Date: 03-29-88 (12:21) Number: 15358
To: DISK DOCTOR Read: (N/A)
From: ED JOHNSON Status: Public
Subj: THE VIRUS
There seems to be a lot of discussion
lately about THE VIRUS. In some cases,
this discussion has evolved into outright
hysteria.
Supposedly someone has written this
terrible trojan horse program that
attaches itself to perfectly valid public
domain programs. Thus it finds its way
into your computer system through any
number of innocent avenues. Once it's
there, THE VIRUS attaches itself to
COMMAND.COM. The rumor is that on one
fateful day this summer, everybody's
computer across the country will
simultaneously self-destruct.
I'm aware of many people who are taking
heroic protective measures, and spending a
good deal of time and money doing it.
I'm not totally convinced that this thing
actually even exists. While others are
working up a lather CRC-checking their
backup files, installing various
prophylactic programs, and write-
protecting everything in sight, I think
I'll just >
1+* |z
H Z#
NO CARRIER
General failure reading drive C:
Abort, Retry, Ignore? r
Abort, Retry, Ignore? r
Abort, Retry, Ignore? i
Abort, Retry, Ignore? i
Abort, Retry, Ignore? a
Specified drive is no longer valid
Insert disk with COMMAND.COM in g^Kj9-=$!
PARITY ERROR 02 21
** This message was found posted on the
Northern Lights BBS.
----------------------------------------
BEWARE OF THE VIRUS
by the Disk Doctor
This article is presented as a public
service. It is NOT a joke. A lot of
people are convinced that viruses REALLY
exist.
--------------------------------------------
Copyright (C) 1987, the Disk Doctor.
First published in the Rochester (PC)^3 News:
Picture City PC Programming Club
PO BOX 20342
Rochester, NY 14602
The Disk Doctor may be contacted at this
address, or via CIS [73147,414].
This material may be reproduced for internal
use by other not-for-profit groups, provided
this copyright notice is included.
----------------------------------------------
Okay. Now let's get serious. A year ago
I explained what Trojan Horse programs are
and how we need to work together and stop
them. It's time to update that advice,
with the arrival of VIRUSes.
A virus infects your computer via the
operating system files, lies dormant
(maybe for months), infects other
systems by replicating itself several
times (4 seems to be the magic number),
then wipes out every disk in your computer
extensively and irreversibly. Meanwhile
the 4 children continue to spread and
multiply ...
If you suspect you are infected, you
should quarantine your computer. As far
as I know, there is no cure for the virus
and no way to know for sure whether you
are a carrier. There are so many
different rumors floating around, there
may be several mutations in circulation.
The latest Dirty Dozen report cites 4
strains of VIRUS programs in order of
severity:
1. The first reports occurred at the end
of 1987, and involved only mainframe
computers. A takeoff on chain letters,
this version replicated itself as many
times as possible. The overload brought
system response to a near halt. Of
course, this prank resulted in little more
than a major nuisance, since most
mainframe systems have sophisticated
backup and security mechanisms.
2. The second version infects *.EXE and
*.COM files on the PC. Reportedly, the
programs slow down 500% on Fridays and the
13th of the month. On the next Friday the
13th, all *.COM and *.EXE files will self-
destruct. This virus was first detected
because program files increased in size
(roughly 1800 bytes) every time they are
run.
3. The third and most-talked-about virus
hides in the stack space internal to
COMMAND.COM, so the file size remains
constant. This strain is detectable
because the file date changes (when you
do a DIR).
4. The latest and most frightening virus
adds 17 bytes to IBMCOM.COM, one of the
operating system files. This is not so
easily detected, because it is a hidden
file. If true, this is the first trojan
horse known to write past a software
write-protect!
***************************************
So what are we going to do, guys?
?????????????????????
I do not have any direct experience with
these virus programs, but I have gathered
comments from several BBS's (including the
unavoidable comparisons to communicable
sexual diseases).
First, I will repeat last year's
prescription against trojan horses. We
must rely on common sense and cooperation.
Watch for these warning signs on all
new programs you download or receive:
> a program with no documentation or
nothing but a very brief description
> a program you have never heard of
> a renamed or "new" version of an
existing popular program
> no author's name
> outrageous claims, like doubling the
speed of your PC, or emulating EGA on
your CGA monitor
> ridiculous file size - no word processor
worth anything has a file size of only a
few thousand bytes
> a BASIC program which is saved
"protected", so you can't LIST it
Now for the cooperation part:
> only use software from BBS's or
libraries where the sysop tests programs
before making them public.
> only download software from a BBS where
users must register, no handles are
allowed, the person who uploads each
file is traceable.
> do not accept any program (new or old)
from a friend unless he/she is aware of
virus programs and technically competent
enough to detect one
> if you discover a trojan, report it
immediately to all local BBS's
> watch for the latest Dirty Dozen list.
----------------------------------------
Let me add some suggestions aimed
specifically at virus programs:
> Mark COMMAND.COM as a read-only file
using FILEATTR.COM or one of the super-
disk-utilities (Norton, PCTOOLS). No
program should write to COMMAND.COM .
> Use write-protected disks. Physical
write-protection is built into the drive
controller card and cannot be undone in
software. The virus will reveal itself
if it tries to modify a write-protected
disk. If you suddenly and inexplicably
get an 'Abort, Retry, or Ignore' disk
write error, you should suspect that you
are infected.
> Print out a directory of your system
files, and check the file size and date
from time-to-time. Compare the files to
the originals on (write-protected!!!)
source disks.
> Back up your hard disk, today! Backup is
the best insurance against all types of
disk damage. Unfortunately, you can be
re-infected from your backup if you are
already a carrier of the virus.
> Daily, run the hard-disk format
protection facility found in the super-
disk-utilities (Advanced Norton, MACE,
PCTOOLS). This will help you recover
from all but a low-level format. Of
course, once you recover your files, you
will still be infected!
> Use the virus-protection programs
springing up on many BBS's (FLUSHOT,
VACCINE). These will help prevent
infection, but won't tell you if you are
already affected. But watch out for
trojan horses masquerading as un-virus
programs. The slimebags who write these
terrible programs are known to take
advantage of our paranoia.
> Rumor has it, the world of personal
computing will end on May 13, 1988
(the next Friday the 13th). Maybe you
can avoid the Apocalypse by changing
your clock date before May 13, and
resetting it the day after. Watch the
6:00 news on that date. Either this
whole thing is a hoax, or a lot of
people are going to get wiped out.
> Avoid casual diskette-passing. Have
interchanges with a single partner.
> If any of your friends show symptoms,
assume you are infected too.
> Exercise safe computing -- always wear a
write-protect tab.
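
The "check the file size and date from time-to-time" suggestion above, automated as a baseline comparison. This is an added example, not part of the original article. It goes one step beyond the article by also hashing file contents, since a change that leaves both size and date untouched is invisible in a DIR listing. The file names, sizes, dates and byte values are constructed for the demonstration.

```python
import hashlib
import os
import tempfile

def snapshot(paths):
    """Record (size, mtime, SHA-256) per file: the printed directory plus a content hash."""
    result = {}
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        result[os.path.basename(path)] = (st.st_size, int(st.st_mtime), digest)
    return result

def compare(baseline, current):
    """Return {name: [changed attributes]} for every file that differs from the baseline."""
    findings = {}
    for name, old in baseline.items():
        new = current.get(name)
        if new is None:
            findings[name] = ["missing"]
            continue
        changed = [label for label, a, b in zip(("size", "date", "content"), old, new) if a != b]
        if changed:
            findings[name] = changed
    return findings

def demo():
    """Constructed sample files; the changes mimic the symptoms listed in the article."""
    with tempfile.TemporaryDirectory() as root:
        names = ["COMMAND.COM", "PROG.EXE", "TOOL.COM", "CLEAN.COM"]
        paths = [os.path.join(root, n) for n in names]
        for p in paths:
            with open(p, "wb") as fh:
                fh.write(b"\x90" * 4096)
            os.utime(p, (500000000, 500000000))     # fixed baseline date
        baseline = snapshot(paths)
        with open(paths[1], "ab") as fh:            # file grows by 1800 bytes
            fh.write(b"\x00" * 1800)
        for p in (paths[0], paths[2]):              # same size, different bytes
            with open(p, "r+b") as fh:
                fh.seek(100)
                fh.write(b"\xcc" * 17)
        os.utime(paths[0], (500086400, 500086400))  # date moves, size stays constant
        os.utime(paths[2], (500000000, 500000000))  # date put back: only the hash differs
        return compare(baseline, snapshot(paths))

if __name__ == "__main__":
    print(demo())
```

For the comparison to mean anything, the baseline has to be taken from known-good originals and kept on write-protected media, as the article advises for the source disks.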