This weekend I received a number of PD software disks from a computer
store. I found that three of these contained the 'ST Virus' that has been
mentioned on the net recently. I did not, however, discover this until it
had trashed one disk and infected a very large number of disks.
    I have since disassembled the virus and worked out exactly what it
does, and I am posting a summary of what I found here.
What The Virus Does
When the ST is reset or switched on, it reads track 0 sector 0 (the boot
sector) of the disk in drive A. That sector can be set up so that the ST
executes its contents. The virus program is written into this sector, so
it is loaded whenever the ST is booted from an infected disk.
    Once loaded into memory, the virus locates itself at the end of the
system disk buffer (address contained at 0x4c2 I think) and attaches
itself to the BIOS getbpb() function.
* getbpb() returns the BIOS parameter block (BPB) for a disk device.
    Every time getbpb() is called, the virus is activated. It tests the
disk to see whether it already carries the virus. If it does not, the virus
is written out to the boot sector and a counter is initialised.
    If the disk does contain the virus, the counter is incremented.
Once the counter reaches a certain value, random data is written across
the root directory and FAT tables of the disk, making it unusable.
The virus then removes itself from the boot sector of the damaged disk
(destroys the evidence??).
* The FAT (file allocation table) records which clusters are free and how
each file's clusters chain together; without it and the root directory the
files on the disk cannot be found.
Once the virus is installed in the ST it will copy itself to EVERY
non-write-protected disk that you use - EVEN IF YOU ONLY DO A DIRECTORY -
or open a window to it from the desktop, since either action goes through
getbpb().
The virus CANNOT copy itself to a write-protected disk.
I *think* (but am not certain) that it survives a reset.
The current virus does not affect hard disks (it writes with the flopwr()
call, which only addresses floppies).
* flopwr() writes a sector on a floppy disk (drives A or B).
However, if you are using an auto-boot hard disk such as a Supra, and
the disk in drive A contains the virus, THE FLOPPY BOOT SECTOR IS
EXECUTED BEFORE THE HARD DISK BOOT SECTOR, and consequently the virus will
still be loaded and transferred to every floppy that you use.
 To test for the virus, look at sector 0 of a floppy with a disk editor.
If the boot sector is executable it will contain 60 hex (the first byte of
a 68000 BRA.S instruction) as its first byte. Note that a number of games
have executable boot sectors as part of their loading; if such a game disk
is infected, the game will no longer load.
If people are worried about this and haven't been able to get the other
killer (I have not seen it yet), then I will post the source/object
for a simple virus detector/killer that I have written.
It would appear that this virus is not the end of the story. I have
heard that there is a new virus around. This one is almost impossible
to detect, as for each disk inserted it scans for any *.prg and
appends itself to the text segment in some way. Thus it is very difficult
to tell whether or not the virus is actually on a disk...
Use those write-protect tabs!
Check all new disks!
Hopefully we can get rid of this virus totally before it damages 
something important.
    Chris Allen.
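As an added illustration (this is not Chris Allen's detector, whose code is not on this page, nor anything from the virus itself), the following Python script shows what a disk-editor check of sector 0 amounts to. Beyond the first-byte 60 hex heuristic from the post, it applies the rule the ST ROM actually uses: a boot sector is executed only when its 256 big-endian 16-bit words sum to 0x1234 modulo 2^16. It also parses the DOS-compatible BPB that TOS writes at offset 0x0B to locate the FAT copies and root directory the virus overwrites, and neutralises a sector by bumping its last word so the checksum no longer matches. Assumptions, flagged in the code as well: a standard TOS BPB layout, and that the word at offset 510 is free to change (it is on a plain TOS-formatted disk); the sample sector is constructed inline, not taken from a real disk.

```python
import struct

SECTOR_SIZE = 512
BOOT_MAGIC = 0x1234       # TOS boots a sector whose 16-bit word sum (mod 2**16) equals this
BRA_S_OPCODE = 0x60       # high byte of a 68000 BRA.S, the "60 hex" first byte the post mentions
BPB_OFFSET = 0x0B         # little-endian DOS-compatible BPB written by TOS (assumed standard layout)
BPB_FORMAT = "<HBHBHHBH"  # bps, spc, reserved, nfats, ndirs, nsects, media, spf
CHECKSUM_WORD = 510       # last word of the sector, used here for the checksum fixup (assumption)


def word_sum(sector: bytes) -> int:
    """Sum of the 256 big-endian words, mod 2**16, as the ST ROM computes it."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    """True if TOS would jump into this sector at boot."""
    return word_sum(sector) == BOOT_MAGIC


def starts_with_bra(sector: bytes) -> bool:
    """The post's quick check: executable boot code normally opens with BRA.S (0x60)."""
    return sector[0] == BRA_S_OPCODE


def classify(sector: bytes) -> str:
    """Verdict for a disk-editor user; the checksum is authoritative, 0x60 is only a hint."""
    if not is_executable(sector):
        return "not executable"
    return "executable, starts with BRA.S" if starts_with_bra(sector) else "executable, no BRA.S"


def parse_bpb(sector: bytes) -> dict:
    """Unpack the on-disk BPB fields (little-endian, unlike the 68000's native order)."""
    fields = struct.unpack_from(BPB_FORMAT, sector, BPB_OFFSET)
    names = ("bps", "spc", "reserved", "nfats", "ndirs", "nsects", "media", "spf")
    return dict(zip(names, fields))


def fat_and_root_sectors(sector: bytes) -> dict:
    """Inclusive logical-sector ranges of the FAT copies and root directory the virus trashes."""
    bpb = parse_bpb(sector)
    fats = []
    start = bpb["reserved"]
    for _ in range(bpb["nfats"]):
        fats.append((start, start + bpb["spf"] - 1))
        start += bpb["spf"]
    root_len = (bpb["ndirs"] * 32 + bpb["bps"] - 1) // bpb["bps"]
    root = (start, start + root_len - 1)
    return {"fats": fats, "root": root, "data_start": start + root_len}


def neutralize(sector: bytes) -> bytes:
    """Make the sector non-executable by bumping one word; the BPB is untouched so the disk still mounts."""
    out = bytearray(sector)
    (w,) = struct.unpack_from(">H", out, CHECKSUM_WORD)
    struct.pack_into(">H", out, CHECKSUM_WORD, (w + 1) & 0xFFFF)
    return bytes(out)


def build_sample(bootable: bool) -> bytes:
    """Constructed 720K-style boot sector (not a real image); bootable=True adds the 0x1234 fixup."""
    s = bytearray(SECTOR_SIZE)
    s[0:2] = b"\x60\x1C"  # BRA.S past the BPB to offset 0x1E, where boot code would sit
    # 512 bytes/sector, 2 sectors/cluster, 1 reserved, 2 FATs, 112 root entries,
    # 1440 sectors, media byte F9, 5 sectors per FAT
    struct.pack_into(BPB_FORMAT, s, BPB_OFFSET, 512, 2, 1, 2, 112, 1440, 0xF9, 5)
    if bootable:
        partial = sum(struct.unpack(">255H", bytes(s[:CHECKSUM_WORD]))) & 0xFFFF
        struct.pack_into(">H", s, CHECKSUM_WORD, (BOOT_MAGIC - partial) & 0xFFFF)
    return bytes(s)


if __name__ == "__main__":
    for flag in (True, False):
        sec = build_sample(flag)
        print(classify(sec), fat_and_root_sectors(sec))
    print(classify(neutralize(build_sample(True))))
```

The checksum test matters because a virus author need not keep the 60 hex first byte; the ROM does not care what instruction sits there, only that the words sum to 0x1234. Conversely, a game's executable boot sector passes both tests, so the post's advice about legitimate boot code still applies: classify tells you the sector will run, not who wrote it.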


(C) Marko, Suomen Atari-sivut / ArkiSTo 2003