[comp.sys.zenith.z100] Virus

W8SDZ@SIMTEL20.ARPA (Keith Petersen) (01/27/88)

Now available via standard anonymous FTP from SIMTEL20...

Filename			Type	 Bytes	 CRC

Directory PD1:<MSDOS.DSKUTL>
FLUSHOT2.ARC.1			BINARY	  5539  AFA8H

Here are some comments from the author, Ross Greenberg:

There exists a low-level form of dirt who gets joy out of destroying
your work.  They release a program, typically called a 'Trojan Horse',
which is designed to erase or otherwise damage your disks.

The programs are released into the public domain and typically are
downloaded or distributed exactly as you may have received this file.
Once run, they would print some sort of self-congratulatory message
and proceed to erase your data.  Obviously, these types of programs are
Not A Good Thing, and should be avoided.  However, usually you'll only
know you've been bit by a trojan after the fact.

Recently, a new breed has been developed.  Called a 'virus', it
infects all disks that it sees with a copy of itself, and then each of
these copies is capable of infecting all disks that *they* see.

Eventually, at some predetermined instance (a date, a time, a certain
number of copy operations), the virus attacks and destroys whatever
disks it can.  By this time, though, the virus has spread, and a
friend's machine may also be infected, infecting the disks of their
friends and so forth.

It was to counter just such a program that the enclosed program,
called FLU_SHOT, was developed.  The current virus making the rounds
infects the command processing program called "COMMAND.COM".  Every
bootable DOS disk must have a copy of this file.  FLU_SHOT examines
each write and will not allow a write operation to the COMMAND.COM
file to take place without your permission.  Normally, there should
never be a write operation to this file, so it should be effective in
that regard.

To run FLU_SHOT, place a copy of it in your root directory on the disk
you boot your system from.  Additionally, a line to invoke FLU_SHOT
should be placed in your AUTOEXEC.BAT file.

If you find the virus attacking your disk, please try to preserve a
copy of it and to forward it to me at my BBS at (212)-889-6438.  Once
I have a copy of the virus, I should be able to develop another
program which would serve as a vaccine.

Please be aware that there is a possibility that, if FLU_SHOT
determines a write operation taking place to your COMMAND.COM, it
*may* be a legitimate one ---- check the currently running program.
FLU_SHOT may indicate that a TSR program you're running seems to be
causing a problem.  If this happens to you, and you're sure the TSR
you're running is a valid one, then merely place the FLU_SHOT
invocation line in your AUTOEXEC *after* the TSR invocation line.

Additionally, FLU_SHOT cannot determine whether your current
COMMAND.COM is infected, only if a COMMAND.COM is about to be
infected.

The odds of you being hit with this virus are slim, but running
FLU_SHOT should keep this particular incarnation of the virus from
infecting your disks.

Ross M. Greenberg
(212)-889-6438 24hr BBS, 2400/1200,N,8,1

-----
Note from Keith:  This program is legitimate.  Ross is a personal
friend whose programming skills I highly respect.

--Keith Petersen
Arpa: W8SDZ@SIMTEL20.ARPA
Uucp: {decwrl,harvard,lll-crg,ucbvax,uunet,uw-beaver}!simtel20.arpa!w8sdz
GEnie: W8SDZ

w8sdz@WSMR-SIMTEL20.ARMY.MIL (Keith Petersen) (05/14/89)

In answer to a recent query for information on Viruses, the following
files from Simtel20 are highly recommended:

Filename			Type	 Bytes	 CRC

Directory PD1:<MSDOS.TROJAN-PRO>
VIRUS101.001			ASCII	 13965  9A66H
VIRUS101.002			ASCII	 17756  992BH
VIRUS101.003			ASCII	 18575  50C1H
VIRUS101.004			ASCII	  4984  AA38H

This is a four-part article which recently appeared on Usenet on the
subject of Viruses.

--Keith Petersen
Maintainer of Simtel20's CP/M, MSDOS, and MISC archives
Internet: w8sdz@wsmr-simtel20.army.mil [26.2.0.74]
Uucp: {ames,decwrl,harvard,rutgers,ucbvax,uunet}!wsmr-simtel20.army.mil!w8sdz