Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!swrinde!zaphod.mps.ohio-state.edu!ub!uhura.cc.rochester.edu!rochester!kodak!uupsi!sunic!cs.umu.se!dvljrt
From: dvljrt@cs.umu.se (Joakim Rosqvist)
Newsgroups: comp.sys.amiga.misc
Subject: Re: A virus that popped up on my 3000's hard drive
Message-ID: <1991Apr25.211752.23182@cs.umu.se>
Date: 25 Apr 91 21:17:52 GMT
References: <1991Apr24.024037.25613@netcom.COM>
Sender: news@cs.umu.se (News Administrator)
Organization: Dep. of Info.Proc, Umea Univ., Sweden
Lines: 30

>ced (CygnusEd), I got a black screen with thick white letters saying
>something along the lines of "Computer Viruses are a horrible Disease...
>This is the Cure" with something else that went by so quick I couldn't
>read it. The next time I rebooted, I got a 1-2 second pause before
>any program ran, and the Amiga ignored my system-configuration file.
>
>Looking around, I found a file in DEVS: with an apparently blank file
>name ("") which was tricky to delete. Once it was removed,
>my system went back to normal... apparently. The "Computer Viruses
>are a Disease" message has come back three times since then, so the
>darn virus is still alive, hiding in there somewhere. It also modified
>"setpatch", the first line in my startup-sequence, to be some mysterious
>chunk of code.
>

I've been a victim of this virus too. What it does when started is the
following:

Load the startup-sequence, check "what is the first command?"
hmm.. setpatch.. ok, then I'll call myself "setpatch" that way I will
always be started on every boot and this without changing the
startup-sequence. But.. the user will surely notice if the first command
is not executed, so I'll copy it to the devs directory (nobody makes a dir
of it anyway, but to be sure I'll call it " " so it won't appear on a dir)

The virus, which now is called "setpatch" (or whatever) will, after being
installed in memory, always run 'devs/" "' so everything works normally.

When you deleted that file in devs you actually removed setpatch. The real
cure is deleting setpatch or whatever you have first in startup-sequence
then rename the mysterious DEVS-file to that name.

/$DR.HEX$
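A host-side check for the state described in this post, as an added example that is not part of the original message: it reports the first command in startup-sequence and any blank-named executable sitting in DEVS. It assumes the Amiga volume has been copied to a directory on a POSIX host with the usual S and Devs drawers; the function names are hypothetical, the sample tree is constructed, and matching any whitespace-only or non-printable name generalises the single " " name mentioned above.

```python
import os, tempfile

HUNK_HEADER = b"\x00\x00\x03\xf3"  # magic at the start of AmigaOS executables

def find_ci(parent, name):
    """Case-insensitive child lookup (Amiga filesystems ignore case)."""
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None

def is_blank_name(name):
    """True if the name shows as empty in a listing (whitespace/non-printables only)."""
    return all(ch.isspace() or not ch.isprintable() for ch in name)

def first_command(startup_path):
    """First command word in the script, skipping blank lines and ';' comments."""
    with open(startup_path, "r", encoding="latin-1") as fh:
        for line in fh:
            line = line.split(";", 1)[0].strip()
            if line:
                return line.split()[0]
    return None

def check_volume(root):
    """Return (first startup command, [blank-named executables found in Devs])."""
    s_dir, devs = find_ci(root, "s"), find_ci(root, "devs")
    startup = find_ci(s_dir, "startup-sequence") if s_dir else None
    cmd = first_command(startup) if startup else None
    hidden = []
    for name in (os.listdir(devs) if devs else []):
        path = os.path.join(devs, name)
        if os.path.isfile(path) and is_blank_name(name):
            with open(path, "rb") as fh:
                if fh.read(4) == HUNK_HEADER:  # displaced original command
                    hidden.append(path)
    return cmd, hidden

def build_sample(root):
    """Constructed sample tree mimicking the infected layout (assumption)."""
    for drawer in ("S", "Devs"):
        os.makedirs(os.path.join(root, drawer))
    with open(os.path.join(root, "S", "Startup-Sequence"), "w") as fh:
        fh.write("; constructed sample\nSetPatch >NIL:\n")
    with open(os.path.join(root, "Devs", " "), "wb") as fh:
        fh.write(HUNK_HEADER + b"\x00" * 16)

if __name__ == "__main__":
    root = tempfile.mkdtemp(); build_sample(root)
    print(check_volume(root))
```

A non-empty second element means the command named in the first element is the file to replace with the one found in Devs, as the reply describes.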