[comp.sys.atari.st] Virus Alert

kibo@brazil.UUCP (Jim Parry) (05/24/88)

I seem to have had something in the boot sectors of my disks that seeks
out program files (.TTP, .PRG...) and causes them to no longer be able
to read their data files (even when said files are perfectly good,
on the ramdisk, etc.)
The 'Peniciln' program stops this thing from attacking any more files.

Has anyone seen such a thing before?  I'll try to get some more information
with my sector editor, assuming that I didn't kill all my copies already.
(It seemed to spread very fast...)

 
 -----------
 Kibo (Jim Parry)
 userfe0n%mts.rpi.edu@itsgw.rpi.edu
 userfe0n@rpitsmts.bitnet
 or wox me on AmonNet!
-- 
 Kibo (with a long "i")            kibo%mts.rpi.edu@itsgw.rpi.edu
 Jim Parry                         userfe0n@rpitsmts.bitnet
 "Let's wox on AmonNet!"           @S@kibo.amonnet

kibo@pawl20.pawl.rpi.edu (James Parry) (05/25/88)

(This is a repost.  Seems my previous posting was sent out from a machine which
didn't spread it - please forgive if you saw this already.)

I found, three days ago, a virus I had not heard of, on my ST.  I'll
attempt to tell you everything I can find out about it, here.
Be warned that I am no expert on virology.

I made sure that this was a virus, not a glitch, by running the usual
gauntlet of coldstarts, memory checks, rebooting from write-protected
system master disks, comparing backups with originals, etc., and I am
confident that this was no fluke.

My system configuration is 1 Meg 1040ST-F, one floppy drive, no hard disk.

ACTIONS OF VIRUS
----------------
Seems to attack only executable programs (.TTP and .PRG files were damaged/
destroyed as will be explained; no other files were touched.)  Program
files either:
    (a) vanish or
    (b) become damaged so that they are still executable, but have severe
difficulty accessing data from disks (physical or RAMdisks).  For example, I
had two working backup copies of Megamax C before this happened; they have both
been affected and now both perform in the same broken way - either crashing
when they try to compile a good .C file, or claiming that the data file
is about 50% garbage (and the garbage the compiler claims to see is
invariant from try to try, even after coldstarts, for both copies of
the compiler, and my original copy can display the files just fine.)

The virus does not seem to destroy an entire disk's contents at once - it
seems to take files one at a time. I don't know how often, under what 
circumstances, etc., but I do know that a good disk can have several files
damaged/erased in about an hour (assuming you're using the disk
frequently, as I did in this one case).

I lost many executable files to the virus either by having them removed or 
corrupted in this odd way.  No cutesy 'Ha Ha' messages or any such ever
appeared.

PROPAGATION OF VIRUS
--------------------
It lives in the boot sectors, and can be killed with PENICILN.  I don't
know how often it copies itself, or when it does;  I think it had spread
to several disks since I realized it was around, but I think that
I actually received my copy of the virus a few months back, so it may
have been idle.
PENICILN definitely stops it.

Basically, I'm at a loss for further information.  I Peniciln'ed all my
disks frantically (once I tried it on an infected disk to make sure that
I would do this) before I realized I should have saved a copy, so I don't
have a 'live' copy of the virus.  I do have some damaged programs remaining,
that I will diff with the originals sometime, and will see if any deleted
files can be undeleted (once I get my shareware disk utilities back :-( )

Has anyone else experienced this weird and evil virus?
 
 -----------
 Kibo (Jim Parry)
 userfe0n%mts.rpi.edu@itsgw.rpi.edu
 userfe0n@rpitsmts.bitnet

woodside@ttidca.TTI.COM (George Woodside) (05/25/88)

In article <114@brazil.UUCP> kibo@brazil.UUCP (Jim Parry) writes:
>
>I seem to have had something in the boot sectors of my disks that seeks
>out program files (.TTP, .PRG...) and causes them to no longer be able
>to read their data files (even when said files are perfectly good,
>on the ramdisk, etc.)
>The 'Peniciln' program stops this thing from attacking any more files.

PENICILN will kill most anything, virus or not. While that's a safety
factor, it is rather deadly to disks that are supposed to be self booting.

I'm working on a more intelligent program now, but I need more virus samples.
If anyone suspects they have a virus infected disk, please send me a copy.
If there is a virus, I'll let you know what it's been doing, and add 
detect-and-kill capabilities for it to the program. 

Yet Another Warning Department: One of the virus infections I have a copy
of does not destroy files. It spreads itself like any other virus, but the
attack it launches is more subtle. It waits until the ST has been running
for a while, then does random memory accesses, at random intervals. It
will either step on some word in the screen RAM, causing a glitch on the
display, or some byte above the screen, which may cause a memory address
bomb. So, just because you don't have files being corrupted, don't think
that your system is virus-free. Be wary of new disks, and rely on the
write protect tabs to prevent spreading.

One of the newest virus infections contains code that intercepts the error
if you try to write to a write-protected disk. That means that while it
can't spread to a write-protected disk, you will not get an error when it
tries, so you'll have no clue that it tried. They're getting sneakier...

My next tool will be out soon. Meanwhile, please send samples of infected
disks to:

       George R. Woodside
       5219 San Feliciano Drive
       Woodland Hills, Ca. 91364  USA

Thank you.

-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
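The difference between PENICILN's blunt cure and the "more intelligent" tool Woodside describes comes down to what you check before you wipe. On the ST, TOS only executes a boot sector whose 256 big-endian 16-bit words sum to 0x1234, so a detector can first ask "is this sector executable at all?", then compare the code region against a whitelist of known-good loaders (hashing only bytes 30-509, since the serial number at bytes 8-10 differs per disk), and only treat the unknown ones as suspect. The following Python is an added example written for this page; it is not PENICILN, not Woodside's program, and the thread does not describe how PENICILN actually works. The BPB values, the inert "code" bytes standing in for a virus body, and the whitelist mechanism are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_MAGIC = 0x1234   # TOS runs boot-sector code only when the sector's 16-bit word sum is 0x1234
CODE_START = 30       # bytes 0-29: BRA.S, filler, serial number, BPB; boot code follows
CHECKSUM_WORD = 510   # last word of the sector, conventionally the checksum adjustment word


def word_sum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words of a 512-byte sector, modulo 2**16."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    """True if TOS would execute this boot sector at boot or after a media change."""
    return word_sum(sector) == BOOT_MAGIC


def make_executable(sector: bytes) -> bytes:
    """Patch the adjustment word so the sum hits BOOT_MAGIC (what an installer, or a virus, does)."""
    body = bytearray(sector)
    body[CHECKSUM_WORD:CHECKSUM_WORD + 2] = b"\x00\x00"
    fix = (BOOT_MAGIC - word_sum(bytes(body))) & 0xFFFF
    body[CHECKSUM_WORD:CHECKSUM_WORD + 2] = struct.pack(">H", fix)
    return bytes(body)


def code_hash(sector: bytes) -> str:
    """Hash of the code region only; the per-disk serial number at bytes 8-10 is excluded."""
    return hashlib.sha256(sector[CODE_START:CHECKSUM_WORD]).hexdigest()


def classify(sector: bytes, known_good: set) -> str:
    """Three-way verdict instead of PENICILN's kill-everything: inert, whitelisted, or suspect."""
    if not is_executable(sector):
        return "not executable"
    if code_hash(sector) in known_good:
        return "known-good executable boot sector"
    return "unknown executable boot sector"


def neutralize(sector: bytes) -> bytes:
    """Blunt cure (assumed to be in the spirit of PENICILN): wipe the code region and break the
    checksum. The BPB (bytes 0-29) is kept so the disk stays readable; a self-booting disk stops booting."""
    body = bytearray(sector)
    body[CODE_START:SECTOR_SIZE] = bytes(SECTOR_SIZE - CODE_START)
    if is_executable(bytes(body)):      # only if the BPB words alone happen to sum to 0x1234
        body[SECTOR_SIZE - 1] ^= 0x01
    return bytes(body)


def sample_bpb() -> bytes:
    """Constructed BPB (little-endian, MS-DOS layout) for a 360K single-sided disk: 512 bytes/sector,
    2 sectors/cluster, 1 reserved sector, 2 FATs, 112 root entries, 720 sectors, media 0xF8,
    5 sectors/FAT, 9 sectors/track, 1 side, 0 hidden sectors."""
    return (b"\x60\x38" + b"Loader" + b"\x12\x34\x56"
            + struct.pack("<HBHBHHBHHHH", 512, 2, 1, 2, 112, 720, 0xF8, 5, 9, 1, 0))


def clean_sector() -> bytes:
    """A freshly formatted, non-bootable disk: BPB followed by zeros."""
    return sample_bpb() + bytes(SECTOR_SIZE - CODE_START)


def infected_sector() -> bytes:
    """Constructed stand-in for an infected disk: inert 68000 bytes (NOPs and an RTS, never run here)
    after the BPB, with the adjustment word patched so TOS would execute them."""
    fake_code = (b"\x4e\x71" * 20) + b"\x4e\x75"
    body = sample_bpb() + fake_code
    body += bytes(SECTOR_SIZE - len(body))
    return make_executable(body)


if __name__ == "__main__":
    clean, infected = clean_sector(), infected_sector()
    print("clean:      ", classify(clean, set()))
    print("infected:   ", classify(infected, set()))
    print("whitelisted:", classify(infected, {code_hash(infected)}))
    print("after cure: ", classify(neutralize(infected), set()))
```

Run against a sector dumped with a sector editor, `classify` separates a legitimately self-booting disk (hash on the whitelist) from one that merely happens to be executable, which is exactly the case where PENICILN is "rather deadly". A write-protect tab still beats any of this for stopping spread, since the virus cannot patch the adjustment word on a disk it cannot write.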

woodside@ttidca.TTI.COM (George Woodside) (05/26/88)

In article <906@imagine.PAWL.RPI.EDU> kibo () writes:
...[edited]...
>ACTIONS OF VIRUS
>----------------
>Seems to attack only executable programs (.TTP and .PRG files were damaged/
>destroyed as will be explained; no other files were touched.)  Program
>files either:
>    (a) vanish or
>    (b) become damaged so that they are still executable, but have severe
>difficulty accessing data from disks (physical or RAMdisks).  For example, I
>had two working backup copies of Megamax C before this happened; they have both
>been affected and now both perform in the same broken way - either crashing
>when they try to compile a good .C file, or claiming that the data file
>is about 50% garbage (and the garbage the compiler claims to see is
>invariant from try to try, even after coldstarts, for both copies of
>the compiler, and my original copy can display the files just fine.)
>
>The virus does not seem to destroy an entire disk's contents at once - it
>seems to take files one at a time. I don't know how often, under what 
>circumstances, etc., but I do know that a good disk can have several files
>damaged/erased in about an hour (assuming you're using the disk
>frequently, as I did in this one case).

First, it's unfortunate that you don't have a copy left, since I'm still
trying to get a copy of this one (if it's the one I think it is).

This one (assuming it is the one), is a FAT saboteur. It spreads in the
usual manner, copying itself into boot sectors when the BIOS Media Change
routine accesses a new disk. I don't have any information yet on the
delays it has built in before it starts its dirty work, but the basic
technique is to periodically step on small portions of the FAT (File
Allocation Table). This results in either the premature termination
of a file, or altering the file contents by re-directing the operating
system's trail of sectors that make up a given file. Since it makes
only small changes each time it strikes (I think), you won't notice it until
you access a file that has been hit. Note that since it strikes at the FAT 
(both copies, I believe), copying the file yields a bad copy.

Another victim claims that file data was also destroyed, but I believe
the data destruction was a side effect of writing something to the disk
after the FATs had been sabotaged.

The bottom line is that if you haven't written to the disk, the file data
is probably intact, although you can't access the files reliably due to
the FAT damage. You can probably recover text files with a disk utility.
You may be able to recover executables, but only if you're either real
lucky, or a real wizard.

I'm still looking for a copy of this one (and any other virus anyone may encounter)
to add it to the next virus killer.

Please send infected disks to:

      George R. Woodside
      5219 San Feliciano Drive
      Woodland Hills, Ca. 91364

-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
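Woodside's description of a FAT saboteur, and his point that a single small hit can either end a file early or send the operating system down another file's sector trail (so that copying the file yields a bad copy), is easy to see on a miniature FAT12 table. The following Python is an added example written for this page, not code from the thread: it packs and unpacks 12-bit FAT entries the way GEMDOS lays them out, walks cluster chains, and then applies one-entry "hits" to a constructed table holding two files (the names, sizes and cluster numbers are made up). The checks at the end are the kind a recovery or detection tool would run: does the chain length match the directory entry's file size, do two files now claim the same clusters, and do the two FAT copies still agree.

```python
import math

EOC = 0xFFF        # end-of-chain marker; any entry >= 0xFF8 ends a chain
BAD = 0xFF7
FREE = 0x000


def fat12_get(fat: bytearray, n: int) -> int:
    """Read 12-bit entry n from a packed FAT12 table."""
    o = n * 3 // 2
    if n & 1:
        return (fat[o] >> 4) | (fat[o + 1] << 4)
    return fat[o] | ((fat[o + 1] & 0x0F) << 8)


def fat12_set(fat: bytearray, n: int, v: int) -> None:
    """Write 12-bit entry n; an odd entry shares a byte with its even neighbour, so mask carefully."""
    o = n * 3 // 2
    v &= 0xFFF
    if n & 1:
        fat[o] = (fat[o] & 0x0F) | ((v << 4) & 0xF0)
        fat[o + 1] = (v >> 4) & 0xFF
    else:
        fat[o] = v & 0xFF
        fat[o + 1] = (fat[o + 1] & 0xF0) | ((v >> 8) & 0x0F)


def walk_chain(fat: bytearray, start: int, total_clusters: int):
    """Follow a cluster chain as the OS would. Returns (clusters, how_it_ended);
    anything other than "eof" is a premature termination of the file."""
    chain, seen, cur = [], set(), start
    while True:
        if cur < 2 or cur >= total_clusters:
            return chain, "out-of-range"
        if cur in seen:
            return chain, "loop"
        seen.add(cur)
        chain.append(cur)
        nxt = fat12_get(fat, cur)
        if nxt >= 0xFF8:
            return chain, "eof"
        if nxt == FREE:
            return chain, "free"
        if nxt == BAD:
            return chain, "bad"
        cur = nxt


def check_file(fat, start, size, cluster_bytes, total_clusters) -> str:
    """Cross-check a directory entry (start cluster, file size) against its FAT chain."""
    expected = max(1, math.ceil(size / cluster_bytes))
    chain, ended = walk_chain(fat, start, total_clusters)
    if ended != "eof":
        return "truncated: chain ends on %s after %d clusters" % (ended, len(chain))
    if len(chain) != expected:
        return "length mismatch: %d clusters in FAT, %d implied by size" % (len(chain), expected)
    return "consistent"


def compare_fats(fat1, fat2, total_clusters):
    """Entries where the two FAT copies disagree. Empty if both copies were hit identically."""
    return [n for n in range(total_clusters) if fat12_get(fat1, n) != fat12_get(fat2, n)]


def find_cross_links(fat, starts, total_clusters):
    """Clusters claimed by more than one file: the signature of a redirected chain."""
    owners = {}
    for s in starts:
        for c in walk_chain(fat, s, total_clusters)[0]:
            owners.setdefault(c, set()).add(s)
    return {c for c, o in owners.items() if len(o) > 1}


TOTAL_CLUSTERS = 16
CLUSTER_BYTES = 1024                                       # 2 sectors of 512 bytes
FILES = {"MEGAMAX.PRG": (2, 3600), "TEST.C": (6, 2500)}   # constructed: (start cluster, size)


def sample_fat() -> bytearray:
    """Constructed healthy FAT12: MEGAMAX.PRG in clusters 2-5, TEST.C in clusters 6-8."""
    fat = bytearray(TOTAL_CLUSTERS * 3 // 2)
    fat12_set(fat, 0, 0xFF8)       # media descriptor entry
    fat12_set(fat, 1, EOC)
    for c in (2, 3, 4):
        fat12_set(fat, c, c + 1)
    fat12_set(fat, 5, EOC)
    for c in (6, 7):
        fat12_set(fat, c, c + 1)
    fat12_set(fat, 8, EOC)
    return fat


def sabotage(fat: bytearray, cluster: int, value: int) -> bytearray:
    """One hit of the kind described above: a single entry changed, everything else left alone."""
    hit = bytearray(fat)
    fat12_set(hit, cluster, value)
    return hit


if __name__ == "__main__":
    good = sample_fat()
    cases = {"healthy": good,
             "entry 4 -> EOF (premature end)": sabotage(good, 4, EOC),
             "entry 3 -> 7 (redirected into TEST.C)": sabotage(good, 3, 7),
             "entry 3 -> free (dangling)": sabotage(good, 3, FREE)}
    for label, fat in cases.items():
        print(label)
        for name, (start, size) in FILES.items():
            print("  %-12s %-14s %s" % (name, walk_chain(fat, start, TOTAL_CLUSTERS),
                                         check_file(fat, start, size, CLUSTER_BYTES, TOTAL_CLUSTERS)))
        print("  cross-linked:", find_cross_links(fat, [s for s, _ in FILES.values()], TOTAL_CLUSTERS),
              " differs from healthy FAT at:", compare_fats(good, fat, TOTAL_CLUSTERS))
```

The redirected case is the interesting one: the chain length still matches the file size, so a naive check passes, the program still loads and runs, and every read of its later clusters returns TEST.C's bytes instead of its own, which is consistent with the "about 50% garbage, invariant from try to try" symptom reported earlier in the thread. Only the cross-link check catches it. As Woodside notes, if nothing has been written since the hit, the data clusters themselves are untouched, so recovery is a matter of rebuilding the chain rather than the data.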