Path: utzoo!mnetor!uunet!portal!atari!apratt
From: apratt@atari.UUCP (Allan Pratt)
Newsgroups: comp.sys.atari.st
Subject: Atari ST Virus hiding place
Message-ID: <1062@atari.UUCP>
Date: 9 May 88 22:28:49 GMT
Organization: Atari Corp., Sunnyvale CA
Lines: 35
Keywords: virus

I have posted this to comp.risks, and I'll post it here. "PGN" is the moderator of comp.risks: Peter G. Neumann @ rl.sri.com.

A perfect hiding place for viruses on the Atari ST has come to my attention. The reason it's interesting is it is a place where a VERY LARGE virus can live -- much larger than just the boot sector of a floppy.

The hole exists because the ST formats floppies with five-sector FATs (File Allocation Tables) even though at most three sectors will be used. Since there are two FATs per disk, this leaves four sectors for the virus. A boot-sector virus could be five sectors in length without impacting the user-visible free space on the disk.

The sectors in question are logical sectors 4, 5, 9, and 10 (where the boot sector is sector 0). These sectors are always zeroed by the built-in formatter (I can't speak for others).

The rationale, I believe, for the five-sector FATs is so the root directory of the volume will appear on Side 1 of a double-sided disk, so a single-sided drive will not be fooled into thinking it can work with the disk.

I asked PGN about posting this -- about the tradeoff between warning the friendlies and informing the hostiles about this hiding place. As PGN pointed out, "... the underground will find out anyway. The crackers are networked better than everyone else." So here is my posting.

The cure for an infected disk is to make the boot sector non-bootable, and zero the four sectors listed above.

============================================
Opinions expressed above do not necessarily   -- Allan Pratt, Atari Corp.
reflect those of Atari Corp. or anyone else.     ...ames!atari!apratt

[P.S. I don't know of any viruses which use this hiding place.
I only know it's there, and we should all be careful.]
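
The check and cure described in the post above, sketched as an added example that is not part of the original post or any Atari tool. It assumes a raw, sector-ordered floppy image with 512-byte sectors, and it relies on the TOS convention (not stated in the post) that a boot sector is executed when its 256 big-endian words sum to 0x1234; the function names and the sample image are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512               # assumption: standard ST floppy sector size
SLACK_SECTORS = (4, 5, 9, 10)   # logical sectors named in the post
BOOT_MAGIC = 0x1234             # TOS convention: word sum that marks sector 0 executable


def boot_checksum(image: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words in logical sector 0."""
    return sum(struct.unpack(">256H", image[:SECTOR_SIZE])) & 0xFFFF


def audit(image: bytes) -> dict:
    """Report whether sector 0 is executable and which unused FAT sectors hold data."""
    if len(image) < (max(SLACK_SECTORS) + 1) * SECTOR_SIZE:
        raise ValueError("image too short to contain both FATs")
    dirty = [n for n in SLACK_SECTORS
             if any(image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])]
    return {"bootable": boot_checksum(image) == BOOT_MAGIC, "dirty_slack": dirty}


def clean(image: bytes) -> bytes:
    """Apply the cure from the post to a copy of the image."""
    out = bytearray(image)
    for n in SLACK_SECTORS:
        out[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE] = bytes(SECTOR_SIZE)
    if boot_checksum(out) == BOOT_MAGIC:
        # Bump the last word of sector 0 so the sum no longer matches.
        last = struct.unpack_from(">H", out, SECTOR_SIZE - 2)[0]
        struct.pack_into(">H", out, SECTOR_SIZE - 2, (last + 1) & 0xFFFF)
    return bytes(out)


def constructed_image() -> bytes:
    """Constructed sample: 11 sectors, executable boot sector, data in sectors 4 and 10."""
    img = bytearray(11 * SECTOR_SIZE)
    img[0:2] = b"\x60\x38"      # arbitrary constructed bytes
    fix = (BOOT_MAGIC - boot_checksum(img)) & 0xFFFF
    struct.pack_into(">H", img, SECTOR_SIZE - 2, fix)
    img[4 * SECTOR_SIZE] = 0xAA
    img[10 * SECTOR_SIZE + 7] = 0x55
    return bytes(img)


if __name__ == "__main__":
    sample = constructed_image()
    print(audit(sample))
    print(audit(clean(sample)))
```

A non-zero slack sector is a reason to inspect the disk rather than proof of infection, since the post only vouches for the built-in formatter zeroing these sectors.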