Path: utzoo!utgpu!attcan!uunet!philmtl!philabs!ttidca!woodside
From: woodside@ttidca.TTI.COM (George Woodside)
Newsgroups: comp.sys.atari.st
Subject: Virus on Wordup v2.0 Disks
Message-ID: <6583@ttidca.TTI.COM>
Date: 1 Oct 89 16:38:26 GMT
Reply-To: woodside@ttidca.tti.com (George Woodside)
Organization: Citicorp/TTI, Santa Monica
Lines: 70

NEOCEPT has released an announcement regarding a virus on some copies
of their version 2.0 release disks, a portion of which is reproduced here:

"Neocept has discovered a HARMLESS virus on all of the WordUp v2.0
upgrades and new packages with serial numbers from WUP004000 to
WUP004249.  This virus is completely harmless and does nothing more
than copy itself to the boot sector of all disks that are
accessed.  In fact, this virus could arguably be called a
"virus killer", since it wipes out any harmful virus that may
already occupy the boot sector.  It is remotely possible that this
virus could be the "key" to activate some other virus, or that this
virus interacts to duplicate some other virus.  However, Neocept
has already disassembled and looked closely at the virus, and can
find no indication of how it might act as a "key".  To be safe,
users should clear out all but the first 32 bytes of the boot sectors
of their WordUp disks, using a disk editor or a virus killing program. ..."

I must raise some objection to portions of this announcement.

I will withhold comments about the responsibility of software publishers
regarding checking releases for viruses. I must, however, voice strong
protests at their attempts to downplay the significance of this event.

While I have not yet received an exact copy of the virus, it has been 
identified as the "KEY", "TYPE 1", or "SIGNUM BPL" virus, depending upon the
anti-virus software you favor.

There is no stretch of the imagination by which this virus could be 
referred to as a "virus killer".  It is a very real, fast spreading virus,
with dangerous side effects.

It WILL spread itself to the boot sector of any disk inserted into the ST
which the virus does not recognize as already containing a copy of the
virus. It will, therefore, overwrite the boot sector of a disk which must be
auto-booting, rendering the disk useless. It will spread throughout a user's
disk library quickly. It is already the most widespread virus in the USA.

More dangerous than the spread of this virus, however, is the danger it
represents if it locates the "KEY" for which it is waiting. 

While the virus must be on the boot sector of the disk in drive A during a
power up or reset to become activated, no such condition applies to the
"KEY". If the virus is active, and a disk bearing the "KEY" characteristics
is inserted into the ST, the virus will execute the code present on the
"KEY" disk as soon as that "KEY" disk is accessed. It does not require the
ST to be reset. As soon as the "KEY" disk is accessed, whatever code  is
present on the "KEY" disk will be executed immediately. Of course, I will
not make public what that "KEY" is. All version of VKILLER will correctly
identify a "KEY" disk, should one emerge.

Let me make it perfectly clear that the virus on the WordUp v2.0 disks is
reported to NOT contain that "KEY". It will not harm systems, other than to
destroy boot sectors, as noted above. It will, however, cause a system to
fall victim to whatever code is present on a "KEY" disk, should one be
inserted into a system with this virus active. As of this writing, neither I
nor any of the other virus fighters I know  have located a "KEY" disk. No
one, therefore, can warn you of what to expect if a "KEY" disk turns up.

While I applaud NEOCEPT for going public with this warning, and apparently
stopping distribution of the virus quickly, I strongly disagree with their
attempts to lessen the gravity of the situation. This virus is NOT
"harmless", and is absolutely NOT a "virus killer". Viruses hurt everyone in
this industry, and must be fought at every opportunity.




-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path:       ..!{philabs|csun|psivax}!ttidca!woodside