Path: utzoo!attcan!uunet!portal!cup.portal.com!Chad_The-Walrus_Netzer
From: Chad_The-Walrus_Netzer@cup.portal.com
Newsgroups: comp.sys.amiga
Subject: Re: Interesting boot block I found... (long)
Message-ID: <5559@cup.portal.com>
Date: 17 May 88 22:41:40 GMT
References: <13348@tut.cis.ohio-state.edu>
Organization: The Portal System (TM)
Lines: 47
XPortal-User-Id: 1.1001.2959

In [a previous article] (Ethan R. Dicks) writes:
)I have since written a program to read the boot block and save it to a
)1024 byte file, or write a 1024 block file to the boot block.

The programs "Blocker" and "Diskx2" (which was written by Steve Tibbett,
who also wrote VirusX), both do this same thing, BTW.. "Diskx2" is quite
flexible in this regard, in fact... A REAL nice disk editor/explorer...

)Here is this most amazing boot block...
)(it passes through VirusX _and_ Vcheck1.9)

VirusX has ALWAYS discovered this particular boot block when I tried it.
(But NOT VirusX1.9... BUG/INCONSISTENCY/MISIMPLEMENTATION!!)

[Boot block deleted]

)Pretty strange huh?
)Perhaps some Virus examiner could explain why it works? My bets are on the
)byte immediately following the boot code, $F0. I think the virus looks for
)this magic cookie when deciding whether to spread or increment a counter.

Exactly right. The SCA virus has a special check to see if the Boot Block
Checksum is a certain value. If it is, the virus won't infect that disk...

So how do you get the disk protected? You use the SCA virus eradicator
program (called "Virus Protector V1.0", I believe). It has a special option
to "Protect" your disks from being infected by the SCA virus... This option
then puts the dumb message in the boot block.

In my opinion it is better to rely on programs such as "VirusX1.21", for
your protection. First of all, who would trust more SCA programs? Second,
how do we know it is protected for REAL, and that nothing else gets screwed
up (This virus doesn't, but what about the future?).

And three, I don't trust ANY program that doesn't check to see if a disk is
writeable before writing to it... Try it... Insert a WRITE-Protected disk
into df0: while running "Virus-Protector", and select the "Virus kill" or
"Disk protect" options... the disk drive will spin, and the program will
report that the operation was completed successfully... WRONG!!! The idiot
programmers didn't even do a simple Write-Protect check (which also means
they must use their OWN code, and not Amiga-DOS to do their disk I/O (Which
I DON'T trust...))

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Chad 'The_Walrus' Netzer -> AmigaManiac++
"Ever have one of those life's?"
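
The boot block checksum the post refers to can be checked on a saved 1024-byte boot block file. This is an added example, not part of the original post and not code from any program it names. It assumes the standard AmigaDOS layout (the "DOS" tag, then a big-endian checksum longword at offset 4, with the checksum being the complement of an end-around-carry sum); the value the SCA virus compares against is not given in the post and is not used here, and the sample block is constructed.

```python
import struct

BOOTBLOCK_SIZE = 1024  # the 1024-byte boot block file described in the post


def bootblock_sum(block: bytes) -> int:
    """End-around-carry sum of all 256 big-endian longwords in the block."""
    if len(block) != BOOTBLOCK_SIZE:
        raise ValueError(f"expected {BOOTBLOCK_SIZE} bytes, got {len(block)}")
    total = 0
    for (word,) in struct.iter_unpack(">I", block):
        total += word
        if total > 0xFFFFFFFF:  # a carry out of bit 31 is added back in
            total = (total & 0xFFFFFFFF) + 1
    return total


def expected_checksum(block: bytes) -> int:
    """Checksum a valid block must store at offset 4 (field zeroed first)."""
    zeroed = block[:4] + b"\x00" * 4 + block[8:]
    return ~bootblock_sum(zeroed) & 0xFFFFFFFF


def inspect(block: bytes) -> dict:
    """Summarise a saved boot block for review before trusting the disk."""
    stored = struct.unpack_from(">I", block, 4)[0]
    want = expected_checksum(block)
    return {
        "dos_magic": block[:3] == b"DOS",
        "stored_checksum": stored,
        "expected_checksum": want,
        "checksum_valid": stored == want,        # boot code only runs if valid
        "has_boot_code": any(block[12:]),        # non-zero bytes after header
    }


def make_sample() -> bytes:
    """Constructed sample: DOS tag, root block 880, no boot code."""
    body = b"DOS\x00" + b"\x00" * 4 + struct.pack(">I", 880)
    block = body.ljust(BOOTBLOCK_SIZE, b"\x00")
    return block[:4] + struct.pack(">I", expected_checksum(block)) + block[8:]


if __name__ == "__main__":
    for key, value in inspect(make_sample()).items():
        print(f"{key}: {value:#010x}" if "checksum" in key and key != "checksum_valid"
              else f"{key}: {value}")
```

A block whose stored and expected checksums differ, or whose boot code area is non-empty on a disk that should not be bootable, is worth examining with a disk editor before the disk is booted.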