MAINT@UQAM.BITNET (Peter Jones) (12/09/89)
We have a PC virus in our labs, which is detected as Ping Pong B by SCANV49, and as the Ping Pong Virus by IBM's virus scanner. Unlike the Ping Pong described in file MSDOSVIR.A89, it does not have the bytes 1357 at offset 1FCO. The virus appears to be a boot-sector virus; it has not been detected by SCAN in the .COMs or .EXEs. As with Ping Pong, a strange character (not a lower-case 'o') bounces around the screen. Sometimes the "ball" bounces off a non-blank character. Sometimes characters fall down. The virus appears to be triggered, like Ping Pong, when a disk access occurs near a quarter-hour. CHKDSK issued about 5 seconds before such a time usually does it. Occaisonally, we have observed two independent "balls" on the screen. We have been unable to cause this behaviour deliberately on our test PC. The virus can be spread by an infected boot sector on non-system data diskettes, if the user accidentally leaves such a diskette in drive A and tries to boot from it, then presses any key to continue booting after the "non-system disk" message from DOS. Questions for you readers: 1) Is there a complete description of the virus available? 2) What damage does it do? 3) What prevention and disinfection procedures can be used a) in computer labs with many users per machine b) in professor's office (few people using a machine) (I've read about the idea of scanning the diskettes used by students in labs before giving the diskette to another student.) 4) Is there a version of SCANVRS that will detect boot-sector viruses on data disks? Aside from disk utilities such as Norton's absolute sector editor, is there a simple way to disinfect a data disk? SYS A: after a clean boot doesn't work because there isn't space for a system on A:. Peter Jones MAINT@UQAM (514)-987-3542 "Life's too short to try and fill up every minute of it" :-)