woodside@ttidca.TTI.COM (George Woodside) (10/01/89)
NEOCEPT has released an announcement regarding a virus on some copies of their version 2.0 release disks, a portion of which is reproduced here: "Neocept has discovered a HARMLESS virus on all of the WordUp v2.0 upgrades and new packages with serial numbers from WUP004000 to WUP004249. This virus is completely harmless and does nothing more than copy itself to the boot sector of all disks that are accessed. In fact, this virus could arguably be called a "virus killer", since it wipes out any harmful virus that may already occupy the boot sector. It is remotely possible that this virus could be the "key" to activate some other virus, or that this virus interacts to duplicate some other virus. However, Neocept has already disassembled and looked closely at the virus, and can find no indication of how it might act as a "key". To be safe, users should clear out all but the first 32 bytes of the boot sectors of their WordUp disks, using a disk editor or a virus killing program. ..." I must raise some objection to portions of this announcement. I will withhold comments about the responsibility of software publishers regarding checking releases for viruses. I must, however, voice strong protests at their attempts to downplay the significance of this event. While I have not yet received an exact copy of the virus, it has been identified as the "KEY", "TYPE 1", or "SIGNUM BPL" virus, depending upon the anti-virus software you favor. There is no stretch of the imagination by which this virus could be referred to as a "virus killer". It is a very real, fast spreading virus, with dangerous side effects. It WILL spread itself to the boot sector of any disk inserted into the ST which the virus does not recognize as already containing a copy of the virus. It will, therefore, overwrite the boot sector of a disk which must be auto-booting, rendering the disk useless. It will spread throughout a user's disk library quickly. It is already the most widespread virus in the USA. More dangerous than the spread of this virus, however, is the danger it represents if it locates the "KEY" for which it is waiting. While the virus must be on the boot sector of the disk in drive A during a power up or reset to become activated, no such condition applies to the "KEY". If the virus is active, and a disk bearing the "KEY" characteristics is inserted into the ST, the virus will execute the code present on the "KEY" disk as soon as that "KEY" disk is accessed. It does not require the ST to be reset. As soon as the "KEY" disk is accessed, whatever code is present on the "KEY" disk will be executed immediately. Of course, I will not make public what that "KEY" is. All version of VKILLER will correctly identify a "KEY" disk, should one emerge. Let me make it perfectly clear that the virus on the WordUp v2.0 disks is reported to NOT contain that "KEY". It will not harm systems, other than to destroy boot sectors, as noted above. It will, however, cause a system to fall victim to whatever code is present on a "KEY" disk, should one be inserted into a system with this virus active. As of this writing, neither I nor any of the other virus fighters I know have located a "KEY" disk. No one, therefore, can warn you of what to expect if a "KEY" disk turns up. While I applaud NEOCEPT for going public with this warning, and apparently stopping distribution of the virus quickly, I strongly disagree with their attempts to lessen the gravity of the situation. This virus is NOT "harmless", and is absolutely NOT a "virus killer". Viruses hurt everyone in this industry, and must be fought at every opportunity. -- *George R. Woodside - Citicorp/TTI - Santa Monica, CA *Path: ..!{philabs|csun|psivax}!ttidca!woodside
rcd@cbnewsj.ATT.COM (rana.c.dutt) (10/02/89)
In article <6583@ttidca.TTI.COM>, woodside@ttidca.TTI.COM (George Woodside) writes: > NEOCEPT has released an announcement regarding a virus on some copies > of their version 2.0 release disks, a portion of which is reproduced here: > [Neocept's announcment deleted] > I must raise some objection to portions of this announcement. > > I will withhold comments about the responsibility of software publishers > regarding checking releases for viruses. I must, however, voice strong > protests at their attempts to downplay the significance of this event. > > While I have not yet received an exact copy of the virus, it has been > identified as the "KEY", "TYPE 1", or "SIGNUM BPL" virus, depending upon the > anti-virus software you favor. I have confirmed the presence of the KEY virus on all three of my Wordup 2.0 disks shipped to me by Neocept. I used George Woodside's excellent "Virus Killer" program to detect and then eradicate this virus from my disks. Others who have received Wordup 2.0 should do the same. Virus Killer was posted on comp.binaries.atari.st recently. I'd like to applaud George Woodside for his exceptional public service in a) warning us about this virus (I'd never have suspected that a COMMERCIAL software distribution would contain one); b) disseminating accurate information on it; and c) providing a utility which destroys this and other viruses. Question: will this virus write to the boot sector on my hard disk as well? If so, how can I detect it? (I noticed that Virus Killer only checks and fixes floppy disks.) Thanks very much. Rana Dutt rcd@mtqua.att.com
gl8f@astsun8.astro.Virginia.EDU (Greg Lindahl) (10/03/89)
In article <1097@cbnewsj.ATT.COM> rcd@cbnewsj.ATT.COM (rana.c.dutt) writes: > (I'd never have suspected that a COMMERCIAL software distribution > would contain one) Yep! That's why I test EVERY DISK I get from outside -- anyone can make a mistake and accidentally stick a virus on a disk. It only takes seconds to check. Practice safe... well you get the idea. ------ Greg Lindahl gl8f@virginia.edu I'm not the NRA.
woodside@ttidca.TTI.COM (George Woodside) (10/03/89)
In article <1097@cbnewsj.ATT.COM> rcd@cbnewsj.ATT.COM (rana.c.dutt) writes: ...[edited]... >Question: will this virus write to the boot sector on my hard disk as >well? If so, how can I detect it? (I noticed that Virus Killer only >checks and fixes floppy disks.) Thanks very much. No, the "KEY" virus will not touch a hard disk. It doesn't even know they exist. I'm busy re-writing Vkiller (from scratch) to enhance its capabilities, and add some hard disk facilities. It will be a while before it gets re-posted, but I'm working on it. So far, though, I have no information on any ST viruses which spread through, or attack, hard disks. If anyone has any information on viruses that Vkiller (2.20) doesn't recognize, or on any ST-oriented hard disk or link viruses, I would certainly appreciate hearing from them. -- *George R. Woodside - Citicorp/TTI - Santa Monica, CA *Path: ..!{philabs|csun|psivax}!ttidca!woodside