Path: utzoo!mnetor!uunet!husc6!uwvax!dogie!uwmcsd1!marque!gryphon!pnet02!hrlaser
From: hrlaser@pnet02.cts.com (Harv Laser)
Newsgroups: comp.sys.amiga
Subject: Re: "NEW" Amiga virus has arrived in Europe
Message-ID: <2896@gryphon.CTS.COM>
Date: 15 Mar 88 07:20:42 GMT
Sender: root@gryphon.CTS.COM
Organization: People-Net [pnet02], Redondo Beach, CA.
Lines: 133

Cross posted from the AmigaZone (on PeopleLink), this is one man's experience
with the Byte Bandit virus. Me, I've never seen the thing myself, only the SCA
variety. I've got a ring of garlic cloves around my hard drive for now.....

--------------------------[begin cross post]-------------------------

February 29, 1987

Just got the Byte Bandit Virus from a commercial disk, straight out of the
box. This is one nasty virus, so I thought I would put up some of the features
of this virus that maybe you don't already know about. (Someone posted a
notice about 3 weeks ago about this one, but it was rather vague.)

1. This virus seems to cause a total system crash within 10 minutes, EVERY
   TIME.

2. IT IS NOT NECESSARY TO BOOT FROM A DISK FOR THAT DISK TO BECOME INFECTED!
   That is, ANY write-enabled disk will become infected as soon as it is
   inserted into ANY drive. That's right, just inserting a write-enabled disk
   in df1: will cause that disk to become infected!!!!

3. The virus, once in the computer, will survive a warm boot and will still
   infect disks upon boot up.

4. VCheck1.2 will not detect infected disks.

5. VCheck1.2 will not detect infected computers.

6. If your machine is infected, then re-installing an infected disk WILL NOT
   cure it, because as soon as it is installed (healed) it will be
   RE-INFECTED.

7. VirusX will recognize non-standard boot blocks such as the Byte Bandit
   virus, BUT NOT ALWAYS. If your machine is already infected and you put an
   infected disk in any drive and that infected disk is write-enabled, VirusX
   will NOT detect it!!! Otherwise VirusX will recognize it as a non-standard
   boot block.

8. Don't worry, the only way for your computer to become infected is to BOOT
   from an infected disk. A clean machine WILL NOT become infected if an
   infected disk is inserted in a drive.

9. There is a very complicated countdown mechanism within the virus that keeps
   track of how a particular disk became infected. The counter seems to be
   placing new digits or letters within a few bytes of the DOS header. I
   experimented with lots of disks by letting them become infected and then
   looking at this area with a sector editor. There are at least 2 kinds of
   counters. One is what I call first degree infection, that is, infection
   through rebooting the infected machine with a clean disk that is
   write-enabled. Note that this disk need not be bootable originally, but
   will become bootable once it is infected. The second counter (or way of
   counting) is for what I call second degree infections. These are disks that
   become infected by inserting them into a drive of an infected machine while
   the machine is running. At one point I kept inserting blank unformatted
   disks in df1: so that they would become infected and saw a "counter" go
   down from "kp" to "ke" in sequence for each additional disk that was
   infected. There is a lot of code further down the pages of the sector
   editor, and I would hate to think what might happen when a certain value is
   reached.

I see this virus as being much more potent and contagious than the SCA virus.
This one was created to be destructive, and can be IF we are not careful. A
program like VirusX 1.01 that will detect non-standard boot blocks is helpful,
but not infallible.

I usually run my system from a recoverable ram disk that contains my entire
workbench disk. Everything is assigned to the ram disk so that I don't need my
workbench disk in any drive. I feel relatively safe so long as I know that my
boot disk is clean. VirusX caught that commercial disk as soon as I inserted
it in df1:; I became suspicious and checked it out.

So long as a program can be run from my workbench, then I would feel safe. If
it becomes necessary to boot from another disk, then it would be wise to
either know that the boot disk is clean or power down after using. If you have
to write to other disks, then always be sure that they have not become
infected.

Hope this helps.

Dave Crane OHS080

March 4, 1988

This file is to be read in conjunction with NewVirus.txt of Feb 29, 1988.

Here's some more info on the new Byte Bandit virus. As I told you before, I
received this virus on a commercial disk, straight out of the box, direct from
the manufacturer.

Virus caused crashes.

In my last note I stated that the virus causes the Amiga to crash within 10
minutes every time. This is not quite true. A newly infected machine will NOT
crash, period. (As far as I can tell; future generations of the
self-replicated virus, as it is passed on to other disks, may act
differently.) From the tests I have performed with this virus, it would seem
that an infected machine will not crash UNTIL the virus has replicated itself
TWICE by FIRST DEGREE INFECTION. (I call first degree infection the infection
of another disk by re-booting an infected machine with a write-enabled boot
disk. The boot disk receives a first degree infection.) After the second disk
has been infected, the machine will run for about 5 minutes 30 seconds before
crashing with a solid blue screen. I have reproduced this effect many times
with different generations of the virus.

The virus may be passed on many times by second degree infection, without any
effect on the source computer. Second degree infection is infection by
inserting ANY WRITE-ENABLED DISK into ANY DRIVE of an infected machine WHILE
it is already running. The inserted disk will receive second degree infection.

Again I would like to say that the only way for a clean machine to become
infected is for that machine to be booted from an infected disk. Merely
inserting an infected disk into a drive will NOT infect the machine.

Dave Crane OHS080

-------------------------[end cross post]------------------------------

Harv Laser, Sysop, the People/Link AmigaZone. Plink ID: CBM*HARV
UUCP: {ihnp4!scgvaxd!cadovax, rutgers!marque}!gryphon!pnet02!hrlaser
INET: hrlaser@pnet02.cts.com
"The man in the crowd with the multicolored mirrors on his hobnail boots"
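The posting's practical defence is the "non-standard boot block" test that VirusX performs: a boot-block infector lives in the first two sectors of the disk, so a disk whose boot block is not one of the known-good ones deserves a look. As an added example (not code from the original posting or from VirusX), the following Python checks a 1024-byte Amiga boot block read from a disk image offline: it verifies the AmigaDOS boot-block checksum and then compares the boot code against an allowlist of trusted boot code. The allowlist here holds only the standard Kickstart 1.2/1.3 boot code, constructed inline; the function names (`bootblock_checksum`, `classify_bootblock`, `demo`) and the idea of an operator-maintained allowlist are assumptions of this example.

```python
# Added example, not from the original posting: offline Amiga boot-block checker.
import hashlib
import struct

BOOTBLOCK_SIZE = 1024      # the boot block is the first two 512-byte sectors
CHECKSUM_OFFSET = 4        # big-endian longword at bytes 4..7

# Constructed sample: the standard Kickstart 1.2/1.3 boot block code (52 bytes,
# "DOS\0", checksum slot left zero, root block 880, then the FindResident stub),
# zero-padded to a full block. with_checksum() fills the checksum slot in.
_STANDARD_HEAD = bytes.fromhex(
    "444f5300" "00000000" "00000370" "43fa0018" "4eaeffa0" "4a80670a"
    "20402068" "00167000" "4e7570ff" "60fa646f" "732e6c69" "62726172" "7900"
)
STANDARD_BOOTBLOCK_UNSUMMED = _STANDARD_HEAD.ljust(BOOTBLOCK_SIZE, b"\0")


def bootblock_checksum(block):
    """AmigaDOS boot-block checksum: one's-complement sum of the 256 big-endian
    longwords with end-around carry, the checksum slot counted as zero; the value
    stored on disk is the complement of that sum."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError("boot block must be exactly 1024 bytes")
    total = 0
    for off in range(0, BOOTBLOCK_SIZE, 4):
        if off == CHECKSUM_OFFSET:
            continue
        total += struct.unpack_from(">I", block, off)[0]
        if total > 0xFFFFFFFF:              # fold the carry back into the sum
            total = (total & 0xFFFFFFFF) + 1
    return (~total) & 0xFFFFFFFF


def with_checksum(block):
    """Return a copy of the block with a correct checksum written into its slot."""
    return block[:4] + struct.pack(">I", bootblock_checksum(block)) + block[8:]


def code_digest(block):
    """SHA-256 of the block with the checksum slot zeroed, so two blocks that differ
    only in the stored checksum compare equal."""
    return hashlib.sha256(block[:4] + b"\0\0\0\0" + block[8:]).hexdigest()


# Allowlist of boot code the operator trusts (assumption: built from clean
# reference disks; here it holds only the constructed standard block above).
KNOWN_GOOD = {code_digest(STANDARD_BOOTBLOCK_UNSUMMED)}


def classify_bootblock(block, known_good=KNOWN_GOOD):
    """Return 'not-bootable', 'corrupt', 'standard' or 'non-standard'.
    A valid checksum only proves the block is internally consistent; any
    bootable block whose code is not on the allowlist is reported non-standard,
    which is the condition that warrants inspecting the disk further."""
    if block[:3] != b"DOS":
        return "not-bootable"               # AmigaDOS will not boot from it
    stored = struct.unpack_from(">I", block, CHECKSUM_OFFSET)[0]
    if stored != bootblock_checksum(block):
        return "corrupt"
    return "standard" if code_digest(block) in known_good else "non-standard"


def demo():
    """Classify four constructed blocks; returns a name -> verdict mapping."""
    standard = with_checksum(STANDARD_BOOTBLOCK_UNSUMMED)
    # Constructed: the same header with extra code (68k NOPs) in the normally
    # empty tail, re-checksummed so the consistency check alone would pass it.
    altered = with_checksum(standard[:64] + b"\x4e\x71" * 16 + standard[96:])
    blank = bytes(BOOTBLOCK_SIZE)            # unformatted / non-bootable disk
    damaged = standard[:-1] + b"\x01"        # one byte changed, checksum stale
    samples = [("standard", standard), ("altered", altered),
               ("blank", blank), ("damaged", damaged)]
    return {name: classify_bootblock(b) for name, b in samples}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

To check a real floppy image, read its first 1024 bytes and pass them to `classify_bootblock`. The split into a checksum test and an allowlist test matters: a block can carry a perfectly valid checksum and still be foreign, which is why the checker never treats "checksum OK" as "clean".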