Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!decwrl!fernwood!portal!cup.portal.com!ts From: ts@cup.portal.com (Tim W Smith) Newsgroups: comp.sys.mac.programmer Subject: Re: A new virus that physically damages your hard disk? Message-ID: <41325@cup.portal.com> Date: 16 Apr 91 09:34:06 GMT References: <1CE00001.cjpdlcx@tbomb.ice.com> <1991Apr12.153022.15898@visix.com> Organization: The Portal System (TM) Lines: 84 Here are several ideas as to how one might do something to a disk drive that will either break it, or convince the average user that it is broken. 1. It is possible that some drives have commands meant for use only in the factory that can overwrite various internal data structures such that the drive must be sent back to the factory to be revived. At one time there was a proposal before the SCSI-2 committee to standardize various diagnostic commands, and I believe such dangerous commands were included. These were not put in the standard, but the fact that someone proposed them indicates that there is someone out there who thinks this kind of command is OK. It would not surprise me if these people include such commands as vendor unique commands in their drives. 2. It is possible that some virus author has found a firmware bug in some drive that lets the drive be screwed up. There are bugs in drive firmware. For example, the Sony 40 meg drive that Apple sells violates the SCSI standard in certain areas of message handling (I don't remember the exact sequence that causes this - sorry). 3. Most likely, it just plays around with the mode select command. SCSI-1 specified almost nothing about what this command actually did. The CCS specifed many of the mode select options, I believe, but there are a lot of things that go beyond CCS that drive vendors implemented. When one develops a SCSI disk installer for the Mac, one can build in knowledge of the particular drives that one is selling, and thus know how to set up all the mode select options the way one wants. However, programs that are willing to work with "generic" drives might not be able to set such a drive to a reasonable state if a virus that knew about that drive went out and diddled it. For example, some drives have an option to not spin up until the host sends a START UNIT command. I believe that some drives allow this option to be selected by software. If a virus set this option, that drive would look broken to a lot of software. If this option is in a mode select page your installer does not know about, you are screwed. 4. Some drives let you set the SCSI ID in software. If the virus set the ID to 7, it would look like a dead drive. I've never experimented with drives that allow this, so I don't know how permanent it would be (e.g., would the drive notice a change in the jumper settings and interpret this as meaning you now want to get the ID from the jumpers instead of from the saved value?), but this could be real nasty. 5. Some drives have command that let you read and write extra data. You get the sector you asked for PLUS the ECC data. Writing bad ECC data to random sectors could convince a user that the drive has hardware problems. 6. Some drives let you change the block size without reformatting. Changing the block size to 1K would screw up a lot of software. Most installers would probably decide that the drive is broke. 7. Issue a bunch of commands to remap bad blocks until the bad block table in the drive is full. Now wait till the user gets a new bad block and runs the installation software to deal with it. When the installation sofware encounters a full bad block table, it is likely to report that the drive is in the process of dying. To summarize, it is remotely possible that a virus is screwing disks sufficiently to require them to be sent back to the manufacturer. It is more likely, in my opinion, that it is simply doing something that confuses the Mac so that the user thinks that something is wrong, and confuses the installation software from the drive vendor, so that the user decides that the problem is a hardware error. Tim Smith