Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!mit-eddie!bbn!rochester!cornell!batcomputer!itsgw!imagine!pawl20.pawl.rpi.edu!kibo
From: kibo@pawl20.pawl.rpi.edu (James Parry)
Newsgroups: comp.sys.atari.st
Subject: Virus Alert
Keywords: virus
Message-ID: <906@imagine.PAWL.RPI.EDU>
Date: 25 May 88 02:08:10 GMT
Sender: news@imagine.PAWL.RPI.EDU
Reply-To: kibo ()
Organization: RPI Public Access Workstation Lab - Troy, NY
Lines: 61

(this is a repost. seems my previous posting was sent out from a machine which didn't spread it - plz forgive if you saw this already.)

I found, three days ago, a virus I had not heard of, on my ST. I'll attempt to tell you everything I can find out about it, here. Be warned that I am no expert on virology.

I made sure that this was a virus, not a glitch, by running the usual gauntlet of coldstarts, memory checks, rebooting from write-protected system master disks, comparing backups with originals, etc., and I am confident that this was no fluke. My system configuration is 1 Meg 1040ST-F, one floppy drive, no hard disk.

ACTIONS OF VIRUS
----------------

Seems to attack only executable programs (.TTP and .PRG files were damaged/destroyed as will be explained; no other files were touched.) Program files either: (a) vanish or (b) become damaged so that they are still executable, but have severe difficulty accessing data from disks (physical or RAMdisks).

For example, I had two working backup copies of Megamax C before this happened; they have both been affected and now both perform in the same broken way - either crashing when they try to compile a good .C file, or claiming that the data file is about 50% garbage (and the garbage the compiler claims to see is invariant from try to try, even after coldstarts, for both copies of the compiler, and my original copy can display the files just fine.)

The virus does not seem to destroy an entire disk's contents at once - it seems to take files one at a time. I don't know how often, under what circumstances, etc., but I do know that a good disk can have several files damaged/erased in about an hour (assuming you're using the disk frequently, as I did in this one case). I lost many executable files to the virus either by having them removed or corrupted in this odd way.

No cutesy 'Ha Ha' messages or any such ever appeared.

PROPAGATION OF VIRUS
--------------------

It lives in the boot sectors, and can be killed with PENICILN. I don't know how often it copies itself, or when it does; I think it had spread to several disks since I realized it was around, but I think that I actually received my copy of the virus a few months back, so it may have been idle. PENICILN definitely stops it.

Basically, I'm at a loss for further information. I Peniciln'ed all my disks frantically (once I tried it on an infected disk to make sure that I would do this) before I realized I should have saved a copy, so I don't have a 'live' copy of the virus. I do have some damaged programs remaining, that I will diff with the originals sometime, and will see if any deleted files can be undeleted (once I get my shareware disk utilities back :-( )

Has anyone else experienced this weird and evil virus?

-----------
Kibo (Jim Parry)
userfe0n%mts.rpi.edu@itsgw.rpi.edu
userfe0n@rpitsmts.bitnet