Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!killer!ames!oliveb!pyramid!prls!philabs!ttidca!woodside
From: woodside@ttidca.TTI.COM (George Woodside)
Newsgroups: comp.sys.atari.st
Subject: Re: Virus Alert
Keywords: virus
Message-ID: <2590@ttidca.TTI.COM>
Date: 26 May 88 12:29:04 GMT
References: <906@imagine.PAWL.RPI.EDU>
Reply-To: woodside@ttidcb.tti.com (George Woodside)
Organization: Citicorp/TTI, Santa Monica
Lines: 60

In article <906@imagine.PAWL.RPI.EDU> kibo () writes:
...[edited]...
>ACTIONS OF VIRUS
>----------------
>Seems to attack only executable programs (.TTP and .PRG files were damaged/
>destroyed as will be explained; no other files were touched.) Program
>files either:
> (a) vanish or
> (b) become damaged so that they are still executable, but have severe
>difficulty accessing data from disks (physical or RAMdisks). For example, I
>had two working backup copies of Megamax C before this happened; they have both
>been affected and now both perform in the same broken way - either crashing
>when they try to compile a good .C file, or claiming that the data file
>is about 50% garbage (and the garbage the compiler claims to see is
>invariant from try to try, even after coldstarts, for both copies of
>the compiler, and my original copy can display the files just fine.)
>
>The virus does not seem to destroy an entire disk's contents at once - it
>seems to take files one at a time. I don't know how often, under what
>circumstances, etc., but I do know that a good disk can have several files
>damaged/erased in about an hour (assuming you're using the disk
>frequently, as I did in this one case).

First, it's unfortunate that you don't have a copy left, since I'm still
trying to get a copy of this one (if it's the one I think it is).

This one (assuming it is the one), is a FAT saboteur. It spreads in the usual
manner, copying itself into boot sectors when the BIOS Media Change routine
accesses a new disk.

I don't have any information yet on the delays it has built in before it
starts its dirty work, but the basic technique is to periodically step on
small portions of the FAT (File Allocation Table). This results in either
the premature termination of a file, or altering the file contents by
re-directing the operating system's trail of sectors that make up a given
file. Since it makes only small changes each time it strikes (I think),
you won't notice it until you access a file that has been hit. Note that
since it strikes at the FAT (both copies, I believe), copying the file
yields a bad copy.

Another victim claims that file data was also destroyed, but I believe the
data destruction was a side effect of writing something to the disk after
the FATs had been sabotaged.

The bottom line is that if you haven't written to the disk, the file data
is probably intact, although you can't access the files reliably due to
the FAT damage. You can probably recover text files with a disk utility.
You may be able to recover executables, but only if you're either real
lucky, or a real wizard.

I'm still looking for a copy of this one (and other viruses anyone may
encounter) to add it to the next virus killer. Please send infected
disks to:

George R. Woodside
5219 San Feliciano Drive
Woodland Hills, Ca. 91364

--
*George R. Woodside - Citicorp/TTI - Santa Monica, CA
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
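
The two kinds of FAT damage described in the post above (a chain that ends early, and a chain redirected into another file's sectors) can be detected by checking each file's cluster chain against its directory size, which still works when both FAT copies carry the same damage. This is an added example, not part of the original message or of any virus killer it mentions. It assumes FAT12 with 1024-byte clusters, and the file names, sizes and FAT contents are constructed sample data.

```python
CLUSTER = 1024   # assumption: 2 x 512-byte sectors per cluster
EOC = 0xFF8      # FAT12 values >= 0xFF8 terminate a chain

def unpack_fat12(raw):
    """Decode packed 12-bit entries: every 3 bytes hold two entries."""
    out = []
    for i in range(0, len(raw) - 2, 3):
        b0, b1, b2 = raw[i:i + 3]
        out += [b0 | ((b1 & 0x0F) << 8), (b1 >> 4) | (b2 << 4)]
    return out

def pack_fat12(entries):
    """Inverse of unpack_fat12; only used to build the constructed sample."""
    e = list(entries) + [0] * (len(entries) % 2)
    return b"".join(bytes([a & 0xFF, (a >> 8) | ((b & 0x0F) << 4), b >> 4])
                    for a, b in zip(e[0::2], e[1::2]))

def walk(fat, start):
    """Follow a chain; return (clusters, True if it reached an end marker)."""
    seen, cur = [], start
    while 2 <= cur < len(fat) and cur not in seen:
        seen.append(cur)
        cur = fat[cur]
        if cur >= EOC:
            return seen, True
    return seen, False   # free/reserved/out-of-range link, or a loop

def audit(fat, files):
    """files maps name -> (start_cluster, size_bytes) from the directory."""
    report, owner = {}, {}
    for name, (start, size) in files.items():
        chain, ended = walk(fat, start)
        need = -(-size // CLUSTER)               # ceil(size / CLUSTER)
        problems = []
        if not ended and size:
            problems.append("invalid-link")
        elif len(chain) != need:
            problems.append("truncated" if len(chain) < need else "overlong")
        if [c for c in chain if owner.setdefault(c, name) != name]:
            problems.append("cross-linked")
        report[name] = problems
    return report

# Constructed sample: entries 0-1 are reserved, three files follow.
FILES = {"A.PRG": (2, 3000), "B.TXT": (5, 4000), "C.PRG": (9, 2048)}
HEALTHY = [0xFF9, 0xFFF, 3, 4, 0xFFF, 6, 7, 8, 0xFFF, 10, 0xFFF, 0]
DAMAGED = list(HEALTHY)
DAMAGED[6] = 0xFFF   # chain cut short: B.TXT ends after 2 of 4 clusters
DAMAGED[9] = 4       # chain redirected: C.PRG now runs into A.PRG's data
```

Calling `audit(unpack_fat12(pack_fat12(DAMAGED)), FILES)` reports B.TXT as truncated and C.PRG as cross-linked. The redirected chain still has the right length, so only the ownership check catches it.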