Cursed existence?

Richard Karsmakers keeps on top of viral developments on the Atari platform,...

Richard Karsmakers, author of the 'Ultimate Virus Killer' (UVK) and the 'UVK Book' spin-off project, has recently upgraded his software and made the book available 'on disk' - both events triggered by recent viral developments.

Ever since the first computer viruses appeared on the Atari platform, during late 1987, a steady flow of new viral strains and mutated incarnations has appeared. In recent times newly discovered viruses were simple variations of earlier strains and it appeared virus innovation had ground to a halt completely. The days of the dreaded 'Beilstein' virus seemed far behind and the gap between UVK updates increased as we relaxed - believing the perpetrators had migrated to other platforms. That was the position until developments during the summer of 1996 made it necessary to re-activate counter-measures.

Curse of the pharaohs

Early in 1996 I received a disk with an ominous 'new virus' message written on it. With the general near-despondency I had subsided into, I took my time with the analysis - in fact, and I admit this with a degree of embarrassment, it was late summer when I got around to investigating the disk! It appears the disk was sent to me by the author of the virus itself, and included an assembler source file to help me figure out what was going on.
This turned out to be a particularly nasty bootsector virus (see boxout). First of all the virus was reset-proof, which means it would not be removed from memory by pressing the Reset button, and secondly it employed an intricate combination of encoding algorithms to prevent detection by virus killing software.
I had to take the unusual step of rewriting sections of the 'UVK' bootsector virus recognition code to cope with this new virus. It combines two encryption processes on top of a variety of structural alterations in the viral code to create a potential total of almost 5*10^23 different versions of itself, around 500,000,000,000,000,000,000,000 - a whole whopping lot! Imagine if every disk ever owned by all the Atari enthusiasts in the entire world were infected: no two copies of the virus would appear the same - in fact you'd be more likely to win the National Lottery several times than encounter two identical strains, so you can imagine it's not easy for virus detection software to get to grips with it.
After a night involving the usual quantities of blood, sweat and tears (and lots of disks infected for test purposes) UVK was finally able to recognise all possible manifestations of the so-called 'Pharaoh Virus'.
 
 
Virus types

Viruses on the Atari platform can generally be divided into two kinds: bootsector and link viruses. Bootsector viruses infect your computer when booting with an infected disk in the drive. They usually infect any other write-enabled floppy disk you insert, which means these disks will also infect a computer if they are in the disk drive during the boot process. There are around 100 bootsector viruses on the Atari platform. Link viruses do not operate from a disk's bootsector; instead they attach themselves to executable program files and infect a computer system from there. Once a system is infected, the virus spreads as other files are executed. Because the virus typically 'appends' itself to the original executable, infected program files grow in size, which makes them easier to detect than bootsector viruses.
There are five known link viruses on the Atari platform.
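Bootsector viruses only work because TOS executes a floppy's boot sector when the sum of its 256 big-endian 16-bit words, modulo 0x10000, equals 0x1234. The check below is an added example (not UVK's code) that flags such executable boot sectors and shows how a killer can neutralise one without touching the disk-format parameters; the 720K sample sector and its BPB values are constructed for the test.

```python
import struct

SECTOR_SIZE = 512
BOOT_MAGIC = 0x1234   # TOS runs the sector only if its word-sum equals this


def boot_checksum(sector: bytes) -> int:
    """Sum of the 256 big-endian 16-bit words of a sector, modulo 0x10000."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an Atari boot sector is exactly 512 bytes")
    return sum(struct.unpack(">256H", sector)) & 0xFFFF


def is_executable(sector: bytes) -> bool:
    """True if TOS would execute code from this sector at boot time.
    A plain data disk never needs this, so it is the first thing to flag."""
    return boot_checksum(sector) == BOOT_MAGIC


def neutralise(sector: bytes) -> bytes:
    """Return a copy TOS will not execute: the final word is bumped so the
    word-sum no longer hits 0x1234. Bytes 0-29 (the BIOS parameter block
    describing the disk format) are untouched, so the disk stays readable."""
    if not is_executable(sector):
        return sector
    last = struct.unpack(">H", sector[-2:])[0]
    return sector[:-2] + struct.pack(">H", (last + 1) & 0xFFFF)


def constructed_sample(executable: bool) -> bytes:
    """Constructed 720K double-sided boot sector (assumed BPB values).
    With executable=True the final word is chosen so the word-sum reaches
    0x1234, giving the detector a realistic executable sector to test."""
    bpb = struct.pack("<2s6s3sHBHBHHBHHHH",
                      b"\x60\x1c", b"Loader", b"\x00\x00\x00",  # branch, OEM, serial
                      512, 2, 1, 2, 112, 1440,                  # BPS SPC RES FATS DIRS SECS
                      0xF9, 5, 9, 2, 0)                          # media SPF SPT sides hidden
    sector = bpb + bytes(SECTOR_SIZE - len(bpb))  # boot-code area left empty
    if executable:
        fix = (BOOT_MAGIC - boot_checksum(sector)) & 0xFFFF
        sector = sector[:-2] + struct.pack(">H", fix)
    return sector
```

Run the detector over every floppy's sector 0 (e.g. read from a disk image) and treat any executable sector you did not deliberately create as suspect.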

 

Seize the day

The next day I was finishing up the updated release version of UVK when I remembered another archive I'd been sent recently. The archive supposedly contained a new link virus (see boxout). Over the years I've received dozens of hoax messages, archives and disks like these, so I was expecting this to be another one to add to the list.
I set about casually analysing the ZIP archive's contents and after several minutes, let out a heartfelt expletive as my hard disk became infected by a virus I hadn't seen before. For a brief moment the text 'Ruth Marcs Development Inc. (Dedicated to the memory of Lucky Lady)' flashed on-screen, then nothing. Lucky Lady was a particularly infamous creator of viruses and I broke out into beads of sweat when forty seconds later the text 'BO[BJOF' appeared at the top left hand side of the screen and my computer crashed shortly afterwards!

I spent another night fervently hacking at the computer, initially trying to disinfect my own system and later trying to find out exactly how this virus went about its business. It eventually became apparent that a file called CARPDIEM.PRG was a bogus program, a so-called 'Trojan Horse', which installs the virus in the computer's memory, infects any floppy currently in the disk drive, and writes a tiny hidden file called '~.PRG' into the Auto folder of hard disk partition C. Hidden files are normally created by changing the program header flags from the desktop, in the same way files are made Read Only. For the time being, contra-viral activities are once again in step with the threat.
To eradicate this virus completely it's necessary to remove all instances of viral infection. However, booting with an infected floppy disk re-installs the hidden '~.PRG' file on the hard disk, and booting with a clean floppy disk while the hidden '~.PRG' file remains on the hard disk re-infects the floppy. Either copy of the virus infects the computer's memory and re-installs its alter ego as required - nasty!


 
 
Carpe Diem warning

The 'Carpe Diem Virus' originates from a ZIP archive called 'CARPDIEM.ZIP'. The archive contains a file called 'CARPDIEM.PRG' (91,750 bytes in size) and a small text file reading 'Sease the day, and run this great falcon enhanced game!!' (sic). Upon running this 'game' keen observers may spot the text 'Ruth Marcs Development Inc. (Dedicated to the memory of Lucky Lady)' displayed briefly before the Desktop reappears; the virus is now installed in memory and on the floppy disk currently in the drive. There will be a small, hidden '~.PRG' file in C:\AUTO\ and after around forty seconds the text 'BO[BJOF' appears at the top left side of the screen to signify the virus has been activated, causing both Falcon and ST systems to crash repeatedly.
 

Do not de-archive any ZIP files called 'CARPDIEM.ZIP'. Do not run the program 'CARPDIEM.PRG' contained in it!
 

'Ultimate Virus Killer' v6.9 or later can recognise this virus and help you get rid of it completely, and includes step-by-step instructions explaining how to disinfect your system and hard disk.
 

 

I wonder what the next six months will bring? For now, at least, UVK is once again up-to-date.
 
 
The 'Ultimate Virus Killer Book'

The 'Ultimate Virus Killer Book', originally released in July 1995, is now available 'on disk' using a specially programmed version of the 'ST NEWS' disk magazine interface.
The book and UVK will be updated approximately bi-annually.

The unregistered version is available by ftp from ftp.uni-kl.de in the path /pub/atari/misc, or by post on receipt of three International Reply Coupons; the registered version costs £5.
 

 

To be continued?...
 
 
'Ultimate Virus Killer' v7.0 now available!

UVK works on all Atari systems (including Geneva, Magic, MultiTOS, Stonx and Gemulator) and is available from:

Douglas Communications
P.O. Box 119
Stockport
SK2 6HW

Tel: 44+(0)1625 850270
Cost: £13.95

Richard Karsmakers
P.O. Box 67
NL-3500 AB  Utrecht
The Netherlands

Cost: £10
Cash or cheque made out to J.P. Karsmakers only
