A LETTER TO THE DISK DOCTOR

Date: 03-29-88 (12:21)      Number: 15358
  To: DISK DOCTOR             Read: (N/A)
From: ED JOHNSON            Status: Public
Subj: THE VIRUS

There seems to be a lot of discussion lately about THE VIRUS. In some cases, this discussion has evolved into outright hysteria.

Supposedly someone has written this terrible trojan horse program that attaches itself to perfectly valid public domain programs. Thus it finds its way into your computer system through any number of innocent avenues. Once it's there, THE VIRUS attaches itself to COMMAND.COM. The rumor is that on one fateful day this summer, everybody's computer across the country will simultaneously self-destruct.

I'm aware of many people who are taking heroic protective measures, and spending a good deal of time and money doing it. I'm not totally convinced that this thing actually even exists. While others are working up a lather CRC-checking their backup files, installing various prophylactic programs, and write-protecting everything in sight, I think I'll just
> 1+* |z H Z#
NO CARRIER
General failure reading drive C:
Abort, Retry, Ignore? r
Abort, Retry, Ignore? r
Abort, Retry, Ignore? i
Abort, Retry, Ignore? i
Abort, Retry, Ignore? a
Specified drive is no longer valid
Insert disk with COMMAND.COM in g^Kj9-=$!
PARITY ERROR 02 21

** This message was found posted on the Northern Lights BBS.

----------------------------------------

BEWARE OF THE VIRUS
by the Disk Doctor

This article is presented as a public service. It is NOT a joke. A lot of people are convinced that viruses REALLY exist.

--------------------------------------------

Copyright (C) 1987, the Disk Doctor. First published in the Rochester (PC)^3 News:
Picture City PC Programming Club
PO BOX 20342
Rochester, NY 14602

The Disk Doctor may be contacted at this address, or via CIS [73147,414]. This material may be reproduced for internal use by other not-for-profit groups, provided this copyright notice is included.
----------------------------------------------

Okay. Now let's get serious.

A year ago I explained what Trojan Horse programs are and how we need to work together and stop them. It's time to update that advice, with the arrival of VIRUSes.

A virus infects your computer via the operating system files, lies dormant (maybe for months), infects other systems by replicating itself several times (4 seems to be the magic number), then wipes out every disk in your computer extensively and irreversibly. Meanwhile the 4 children continue to spread and multiply ...

If you suspect you are infected, you should quarantine your computer. As far as I know, there is no cure for the virus and no way to know for sure whether you are a carrier. There are so many different rumors floating around, there may be several mutations in circulation. The latest Dirty Dozen report cites 4 strains of VIRUS programs in order of severity:

1. The first reports occurred at the end of 1987, and involved only mainframe computers. A takeoff on chain letters, this version replicated itself as many times as possible. The overload brought system response to a near halt. Of course, this prank resulted in little more than a major nuisance, since most mainframe systems have sophisticated backup and security mechanisms.

2. The second version infects *.EXE and *.COM files on the PC. Reportedly, the programs slow down 500% on Fridays and the 13th of the month. On the next Friday the 13th, all *.COM and *.EXE files will self-destruct. This virus was first detected because program files increased in size (roughly 1800 bytes) every time they were run.

3. The third and most-talked-about virus hides in the stack space internal to COMMAND.COM, so the file size remains constant. This strain is detectable because the file date changes (when you do a DIR).

4. The latest and most frightening virus adds 17 bytes to IBMCOM.COM, one of the operating system files. This is not so easily detected, because it is a hidden file.
If true, this is the first trojan horse known to write past a software write-protect!

***************************************

So what are we going to do, guys?
?????????????????????

I do not have any direct experience with these virus programs, but I have gathered comments from several BBS's (including the unavoidable comparisons to communicable sexual diseases).

First, I will repeat last year's prescription against trojan horses. We must rely on common sense and cooperation. Watch for these warning signs on all new programs you download or receive:

> a program with no documentation or nothing but a very brief description
> a program you have never heard of
> a renamed or "new" version of an existing popular program
> no author's name
> outrageous claims, like doubling the speed of your PC, or emulating EGA on your CGA monitor
> ridiculous file size - no word processor worth anything has a file size of only a few thousand bytes
> a BASIC program which is saved "protected", so you can't LIST it

Now for the cooperation part:

> only use software from BBS's or libraries where the sysop tests programs before making them public.
> only download software from a BBS where users must register, no handles are allowed, and the person who uploads each file is traceable.
> do not accept any program (new or old) from a friend unless he/she is aware of virus programs and technically competent enough to detect one.
> if you discover a trojan, report it immediately to all local BBS's.
> watch for the latest Dirty Dozen list.

----------------------------------------

Let me add some suggestions aimed specifically at virus programs:

> Mark COMMAND.COM as a read-only file using FILEATTR.COM or one of the super-disk-utilities (Norton, PCTOOLS). No program should write to COMMAND.COM.
> Use write-protected disks. Physical write-protection is built into the drive controller card and cannot be undone in software. The virus will reveal itself if it tries to modify a write-protected disk.
If you suddenly and inexplicably get an 'Abort, Retry, or Ignore' disk write error, you should suspect that you are infected.
> Print out a directory of your system files, and check the file size and date from time to time. Compare the files to the originals on (write-protected!!!) source disks.
> Backup your hard disk, today! Backup is the best insurance against all types of disk damage. Unfortunately, you can be re-infected from your backup if you are already a carrier of the virus.
> Daily, run the hard-disk format protection facility found in the super-disk-utilities (Advanced Norton, MACE, PCTOOLS). This will help you recover from all but a low-level format. Of course, once you recover your files, you will still be infected!
> Use the virus-protection programs springing up on many BBS's (FLUSHOT, VACCINE). These will help prevent infection, but won't tell you if you are already affected. But watch out for trojan horses masquerading as un-virus programs. The slimebags who write these terrible programs are known to take advantage of our paranoia.
> Rumor has it, the world of personal computing will end on May 13, 1988 (the next Friday the 13th). Maybe you can avoid the Apocalypse by changing your clock date before May 13, and resetting it the day after. Watch the 6:00 news on that date. Either this whole thing is a hoax, or a lot of people are going to get wiped out.
> Avoid casual diskette-passing. Have interchanges with a single partner.
> If any of your friends show symptoms, assume you are infected too.
> Exercise safe computing -- always wear a write-protect tab.
> Protect yourself -- don't share contaminated disks.

-----------------------------------------

If you succumb to this dreaded disease and find your hard disk messed up:

1) Warn your friends (and your enemies; I wouldn't wish this on anyone).
2) Reformat your hard disk. Restore only data files (hopefully, no one has found a way to infect data files).
3) Format all floppies you (or anyone) have accessed since Fall '87.
4) Do not restore programs from a co-worker's computer, or from a recent backup (you don't want to get re-infected).
5) Copy programs only from original software disks (these are suspect too, if they were not write-protected and have been used since Fall '87).

-----------------------------------------
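The size-and-date check in the suggestions above (print a directory of your system files, compare size and date later, against originals kept on write-protected disks) is the kind of thing that is better done by a script than by eye. The block below is an added example and not the Disk Doctor's code: COMMAND.COM and PROGRAM.EXE in it are constructed stand-in files written to a temporary directory, and the changes made to them are constructed to mirror the warning signs the article lists (a program file that grows by about 1800 bytes; COMMAND.COM altered without its size changing). It records size, modification time and a SHA-256 hash of each file, then reports what differs. SHA-256 is used instead of the CRC that the letter above mentions because a CRC is a transmission-error check, not a collision-resistant hash.

```python
"""Baseline-and-compare integrity check for program and system files.
Added example, not the Disk Doctor's own code; file names below are constructed.
It automates the article's advice to record system-file sizes and dates and
compare them later, adding a content hash so a same-size, same-date change
(the COMMAND.COM strain, with its date restored) is still caught."""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of_file(path: str) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: List[str]) -> Dict[str, dict]:
    """Record size, modification time (ns) and SHA-256 for each file.
    Store the result somewhere this machine cannot rewrite it (the article's
    write-protected source disk is the 1988 form of that rule)."""
    baseline = {}
    for path in paths:
        st = os.stat(path)
        baseline[path] = {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
                          "sha256": sha256_of_file(path)}
    return baseline


def compare(baseline: Dict[str, dict], paths: List[str]) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for every file that differs from the baseline."""
    findings: Dict[str, List[str]] = {}
    for path in paths:
        if path not in baseline:
            findings[path] = ["not in baseline"]
            continue
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        old, st, reasons = baseline[path], os.stat(path), []
        if st.st_size != old["size"]:
            reasons.append(f"size {old['size']} -> {st.st_size} ({st.st_size - old['size']:+d} bytes)")
        if st.st_mtime_ns != old["mtime_ns"]:
            reasons.append("date changed")
        if sha256_of_file(path) != old["sha256"]:
            reasons.append("contents changed (SHA-256 mismatch)")
        if reasons:
            findings[path] = reasons
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline two stand-in files, alter them the way the
    article's warning signs describe, and return findings keyed by file name."""
    workdir = tempfile.mkdtemp()
    try:
        command_com = os.path.join(workdir, "COMMAND.COM")  # constructed stand-in
        program_exe = os.path.join(workdir, "PROGRAM.EXE")  # constructed stand-in
        with open(command_com, "wb") as fh:
            fh.write(b"\x90" * 4096)
        with open(program_exe, "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 1022)
        paths = [command_com, program_exe]
        baseline = build_baseline(paths)

        # Change 1: PROGRAM.EXE grows by 1800 bytes, the size jump the article reports.
        with open(program_exe, "ab") as fh:
            fh.write(b"\xcc" * 1800)

        # Change 2: COMMAND.COM is patched in place (same size) and its old date is
        # put back, so only the content hash reveals the change.
        before = os.stat(command_com)
        with open(command_com, "r+b") as fh:
            fh.seek(100)
            fh.write(b"\xcc" * 16)
        os.utime(command_com, ns=(before.st_atime_ns, before.st_mtime_ns))

        return {os.path.basename(k): v for k, v in compare(baseline, paths).items()}
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {'; '.join(reasons)}")
```

Running the block prints one line per changed file. Two things the demo shows that the article's size-and-date check alone does not: a file patched in place keeps its size, and a timestamp can be put back (or simply not advance, if the write lands in the same clock tick as the baseline), so the date check is advisory and the content hash is the one to trust; and the baseline is only as good as where it is kept, so write it to media this machine cannot alter, which is exactly what the article's write-protected original disks provide.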