Newsgroups: comp.sys.atari.st
Path: decwrl!labrea!agate!pasteur!ames!necntc!linus!philabs!ttidca!woodside
Subject: Treating a Virus
Posted: 31 Mar 88 14:26:23 GMT
Organization: Citicorp/TTI, Santa Monica
I've received a lot of mail about the ST virus, and the virus killer I posted
called PENICILN. I've collected all the questions, and will try to answer them
all at once. This will be in rather simple terms, so you needn't be an
operating systems guru to understand what's happening, or what to do about it.
The only virus I've heard described attacks only floppy disks, and works as
follows:
The ST uses the write protect detection logic to detect when a disk has
been removed from the disk drive. When the ST next accesses that drive,
even if the same disk was pulled out and re-inserted, it does a check
to see if the disk has been changed. This check is a system function called
Getbpb. The ST will execute this function on every disk you insert into the
machine and access, regardless of what program accesses the disk, or for
what reason.
The virus "attaches itself" to the system Getbpb function call. When the
ST checks the disk, the virus writes itself on the disk, unless the disk's
write protect window is open. That's very significant; the virus can not
spread itself to a write protected disk.
The virus keeps count of how many times it has reproduced itself. It zeroes
and restarts the count each time it writes itself to a new disk. I assume the
philosophy here is "If I see a non-infected disk, I haven't spread enough
yet. When I see X infected disks in a row, I'm pretty well spread around."
When the virus gets to X infected disks in a row, it trashes the disk.
Note that the virus is still in RAM, and will continue trashing every disk
it sees.
The virus can not load itself into your system except when you power on,
or do a system reset. It can not enter your system by reading a disk at
any other time, only at power-up or reset.
The PENICILN program forces a system Getbpb call to the disk before
it zeroes the boot sector, to ensure that (if your system is infected)
the virus will get written before PENICILN zeroes the boot sector,
not afterwards. Then, after writing zeroes to the boot sector, it
(in keypress mode) sits and waits for another command before releasing
control of the system.
How to disinfect a system, whether you have the virus or not, is not
difficult. These steps will get your system clean, even if you don't
have reason to worry (yet).
1) Get a copy of PENICILN, and run the program with the "-k" option
specified on the command line. Put a disk with the write protect
window closed in drive A, and press "A". This tells PENICILN
to zero the boot sector on the disk in drive A.
2) Wait for the disk access light to go out. Don't do anything else!
This ensures that nothing gets the opportunity to alter the boot
sector after it has been cleared.
3) Turn off the power to your system and wait 15 seconds. This ensures
that memory is completely erased, including the virus, if it was
present in your system.
4) Remove the disk from drive A, open the write protect window, and
put it back in drive A. This provides a safe disk to boot from,
which can no longer be altered.
5) Power up your system. Run your favorite sector editor, or sector
dump program, to check the contents of sector zero on the disk in
drive A. This ensures that the copy of PENICILN you have hasn't been
tampered with by some *%&@!$#. There should be zeroes in bytes 0-7,
and in 30 - 509. The data in 8 - 29 is the serial number and disk
configuration parameters. The numbers in 510 and 511 force a zero
checksum on the disk, telling GEMDOS that the boot sector is not
executable. Assuming that your disk matches these requirements,
you now have a safe boot disk, and a disinfected system. If the
disk doesn't have the zeroes everywhere else, (assuming you didn't
specify an MS-DOS boot sector), destroy that copy of PENICILN.
Destroy whoever gave it to you, too!!! :^) Seriously, there should
be zeroes everywhere, or something is very wrong.
6) Set aside any disks you have which must be self booting (games or other
software which you have to insert into drive A before powering up or
pressing reset). These disks can not have their boot sectors altered, or
they will be useless. You should probably keep the originals aside,
but throw your working copies into the stack of disks you are going to
clean up.
7) Run PENICILN again, with the -k option specified. Feed it every disk
you own, except for those you set aside above. This disinfects all
your disks.
At this point, you have a clean system, and all your disks are clean,
with the possible exception of the self-booting ones you set aside. To
keep your system clean, never power up or press reset with a disk in
drive A which you haven't disinfected. And, keep the write protect
window open on disks unless you know you will have to write on them. Be
suspicious of disks from anyone else, and disinfect them before using
them (unless they absolutely must be self booting). One report of the
virus came from disks purchased at a computer store. Whether intentional
or not, any disk you introduce to your system can be spreading the virus.
Hopefully, this plague can be wiped out. But, I doubt if we can ever
feel 100% safe from this sort of sabotage.
There are more questions, but related more to boot sectors and serial
numbers, which I'll cover in another posting.
--
*George R. Woodside - Citicorp/TTI - Santa Monica, CA
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside

You can get PENICILN (with permission from your family doctor :-))
from: LIBRTY::USR:[WALLACE.PUBLIC.ST]PENICILN.*
There are two files, a .ARC containing the executable, source, and
documentation, and a .INF file which I will include as part of
this reply since it talks about the virus.
Beware, though I haven't tried PENICILN yet, the docs claim it wipes
out the boot sector regardless.
I have used the program called VDU and it is real user friendly.
It tells you when it thinks you might have a virus and gives you
the option of "killing" it. You also have the option of "immunizing"
the disk. VDU recognizes MS-DOS and a handful of other boot sectors
and will tell you when it sees one.
Ray
What follows was posted on USENET with PENICILN.
Subject: Virus Killer
Posted: 26 Mar 88 18:10:54 GMT
Organization: Citicorp/TTI, Santa Monica
In article <[email protected]> [email protected] (braner) writes:
>
>Another suggestion: could somebody make a dump of the boot sectors of
>a standard SS floppy, a DS one, standard HD setup, etc? These dumps could
>be compared with what's on a disk that is suspected of having been hit
>by a virus. One could even write a program that has these dumps embedded,
>compares with what's on the disk, reports about differences, and,
>upon request, replaces what's on the disk with the standard.
>
>Is this a good idea or am I completely ignorant as to how viruses work?
> ...[edited]...
It's not quite that simple, but that's not a bad idea.
The boot sector of an ST floppy disk contains disk configuration information
(sides on disk, tracks, sectors per track, FAT size, etc.) which can,
and frequently does, vary from disk to disk. It also contains a serial
number which must vary from disk to disk, or you get deep trouble when
changing disks (GEMDOS won't know the disk changed).
But, that all fits in a small portion of the boot sector, within the
first 30 bytes.
Many format programs leave all sorts of junk in the buffer they use to
write the boot sector (including the desktop). While this will also
vary, it is not harmful.
When should a disk contain an executable boot? Only if
1) It is designed to be a self booting disk (some games, commercial
software, alternate operating systems, etc.)
2) You have specifically placed a self-boot program on the disk (such
as a clock setter, RAMdisk loader, etc.)
Note that hard disk autoboot programs vary from supplier to supplier,
but generally do not expect any kind of boot code on a floppy. If your
hard disk boot does not care what disk is in the floppy drive, then
it doesn't need an executable boot on the floppy.
No other disk should contain self-booting code unless you are still
running with TOS in RAM (Is anyone really still doing this?).
The only other way I can think of a virus getting into an ST is in an
/AUTO folder program. If you have something in your /AUTO folder which
is spreading a virus, you are out of luck.
If a disk is MS-DOS compatible, it must contain certain MS-DOS data
to be useable, and the statements above do not apply.
With that in mind, I whipped up this disk sterilizer, which I named
(with tongue only slightly in cheek) PENICILN (Yes, I know that's not spelled
correctly, but you only get eight bytes :^> ). It will kill any kind of
virus I can imagine, and anything else in the boot sector. It reads the
boot sector, saves the disk serial number and configuration information,
wipes the rest of the boot sector clean, replaces the saved data, forces
a non-executable checksum, and re-writes the boot sector.
*** WARNING ***
This program is the equivalent of a blind, deaf, and dumb flame-thrower
approach to virus killing. It WILL kill anything in a boot sector. If you
use it on a disk which must contain a boot (games, etc. mentioned above)
you will destroy the disk. I therefore disclaim any responsibility for
the results of the use of this program.
The program is specified as a .TTP, so you can run it from a shell or the
desktop. It expects the input on the command line. It accepts an option of
"-m" to write an MS-DOS boot sector, or an option of "-k" to become keyboard
driven. Otherwise, it expects either "a" or "b" to name which floppy to use.
If you enter the drive name only (a or b), it will clean the boot sector on
the named drive and exit. If you specify -m, it writes an MS-DOS boot sector
on the named drive. If you enter -k, it enters a loop. Each time you press
"a" or "b", it will clean the disk in that drive. Any other keypress will
exit.
Note that this program will not alter anything other than the boot sector,
so any files or programs on the disk are safe and unaltered, regardless of
how the disk is formatted.
Since I take this virus situation seriously, I am including the source
for the program so anyone can see exactly what it does before running it.
I also encourage everyone to distribute the program, with the accompanying
explanation, as widely and as quickly as possible.
Nothing like a shot of "peniciln" to keep a virus from spreading :^)
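As an added example (not code from either posting, nor from PENICILN's own source), here is the sterilizing procedure from the "Virus Killer" post and the step 5 check from the cleanup procedure, modelled in Python on a 512-byte boot sector held in memory. The 0x1234 word-sum rule for an executable ST boot sector is the real one; the serial number, BPB values and "code" bytes in the sample sector are constructed.

```python
# Added example, not code from either posting or from PENICILN's own source:
# the sterilizing described in the "Virus Killer" post, applied to a 512-byte
# Atari ST boot sector held in memory, plus the step 5 check from the cleanup.
SECTOR_SIZE = 512
KEEP_START, KEEP_END = 8, 30   # serial number + disk configuration live in 8-29
EXEC_MAGIC = 0x1234            # word sum GEMDOS requires to run a boot sector

def word_sum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words, modulo 2**16."""
    words = (int.from_bytes(sector[i:i + 2], "big") for i in range(0, SECTOR_SIZE, 2))
    return sum(words) & 0xFFFF

def is_executable(sector: bytes) -> bool:
    """True if GEMDOS would execute this boot sector (word sum == 0x1234)."""
    return word_sum(sector) == EXEC_MAGIC

def sterilize(sector: bytes) -> bytes:
    """Keep bytes 8-29, zero everything else, then pick the last word so the
    whole-sector word sum is zero, which can never equal 0x1234."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    out = bytearray(SECTOR_SIZE)
    out[KEEP_START:KEEP_END] = sector[KEEP_START:KEEP_END]
    partial = word_sum(bytes(out))            # last word is still zero here
    out[510:512] = ((-partial) & 0xFFFF).to_bytes(2, "big")
    return bytes(out)

def verify_clean(sector: bytes) -> bool:
    """Step 5: zeros in 0-7 and 30-509, zero checksum, hence not executable."""
    return (len(sector) == SECTOR_SIZE
            and not any(sector[:KEEP_START])
            and not any(sector[KEEP_END:510])
            and word_sum(sector) == 0
            and not is_executable(sector))

def make_sample_infected() -> bytes:
    """Constructed sample: a fake serial/BPB, 480 bytes of 'code', and a
    fix-up word that makes the sum 0x1234 so GEMDOS would run it."""
    serial_and_bpb = bytes.fromhex("a1b2c3")        # constructed serial number
    serial_and_bpb += bytes.fromhex("0002020100027000d002f90500090002000000")  # constructed BPB
    sec = bytearray(b"\x60\x1c" + b"\x00" * 6)      # bra.s over the BPB (constructed)
    sec += serial_and_bpb
    sec += b"\x4e\x71" * 240                        # 480 bytes of NOPs stand in for code
    sec += b"\x00\x00"
    fixup = (EXEC_MAGIC - word_sum(bytes(sec))) & 0xFFFF
    sec[510:512] = fixup.to_bytes(2, "big")
    return bytes(sec)
```

Running `verify_clean(sterilize(make_sample_infected()))` returns True, and applying `sterilize` a second time leaves the sector unchanged, so a disk can safely be fed through the loop twice.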