Path: utzoo!attcan!uunet!husc6!think!ames!amdahl!pyramid!prls!philabs!ttidca!woodside
From: woodside@ttidca.TTI.COM (George Woodside)
Newsgroups: comp.sys.atari.st
Subject: Re: Virus Alert
Message-ID: <2582@ttidca.TTI.COM>
Date: 25 May 88 13:07:40 GMT
References: <114@brazil.UUCP>
Reply-To: woodside@ttidcb.tti.com (George Woodside)
Organization: Citicorp/TTI, Santa Monica
Lines: 43

In article <114@brazil.UUCP> kibo@brazil.UUCP (Jim Parry) writes:
>
>I seem to have had something in the boot sectors of my disks that seeks
>out program files (.TTP, .PRG...) and causes them to no longer be able
>to read their data files (even when said files are perfectly good,
>on the ramdisk, etc.)
>The 'Peniciln' program stops this thing from attacking any more files.

PENICILN will kill most anything, virus or not. While that's a saftey
factor, it is rather deadly to disks that are supposed to be self booting.

I'm working on a more intelligent program now, but I need more virus samples.
If anyone suspects they have a virus infected disk, please send me a copy.
If there is a virus, I'll let you know what it's been doing, and add 
detect-and-kill capabilities for it to the program. 

Yet Another Wanrning Department: One of the virus infections I have a copy
of does not destroy files. It spreads itself like any other virus, but the
attack it launches is more subtle. It waits until the ST has been running
for a while, then does random memory accesses, at random intervals. It
will either step on some word in the screen RAM, causing a glitch on the
display, or some byte above the screen, which may cause a memory address
bomb. So, just because you don't have files being corrupted, don't think
that your system is virus-free. Be wary of new disks, and rely on the
write protect tabs to prevent spreading.

One of the newest virus infections contains code that intercepts the error
if you try to write to a write-protected disk. That means that while it
can't spread to a write=protected disk, you will not get an error when it
tries, so you'll have no clue that it tried. They're getting sneakier...

My next tool will be out soon. Meanwhile, please send samples of infected
disks to:

       George R. Woodside
       5219 San Feliciano Drive
       Woodland Hills, Ca. 91364  USA

Thank you.

-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside