Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!sun!pitstop!sundc!seismo!uunet!mcvax!kth!draken!tut!utacs!koykka
From: koykka@utacs.UTA.FI (Sami K|ykk{)
Newsgroups: comp.sys.amiga
Subject: New Virus
Message-ID: <653@utacs.UTA.FI>
Date: 3 Mar 89 12:47:56 GMT
Reply-To: koykka@utacs.uta.fi (Sami K|ykk{)
Distribution: comp
Organization: University of Tampere, Department of Computer Science, Finland
Lines: 38


	Last night I discovered a new virus on the Amiga. It all began when
my Workbench1.3 suddenly crashed while booting. When I took a look at
startup-sequence, I noticed that SetClock was the crashing program. It didn't
crash always, but very often.

	I began to think if it was IRQ-virus. So I used my friend's virus-
killer and checked whole disk. In Devs-directory the killer found a file
which name was nothing but spaces. I peeked in the file and found out that
it was a program called SetPatch - renamed and copied in Devs-directory!

	Next I looked at the "real" SetPatch-command in C-directory. It was
totally different program. Its length was 2608 bytes - not the length of
SetPatch. So somebody had changed the location of my command and made a new
program into its old location. 

	SetPatch was the first command in my Startup-Sequence and it seemed
very likely that I've been under attack by a new virus! So, the next step
was to test if it spreads. I made a copy of fresh workbench, booted with
infected disk and resetted. 

	After that I inserted my write-enabled fresh Workbench-disk and 
waited. Screen remained white and disk drive whirred long time. After
startup-sequence had stopped, I checked Devs-directory. There it was,
the file named "       "! It was small, only about 800 bytes. In that
disk, the first command in Startup-Sequence was Addbuffers. So I checked
Addbuffers-command, and it was changed! It was 2608 bytes long just like
the False Setpatch in the another disk.

	I don't know how long this virus has been around and where it comes
from, but I thought that I'd better write about it in here.

------------------------------------------------------------------------------
!Sami K|ykk{, Tampere University, Finland                                    !
!E-Mail:  koykka@utacs.uta.fi                                                !
!         koykka@utacs.uucp                                                  !
!         koykka%utacs.uta.fi@uunet.uu.net  (in USA)                         !
+----------------------------------------------------------------------------+