received an exact copy of the virus, it has been 
identified as the "KEY", "TYPE 1", or "SIGNUM BPL" virus, depending upon the
anti-virus software you favor.

There is no stretch of the imagination by which this virus could be 
referred to as a "virus killer".  It is a very real, fast spreading virus,
with dangerous side effects.

It WILL spread itself to the boot sector of any disk inserted into the ST
which the virus does not recognize as already containing a copy of the
virus. It will, therefore, overwrite the boot sector of a disk which must be
auto-booting, rendering the disk useless. It will spread throughout a user's
disk library quickly. It is already the most widespread virus in the USA.

More dangerous than the spread of this virus, however, is the danger it
represents if it locates the "KEY" for which it is waiting. 

While the virus must be on the boot sector of the disk in drive A during a
power up or reset to become activated, no such condition applies to the
"KEY". If the virus is active, and a disk bearing the "KEY" characteristics
is inserted into the ST, the virus will execute the code present on the
"KEY" disk as soon as that "KEY" disk is accessed. It does not require the
ST to be reset. As soon as the "KEY" disk is accessed, whatever code is
present on the "KEY" disk will be executed immediately. Of course, I will
not make public what that "KEY" is. All versions of VKILLER will correctly
identify a "KEY" disk, should one emerge.

Let me make it perfectly clear that the virus on the WordUp v2.0 disks is
reported to NOT contain that "KEY". It will not harm systems, other than to
destroy boot sectors, as noted above. It will, however, cause a system to
fall victim to whatever code is present on a "KEY" disk, should one be
inserted into a system with this virus active. As of this writing, neither I
nor any of the other virus fighters I know have located a "KEY" disk. No
one, therefore, can warn you of what to expect if a "KEY" disk turns up.

While I applaud NEOCEPT for going public with this warning, and apparently
stopping distribution of the virus quickly, I strongly disagree with their
attempts to lessen the gravity of the situation. This virus is NOT
"harmless", and is absolutely NOT a "virus killer". Viruses hurt everyone in
this industry, and must be fought at every opportunity.




-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path:       ..!{philabs|csun|psivax}!ttidca!woodside
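
Added example (not part of the original posts, and not Vkiller's code): a Python sketch of the check and cleanup discussed above, run against a 512-byte boot sector read from a floppy image. It assumes the TOS convention that a boot sector is executed only when its 256 big-endian words sum to 0x1234; all function names are hypothetical and the sample sector is constructed filler.

```python
import struct

SECTOR_SIZE = 512
BOOT_MAGIC = 0x1234  # assumption stated in the lead-in: TOS boot checksum value
KEEP_BYTES = 32      # the Neocept notice says to keep only the first 32 bytes


def boot_checksum(sector: bytes) -> int:
    """Sum the 256 big-endian 16-bit words of a boot sector, modulo 2**16."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    """True if TOS would run this sector at boot (not proof of a virus)."""
    return boot_checksum(sector) == BOOT_MAGIC


def clear_boot_code(sector: bytes) -> bytes:
    """Zero all but the first 32 bytes and guarantee a non-executable result."""
    cleaned = bytearray(sector[:KEEP_BYTES]) + bytearray(SECTOR_SIZE - KEEP_BYTES)
    if is_executable(bytes(cleaned)):
        # Edge case: the kept header alone sums to the magic value.
        cleaned[-2:] = b"\x00\x01"
    return bytes(cleaned)


def make_sample_sector() -> bytes:
    """Constructed input: 32-byte header, filler bytes, checksum fix-up word."""
    header = bytes([0x60, 0x1C]) + b"SAMPLE" + bytes(24)
    body = bytes((i * 7) & 0xFF for i in range(SECTOR_SIZE - KEEP_BYTES - 2))
    partial = header + body + b"\x00\x00"
    fixup = (BOOT_MAGIC - boot_checksum(partial)) & 0xFFFF
    return header + body + struct.pack(">H", fixup)


if __name__ == "__main__":
    before = make_sample_sector()
    after = clear_boot_code(before)
    print("before: executable =", is_executable(before))
    print("after:  executable =", is_executable(after))
```

An executable boot sector is only a reason to look closer: auto-booting disks carry one legitimately, and clearing it leaves such a disk unable to boot.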

rcd@cbnewsj.ATT.COM (rana.c.dutt) (10/02/89)

In article <6583@ttidca.TTI.COM>, woodside@ttidca.TTI.COM (George Woodside) writes:
> NEOCEPT has released an announcement regarding a virus on some copies
> of their version 2.0 release disks, a portion of which is reproduced here:
> [Neocept's announcement deleted]
> I must raise some objection to portions of this announcement.
> 
> I will withhold comments about the responsibility of software publishers
> regarding checking releases for viruses. I must, however, voice strong
> protests at their attempts to downplay the significance of this event.
> 
> While I have not yet received an exact copy of the virus, it has been 
> identified as the "KEY", "TYPE 1", or "SIGNUM BPL" virus, depending upon the
> anti-virus software you favor.

I have confirmed the presence of the KEY virus on all three of 
my Wordup 2.0 disks shipped to me by Neocept. I used George Woodside's
excellent "Virus Killer" program to detect and then eradicate this
virus from my disks.  Others who have received Wordup 2.0 should do the same.
Virus Killer was posted on comp.binaries.atari.st recently. 

I'd like to applaud George Woodside for his exceptional public service
in a) warning us about this virus (I'd never have suspected that a
COMMERCIAL software distribution would contain one); b) disseminating accurate 
information on it; and c) providing a utility which destroys
this and other viruses. 

Question: will this virus write to the boot sector on my hard disk as 
well? If so, how can I detect it? (I noticed that Virus Killer only 
checks and fixes floppy disks.) Thanks very much.

Rana Dutt
rcd@mtqua.att.com

gl8f@astsun8.astro.Virginia.EDU (Greg Lindahl) (10/03/89)

In article <1097@cbnewsj.ATT.COM> rcd@cbnewsj.ATT.COM (rana.c.dutt) writes:

> (I'd never have suspected that a COMMERCIAL software distribution
> would contain one)

Yep! That's why I test EVERY DISK I get from outside -- anyone can
make a mistake and accidentally stick a virus on a disk. It only
takes seconds to check.

Practice safe... well you get the idea.

------
Greg Lindahl
gl8f@virginia.edu                                             I'm not the NRA.

woodside@ttidca.TTI.COM (George Woodside) (10/03/89)

In article <1097@cbnewsj.ATT.COM> rcd@cbnewsj.ATT.COM (rana.c.dutt) writes:
...[edited]...
>Question: will this virus write to the boot sector on my hard disk as 
>well? If so, how can I detect it? (I noticed that Virus Killer only 
>checks and fixes floppy disks.) Thanks very much.

No, the "KEY" virus will not touch a hard disk. It doesn't even know they 
exist.

I'm busy re-writing Vkiller (from scratch) to enhance its capabilities,
and add some hard disk facilities. It will be a while before it gets
re-posted, but I'm working on it. So far, though, I have no information
on any ST viruses which spread through, or attack, hard disks.

If anyone has any information on viruses that Vkiller (2.20) doesn't
recognize, or on any ST-oriented hard disk or link viruses, I would certainly
appreciate hearing from them.
-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path:       ..!{philabs|csun|psivax}!ttidca!woodside