[comp.sys.atari.st] Treating a Virus

woodside@ttidca.TTI.COM (George Woodside) (03/31/88)

I've received a lot of mail about the ST virus, and the virus killer I posted
called PENECILN. I've collected all the questions, and will try to answer them
all at once. This will be in rather simple terms, so you needn't be an 
operating systems guru to understand what's happening, or what to do about it.

The only virus I've heard described attacks only floppy disks, and works as 
follows:

The ST uses the write protect detection logic to detect when a disk has
been removed from the disk drive. When the ST next accesses that drive,
even if the same disk was pulled out and re-inserted, it does a check
to see if the disk has been changed. This check is a system function called
Getbpb. The ST will execute this function on every disk you insert into the
machine and access, regardless of what program accesses the disk, or for
what reason. 

The virus "attaches itself" to the system Getbpb function call. When the
ST checks the disk, the virus writes itself on the disk, unless the disk's
write protect window is open. That's very significant; the virus can not
spread itself to a write protected disk.

The virus keeps count of how many times it has reproduced itself. It zeroes
and restarts the count each time it writes itself to a new disk. I assume the
philosophy here is "If I see a non-infected disk, I haven't spread enough
yet. When I see X infected disks in a row, I'm pretty well spread around."
When the virus gets to X infected disks in a row, it trashes the disk.
Note that the virus is still in RAM, and will continue trashing every disk
it sees.

The virus can not load itself into your system except when you power on,
or do a system reset. It can not enter your system by reading a disk at
any other time, only at power-up or reset.

The PENECILN program forces a system Getbpb call to the disk before
it zeroes the boot sector, to insure that (if your system is infected)
the virus will get written before PENECILN zeroes the boot sector,
not afterwards. Then, after writing zeroes to the boot sector, it
(in keypress mode) sits and waits for another command before releasing
control of the system. 

How to dis-infect a system, whether you have the virus or not, is not
difficult. These steps will get your system clean, even if you don't 
have reason to worry (yet).

1) Get a copy of PENECILN, and run the program with the "-k" option
   specified on the command line. Put a disk with the write protect
   window closed in drive A, and press "A". This tells PENECILN
   to zero the boot sector on the disk in drive A.

2) Wait for the disk access light to go out. Don't do anything else!
   This insures that nothing gets the opportunity to alter the boot
   sector after it has been cleared.

3) Turn off the power to your system and wait 15 seconds. This insures
   that memory is completely erased, including the virus, if it was
   present in your system.

4) Remove the disk from drive A, open the write protect window, and
   put it back in drive A. This provides a safe disk to boot from,
   which can no longer be altered.

5) Power up your system. Run your favorite sector editor, or sector
   dump program, to check the contents of sector zero on the disk in
   drive A. This insures that the copy of PENECILN you have hasn't been
   tampered with by some *%&@!$#. There should be zeroes in bytes 0-7,
   and in 30 - 509. The data in 8 - 29 is the serial number and disk
   configuration parameters. The numbers in 510 and 511 force a zero
   checksum on the disk, telling GEMDOS that the boot sector is not
   executable. Assuming that your disk matches these requirements,
   you now have a safe boot disk, and a dis-infected system. If the
   disk doesn't have the zeroes everywhere else, (assuming you didn't
   specify an MS-DOS boot sector), destroy that copy of PENECILN.
   Destroy whoever gave it to you, too!!! :^) Seriously, there should
   be zeroes everywhere, or something is very wrong.

6) Set aside any disks you have which must be self booting (games or other
   software which you have to insert into drive A before powering up or
   pressing reset). These disks can not have their boot sectors altered, or
   they will be useless. You should probably keep the originals aside,
   but throw your working copies into the stack of disks you are going to
   clean up.

7) Run PENECILN again, with the -k option specified. Feed it every disk
   you own, except for those you set aside above. This dis-infects all
   your disks.
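The sector-zero inspection in step 5 can be done on a disk image instead of
by eye with a sector editor. The following is an added example written for this
posting, not part of PENECILN or any Atari software: it checks a 512-byte boot
sector for the layout described above (zeroes in bytes 0-7 and 30-509, serial
number and configuration data in 8-29, and a word at 510-511 that makes the
16-bit word sum of the sector come out to zero). The 0x1234 value in
tos_marks_executable comes from the TOS boot sector documentation, not from
this posting; the sample serial/BPB bytes are constructed for the example.

```python
import struct

SECTOR_SIZE = 512


def word_checksum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words of a 512-byte sector, mod 2**16."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def tos_marks_executable(sector: bytes) -> bool:
    """TOS runs a boot sector only when its word checksum equals 0x1234.

    (Value from TOS documentation, not from the posting; a zero checksum
    therefore means GEMDOS will never execute this sector.)
    """
    return word_checksum(sector) == 0x1234


def check_cleaned_sector(sector: bytes) -> list:
    """Return the list of ways the sector deviates from the step-5 layout.

    An empty list means: zeroes in 0-7 and 30-509, and a zero word checksum.
    Bytes 8-29 (serial number and disk parameters) may hold anything.
    """
    problems = []
    if any(sector[0:8]):
        problems.append("bytes 0-7 are not all zero")
    if any(sector[30:510]):
        problems.append("bytes 30-509 are not all zero")
    csum = word_checksum(sector)
    if csum != 0:
        problems.append("word checksum is %#06x, expected 0" % csum)
    return problems


def build_cleaned_sector(serial_and_bpb: bytes) -> bytes:
    """Construct a sector in the layout step 5 describes.

    Everything is zero except bytes 8-29 (caller-supplied) and the fix-up
    word at 510-511, chosen so the whole-sector word sum is zero.
    """
    if len(serial_and_bpb) != 22:
        raise ValueError("serial number + BPB field is bytes 8-29, i.e. 22 bytes")
    body = bytearray(SECTOR_SIZE)
    body[8:30] = serial_and_bpb
    # Sum of the first 255 words; the 256th word cancels it out.
    partial = sum(struct.unpack(">255H", bytes(body[:510]))) & 0xFFFF
    body[510:512] = struct.pack(">H", (-partial) & 0xFFFF)
    return bytes(body)


# Constructed sample for bytes 8-29: a 3-byte serial number followed by
# little-endian BPB fields for a 720K double-sided disk (example values only).
SAMPLE_SERIAL_AND_BPB = bytes([
    0x12, 0x34, 0x56,        # serial number (constructed)
    0x00, 0x02,              # bytes per sector = 512
    0x02,                    # sectors per cluster
    0x01, 0x00,              # reserved sectors
    0x02,                    # number of FATs
    0x70, 0x00,              # root directory entries = 112
    0xA0, 0x05,              # total sectors = 1440
    0xF9,                    # media descriptor
    0x05, 0x00,              # sectors per FAT
    0x09, 0x00,              # sectors per track
    0x02, 0x00,              # sides
    0x00, 0x00,              # hidden sectors
])


def inspect_image(path: str) -> list:
    """Read sector zero of a raw floppy image file and report problems."""
    with open(path, "rb") as fh:
        sector = fh.read(SECTOR_SIZE)
    return check_cleaned_sector(sector)


if __name__ == "__main__":
    clean = build_cleaned_sector(SAMPLE_SERIAL_AND_BPB)
    print("clean sector problems:", check_cleaned_sector(clean))
    tampered = bytearray(clean)
    tampered[100] = 0x4E          # a stray byte in the must-be-zero area
    print("tampered sector problems:", check_cleaned_sector(bytes(tampered)))
```

Run inspect_image on a raw .ST image to get the same answer a sector dump
would give you by hand; any non-empty problem list means the sector does not
match what PENECILN is supposed to leave behind.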


At this point, you have a clean system, and all your disks are clean,
with the possible exception of the self-booting ones you set aside. To
keep your system clean, never power up or press reset with a disk in
drive A which you haven't dis-infected. And, keep the write protect
window open on disks unless you know you will have to write on them. Be
suspicious of disks from anyone else, and dis-infect them before using
them (unless they absolutely must be self booting). One report of the
virus came from disks purchased at a computer store. Whether intentional
or not, any disk you introduce to your system can be spreading the virus.

Hopefully, this plague can be wiped out. But, I doubt if we can ever
feel 100% safe from this sort of sabotage.

There are more questions, but related more to boot sectors and serial
numbers, which I'll cover in another posting.
-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside