Path: utzoo!utgpu!attcan!uunet!philmtl!philabs!ttidca!woodside From: woodside@ttidca.TTI.COM (George Woodside) Newsgroups: comp.sys.atari.st Subject: Virus on Wordup v2.0 Disks Message-ID: <6583@ttidca.TTI.COM> Date: 1 Oct 89 16:38:26 GMT Reply-To: woodside@ttidca.tti.com (George Woodside) Organization: Citicorp/TTI, Santa Monica Lines: 70 NEOCEPT has released an announcement regarding a virus on some copies of their version 2.0 release disks, a portion of which is reproduced here: "Neocept has discovered a HARMLESS virus on all of the WordUp v2.0 upgrades and new packages with serial numbers from WUP004000 to WUP004249. This virus is completely harmless and does nothing more than copy itself to the boot sector of all disks that are accessed. In fact, this virus could arguably be called a "virus killer", since it wipes out any harmful virus that may already occupy the boot sector. It is remotely possible that this virus could be the "key" to activate some other virus, or that this virus interacts to duplicate some other virus. However, Neocept has already disassembled and looked closely at the virus, and can find no indication of how it might act as a "key". To be safe, users should clear out all but the first 32 bytes of the boot sectors of their WordUp disks, using a disk editor or a virus killing program. ..." I must raise some objection to portions of this announcement. I will withhold comments about the responsibility of software publishers regarding checking releases for viruses. I must, however, voice strong protests at their attempts to downplay the significance of this event. While I have not yet received an exact copy of the virus, it has been identified as the "KEY", "TYPE 1", or "SIGNUM BPL" virus, depending upon the anti-virus software you favor. There is no stretch of the imagination by which this virus could be referred to as a "virus killer". It is a very real, fast spreading virus, with dangerous side effects. It WILL spread itself to the boot sector of any disk inserted into the ST which the virus does not recognize as already containing a copy of the virus. It will, therefore, overwrite the boot sector of a disk which must be auto-booting, rendering the disk useless. It will spread throughout a user's disk library quickly. It is already the most widespread virus in the USA. More dangerous than the spread of this virus, however, is the danger it represents if it locates the "KEY" for which it is waiting. While the virus must be on the boot sector of the disk in drive A during a power up or reset to become activated, no such condition applies to the "KEY". If the virus is active, and a disk bearing the "KEY" characteristics is inserted into the ST, the virus will execute the code present on the "KEY" disk as soon as that "KEY" disk is accessed. It does not require the ST to be reset. As soon as the "KEY" disk is accessed, whatever code is present on the "KEY" disk will be executed immediately. Of course, I will not make public what that "KEY" is. All version of VKILLER will correctly identify a "KEY" disk, should one emerge. Let me make it perfectly clear that the virus on the WordUp v2.0 disks is reported to NOT contain that "KEY". It will not harm systems, other than to destroy boot sectors, as noted above. It will, however, cause a system to fall victim to whatever code is present on a "KEY" disk, should one be inserted into a system with this virus active. As of this writing, neither I nor any of the other virus fighters I know have located a "KEY" disk. No one, therefore, can warn you of what to expect if a "KEY" disk turns up. While I applaud NEOCEPT for going public with this warning, and apparently stopping distribution of the virus quickly, I strongly disagree with their attempts to lessen the gravity of the situation. This virus is NOT "harmless", and is absolutely NOT a "virus killer". Viruses hurt everyone in this industry, and must be fought at every opportunity. -- *George R. Woodside - Citicorp/TTI - Santa Monica, CA *Path: ..!{philabs|csun|psivax}!ttidca!woodside