
Conference hydra::amiga_v1

Title: AMIGA NOTES
Notice: Join us in the *NEW* conference - HYDRA::AMIGA_V2
Moderator: HYDRA::MOORE
Created: Sat Apr 26 1986
Last Modified: Wed Feb 05 1992
Last Successful Update: Fri Jun 06 1997
Number of topics: 5378
Total number of notes: 38326

811.0. "Virus Program" by HYSTER::DEARBORN (Trouvez Mieux) Thu Oct 15 1987 12:38

    There has been some discussion of a Virus Program running around
    in the public domain.  There has even been mention of a Virus Killer
    program to fix it.
    
    Does anyone know anything about this?  Is it for real, or just a
    hoax, or just a bad joke...a commentary on these times?
    
    Note 773.8 sounded a little like he had got the bug, but his crash turned
    out to be just a good fireworks display.
    
    Concerned
    
    
    	Randy
    
T.R    Title    User    Personal Name    Date    Lines

811.1  LEDS::ACCIARDI  Thu Oct 15 1987 12:55  5 lines
    The so-called virus program is called 'ST.EMMY' or 'ST.EMULATOR'.
    
    It supposedly will format whichever volume it is stored on when
    executed.
    
811.2  "sounds like science fiction"  CURE::WISNER  Thu Oct 15 1987 16:31  70 lines
               <<< Z::DUA1:[TENNY.USENET]COMP_SYS_AMIGA.NOTE;1 >>>
                      -< Usenet comp.sys.amiga postings >-
================================================================================
Note 40.0                 Amiga Virus Loose (more info)                  1 reply
Z::TENNY "esunix!blgardne"                           63 lines  13-OCT-1987 09:18
--------------------------------------------------------------------------------

Newsgroups: comp.sys.amiga
Path: decwrl!labrea!aurora!ames!rutgers!im4u!ut-sally!utah-cs!utah-gr!uplherc!esunix!blgardne
Subject: Re:  Amiga Virus Loose (more info)
Posted: 7 Oct 87 04:59:18 GMT
Organization: Evans & Sutherland Computer Corporation
 
in article <15589@amdahl.amdahl.com>, kim@amdahl.amdahl.com (Kim DeVaughn) says:
> The following was downloaded from the FAUG (First Amiga Users Group) BBS.
> Seems like we've been spared such crap until now, but this highly disturbing
> notice shows we are not immune to attacks on our machines by the "Dark Side
> of the Force"!
> Any further information on this (or other such nastiness) would be greatly
> appreciated!
> 
A local user has taken a strong interest in this virus, here is what he
has told me about it. It is located in the boot blocks as mentioned, and
INSTALL will kill it. The only way to be sure you've eradicated the
virus is to examine ALL the floppies you may have had in the machine
when they were write-enabled. If they show the smart-aleck message,
install them. The easier approach may be to just run install on all your
suspect disks.
 
The virus loads itself into the reset handler, and when you do a warm
boot (Ctrl-A-A) it writes itself into the boot block of all the disks
available in drives. If the disk is write-protected, the virus puts up a
phony recoverable alert (guru). I guess this might be to persuade you to
remove the write-protect, so that it can spread itself further.
 
He says that the virus has several stages: first it quietly spreads
itself onto as many of your disks as possible. On every reset it
increments a counter, and when it reaches a limit (10 or 20?) it puts up
the "gotcha" message. The counter continues to increment, and then
engages the final stage which is trapping the Ctrl-A-A reset. Once it
does this you have to shut the machine down and re-Kickstart since
Ctrl-A-A no longer returns you to the Workbench prompt. As far as he has
been able to determine, the virus does not engage in any disk
destruction or other really nasty stuff. However I would consider
losing my VD0: contents to a cold boot pretty hostile action.
 
The above comments about incrementing the booby-trap timer apply to
EVERY disk infected by the virus of course, so it's important to kill
every occurrence of it, or you'll soon be re-infected. Install is a
pretty simple way to solve this program, but he was thinking of writing
a little program to automatically look for and kill the virus. Should I
encourage him to do so?
 
It almost seems that we got lucky this time, and that the virus isn't as
bad as some of the IBM-PC trojans that I've heard about. Maybe I'm a bit
paranoid, but how many of you read the EXECUTE.ME files that often
accompany .ARC files? All it would take is for some sick soul to add a
little "delete...." to an ordinary rename script. Since this possibility
occurred to me (prompted by a discussion in Risks several months ago),
I've made it a point to read all EXECUTE.ME's before executing them.
Maybe a little extra trouble, but I like to know what's going on in my
machine.
 
The big question is: does anyone know how this virus got into the
country?
-- 
Blaine Gardner @ Evans & Sutherland    540 Arapeen Drive, SLC, Utah 84108
UUCP Address:   {ihnp4,ucbvax,decvax,allegra}!decwrl!esunix!blgardne
		{ihnp4,seismo}!utah-cs!utah-gr!uplherc!esunix!blgardne
"I don't see no points on your ears boy, but you sound like a Vulcan!"
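
The post above places the virus in the boot blocks and says INSTALL removes it. As an added example (not code from the thread or from anyone quoted in it), here is a boot block check of the kind the poster's friend was considering. It assumes the standard Amiga floppy layout, which the page does not describe: a 1024-byte boot block starting with "DOS", a checksum in bytes 4-7, and boot code from byte 12. The sample blocks are constructed stand-ins.

```python
import re
import struct

BOOTBLOCK_SIZE = 1024  # first two 512-byte sectors of an Amiga floppy (assumed layout)

def bootblock_checksum(block: bytes) -> int:
    """Checksum as stored in bytes 4-7, computed with that field zeroed."""
    data = block[:4] + b"\0\0\0\0" + block[8:BOOTBLOCK_SIZE]
    total = 0
    for (word,) in struct.iter_unpack(">I", data):
        total += word
        if total > 0xFFFFFFFF:              # add the carry back in
            total = (total & 0xFFFFFFFF) + 1
    return ~total & 0xFFFFFFFF

def seal(block: bytes) -> bytes:
    """Pad to full size and store a valid checksum (used to build the samples)."""
    block = block.ljust(BOOTBLOCK_SIZE, b"\0")
    return block[:4] + struct.pack(">I", bootblock_checksum(block)) + block[8:]

def triage(block: bytes, reference: bytes) -> dict:
    """Classify one boot block against a known-good reference boot block."""
    block = block[:BOOTBLOCK_SIZE]
    if len(block) < BOOTBLOCK_SIZE:
        raise ValueError("need the first 1024 bytes of the disk")
    stored = struct.unpack(">I", block[4:8])[0]
    bootable = block[:3] == b"DOS" and stored == bootblock_checksum(block)
    if not bootable:
        status = "not-bootable"             # boot code on this disk is never run
    elif block == reference[:BOOTBLOCK_SIZE]:
        status = "standard"
    else:
        status = "modified"                 # bootable but not the reference: run INSTALL
    # Readable text in the code area, such as an embedded message.
    strings = [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{6,}", block[12:])]
    return {"status": status, "strings": strings}

# Constructed samples: the byte patterns are stand-ins, not real boot code.
REFERENCE = seal(b"DOS\0" + b"\0" * 4 + struct.pack(">I", 880) + bytes(range(0x80, 0x90)))
MODIFIED = seal(REFERENCE[:28] + b"\x90\x91CONSTRUCTED SAMPLE MESSAGE\0")
DATA_DISK = b"DOS\0".ljust(BOOTBLOCK_SIZE, b"\0")

if __name__ == "__main__":
    for name, blk in [("reference", REFERENCE), ("modified", MODIFIED), ("data", DATA_DISK)]:
        print(name, triage(blk, REFERENCE))
```

In practice the reference would be the first 1024 bytes of a disk freshly written by INSTALL, and each suspect disk's first 1024 bytes would be read from a disk image.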