Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!husc6!rutgers!im4u!ut-sally!utah-cs!utah-gr!uplherc!esunix!blgardne
From: blgardne@esunix.UUCP (Blaine Gardner)
Newsgroups: comp.sys.amiga
Subject: Re: Amiga Virus Loose (more info)
Message-ID: <515@esunix.UUCP>
Date: Wed, 7-Oct-87 00:59:18 EDT
Article-I.D.: esunix.515
Posted: Wed Oct 7 00:59:18 1987
Date-Received: Sat, 10-Oct-87 12:24:02 EDT
References: <15589@amdahl.amdahl.com>
Organization: Evans & Sutherland Computer Corporation
Lines: 57

in article <15589@amdahl.amdahl.com>, kim@amdahl.amdahl.com (Kim DeVaughn) says:
> The following was downloaded from the FAUG (First Amiga Users Group) BBS.
> Seems like we've been spared such crap until now, but this highly disturbing
> notice shows we are not immune to attacks on our machines by the "Dark Side
> of the Force"!
> Any further information on this (or other such nastiness) would be greatly
> appreciated!
>

A local user has taken a strong interest in this virus; here is what he has
told me about it.

It is located in the boot blocks as mentioned, and INSTALL will kill it. The
only way to be sure you've eradicated the virus is to examine ALL the floppies
you may have had in the machine when they were write-enabled. If they show the
smart-aleck message, install them. The easier approach may be to just run
install on all your suspect disks.

The virus loads itself into the reset handler, and when you do a warm boot
(Ctrl-A-A) it writes itself into the boot block of all the disks available in
drives. If the disk is write-protected, the virus puts up a phony recoverable
alert (guru). I guess this might be to persuade you to remove the
write-protect, so that it can spread itself further.

He says that the virus has several stages: first it quietly spreads itself
onto as many of your disks as possible. On every reset it increments a
counter, and when it reaches a limit (10 or 20?) it puts up the "gotcha"
message. The counter continues to increment, and then engages the final stage,
which is trapping the Ctrl-A-A reset. Once it does this you have to shut the
machine down and re-Kickstart, since Ctrl-A-A no longer returns you to the
Workbench prompt.

As far as he has been able to determine, the virus does not engage in any disk
destruction or other really nasty stuff. However, I would consider losing my
VD0: contents to a cold boot pretty hostile action.

The above comments about incrementing the booby-trap timer apply to EVERY disk
infected by the virus, of course, so it's important to kill every occurrence
of it, or you'll soon be re-infected. Install is a pretty simple way to solve
this problem, but he was thinking of writing a little program to automatically
look for and kill the virus. Should I encourage him to do so?

It almost seems that we got lucky this time, and that the virus isn't as bad
as some of the IBM-PC trojans that I've heard about. Maybe I'm a bit paranoid,
but how many of you read the EXECUTE.ME files that often accompany .ARC files?
All it would take is for some sick soul to add a little "delete...." to an
ordinary rename script. Since this possibility occurred to me (prompted by a
discussion in Risks several months ago), I've made it a point to read all
EXECUTE.ME's before executing them. Maybe a little extra trouble, but I like
to know what's going on in my machine.

The big question is: does anyone know how this virus got into the country?

-- 
Blaine Gardner @ Evans & Sutherland    540 Arapeen Drive, SLC, Utah 84108
UUCP Address: {ihnp4,ucbvax,decvax,allegra}!decwrl!esunix!blgardne
              {ihnp4,seismo}!utah-cs!utah-gr!uplherc!esunix!blgardne
"I don't see no points on your ears boy, but you sound like a Vulcan!"
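Added example (not part of the original post, and not the "little program" the local user was thinking of writing): the boot-block scan-and-clean that the post describes, done offline in Python against raw .ADF floppy images. It assumes the usual ADF layout (880K double-density disk, 512-byte sectors, boot block in sectors 0 and 1, root block 880). The reference boot code is the one the Kickstart 1.2/1.3 Install command writes; the "odd" boot code used as a sample is constructed for the demo and is not the virus from the post. The checker can only say "this is not the stock Install boot block", which is exactly as far as the post's advice goes: a game disk with its own boot loader looks just as "suspect", and Installing it would break it, so read the verdict before you clean. Note too that the post's reset-handler stage lives in RAM; cleaning every disk does nothing about a copy already running until you cold boot.

```python
# Offline inspector/cleaner for Amiga boot blocks in .ADF images.
# Assumptions (labelled): ADF = 1760 sectors of 512 bytes, boot block =
# sectors 0-1, root block = 880. SAMPLE_ODD_BOOTCODE is constructed for the
# demo and is NOT the 1987 virus's code.
import struct

SECTOR = 512
BOOTBLOCK_LEN = 2 * SECTOR           # boot block = sectors 0 and 1
ROOT_BLOCK = 880                     # root block of an 880K DD floppy
DD_IMAGE_LEN = 1760 * SECTOR         # 80 cyl * 2 heads * 11 sectors

# Boot code the Kickstart 1.2/1.3 "Install" command writes:
#   lea dos.library(pc),a1 ; jsr FindResident(a6) ; tst.l d0 ; beq.s err
#   move.l d0,a0 ; move.l 22(a0),a0 ; moveq #0,d0 ; rts
#   err: moveq #-1,d0 ; bra.s err ; dc.b "dos.library",0
STANDARD_BOOTCODE = bytes.fromhex(
    "43FA00184EAEFFA04A80670A20402068001670004E7570FF60FA646F"
    "732E6C69627261727900"
)


def bootblock_checksum(block: bytes) -> int:
    """AmigaDOS boot block checksum: sum all 256 longwords with end-around
    carry, skipping the checksum longword itself, then complement."""
    assert len(block) == BOOTBLOCK_LEN
    total = 0
    for off in range(0, BOOTBLOCK_LEN, 4):
        if off == 4:                                  # the checksum field
            continue
        total += struct.unpack_from(">I", block, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # 68000-style carry
    return (~total) & 0xFFFFFFFF


def build_bootblock(bootcode: bytes, dostype: bytes = b"DOS\0") -> bytes:
    """Assemble a boot block: type, checksum, root block, code, zero pad."""
    body = dostype + b"\0\0\0\0" + struct.pack(">I", ROOT_BLOCK) + bootcode
    body = body.ljust(BOOTBLOCK_LEN, b"\0")
    return body[:4] + struct.pack(">I", bootblock_checksum(body)) + body[8:]


STANDARD_BOOTBLOCK = build_bootblock(STANDARD_BOOTCODE)


def inspect_bootblock(block: bytes) -> str:
    """Classify a boot block the way a scanner for this virus would."""
    if block[:3] != b"DOS":
        return "not-bootable"        # no DOS type: the ROM won't run it
    stored = struct.unpack_from(">I", block, 4)[0]
    if stored != bootblock_checksum(block):
        return "bad-checksum"        # ROM rejects it, nothing runs
    if block[12:] == STANDARD_BOOTBLOCK[12:]:
        return "standard"            # the plain Install boot code
    return "suspect"                 # some other code runs at boot time


def install(image: bytes) -> bytes:
    """What the Install command does: overwrite sectors 0-1 with the stock
    boot block and leave the rest of the disk (root block, files) alone."""
    if len(image) < BOOTBLOCK_LEN:
        raise ValueError("image too small to hold a boot block")
    return STANDARD_BOOTBLOCK + image[BOOTBLOCK_LEN:]


# Constructed sample (NOT the virus): 68000 "moveq #0,d0 ; rts" followed by
# a banner string, the way a "smart-aleck message" would sit in a boot block.
SAMPLE_ODD_BOOTCODE = bytes.fromhex("70004E75") + b"constructed sample boot block\0"


def make_image(bootblock: bytes) -> bytes:
    """An otherwise empty 880K DD image with the given boot block."""
    return bootblock + bytes(DD_IMAGE_LEN - BOOTBLOCK_LEN)


def scan_and_clean(images: dict) -> dict:
    """Verdict per image; 'suspect' images get the Install treatment."""
    report = {}
    for name, img in images.items():
        verdict = inspect_bootblock(img[:BOOTBLOCK_LEN])
        cleaned = install(img) if verdict == "suspect" else img
        report[name] = (verdict, cleaned)
    return report


if __name__ == "__main__":
    disks = {                                   # constructed test images
        "workbench.adf": make_image(STANDARD_BOOTBLOCK),
        "games.adf": make_image(build_bootblock(SAMPLE_ODD_BOOTCODE)),
        "data.adf": make_image(bytes(BOOTBLOCK_LEN)),   # never Installed
    }
    for name, (verdict, cleaned) in scan_and_clean(disks).items():
        after = inspect_bootblock(cleaned[:BOOTBLOCK_LEN])
        print(f"{name:15} {verdict:13} -> after Install: {after}")
```

The checksum routine is the part worth keeping even if you never clean anything: a boot block whose stored checksum does not verify is never executed by the ROM, so only "DOS" blocks with a good checksum and non-stock code are candidates for the behaviour the post describes.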