Path: utzoo!mnetor!uunet!mcvax!ukc!mupsy!liv-cs!unpowell
From: unpowell@csvax.liv.ac.uk
Newsgroups: comp.sys.atari.st
Subject: Re: A cure looking for a disease? (I hope)
Message-ID: <531@csvax.liv.ac.uk>
Date: 15 Mar 88 18:07:15 GMT
Lines: 39
Organisation: Computer Science CSVAX (VAX1), Liverpool University

In article <8803081650.AA29358@ucbvax.Berkeley.EDU> 051332@UOTTAWA.BITNET (John Turnbull) writes:
>
>A program called VDU_2_0.PRG has been posted to the FILESERVers at
>CANADA01 and UHUPVM1. It is claimed that it will cure the 'Boot sector'
>virus and immunize the disk from future infection with this virus.
>
>Does anybody have any information about this virus, its mode of
>infection, mechanism, symptoms or how wide-spread it may have become?
>
>Please post replies to the net. Most people will be interested. /JT
>
>John Turnbull, NetNorth: 051332@uottawa

I've seen an ST virus, I don't know if we're all talking about one or many
viruses here. The way it worked was by altering the MEDIACH vector (I think),
location $472, to point to itself. Then whenever a disk is swapped, and TOS
calls the media change handler, the virus is executed. The virus then calls
the normal media change handler (and the BIOS parameter block is read from
the disk), the virus then wrote itself onto the new disk.

The virus did do a little bit of checking on the newly inserted disk before
it read itself in. If the new disk already had a virus on it with a higher
generation number (yes it keeps a count of how many times it has reproduced)
it would read this new version into memory and make it the "resident" virus.

It also did some other checks on the boot sector of the new disk, which I'm
not quite sure about. It seemed to be checking the boot sector for a
particular program and if it found it, it would execute it. I'm not sure, but
it could be waiting for a second virus to come along which would maybe cause
it to become malicious....

********************************************************************************
"...there's no success     JANET unpowell@uk.ac.lis.csvax
like failure and           UUCP  {backbone}!mcvax!ukc!mupsy!lis-cs!unpowell
failure's no success       ARPA  unpowell%csvax.lis.ac.uk@nss.cs.ucl.ac.uk
at all..." B.Dylan
********************************************************************************
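
For anyone triaging floppy images against the boot-sector infection discussed in this thread, the following is an added example, not part of the original post and not how VDU_2_0.PRG works. It relies on a TOS rule the post does not state: boot-sector code is run only when the sector's 256 big-endian words sum to $1234. All function names and the sample sector are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512
EXEC_MAGIC = 0x1234  # TOS runs boot-sector code only when the word sum is $1234

def boot_checksum(sector: bytes) -> int:
    """Sum the sector as 256 big-endian 16-bit words, modulo 2**16."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF

def set_checksum(sector: bytes, target: int) -> bytes:
    """Return a copy whose last word is adjusted so the word sum equals target."""
    body = sector[:-2] + b"\x00\x00"
    fix = (target - boot_checksum(body)) & 0xFFFF
    return body[:-2] + struct.pack(">H", fix)

def is_executable(sector: bytes) -> bool:
    return boot_checksum(sector) == EXEC_MAGIC

def inspect_image(image: bytes) -> dict:
    """Report on sector 0 of a raw floppy image (no container header)."""
    sector = image[:SECTOR_SIZE]
    return {
        "checksum": boot_checksum(sector),
        "executable": is_executable(sector),
        # Executable boot sectors start with a 68000 BRA.S (opcode byte $60).
        "starts_with_branch": sector[0] == 0x60,
    }

def disarm(sector: bytes) -> bytes:
    """Return a copy TOS will not execute; the code bytes stay for analysis.
    A disk that legitimately boots from this sector stops booting too."""
    return set_checksum(sector, 0) if is_executable(sector) else sector

# Constructed sample: a BRA.S at offset 0, zero fill, checksum fixed up to $1234.
CONSTRUCTED_BOOT = set_checksum(b"\x60\x1c" + bytes(510), EXEC_MAGIC)

if __name__ == "__main__":
    image = CONSTRUCTED_BOOT + bytes(SECTOR_SIZE)  # constructed two-sector image
    print(inspect_image(image))
    print(inspect_image(disarm(CONSTRUCTED_BOOT)))
```

An executable boot sector is not proof of infection, since self-booting disks use one legitimately; it only marks the disks worth a closer look.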