THE ATARI ST VIRUS

This weekend I received a number of pd software disks from a computer
store. I found that three of these contained the 'ST Virus' that has been
mentioned on the net recently. I did not, however, discover this until it
had trashed one disk and infected a very large number of disks.
    I have since disassembled the virus and worked out exactly what it
does, and I am posting a summary of what I found here.
                     

What The Virus Does
===================

When the ST is reset or switched on, it reads some information from
track 0 sector 0 of the disk in drive A. It is possible to set up that
sector so that the ST will execute its contents. The virus program is
written into this sector so that it is loaded whenever the ST is booted
on the offending disk.
    Once loaded into memory the virus locates itself at the end of the
system disk buffer (address contained at 0x4c2 I think) and attaches
itself to the bios getbpb() function.
*
* getbpb() returns the operating system parameter block for a disk device.
*

    Every time getbpb() is called, the virus is activated. It tests the
disk to see if it contains the virus. If it doesn't, then the virus is
written out to the boot sector and a counter is initialised.
    If the disk does contain the virus, then the counter is incremented.
Once the counter reaches a certain value, random data is written across
the root directory & fat tables for the disk, thus making it unusable.
The virus then removes itself from the boot sector of the damaged disk
(destroys the evidence??).
*
* The "fat table" contains the bitmap of unused sectors.
*
                     

NOTES
=====

Once the virus is installed in the ST it will copy itself to EVERY non
write-protected disk that you use - EVEN IF YOU ONLY DO A DIRECTORY -
or open a window to it from the desktop.

The virus CANNOT copy itself to a write-protected disk.

I *think* (but am not certain) that it survives a reset.

The current virus does not affect hard disks (it uses the flopwr() call).
*
* flopwr() writes a sector on a floppy disk (drives A or B).
*
However, if you are using an auto-boot hard disk such as Supra, and
the disk in drive A contains the virus, THE FLOPPY BOOT SECTOR IS
EXECUTED BEFORE THE HARD DISK BOOT SECTOR and consequently the virus will
still be loaded and transferred to every floppy that you use.
                     

THE CURE
========

To test for the virus, look at sector 0 of a floppy with a disk editor.
If the boot sector is executable then it will contain 60 hex as its first
byte. Note that a number of games have executable boot sectors as
part of their loading. However, if this is the case then they should not
load when infected by the virus.

If people are worried about this & haven't been able to get the other
killer (I have not seen it yet) then I will post the source/object
for a simple virus detector/killer that I have written.
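The boot-sector test described above, carried through as an added Python example that is not the post's own detector/killer: it applies the post's 0x60 first-byte check (0x60 is the 68000 BRA.S opcode) and, going beyond the post, the word-checksum test TOS itself applies before running a boot sector (the 256 big-endian words must sum to 0x1234), decodes the BPB so the FAT and root-directory sectors the virus overwrites can be located, and returns a copy of the sector that keeps the BPB but will not execute. The 720K sample sector and all function names here are constructed for this example.

```python
import struct

SECTOR_SIZE = 512
BOOT_CHECKSUM = 0x1234   # word sum TOS requires before it executes a boot sector
BPB_END = 30             # bytes 0..29: BRA.S, OEM name, serial number, BPB fields

def word_checksum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words of a sector, modulo 2**16."""
    return sum(struct.unpack(">256H", sector)) & 0xFFFF

def parse_bpb(sector: bytes) -> dict:
    """Decode the DOS-style (little-endian) BIOS parameter block at offset 11."""
    names = ("bps", "spc", "res", "nfats", "ndirs", "nsects",
             "media", "spf", "spt", "nsides", "nhid")
    return dict(zip(names, struct.unpack("<HBHBHHBHHHH", sector[11:BPB_END])))

def system_area(bpb: dict) -> tuple:
    """First/last logical sector of the FATs plus root directory: the region the
    post says the virus overwrites with random data once its counter expires."""
    root_sectors = (bpb["ndirs"] * 32 + bpb["bps"] - 1) // bpb["bps"]
    first = bpb["res"]
    return first, first + bpb["nfats"] * bpb["spf"] + root_sectors - 1

def scan_boot_sector(sector: bytes) -> dict:
    """Report the post's 0x60 (BRA.S) first-byte test and the TOS checksum test."""
    return {"bra_first_byte": sector[0] == 0x60,
            "checksum_ok": word_checksum(sector) == BOOT_CHECKSUM,
            "bpb": parse_bpb(sector)}

def neutralise(sector: bytes) -> bytes:
    """Copy that TOS will not execute: keep the BPB so the disk stays readable,
    wipe the branch and the code area, and break the checksum if it still matches."""
    s = bytearray(sector)
    s[0:2] = b"\x00\x00"
    s[BPB_END:] = bytes(SECTOR_SIZE - BPB_END)
    if word_checksum(s) == BOOT_CHECKSUM:   # only if the BPB words alone sum to it
        s[510:512] = b"\x00\x01"
    return bytes(s)

def make_executable(sector: bytes) -> bytes:
    """Constructed test helper: patch the last word so the checksum is 0x1234."""
    s = bytearray(sector)
    s[510:512] = b"\x00\x00"
    s[510:512] = struct.pack(">H", (BOOT_CHECKSUM - word_checksum(s)) & 0xFFFF)
    return bytes(s)

# Constructed sample: 720K double-sided, 9 sectors/track; boot code is a lone RTS.
BPB_720K = struct.pack("<HBHBHHBHHHH", 512, 2, 1, 2, 112, 1440, 0xF9, 5, 9, 2, 0)
SAMPLE = make_executable(b"\x60\x1c" + b"Loader" + b"\x01\x02\x03" + BPB_720K
                         + b"\x4e\x75" + bytes(SECTOR_SIZE - 32))
```

A game loader with a legitimate executable boot sector reports both indicators true as well, so the result identifies sectors worth inspecting, not the virus by itself.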
                     

OTHER VIRUSES
=============

It would appear that this virus is not the end of the story. I have
heard that there is a new virus around. This one is almost impossible
to detect as, for each disk inserted, it scans for any *.prg and
appends itself to the text segment in some way. Thus it is very difficult
to tell whether or not the virus is actually on a disk...
                     

FINALLY
=======

Use those write-protect tabs!
Check all new disks!
Hopefully we can get rid of this virus totally before it damages
something important.

    Chris Allen.


(C) Marko, Suomen Atari-sivut / ArkiSTo 2003