Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!rutgers!mailrus!cornell!uw-beaver!apollo!ulowell!page
From: page@swan.ulowell.edu (Bob Page)
Newsgroups: comp.sys.amiga
Subject: Re: IRQ Virus -it's out!!!
Summary: It's very dangerous. Please send me a copy.
Keywords: Link Virus
Message-ID: <11035@swan.ulowell.edu>
Date: 31 Dec 88 04:58:00 GMT
References: <1885@daimi.dk>
Reply-To: page@swan.ulowell.edu (Bob Page)
Organization: University of Lowell, Computer Science Dept.
Lines: 62

This is one of the two potential methods of virus I was worried about
(and it's the worst of the two). I guarantee this will spread much
faster and wider than any other Amiga virus. This one is a *real* virus.

The only inoculation is to check _every_ write to _every_ disk on your
system, and refuse if the block looks like a known pattern. The only
treatment is to check every disk looking for the virus and re-write
each infected program to rearrange the hunks. Time consuming and
error-prone, and the next strain will just restart the problem.

The fault with this approach is that you can't easily distribute the
antidote. Since the inoculator program has to contain the virus code
pattern, any time you try to copy the program, you will be stopped
because the inoculator will detect the pattern! And think about it -
if you can write a program such that you can copy the inoculator
program without being detected, anyone can come up with a similar
method to disguise the pattern. Worse, they could go right to the
metal and scribble the bits right on the disk. You can't stop that
on the current Amiga.

There is another alternative, although not pretty, and not 100%
effective. Make sure your disks are always 100% full, so any write
(that extends the file) will fail. The problem is if the virus itself
can fit in a partial block - if your program takes 18.1 blocks it
takes 19 blocks on the disk. If the virus code is only 0.8 blocks,
you can still get infected.

The *only* ways not to get it?

0. Write protect all your disks and don't give them out. :-(
1. Don't use any new software, commercial or public, unless you
   have source code and you *know* your compiler is OK.
2. Don't let anyone else use your machine, or your disks.

Once again, we need to know where this is and how it works, if we are
to be successful in fighting it. As a "publisher" of publicly
available code, I feel I have a stake in this. If anyone has a copy
of this, please send it to me and I will write a disk scanner. It's
not the ultimate answer but it's a start. If anyone else has any more
info, please send it or post it if you feel it's worthwhile.

I don't want to push the panic button but I'm not happy about this
news. I just hope the virus doesn't contain any time bombs.

[I'm going on vacation in a few hours but am still very interested and
will be thinking a lot about it while baking in the sun. :-) If you
can't e-mail via Usenet/ARPAnet, you can email to 'page' on BIX or
'zoxso' on people link, or surface mail to Bob Page, PO Box 1773,
Lowell MA 01853, USA.]

..Bob

johnsen@daimi.dk (Henrik Johnsen) wrote:
>Symptoms are a title bar with text:
> IRQ Presents another virus for the Amiga
>virus installs itself as the code hunk, and puts the original program
>into a data hunk.

--
Bob Page, U of Lowell CS Dept. page@swan.ulowell.edu ulowell!page
Have five nice days.