rodent@netcom.COM (Ben Discoe) (04/24/91)
I practice safe software, never running programs from BBSs, never swapping software with pirates, etc. However, the 3000 that we do our commercial development on was struck by a virus today. When starting ced (CygnusEd), I got a black screen with thick white letters saying something along the lines of "Computer Viruses are a horrible Disease... This is the Cure" with something else that went by so quick I couldn't read it. The next time I rebooted, I got a 1-2 second pause before any program ran, and the Amiga ignored my system-configuration file.

Looking around, I found a file in DEVS: with an apparently blank file name ("<LF><LF><LF>") which was tricky to delete. Once it was removed, my system went back to normal... apparently. The "Computer Viruses are a Disease" message has come back three times since then, so the darn virus is still alive, hiding in there somewhere. It also modified "setpatch", the first line in my startup-sequence, to be some mysterious chunk of code.

All this is enormously surprising, because:

1. The only floppies that have entered my machine lately are the SAS/C 5.1 upgrade disks, which are SURELY virus-free!
2. This is on a 3000 under 2.0, which I doubt any viruses are intended to survive in. Perhaps that's why I was able to cure the symptoms but not the disease.

Can someone help me extinguish this thing? And why haven't I seen even a MENTION of viruses in any Amiga group in months? Were they all supposedly exterminated with some super-virus-killer?

--------------
Ben in San Jose, trying to escape this horrible city.

dvljrt@cs.umu.se (Joakim Rosqvist) (04/26/91)
>ced (CygnusEd), I got a black screen with thick white letters saying
>something along the lines of "Computer Viruses are a horrible Disease...
>This is the Cure" with something else that went by so quick I couldn't
>read it. The next time I rebooted, I got a 1-2 second pause before
>any program ran, and the Amiga ignored my system-configuration file.
>
>Looking around, I found a file in DEVS: with an apparently blank file
>name ("<LF><LF><LF>") which was tricky to delete. Once it was removed,
>my system went back to normal... apparently. The "Computer Viruses
>are a Disease" message has come back three times since then, so the
>darn virus is still alive, hiding in there somewhere. It also modified
>"setpatch", the first line in my startup-sequence, to be some mysterious
>chunk of code.
>

I've been a victim of this virus too. What it does when started is the following:

Load the startup-sequence, check "what is the first command?" hmm.. setpatch.. ok, then I'll call myself "setpatch" that way I will always be started on every boot and this without changing the startup-sequence. But.. the user will surely notice if the first command is not executed, so I'll copy it to the devs directory (nobody makes a dir of it anyway, but to be sure I'll call it " " so it won't appear on a dir)

The virus, which now is called "setpatch" (or whatever) will, after installed in memory, always run 'devs/" "' so everything works normally. When you deleted that file in devs you actually removed setpatch.

The real cure is deleting setpatch or whatever you have first in startup-sequence then rename the mysterious DEVS-file to that name.

/$DR.HEX$

peter@cutmcvax.cs.curtin.edu.au (Peter Wemm) (04/27/91)
rodent@netcom.COM (Ben Discoe) writes:

>I practice safe software, never running programs from BBSs, never
>swapping software with pirates, etc. However, the 3000 that we do our
>commercial development on was struck by a virus today. When starting
>ced (CygnusEd), I got a black screen with thick white letters saying
>something along the lines of "Computer Viruses are a horrible Disease...
>This is the Cure" with something else that went by so quick I couldn't
>read it. The next time I rebooted, I got a 1-2 second pause before
>any program ran, and the Amiga ignored my system-configuration file.
>Looking around, I found a file in DEVS: with an apparently blank file
>name ("<LF><LF><LF>") which was tricky to delete. Once it was removed,
>my system went back to normal... apparently. The "Computer Viruses
>are a Disease" message has come back three times since then, so the
>darn virus is still alive, hiding in there somewhere. It also modified
>"setpatch", the first line in my startup-sequence, to be some mysterious
>chunk of code.

I believe the virus that you describe is called "BGS 9" or something.. It is a file virus.. It creates a file with unprintable characters, and either puts it in devs and runs it from the startup-sequence, or it renames a particular file (first in startup-sequence), puts its code in its place and runs the renamed version.

You need to locate it, and delete it.. or preferably get a virus killer that can deal with it...

Be warned: It spreads like wildfire! It could be in multiple places on the Hard Disk, and probably not in any bootblocks on your disks.... It takes a LONG time to get rid of if it gets very far...

>--------------
>Ben in San Jose, trying to escape this horrible city.

--
Peter Wemm
------------------------------------------------------------------------------
peter@cs.curtin.edu.au (Home) +61-9-450-5243
Curtin University of Technology, Perth, Western Australia.
Amiga... Because life is too short for boring computers. (Dan Zerkle)

rjlov@ecr.mu.oz.au (Richard James LOVEJOY) (04/30/91)
This virus could be the ttv1 link virus. It searches the file s/startup-sequence, and puts the first file named therein as a blank line in either the main or devs directories. It then replaces the first file with itself. If it is this virus, the first command in your startup-sequence will be 2608 bytes in length, and this is the actual virus. The blank line is simply an innocent program renamed.
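
Added example, not part of any poster's message: a check for the two symptoms the replies describe (a first startup-sequence command that is exactly 2608 bytes, and a file whose name has no visible characters), run over an Amiga volume that has been copied to a host directory. The directory layout, the function names and the sample volume are assumptions constructed for illustration; only the 2608-byte size and the blank-name behaviour come from the thread.

```python
import os

SUSPECT_SIZE = 2608  # size of the replaced first command, from the last post


def first_command(volume):
    """First command named in s/startup-sequence, or None."""
    with open(os.path.join(volume, "s", "startup-sequence"), encoding="latin-1") as fh:
        for line in fh:
            line = line.strip()
            if line and not line.startswith(";"):  # ';' begins a comment
                return line.split()[0].strip('"')
    return None


def entries(directory):
    return os.listdir(directory) if os.path.isdir(directory) else []


def scan(volume):
    """Return (symptom, path) pairs found in C:, DEVS: and the volume root."""
    findings = []
    cmd = first_command(volume)
    name = cmd.split(":")[-1].split("/")[-1].lower() if cmd else None
    for sub in ("c", "devs", ""):
        folder = os.path.join(volume, sub)
        for entry in entries(folder):
            path = os.path.join(folder, entry)
            if not os.path.isfile(path):
                continue
            # Amiga file names are case-insensitive, so compare lowercased.
            if entry.lower() == name and os.path.getsize(path) == SUSPECT_SIZE:
                findings.append(("first-command-size", path))
            # A name with no visible character (LF, space, NBSP) hides in listings.
            if not any(c.isprintable() and not c.isspace() for c in entry):
                findings.append(("blank-name", path))
    return findings


def build_sample(volume):
    """Constructed sample volume matching the thread's description."""
    for sub in ("s", "c", "devs"):
        os.makedirs(os.path.join(volume, sub), exist_ok=True)
    with open(os.path.join(volume, "s", "startup-sequence"), "w") as fh:
        fh.write("; constructed sample\nSetPatch >NIL:\nLoadWB\n")
    with open(os.path.join(volume, "c", "setpatch"), "wb") as fh:
        fh.write(b"\0" * SUSPECT_SIZE)  # placeholder bytes, not virus code
    with open(os.path.join(volume, "devs", "\n\n\n"), "wb") as fh:
        fh.write(b"\0" * 100)  # stands in for the displaced original
```

A size match alone is only a hint; a hit on both symptoms for the same volume is the pattern the replies describe, and the blank-name file is then the original command that should be kept, not deleted.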