woodside@ttidca.TTI.COM (George Woodside) (03/31/88)
I've received a lot of mail about the ST virus, and the virus killer I posted called PENECILN. I've collected all the questions, and will try to answer them all at once. This will be in rather simple terms, so you needn't be an operating systems guru to understand what's happening, or what to do about it.

The only virus I've heard described attacks only floppy disks, and works as follows:

The ST uses the write protect detection logic to detect when a disk has been removed from the disk drive. When the ST next accesses that drive, even if the same disk was pulled out and re-inserted, it checks whether the disk has been changed. This check is a system function called Getbpb. The ST executes this function on every disk you insert into the machine and access, regardless of which program accesses the disk, or for what reason.

The virus lives in the boot sector (sector zero) of an infected disk, and "attaches itself" to the system Getbpb function call. When the ST checks a disk, the virus writes itself onto that disk, unless the disk's write protect window is open. That is very significant: the virus can not spread itself to a write protected disk.

The virus keeps a count that it increments each time it sees a disk that is already infected, and zeroes each time it writes itself to a new disk. I assume the philosophy here is "If I see a non-infected disk, I haven't spread enough yet. When I see X infected disks in a row, I'm pretty well spread around." When the count reaches X infected disks in a row, the virus trashes the disk. Note that the virus is still in RAM, and will continue trashing every disk it sees.

The virus can not load itself into your system except when you power on, or do a system reset, because that is the only time the ST executes a disk's boot sector. It can not enter your system by reading a disk at any other time, only at power-up or reset.

The PENECILN program forces a system Getbpb call to the disk before it zeroes the boot sector, to ensure that (if your system is infected) the virus will get written before PENECILN zeroes the boot sector, not afterwards.
Then, after writing zeroes to the boot sector, it (in keypress mode) sits and waits for another command before releasing control of the system.

How to dis-infect a system, whether you have the virus or not, is not difficult. These steps will get your system clean, even if you don't have reason to worry (yet).

1) Get a copy of PENECILN, and run the program with the "-k" option specified on the command line. Put a disk with the write protect window closed in drive A, and press "A". This tells PENECILN to zero the boot sector on the disk in drive A.

2) Wait for the disk access light to go out. Don't do anything else! This ensures that nothing gets the opportunity to alter the boot sector after it has been cleared.

3) Turn off the power to your system and wait 15 seconds. This ensures that memory is completely erased, including the virus, if it was present in your system.

4) Remove the disk from drive A, open the write protect window, and put it back in drive A. This provides a safe disk to boot from, which can no longer be altered.

5) Power up your system. Run your favorite sector editor, or sector dump program, to check the contents of sector zero on the disk in drive A. This ensures that the copy of PENECILN you have hasn't been tampered with by some *%&@!$#. There should be zeroes in bytes 0-7, and in 30 - 509. The data in 8 - 29 is the serial number and disk configuration parameters. The numbers in 510 and 511 force a zero checksum on the disk, telling the ROM that the boot sector is not executable (the ROM only runs a boot sector whose 256 big-endian 16-bit words sum to 0x1234; any other sum, zero included, is left alone). Assuming that your disk matches these requirements, you now have a safe boot disk, and a dis-infected system. If the disk doesn't have the zeroes everywhere else (assuming you didn't specify an MS-DOS boot sector), destroy that copy of PENECILN. Destroy whoever gave it to you, too!!! :^) Seriously, there should be zeroes everywhere, or something is very wrong.
6) Set aside any disks you have which must be self booting (games or other software which you have to insert into drive A before powering up or pressing reset). These disks can not have their boot sectors altered, or they will be useless. You should probably keep the originals aside, but throw your working copies into the stack of disks you are going to clean up.

7) Run PENECILN again, with the -k option specified. Feed it every disk you own, except for those you set aside above. This dis-infects all your disks.

At this point, you have a clean system, and all your disks are clean, with the possible exception of the self-booting ones you set aside. To keep your system clean, never power up or press reset with a disk in drive A which you haven't dis-infected. And, keep the write protect window open on disks unless you know you will have to write on them. Be suspicious of disks from anyone else, and dis-infect them before using them (unless they absolutely must be self booting). One report of the virus came from disks purchased at a computer store. Whether intentional or not, any disk you introduce to your system can be spreading the virus.

Hopefully, this plague can be wiped out. But, I doubt if we can ever feel 100% safe from this sort of sabotage. There are more questions, but related more to boot sectors and serial numbers, which I'll cover in another posting.

--
* George R. Woodside - Citicorp/TTI - Santa Monica, CA
* Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
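A checker for the step-5 inspection, added here as a worked example in Python; it is not PENECILN and not code from the original posting. It assumes the standard ST boot sector layout: a 3-byte serial number at bytes 8-10 followed by the little-endian (MS-DOS compatible) BPB fields through byte 29, and the rule that the ROM executes sector zero at power-up or reset only when its 256 big-endian 16-bit words sum to 0x1234. Both sample sectors are constructed inline; the "bootable" one is just an executable stub to show what the checker flags, not the virus.

```python
"""Check a 512-byte Atari ST boot sector against the clean layout PENECILN leaves behind."""
import struct

SECTOR_SIZE = 512
EXEC_MAGIC = 0x1234  # ROM runs sector 0 at power-up/reset only if the word sum equals this
BPB_FMT = "<HBHBHHBHHHH"  # little-endian fields at bytes 11-29 (assumed standard layout)
BPB_FIELDS = ("bps", "spc", "res", "nfats", "ndirs", "nsects",
              "media", "spf", "spt", "nsides", "nhid")


def word_sum(sector):
    """Sum of the 256 big-endian 16-bit words, mod 2**16: the ST boot-sector checksum."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector):
    """True if the ROM would execute this sector when booting from drive A."""
    return word_sum(sector) == EXEC_MAGIC


def parse_bpb(sector):
    """Bytes 8-29: 24-bit serial number, then the BIOS parameter block."""
    fields = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FMT, sector, 11)))
    fields["serial"] = sector[8:11].hex()
    return fields


def check_clean(sector):
    """Return the problems found; an empty list means the sector matches the step-5 layout."""
    problems = []
    if any(sector[0:8]):
        problems.append("bytes 0-7 are not all zero (branch/OEM field present)")
    if any(sector[30:510]):
        problems.append("bytes 30-509 are not all zero (boot code or data present)")
    if is_executable(sector):
        problems.append("word sum is 0x1234: the ROM would execute this sector at reset")
    return problems


def with_checksum(sector, target):
    """Return a copy with bytes 510-511 set so the word sum equals `target`."""
    body = bytearray(sector)
    partial = sum(struct.unpack(">255H", body[:510])) & 0xFFFF
    struct.pack_into(">H", body, 510, (target - partial) & 0xFFFF)
    return bytes(body)


def make_clean_sector(serial=b"\x12\x34\x56",
                      bpb=(512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)):
    """Constructed sample: a zeroed, non-executable sector for a 720K double-sided disk."""
    body = bytearray(SECTOR_SIZE)
    body[8:11] = serial
    struct.pack_into(BPB_FMT, body, 11, *bpb)
    return with_checksum(bytes(body), 0)


def make_bootable_sector():
    """Constructed sample of an executable boot sector (a stub, not the virus):
    a bra.s at offset 0 to offset 30, a placeholder routine there, checksum forced to 0x1234."""
    body = bytearray(make_clean_sector())
    body[0:2] = b"\x60\x1c"            # bra.s +0x1c -> offset 0x1e (30)
    body[30:34] = b"\x4e\x75\x4e\x71"  # rts; nop: placeholder bytes only
    return with_checksum(bytes(body), EXEC_MAGIC)


if __name__ == "__main__":
    import sys
    # Pass a raw dump of sector zero as the first argument; otherwise check the clean sample.
    data = open(sys.argv[1], "rb").read(SECTOR_SIZE) if len(sys.argv) > 1 else make_clean_sector()
    print("BPB:", parse_bpb(data))
    print("executable:", is_executable(data))
    print("problems:", check_clean(data) or "none")
```

Run it against a raw dump of sector zero taken with your sector editor; an empty problem list is what step 5 is looking for, and a sector that reports "word sum is 0x1234" is one the ROM will run on the next reset, whatever the rest of its contents look like.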