Path: utzoo!mnetor!uunet!husc6!rutgers!ucla-cs!zen!ucbvax!hoser.berkeley.edu!bryce
From: bryce@hoser.berkeley.edu (Bryce Nesbitt)
Newsgroups: comp.sys.amiga
Subject: Re: Virus Author comes forward!!!
Message-ID: <22368@ucbvax.BERKELEY.EDU>
Date: 2 Jan 88 11:09:41 GMT
References: <3007@cbmvax.UUCP> <3008@cbmvax.UUCP> <6028@cisunx.UUCP> <4862@well.UUCP> <597@inria.UUCP> <3064@cbmvax.UUCP> <297@stag.UUCP>
Sender: usenet@ucbvax.BERKELEY.EDU
Reply-To: bryce@hoser.berkeley.edu (Bryce Nesbitt)
Organization: The Logic Foundation
Lines: 75
Keywords: virus, diskkiller
Summary: How to write a better virus, sigh.

In article <297@stag.UUCP> trb@stag.UUCP ( Todd Burkey ) writes:
>
>Wouldn't it be simple to check for a virus that lodges itself in
>the OS and/or boot sectors by writing a simple CRC routine (two-level
>to allow byte isolation).

No it would not. One of the capabilities of such a virus is to infect the sector read commands. When you check to see if the boot block is "normal" the smart virus could just return a "normal" block.

>Since we have the full OS on ROM on the ST, I tend to worry more about
>the Trojan horse problem.

The Amiga virus is still a problem on the Amiga 500 and 2000, both of which have the OS in ROM. The way the virus gets started is in the "boot block" of a disk. This contains some code that is executed. Normally it will bring in the default DOS (AmigaDOS, usually). Sort of like infecting a file in the "auto" folder on the ST, but somewhat worse. The Amiga virus survives resetting the machine. To draw the same Atari ST analogy, it would then search any new disks put in any drive for "Auto" folders and infect them as well.

The *ONLY* way to clean a system is to turn OFF the machine, WAIT, then put a VIRGIN boot disk in (preferably one that has never had its write-protect notch enabled, ever). The Workbench disk that came with the machine would be a good choice.

At this point you can cycle any number of disks through, cleaning them with an "Install df0:" command from the CLI. Remember, only bootable disks are vulnerable.

As a precaution that dates way before this virus hit, I use only one boot disk, and keep it write protected any time I am not writing to it. Even this is really not good enough... someone could run a "Trojan horse" demo that would seem to exit cleanly but actually leave a worm in the system. This worm would patiently wait until the boot disk is unprotected. It is easy to see how a person could lose an entire stack of backups to the virus... hmmm, that one is bad... I'll try this one. Bad also?? Hmmm... I'll try this one.

Viruses are a problem that can infect any of the current crop of computers. The Amiga, Mac, ST, Apple IIgs, Coleco Adam, Mindset, and IBM PS divided-by 2 all are quite vulnerable.

--------
PS: Some people may not have noticed this, but the first SCA virus is destructive in at least two ways:

1> Destroys "custom" boot blocks.
2> Writes to an absolute memory address. The address is usually in the middle of the Supervisor stack, and does no harm. If $C00000 memory is installed the address is in the middle of free memory.

Since all boot block code is by nature relocatable, the virus authors could have inserted the code, leaving the block mostly intact. They also could have dynamically found an address to use, and perhaps made it permanent with "ROM Tags in ram". Such sloppy code, for shame! :-|
--------

** The above information may be used in any way except for improving or creating viruses.

|\ /|  .    Ack! (NAK, SOH, EOT)
{o O}  .    bryce@hoser.berkeley.EDU -or- ucbvax!hoser!bryce (or try "cogsci")
 (")
  U    "Your theory is crazy... but not crazy enough to be true." -Niels Bohr
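An added example, not part of the original post, showing from the checking side why a checksum alone does not settle the boot-block question: a boot block rewritten by a virus carries a freshly computed, valid checksum, so a defender has to compare the code bytes against a reference block read from a known-clean disk. The checksum routine is the standard Amiga boot block ones'-complement longword sum; the boot code bytes in the samples are constructed stand-ins, not real Install or virus code. As the post says, this only means anything when run from a cleanly booted (power-cycled, virgin disk) system, since an active virus can hook the sector reads and hand back a "normal" block.

```python
import struct

BOOTBLOCK_SIZE = 1024  # first two 512-byte sectors of an Amiga floppy

def boot_checksum(block: bytes) -> int:
    """Checksum belonging in longword 1 of a 1024-byte Amiga boot block.
    All 256 big-endian longwords are summed with end-around carry, with the
    checksum field itself counted as zero; the result is the complement."""
    total = 0
    for i, word in enumerate(struct.unpack(">256L", block)):
        if i == 1:
            continue  # the checksum slot counts as zero
        total += word
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + 1  # fold the carry back in
    return (~total) & 0xFFFFFFFF

def checksum_ok(block: bytes) -> bool:
    return struct.unpack(">L", block[4:8])[0] == boot_checksum(block)

def classify(block: bytes, reference: bytes) -> str:
    """Defender's check: signature and checksum gate the obvious cases, but the
    code region (offset 12 onward) must match a reference block taken from a
    known-clean disk, because an infected block is checksummed correctly too."""
    if len(block) != BOOTBLOCK_SIZE or block[:4] != b"DOS\0":
        return "not-bootable"
    if not checksum_ok(block):
        return "bad-checksum"
    if block[12:] != reference[12:]:
        return "custom-or-infected"
    return "stock"

def with_checksum(code: bytes) -> bytes:
    """Build a bootable block from boot code: 'DOS\\0', checksum, root block 880,
    code, zero padding. Used here only to construct the samples below."""
    body = (b"DOS\0" + bytes(4) + struct.pack(">L", 880) + code).ljust(BOOTBLOCK_SIZE, b"\0")
    return body[:4] + struct.pack(">L", boot_checksum(body)) + body[8:]

# Constructed samples (stand-in bytes, not real boot code): a clean reference block,
# and the same disk after a virus replaced the code and recomputed the checksum.
CLEAN_BLOCK = with_checksum(b"\x4e\x75")                       # constructed: RTS stub
INFECTED_BLOCK = with_checksum(b"\x60\x00\x01\x00" + bytes(0x100) + b"constructed payload")
```

The infected block passes `checksum_ok` exactly like the clean one; only the comparison against the reference separates them.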