Path: utzoo!utgpu!water!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!bloom-beacon!husc6!linus!philabs!ttidca!woodside
From: woodside@ttidca.TTI.COM (George Woodside)
Newsgroups: comp.sys.atari.st
Subject: Re: Atari ST Virus hiding place
Keywords: virus
Message-ID: <2499@ttidca.TTI.COM>
Date: 12 May 88 14:36:06 GMT
References: <1062@atari.UUCP>
Reply-To: woodside@ttidcb.tti.com (George Woodside)
Organization: Citicorp/TTI, Santa Monica
Lines: 58

In article <1062@atari.UUCP> apratt@atari.UUCP (Allan Pratt) writes:
[...edited...]
>A perfect hiding place for viruses on the Atari ST has come to my
>attention.  The reason it's interesting is it is a place where a VERY
>LARGE virus can live -- much larger than just the boot sector of a
>floppy. 
>
>The hole exists because the ST formats floppies with five-sector FATs
>(File Allocation Tables) even though at most three sectors will be used. 
>Since there are two FATs per disk, this leaves four sectors for the
>virus.  A boot-sector virus could be five sectors in length without
>impacting the user-visible free space on the disk. 
>
>The sectors in question are logical sectors 4, 5, 9, and 10 (where the
>boot sector is sector 0).  These sectors are always zeroed by the
>built-in formatter (I can't speak for others).  
Since I'm the person (or at least one of them) responsible for bringing
this to Allan's attention, let me expand on it a bit, and hopefully head 
off a potentially false solution.

I've been spending a fair amount of time examining suspected virus disks
sent to me. I will continue to do so. If you suspect a disk of bearing a virus,
send it to me, and I'll check it out. If there is a virus on it, I'll add
a kill for it to the next generation virus killer.

>[P.S. I don't know of any viruses which use this hiding place.  I only
>know it's there, and we should all be careful.]

I do!

One of the virus disks I have contains logic which loads an additional sector
from the disk, one of the FAT sectors Allan mentioned. Note, however, that
it determines which sector to load by examining the disk configuration data
in the boot sector. It checks the FAT size, and the number of reserved
sectors, then determines the last sector in the first copy of the FAT. It
loads that sector, and attempts to execute code it expects to find there.

So, anyone thinking of writing a formatter which allocates only three-sector
FATs: don't bother. You will not only fail to stop the spread of the
virus, you'll also get any files on the tail end of the disk wiped out.

My next generation of virus killer will check and zero (after requesting
permission) the unused FAT sectors. As Allan states, that's the safest way
to deal with the problem.

Meanwhile, if you suspect a virus, send the suspect disk to:

     George R. Woodside
     5219 San Feliciano Drive
     Woodland Hills, Ca. 91364 (USA)

Thank you.

-- 
*George R. Woodside - Citicorp/TTI - Santa Monica, CA 
*Path: ..!{trwrb|philabs|csun|psivax}!ttidca!woodside
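Added example, not from either poster: a defender-side scanner in the spirit of the virus killer George describes. It reads the disk configuration data from logical sector 0 to locate the two FAT copies, works out how many FAT sectors the disk really needs, lists the spare ones (4, 5, 9 and 10 on a standard 720K disk), flags any that are not zeroed, and can clear them. Assumptions: the ST boot sector carries the MS-DOS BPB layout with little-endian fields, TOS executes a boot sector whose 256 big-endian words sum to 0x1234, and the disk image used here is constructed.

```python
import struct

def parse_bpb(boot):
    """BPB fields from logical sector 0 (MS-DOS layout, little-endian)."""
    bps, spc, res, nfats, ndirs, nsects, _media, spf = struct.unpack_from(
        "<HBHBHHBH", boot, 0x0B)
    return dict(bps=bps, spc=spc, res=res, nfats=nfats, ndirs=ndirs,
                nsects=nsects, spf=spf)

def fat_sectors_needed(b):
    """FAT12 sectors the disk really needs: 3 on a 720K ST floppy, although spf is 5."""
    dir_sectors = -(-b["ndirs"] * 32 // b["bps"])
    data = b["nsects"] - b["res"] - b["nfats"] * b["spf"] - dir_sectors
    fat_bytes = -(-(data // b["spc"] + 2) * 3 // 2)  # 12-bit entries, 0 and 1 reserved
    return -(-fat_bytes // b["bps"])

def unused_fat_sectors(b):
    """Logical sectors inside each FAT copy that the file system never writes."""
    needed, spare = fat_sectors_needed(b), []
    for copy in range(b["nfats"]):
        start = b["res"] + copy * b["spf"]
        spare.extend(range(start + needed, start + b["spf"]))
    return spare

def boot_sector_executable(boot):
    """TOS executes a boot sector whose 256 big-endian words sum to 0x1234 (assumption)."""
    return sum(struct.unpack(">256H", boot[:512])) & 0xFFFF == 0x1234

def scan(image):
    """Report the spare FAT sectors and which of them hold non-zero data."""
    b = parse_bpb(image)
    spare = unused_fat_sectors(b)
    nonzero = [s for s in spare if any(image[s * b["bps"]:(s + 1) * b["bps"]])]
    return {"executable_boot": boot_sector_executable(image),
            "unused": spare, "nonzero": nonzero}

def zero_unused_fat_sectors(image):
    """The cure the post describes: a copy of the image with the spare sectors cleared."""
    b, buf = parse_bpb(image), bytearray(image)
    for s in unused_fat_sectors(b):
        buf[s * b["bps"]:(s + 1) * b["bps"]] = bytes(b["bps"])
    return bytes(buf)

def make_test_image():
    """Constructed 720K double-sided image with junk planted in logical sector 5."""
    img = bytearray(1440 * 512)
    struct.pack_into("<HBHBHHBH", img, 0x0B, 512, 2, 1, 2, 112, 1440, 0xF9, 5)
    img[5 * 512:5 * 512 + 4] = b"\xde\xad\xbe\xef"  # constructed marker, not real code
    return bytes(img)
```

Sector 5 is the last sector of the first FAT copy, which is exactly where the post says the sample looks, so a non-zero hit there is what the scan reports before the cure is applied.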