john@minster.york.ac.uk (03/22/88)
I'm posting this for someone who does not have Usenet access.
-------------------

THE ATARI ST VIRUS
==================

This weekend I received a number of PD software disks from a computer store. I found that three of these contained the 'ST Virus' that has been mentioned on the net recently. I did not however discover this until it had trashed one disk and infected a very large number of disks. I have since disassembled the virus and worked out exactly what it does and I am posting a summary of what I found here.

What The Virus Does
===================

When the ST is reset or switched on, it reads some information from track 0 sector 0 of the disk in drive A. It is possible to set up that sector so that the ST will execute its contents. The virus program is written into this sector so that it is loaded whenever the ST is booted on the offending disk.

Once loaded into memory the virus locates itself at the end of the system disk buffer (address contained at 0x4c2 I think) and attaches itself to the BIOS getbpb() function. Every time getbpb() is called, the virus is activated. It tests the disk to see if it contains the virus. If it doesn't then the virus is written out to the boot sector and a counter is initialised. If the disk does contain the virus then the counter is incremented. Once the counter reaches a certain value, random data is written across the root directory & FAT tables for the disk thus making it unusable. The virus then removes itself from the boot sector of the damaged disk (destroys the evidence??).

NOTES
=====

Once the virus is installed in the ST it will copy itself to EVERY non write-protected disk that you use - EVEN IF YOU ONLY DO A DIRECTORY - or open a window to it from the desktop. The virus CANNOT copy itself to a write-protected disk. I *think* (but am not certain) that it survives a reset.

The current virus does not affect hard disks (it uses the flopwr() call). However, if you are using an auto-boot hard disk such as Supra, and the disk in drive A contains the virus, THE FLOPPY BOOT SECTOR IS EXECUTED BEFORE THE HARD DISK BOOT SECTOR and consequently the virus will still be loaded and transferred to every floppy that you use.

THE CURE
========

To test for the virus, look at sector 0 of a floppy with a disk editor. If the boot sector is executable then it will contain 60 hex as its first byte. Note that a number of games have executable boot sectors as part of their loading. However if this is the case then they should not load when infected by the virus.

If people are worried about this & haven't been able to get the other killer (I have not seen it yet) then I will post the source/object for a simple virus detector/killer that I have written.

OTHER VIRUSES
=============

It would appear that this virus is not the end of the story. I have heard that there is a new virus around. This one is almost impossible to detect as for each disk inserted, it scans for any *.prg and appends itself to the text segment in some way. Thus it is very difficult to tell whether or not the virus is actually on a disk.....

FINALLY
=======

Use those write-protect tabs! Check all new disks! Hopefully we can get rid of this virus totally before it damages something important.

Chris Allen.

===================================================
If you want any information, etc etc mail me at:
Janet: CJA1@uk.ac.york.vaxa
uucp:  ...!uunet!mcvax!ukc!minster!CJA1@VAXA
arpa:  CJA1%vaxa.york.ac.uk@mss.cs.ucl.ac.uk
===================================================
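The boot-sector check described under THE CURE, worked through as an added example. This is not Chris Allen's detector/killer and not code from the original post. It relies on two facts about TOS that the post does not state: TOS only executes a floppy boot sector when the sum of its 256 big-endian 16-bit words, modulo 2^16, equals 0x1234, and the BIOS parameter block that getbpb() returns sits at offset 0x0B in little-endian DOS layout, with boot code starting at 0x1E. The 720K disk geometry, the OEM/serial bytes and the two sample sectors are constructed for the example; the "suspect" sector carries a single RTS as placeholder boot code, not the virus. The generalization beyond the post is that the checksum, not the 0x60 first byte alone, decides whether the sector runs; the 0x60 (a 68000 BRA.S) is what the post tells you to look for, and a game loader looks exactly the same here, so the result is a candidate to inspect, not a verdict. neutralize() shows what a killer has to preserve: the BPB stays, the code and the checksum go.

```python
import struct

# Atari ST floppy boot sector (512 bytes), what TOS reads from track 0 sector 0.
SECTOR_SIZE = 512
BOOT_CODE_START = 0x1E      # first byte after the BPB
BOOT_MAGIC = 0x1234         # TOS executes the sector only if its word sum equals this
BPB_FORMAT = "<HBHBHHBHHHH"  # little-endian (DOS-compatible) BIOS parameter block at 0x0B
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fats", "root_entries", "sectors", "media", "sectors_per_fat",
              "sectors_per_track", "sides", "hidden_sectors")


def word_sum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words, modulo 2**16 (the TOS boot checksum)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    """True when TOS would jump into this sector at boot."""
    return word_sum(sector) == BOOT_MAGIC


def parse_bpb(sector: bytes) -> dict:
    """Decode the BPB at offset 0x0B: the fields getbpb() hands back to the OS."""
    return dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 0x0B)))


def classify(sector: bytes) -> str:
    """The manual check from the post, automated: executable plus 0x60 first byte = suspect.
    A legitimate game loader looks identical here, so this flags candidates, not infections."""
    if not is_executable(sector):
        return "not executable"
    if sector[0] == 0x60:
        return "executable, starts with BRA.S (0x60): inspect, virus or game loader"
    return "executable, no BRA.S at offset 0: inspect"


def neutralize(sector: bytes) -> bytes:
    """Strip boot code but keep the BPB so the disk stays readable: clear the jump and
    the code area, then make sure the checksum no longer equals 0x1234."""
    out = bytearray(sector)
    out[0:2] = b"\x00\x00"
    out[BOOT_CODE_START:] = bytes(SECTOR_SIZE - BOOT_CODE_START)
    if word_sum(out) == BOOT_MAGIC:     # possible by chance; break it on purpose
        out[-2:] = b"\x00\x01"
    return bytes(out)


def make_sector(code: bytes, bootable: bool) -> bytes:
    """Constructed sample (720K DS/DD geometry, assumed). When bootable, the last word
    is fixed up so the word sum lands on 0x1234, the way a real boot sector is built."""
    if len(code) > SECTOR_SIZE - BOOT_CODE_START - 2:
        raise ValueError("code overlaps the checksum fix-up word")
    head = b"\x60\x1C" if bootable else b"\x00\x00"   # BRA.S to 0x1E (PC+2+0x1C)
    sector = bytearray(head + b"Loader" + b"\x01\x02\x03")  # OEM field + serial, constructed
    sector += struct.pack(BPB_FORMAT, 512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)
    assert len(sector) == BOOT_CODE_START
    sector += code + bytes(SECTOR_SIZE - BOOT_CODE_START - len(code))
    if bootable:
        fix = (BOOT_MAGIC - word_sum(sector)) & 0xFFFF   # last word is still zero here
        sector[-2:] = struct.pack(">H", fix)
    return bytes(sector)


CLEAN_SECTOR = make_sector(b"", bootable=False)
# Placeholder boot code (a lone RTS, 0x4E75) standing in for an infected sector; not the virus.
SUSPECT_SECTOR = make_sector(b"\x4e\x75", bootable=True)

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        print(name, hex(word_sum(sec)), classify(sec))
    cleaned = neutralize(SUSPECT_SECTOR)
    print("after neutralize:", classify(cleaned), parse_bpb(cleaned)["sectors"], "sectors")
```

On a real disk you would feed the 512 bytes read from track 0 sector 0 into classify(); the post's caveat still applies, since a game that boots from its own sector will classify exactly like an infected one and must be checked by hand. Write neutralize()'s output back only to a disk you have already identified as infected, as it also removes a legitimate loader.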