[Search for users] [Overall Top Noters] [List of all Conferences] [Download this site]

Conference 7.286::atarist

Title:	Atari ST, TT, & Falcon
Notice:	Please read note 1.0 and its replies before posting!
Moderator:	FUNYET::ANDERSON

Created:	Mon Apr 04 1988
Last Modified:	Tue May 06 1997
Last Successful Update:	Fri Jun 06 1997
Number of topics:	1433
Total number of notes:	10312

1278.0. "Eeeek... I have virus !!!" by COMICS::DSMMGR (Pigman, Pigman, ha ha charade you are...) Mon Apr 13 1992 15:56

    
    Eeeeeeeek I have a virus !!!
    
    I have no idea where I picked it up from, but my prime suspect at the
    moment is from either the ST Format or ST User magazine freebie disk.
    
    Unfortunately the virus propogated quite a bit before I noticed it and
    I am having a real hard time getting rid of it... suggestions are all
    welcome. Let me explain what has happened to date.
    
    Firstly I have seen no overt signs of the virus in action. I use
    Neodesk and noticed an E in the window of my system diskette which
    should not be there, so good egg that I am I immediately ran
    VKILLER.PRG on the disk. It came up with the devil's face and said that
    the disk was highly suspicious. So I selected the kill option. This 
    had no effect, the disk remained 'highly suspicious.'
    
    Okay I thought, this virus killer proggy can't handle this virus so
    I tried the Ultimate Virus Killer (its a demo version which allows only
    one virus kill per session) and this said that there were no viruses in
    memory but upon scanning the disk said :
    
    		RED ALERT. YOU HAVE BEEN INFECTED BY THE
    		GHOST VIRUS A...
      		REPAIR DISK IMMEDIAATELY !!
    
    Needless to say I selected the repair option and upon doing it it said
    the disk was 100% safe. However as soon as I went bact to the Neodesk
    desktop the dreaded E was there in my window again. Go into UVK again
    and once again I got the infection alert.
    
    QUESTIONS:  What IS the Ghost virus and how does it manifest itself ??
    
    		What's the best thing to do to get rid of the beast... I
    		think quite a few of my floppies are infected.
    
    		Will a virus only get into memory if you BOOT off an 
    		infected floppy ?
    
    What I mean by the last question is that if I have a known clean disk 
    with a virus killer on it and I invoke the virus killer and then
    insert the floppy to be checked, could the process of the virus killer
    reading the disk to check it actually cause the virus to hide itself
    in memory and thereby infect the disk even after a kill operation has
    been performed by the virus killer.
    
    Again ALL help is gratefully received.
    
    
    Cheers,
    
    Jonathan

T.R	Title	User	Personal Name	Date	Lines
1278.1	always boot a clean disk	UFHIS::BFALKENSTEIN		`Tue Apr 14 1992 08:21`	11
	you should boot up the known clean disk and then kill the virus on the infected disk before it had the chance to jump to memory. Then shut off the machine again to be sure your memory is clean. If you have a harddisk, then you should boot up without the harddisk and then kill the virus. If the virus is already on your harddisk, then use virus- killers that check the HD, like Sagrotan. Bernd
1278.2		KERNEL::IMBIERSKI	The sound of electric wood	`Wed Apr 15 1992 10:24`	14
	Jonathon, I get ST format and ST user too, and always check the cover disks with UVK for boot sector viruses before using them. I don't check for link viruses, though. UVK has not reported any problems so far. Which type of virus is this (ie boot sector or link ?) Have you tried the suspected infected cover disks with UVK? Can you tell me which ones they are so I can double check mine? Sorry Jonathon! Lots of questions for you but few answers! Tony I
1278.3	Maybe I'm Lucky START Folded	RICKS::ROST	The Creator has a master plan	`Wed Apr 15 1992 19:07`	8
	Sort of a side issue...how come we're always hearing about infected disks being given away with the magazines in the UK? Is it a tradition or something? 8^) Seriously, have the publishers figured out how these disks are getting infected? Brain
1278.4	is it really a virus?	KERNEL::BLAND	Norman Bland 833 3797 CSC, Basingstoke	`Thu Apr 16 1992 01:09`	9
	I get these coverdisks too. Do you know which issue of ST FORMAT or ST USER is suspect? I have also got NEODESK but I do not as a matter of course check my Cover Disks (trusting soul that I am). I better get checking. BTW, when checking some other disks a while back, I noticed the "E" on one of my disks; I nearly died of fright. It turned out to be an executable boot sector on a disk which I believe has GDOS on it! Norman
1278.5		KERNEL::IMBIERSKI	The sound of electric wood	`Thu Apr 16 1992 08:49`	7
	There has been 1 serious case that I know about of a UK magazine putting an infected disk on their cover. Jonathon only suspects the magaazine disks at the moment because they are the only new "foreign" disks he has introduced into his system. We don't know for sure that was the source. Tony I
1278.6	What does the Ghost virus do ??	COMICS::DSMMGR	Pigman, Pigman, ha ha charade you are...	`Thu Apr 16 1992 12:00`	19
	Re .-1 This is true. I do not want to place the blame on either of the magazines I mentioned. I just suggest that it is POSSIBLE that they were the source because I have not bought any other s/w recently. It will be interesting to read next month's editions to see if anyone else got infected. I do not religiously check every disk I get for viruses either, so it is possible that the source of the infection was from any of a number of PD disks I have had for some time but not used much. What I am really interested in knowing is what the Ghost Virus does... does anyone know this ?? Cheers, Jonathan
1278.7	Possibly ST User ?	WAYOUT::CLARKE	The Cat in the Hat comes back.	`Thu Apr 16 1992 12:39`	17
	I think I may have picked up a virus also. Symptoms are that for periods of time you move mouse up and down pointer on desktop moves down and up, and then it switches back to normal for a bit. One of my more informed colleagues suggested that this was the aforementioned Ghost virus. I have not been able to check my disks as I do not have any virus combat software unfortunately Robocod took preference. The moral of this story is that when I first detected the virus I was looking so see if anything useful was put on the February and March ST User cover disks. It was an ST User cover disk which contained a virus previously. Heres to cheaper magazines with no crummy cover disks which are more trouble than they are worth. (Saying that I havent checked out the full version of HiSoft Harlekin given away on April cover disk!) Aston
1278.8	Clean as driven snow once more	COMICS::DSMMGR	Pigman, Pigman, ha ha charade you are...	`Tue Apr 21 1992 10:44`	17
	Yup, for sure that is the Ghost Virus. I looked up the symptoms from an article in one of the ST magazines (the haave their uses 8-) I am now pure and clean again having spent hours going through my diskette collection and blasting numerous copies of the aforementioned nasty. I used PVK (professional Virus Killer) to do the job and I must admit that its a very nice program too. It was given away on one of the cover disks (so they are not always more trouble than they are worth) Thanks to all those who responded to this base note with advice and help. MMMmmmmm I wonder if I have learnt my lesson ??? Time will tell. Jonathan
1278.9		WARNUT::KAYD	WORM-mode noter	`Tue Apr 21 1992 13:55`	13
	Jonathan, Did you find out where the virus came from ? In particular, does it still look as though it was on a cover disk ? I must admit, I've been assuming that since the one recorded incident of a cover disk having a virus on it the publishers are being ultra-cautious, so I don't routinely check cover disks for viruses (virii ?). Maybe I should start ! Cheers, Derek.
1278.10	No not really	COMICS::DSMMGR	Pigman, Pigman, ha ha charade you are...	`Tue Apr 21 1992 16:14`	10
	Hi Derek, No, not categorically. To be honest I'm just glad to be rid of the thing though I'm not sure where ELSE it might have come from Cheers, Jonathan
1278.11	E in the window	VIVIAN::T_SMITH		`Wed Apr 22 1992 07:37`	16
	If I'm preaching to the converted - then I apologise, but don't forget that Neodesk will show an E in the floppy's window if the boot sector is executable. So if you use <say> the GE-Soft hard disk adapter, it uses an executable boot sector on the floppy in drive A to point to drive C as the boot device. (Or words to that effect). Kill the boot sector on the floppy and you'll not be able to boot from the hard disk. Also don't forget the old rat-trap where yo ugo around zapping all the executable boot sectors only to find that you can't play your favourite games any more. Like I said - sorry if I'm preaching to the converted. Tony