MEMOIR4.CVP   921214
 
             Memoirs of an (infected) virus researcher
 
I've just finished reviewing another antiviral program.  During the
testing, I found out something interesting.
 
My primary test machine was infected.
 
Now, this, one would think, is not necessarily remarkable.  But, you
see, I have a grave shortage of equipment.  The test machine is also
the communications machine.  And, it wasn't supposed to be infected.
 
Still, it happens from time to time.
 
There was the time, rushing the Michelangelo deadline, that I had
made the world's only copy of Michelangelo on a 3.5" diskette.  And
then booted from it.  Just after midnight on the evening of March
5th.  (Well, it was late, and all ...)  Took me another 20 minutes
to put it together again.
 
That's another thing.  The primary test machine is a laptop.  Dual
3.5" floppies.  No hard drive.  Safer that way.  When I'm using it
for communications, I simply use another diskette.  Bootable. 
Write-protected.  Except when I have to make corrections.  But I do
that on the desktop machine.  No chance of infection, if I never put
it into the test machine, unprotected.
 
But I must have.  Sometime.  And that sometime had to be more than
three weeks ago, because that was the last time I did any live
testing.
 
And what was it I was infected with?  DIR-II.  Stealth to the max. 
Fast infector with a vengeance.  I must have infected everything in
sight.
 
Except I didn't.
 
First of all, communications generally deals with either text files
or archives.  Unless the archives are self-extracting, they are not
targets for infection, and neither are the test files.  So for over
three weeks, I was shuttling files from one machine to another and
the virus never had a chance to transfer.  Must have been
frustrating for it.
 
A couple of points about the DIR-II.  It *does* infect text files. 
At least, it infected one of mine.  The filename was SIGBLOCK.NTE,
for those who are wondering.  Only 340 bytes, so only the first
chunk of the viral code shows.
 
Secondly, the business of renaming your programs to non-executable
extensions, with the virus active, works like a hot darn for
disinfection.  Remember to do a CHKDSK /F, *after* you have finished
and booted clean, in order to reclaim lost disk space.  I got
everything back fine.  Except SIGBLOCK.NTE   :-)
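As an added illustration (not part of Slade's column), here is a toy model of a FAT volume showing what a clean-booted CHKDSK sees before and after the rename trick, and why /F must wait until the directory entries are back to normal. It assumes, as a simplification of DIR-II's documented behaviour, that the viral body occupies a single cluster, that every infected directory entry's start-cluster field points at that cluster, and that the true start cluster is written back into the entry when the file is renamed to a non-executable extension while the virus is resident; the cluster layout below is constructed.

```python
# Toy FAT12-style volume: index = cluster number, value = next cluster in the
# chain.  Clusters 0 and 1 are reserved, as on a real FAT volume.
FREE, EOC = 0x000, 0xFFF   # unallocated / end-of-chain markers

def chain(fat, start):
    """Follow a cluster chain from `start`; stops on EOC, a free or out-of-range
    cluster, or a loop, so a corrupt FAT cannot hang the walk."""
    seen = []
    c = start
    while c != EOC and 2 <= c < len(fat) and c not in seen and fat[c] != FREE:
        seen.append(c)
        c = fat[c]
    return seen

def fat_report(fat, directory):
    """What CHKDSK (booted clean, virus not resident) would see:
    lost chains (allocated but unreachable) and cross-linked clusters
    (reached from more than one directory entry)."""
    owners = {}                               # cluster -> entries that reach it
    for name, start in directory.items():
        for c in chain(fat, start):
            owners.setdefault(c, []).append(name)
    allocated = {c for c in range(2, len(fat)) if fat[c] != FREE}
    lost = sorted(allocated - owners.keys())
    crosslinked = sorted(c for c, names in owners.items() if len(names) > 1)
    return lost, crosslinked

def reclaim_lost(fat, directory):
    """CHKDSK /F equivalent: free every allocated cluster that no directory
    entry reaches.  Returns the clusters it freed."""
    lost, _ = fat_report(fat, directory)
    for c in lost:
        fat[c] = FREE
    return lost

# Constructed sample: COMMAND.COM = clusters 2->3, CHKDSK.EXE = 4,
# NOTES.TXT = 5 (never infected), viral body parked in cluster 9.
FAT = [0, 0, 3, EOC, EOC, EOC, 0, 0, 0, EOC, 0, 0, 0, 0, 0, 0]
# Infected state: both executables' start-cluster fields redirected to 9.
INFECTED = {"COMMAND.COM": 9, "CHKDSK.EXE": 9, "NOTES.TXT": 5}
# After renaming with the virus active: true start clusters restored.
CLEANED = {"COMMAND.COM": 2, "CHKDSK.EXE": 4, "NOTES.TXT": 5}

if __name__ == "__main__":
    # Infected + virus not resident: the real program bodies look "lost" and
    # cluster 9 is cross-linked, so CHKDSK /F now would free the programs.
    print("infected:", fat_report(FAT, INFECTED))
    fat = list(FAT)
    print("cleaned: ", fat_report(fat, CLEANED))      # only cluster 9 is lost
    print("freed:   ", reclaim_lost(fat, CLEANED))    # [9], space reclaimed
```

Running CHKDSK /F against the infected state would free clusters 2, 3 and 4, the real program bodies; against the cleaned state it frees only the orphaned viral cluster.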
 
copyright Robert M. Slade, 1992   MEMOIR4.CVP   921214

==============                      
Vancouver      ROBERTS@decus.ca    | This message contains not less
Institute for  Robert_Slade@sfu.ca | than 70% post consumer electrons
Research into  rslade@cue.bc.ca    | and not less than 80% post
User           p1@CyberStore.ca    | harangue opinions.
Security       Canada V7K 2G6      | Please recycle.  Thank you.