Path: utzoo!mnetor!uunet!portal!atari!apratt
From: apratt@atari.UUCP (Allan Pratt)
Newsgroups: comp.sys.atari.st
Subject: Atari ST Virus hiding place
Message-ID: <1062@atari.UUCP>
Date: 9 May 88 22:28:49 GMT
Organization: Atari Corp., Sunnyvale CA
Lines: 35
Keywords: virus

I have posted this to comp.risks, and I'll post it here.  "PGN"
is the moderator of comp.risks: Peter G. Neumann @ rl.sri.com.

A perfect hiding place for viruses on the Atari ST has come to my
attention.  The reason it's interesting is it is a place where a VERY
LARGE virus can live -- much larger than just the boot sector of a
floppy. 

The hole exists because the ST formats floppies with five-sector FATs
(File Allocation Tables) even though at most three sectors will be used. 
Since there are two FATs per disk, this leaves four sectors for the
virus.  A boot-sector virus could be five sectors in length without
impacting the user-visible free space on the disk. 

The sectors in question are logical sectors 4, 5, 9, and 10 (where the
boot sector is sector 0).  These sectors are always zeroed by the
built-in formatter (I can't speak for others).  The rationale, I
believe, for the five-sector FATs is so the root directory of the volume
will appear on Side 1 of a double-sided disk, so a single-sided drive
will not be fooled into thinking it can work with the disk. 

I asked PGN about posting this -- about the tradeoff between warning the
friendlies and informing the hostiles about this hiding place.  As PGN
pointed out, "...  the underground will find out anyway.  The crackers
are networked better than everyone else."

So here is my posting.  The cure for an infected disk is to make the
boot sector non-bootable, and zero the four sectors listed above. 

============================================
Opinions expressed above do not necessarily	-- Allan Pratt, Atari Corp.
reflect those of Atari Corp. or anyone else.	  ...ames!atari!apratt

[P.S. I don't know of any viruses which use this hiding place.  I only
know it's there, and we should all be careful.]
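
The check and cure described in the post above, as an added Python example that is not part of the original posting. It assumes a raw sector-by-sector disk image with 512-byte sectors laid out as the post describes, and it relies on one fact the post does not state: the ST treats a boot sector as executable when its 256 big-endian words sum to 0x1234. The function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 512                   # assumed bytes per logical sector
SLACK_SECTORS = (4, 5, 9, 10)  # unused FAT sectors named in the post
BOOT_MAGIC = 0x1234            # assumed: word sum that marks a boot sector executable
MIN_SIZE = 11 * SECTOR         # image must reach the end of logical sector 10


def boot_checksum(image):
    """Sum of the boot sector's 256 big-endian words, modulo 0x10000."""
    return sum(struct.unpack(">256H", bytes(image[:SECTOR]))) & 0xFFFF


def audit(image):
    """Return (boot_sector_executable, slack sectors holding non-zero bytes)."""
    if len(image) < MIN_SIZE:
        raise ValueError("image too short to contain logical sectors 0-10")
    dirty = [s for s in SLACK_SECTORS
             if any(image[s * SECTOR:(s + 1) * SECTOR])]
    return boot_checksum(image) == BOOT_MAGIC, dirty


def clean(image):
    """Apply the post's cure in place on a bytearray holding the disk image."""
    audit(image)  # reuses the length check
    for s in SLACK_SECTORS:
        image[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)
    if boot_checksum(image) == BOOT_MAGIC:
        # Bump the last word so the sum no longer matches the magic value.
        last = struct.unpack_from(">H", image, SECTOR - 2)[0]
        struct.pack_into(">H", image, SECTOR - 2, (last + 1) & 0xFFFF)
    return image


def make_sample():
    """Constructed image: executable boot sector, stray bytes in sectors 4 and 9."""
    img = bytearray(MIN_SIZE)
    struct.pack_into(">H", img, SECTOR - 2, BOOT_MAGIC)  # word sum becomes 0x1234
    img[1 * SECTOR] = 0xF9            # constructed byte in a used FAT sector
    img[4 * SECTOR] = 0xAA            # constructed stray data
    img[9 * SECTOR + 100] = 0x55      # constructed stray data
    return img


if __name__ == "__main__":
    img = make_sample()
    print("before:", audit(img))
    print("after: ", audit(clean(img)))
```

Non-zero slack sectors on a disk formatted by something other than the built-in formatter are not proof of infection, since the post only vouches for the built-in formatter zeroing them.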