Path: utzoo!mnetor!uunet!husc6!mit-eddie!uw-beaver!ssc-vax!uvicctr!klewall1 From: klewall1@uvicctr.UUCP (Kim Lewall) Newsgroups: comp.sys.amiga Subject: NEW Virus Message-ID: <357@uvicctr.UUCP> Date: 3 Feb 88 07:45:36 GMT Organization: University of Victoria, Victoria B.C. Canada Lines: 44 A friend of mine who doesn't have postnews access asked me to post this: I have not seen any reference to this particular virus before. ---------------------------------------------------------------------------- A new virus has shown up on the Amiga. It was written in September, 1987, by someone calling himself The Byte Bimbo (well, maybe that's not the right name; I can't remember... ;-) ) Last night (Feb 01 88) I was handed a disk and told "This is acting weird. Can you look into it?" Apparently our Amiga club had a guest speaker from Toronto who provided several disks of bootable demo programs from the AmiExpo show. While there is no proof, it is very likely that the virus originated at one of those two places as it looks like we have generation 2!!! This virus, like the SCA virus, installs itself in the boot block (both 0 and 1) but, unlike the SCA virus, is actually running in the system and will infect each and every writable disk placed into a drive. SCA only copied itself during a reboot. Furthermore, if you have an infected machine, and try to use the Install command to clean your disk, the virus will immediately re-install itself! From disassembling the virus, it appears only to shut down *all* interrupts after a certain condition is met. This can happen in mid-session, and renders your system un-bootable until power down. I have not, however, been able to figure out all of the code (I have had a copy of the virus for 7 hours) so it may do more than it first appears.... I called Commodore today and am sending down a copy of the virus for them to look at. Until they have a new VCheck to deal with this one, the only way to tell if you have any infected disks is to look at the boot block directly with DiskZap, DiskWik or some other block editor. Look at block 0. You will see "Virus by Byte Bandit in 9.87.Number of copys :" if you are infected. Let's stamp this one out before it gets anywhere! Christopher Halsall LateNight Developments Corp. Victoria, B.C. Canada. (604) 380-3032 ----------------------------------------------------------------------------