THE ULTIMATE VIRUS KILLER BOOK
2 - VIRUS CLASSIFICATION
virus, n. venom: contagious or poisonous matter (as of ulcers,
etc.): the transmitted cause of infection: a pathogenic agent, a
combination of chemicals, but capable of increasing rapidly
inside a living cell: any corrupting influence.
Chambers Twentieth Century Dictionary
Viruses (or virii, or whatever you want to call them - though
'viruses' seems to be the word that is most commonly used) and
all things even remotely connected with them are as old as
computers are. The term 'computer virus' seems to indicate a
connection with biological viruses which is, as we will see
later, highly appropriate due to the striking similarities.
In the early days of computing, viruses and associated programs
predominantly appeared on networks and large mainframe systems,
but as time proceeded and home computers became more affordable,
viruses also became known to lesser mortals like us. More about
2.1 WHAT ARE VIRUSES?
Indeed, the word 'virus' in the term 'computer virus' has quite
some affinity with its biological counterpart. The latter infects
living cells, in which they then manipulate the gene information
so as to cause those living cells to start reproducing other
virus cells instead of their former, healthy selves. A very
clever piece of work of mother nature, and all of us have no
doubt been confronted with it more than once - any common case of
cold, for example, is a virus disease. Other 'popular' virus
diseases are flu and, indeed, AIDS and the recently re-arisen
Computer viruses function very much like biological viruses, the
only difference being that they don't infect living cells but
'prey' on programs and floppy disks instead.
Well...er...we already knew that viruses can turn out to have
rather negative consequences for computer users, and we also know
that they tend to copy themselves - or don't they actually have
to copy themselves to be called a virus? What is a virus,
A definition might be in order here.
In his "Computer Viruses: Theory and Experiments", published in
1984, Fred Cohen defines a computer virus as follows...
"We define a computer 'virus' as a program that can 'infect'
other programs by modifying them to include a possibly evolved
copy of itself. With the infection property, a virus can spread
throughout a computer system or network using the authorisation
of every user using it to infect their programs. Every program
that gets infected may also act as a virus and thus the infection
Of course, this description is somewhat outdated now. For
example, bootsector viruses, like we will see shortly, will not
infect other programs but other disks instead. And the bit about
'user authorisation' is also somewhat vague to mere humble
mortals like you and me.
It is not the intention of this book to come up instead with an
up-to-date description of what a virus might then be. Apart from
the fact that many authors have already tried it - and that other
authors later always changed and updated them - this is
completely beyond the scope of this book. Remember, it aims
primarily to tackle the practical side of things. There is
limited use for theories and definitions, so let's happily throw
them in the bin and temporarily retrieve them only when really
All you need to know is that viruses can infect other disks or
programs quite autonomously by copying or appending themselves to
them respectively, and that most viruses contain a destruction
routine that can later be triggered by something. It is also
important to know that the destruction routine is likely to do
something bad. These events described as 'something' vary
independently from the virus you're dealing with and are limited
only by the somewhat warped mind of the virus programmer.
The destruction routines are the main reasons why computer
viruses should be got rid of. They can principally vary from
harmless operations such as changing the colours of your screen
or making the sound chip produce a bit of noise right up to
rather more evil proceedings such as entirely clearing your
floppy disk or even formatting a partition of your hard disk,
with just about anything conceivable in between. You will find
mention of more specific examples of destruction routines
incorporated in the descriptions of various Atari-specific
viruses in appendix A.
The destruction routine is usually not invoked immediately after
a virus is executed or once it has multiplies itself. As a matter
of fact, the "success" of a virus can be measured by the time it
can remain alive to produce copies of itself, the time it can
continue to infect other disks or programs. The longer it lives,
the longer it can multiply. The more copies it succeeds in making
of itself (with each copy creating yet more copies, and so on and
so forth in a distinctly exponential way), the larger the damage
will be when eventually it comes out of its hiding. And until
that time a computer virus is invisible, copying itself without
the user ever finding out anything about what's happening. The
moment the destruction routine is invoked, often the virus itself
ceases to be and can no longer multiply itself.
That is why, usually, a trigger routine is built into a virus to
control the moment when the destruction routine will be called.
It generally assures the destruction routine is not invoked until
after a specified time or after a specified number of events,
such as a specific date in your computer's internal clock, or
having reached a specific generation number, or by finding
certain file names on your storage media. Other examples of
trigger routine specifications can be found, again, in appendix
2.2 BOOTSECTOR VIRUSES
The kind of virus that is most widely spread on the Atari TOS
computer platform is the bootsector virus. To understand what a
bootsector virus is and how it works, however, one should first
know something about the way a disk is built up: The disk format
of Atari TOS computers (which, incidentally, happens to be
identical to that of MS-DOS machines). We also need to know
something about the machine's booting process and the way the
Operating System works.
Please have a look at figure 1 in the "pictures" folder for a
glance at what a disk format looks like, in this case that of a
standard Double Density disk.
Figure 1 shows that a disk is divided in a number of concentric
rings that are called tracks. These tracks are again divided in
parts that are called sectors. The number of tracks on a disk can
vary, though it is usually 80. The number of sectors per track on
Double Density (DD) disks is usually 9, but can vary up to 11.
High Density (HD) disks usually have 18 sectors per track, though
this can be increased to up to 22. Extra High Density (ED) disks
in general have 36 sectors per track, though this can run up to
40. There is space for 512 bytes of data inside each of those
Double-sided disks are built up identical on the second side;
thus, double-sided disks have each track twice, resulting in
twice as many sectors and, correspondingly, twice the storage
Because the format of individual disks can vary (various number
of tracks, sectors and sides can be specified, among other
things), a disk needs to have some way to 'tell' the disk drive
and your computer what its specific amount of tracks, sectors and
sides are. That is why, when a disk is being formatted, your
computer's Operating System writes that information on the disk's
bootsector, the first sector on the first track on side A of
every disk. This bootsector is always at the same location
irrespective of what disk you are using, so your computer can
always determine how the disk has been formatted.
In the bootsector there is a specific area that is used
exclusively to store these values in. This segment is called the
BIOS Parameter Block (or BPB for short), which takes up about 20
of the 512 bytes available in that sector. The BPB is loaded and
analysed by the Operating System each time you insert a disk and
the Operating System has to access it (such as happens, for
example, when it reads the the list of the files present on a
disk, the directory). All of this happens automatically and
rather quickly, without the user really noticing.
When resetting an Atari TOS computer or switching it on, the
Operating System (TOS) immediately takes over control and starts
installing all kinds of necessary things in memory - like system
variables, a reserved space where the screen memory will be, and
lots more. Don't be confused by these names just yet as they will
be explained later - and in case you haven't got the patience,
you may care to refer to appendix J, the glossary.
This process, anyway, is called booting, and it takes care of a
whole lot of things before the GEM desktop actually appears and
you can start using the machine (see appendix I for everything it
actually does). Again, this happens quite fast and
One of the many things booting takes care of is reading into the
computer's memory whatever is on the bootsector of the disk that
is currently in the disk drive. Once that's done successfully, a
checksum of the 512 bytes that have just been read will be
calculated. Should that checksum equal a hexadecimal value of
$1234, the Operating System will execute whatever program happens
to be loaded from the bootsector at that moment.
Yes, apart from the aforementioned BIOS Parameter Block, a
bootsector may also contain a small program that will be executed
during booting, i.e. on boot-up. This possibility was included so
that alternative Operating Systems could be loaded this way,
before enormous chunks of memory would already have been
allocated for use by GEM and the like. Apart from the old Atari
TOS 'on- disk' versions and alternative Operating Systems, many
commercial games and demos use this feature to load (hundreds of
them, actually). Apart from the fact that this usually assures
faster loading, the software companies or demo crews involved
often implement this as part of their software protection.
Unfortunately, the flexibility offered by this method also
allows for less savoury little programs to be installed into
memory such as, indeed, bootsector viruses. Instead of being used
to load an Operating System, game or demo, the program in the
bootsector now installs itself into a safe spot in your
computer's memory, makes itself resident and active by patching
onto a few Operating System vectors, and gives control back to
the computer as if nothing has happened, the virus installed and
ready to strike.
Safe spots?! Patching!? Operating System vectors!? Strike?! All
will be explained forthwith. Just bear with me for a little while
There are various safe spots in memory where a virus can locate
itself without there being much danger of being overwritten by
other programs that may be loaded into memory at some later
instance. Only a part of your computer's RAM - the so-called
Transient Program Area - is used to actually load and execute
regular programs, and basically viruses just make sure that they
locate themselves somewhere else. There are plenty of small bits
of memory unused by anything else in which a virus can hide
itself. After all, especially bootsector viruses are usually no
bigger than 512 bytes, so that's all they'll need. An amount like
512 bytes is peanuts to the 524,288 bytes that even the most low-
spec 520 ST computer has, let alone something like the 4,193,304
bytes that a 4 Mb system has.
The next step we need to look at is the thing that was just now
referred to as patching. To understand how this works, we have to
take a somewhat deeper look at how your computer's Operating
System works exactly.
A large part of the Operating System consists of small sub-
programs that do very specific things. There are, for example,
special sub-programs that set the colours, display a line of text
or even play a sequence of sounds. There are also, however, sub-
programs that function to read a sector from or write a sector to
Because one such sub-program can be located at various different
addresses in your Operating System's ROM memory, depending on the
Operating System version you're using, some kind of method had to
be developed to make sure that programmers would be able to use
those routines, too, without first having to find out the ROM
memory addresses on which to find the sub-programs they would
want to use.
What Atari came up with, basically, was agreeing on certain
specially documented and reserved memory addresses - safely
outside the Transient Program Area - that would always contain
the ROM memory address for a particular sub-program in the
current version of the Operating System. The Operating System
itself, upon boot-up, would make sure the proper ROM addresses
were stored there.
These specially documented and reserved addresses are called
system variables or system vectors. If the Operating System or a
regular program wants to read a sector from disk, for example,
whether it is part of a bigger file or just on its own, it will
jump through the address contained on the specifically documented
system vector that will get access to the desired sub-program to
read a disk sector.
Besides maintaining inter-version Operating System
compatibility, however, the whole setup involving system vectors
has another reason, even more important. You see, the Operating
System's sub-program to change the colours of your screen is
quite adequate for your machine's standard graphic resolutions
but will be quite improper if you have installed a better
graphics card that will yield a higher resolution, for example,
with more colours. Similarly, the sub-program to read a sector
from floppy disk functions properly but it is not quite
sufficient to handle other, larger media such as hard disks or CD
To allow for the installation of extended screen drivers or
similar drivers for larger storage media, system vectors are a
necessity. Suppose an extended screen driver is installed and a
programmer 'tells' the Operating System, for example, to change a
colour. It will jump through the address contained on the
specified system vector that would normally get to the desired
Operating System sub-program. However, when an extended screen
driver is installed this causes the system vector not to 'point'
to the Operating System's sub-program but to one within the
driver software that, unlike the original one, will be able to
handle a bigger screen resolution with more colours. Only when it
determines the screen is of regular dimensions with a regular
amount of colours will it give back control to the original
Operating System's sub-program. For this purpose it has stored
the original address it found on that system vector in an
internal buffer somewhere.
In a way much the same as described in the above example, a hard
disk driver will cause the system vector through which the
Operating System jumps when it wants to access a disk sector to
be pointed to the extended routines that, unlike that of the
Operating System, can handle hard disks the way they ought to.
And only when the extended driver software notices it's dealing
with a regular floppy disk (this is easily done by checking if
the drive identifier is "A" or "B", which are never hard disks)
will it pass control on to the original sub-program contained
within the Operating System.
The people at Atari weren't lazy by not implementing extended
screen drivers themselves, nor by not implementing right within
the Operating System the sub-programs that are needed to use a
hard disk and a CD ROM. They were merely taking into
consideration the development of new storage media that weren't
even known at the time the Operating System was written. They
tried to keep things as flexible as possible, and decided to keep
the Operating System down to the bare necessities. Producers of
extended hardware (whether graphic cards or larger storage media
or whatever) were, via the system vectors, given the ability to
write their own specific routines.
I hope you're still with me. Maybe it will console you if I say
that you have now behind you probably the most difficult part of
the entire "Ultimate Virus Killer Book". It was, incidentally,
also the most difficult to write.
Bootsector viruses would, logically, benefit from 'knowing' when
your computer is accessing the disk drive; they could, for
example, copy themselves to the disk currently in the drive when
they notice that the Operating System is writing to or reading
from that disk anyway. So what a bootsector virus does, when
installing itself, is make sure the system vectors for the
various disk-associated sub-programs point to a small part within
itself instead of to the addresses originally present on the
system vectors (which would point to sub-programs within the
Operating System or an extended storage media driver, usually).
The virus would now, whenever a disk-associated sub-program is
called either by a program or the Operating System, get executed
before anything else and check if it wants to copy to the disk
currently in the drive and, if needed, do so. And, of course, the
virus will have stored elsewhere within itself the old addresses
so the originally intended sub-programs will be invoked
immediately once the virus has finished whatever it needed to do.
The delay will only be minimal and will, certainly when you're
not paying special attention, go by unnoticed.
You will have noticed that bootsector viruses can only work if
they're in memory all the time, in other words if they're
resident. You can load other programs and quit them again, but
bootsector viruses will remain in memory once they have installed
themselves. They won't disappear until someone resets the system
or turns it off. Principally, that means we're supposed to be
talking about resident bootsector viruses. As all bootsector
viruses on TOS computers are resident in some way or another,
this full name is usually not specified (and therefore will not
be here, either).
Bootsector viruses also exist on a variety of other computers.
The only things that usually differ from the principles mentioned
above (apart, of course, from the actual program code that has to
be suitable for the machine's actual main processor) are the
checksum values, bootsector sizes and the system vector
addresses. On MS-DOS, by the way, all bootsectors are executed
regardless their checksum. Most MS-DOS bootsectors contain a very
small program that displays "This is not a system disk" or
something along similar lines.
More about viruses on other computer systems can be read in
2.2.1 RESET-RESISTANT BOOTSECTOR VIRUSES
There are two specific kinds of bootsector viruses, of which the
first is the reset-resistant variety (reset-resistant is also
often called reset-proof). To fully understand what this means,
it must first be explained what 'reset-resistant' actually means
and what programs have to do to be classified as such.
Reset-resistant means that the program in question will
'survive' a soft reset. A soft reset is performed when you press
the 'reset' button on the back of your computer, an operation
that can also be performed by pressing [CTRL-ALT-DEL] on TOS
versions 1.04 and up. During this reset, most of your computer's
memory will be cleared and the system will again appear as if it
has just booted. Its counterpart, the hard reset, by the way, has
one difference: It clears all your computer's memory. A Hard
reset is performed whenever you turn on your system, or press
[CTRL-ALT-DEL-RIGHT SHIFT] on newer TOS versions. Nothing
survives a hard reset, not even a virus that is reset-resistant.
There are two ways to make a program survive a soft reset on
your computer: The legal and the illegal one. Both of them have
been built into the Operating System by Atari themselves. After
all, they reckoned, there may be perfectly valid reasons for a
program to have to survive a soft reset, so that's why provisions
were built in to assure that such can be achieved. One of the
methods is referred to as 'legal' because it is officially
documented and will not change in possible future versions of the
Operating System. This on the contrary to the 'illegal' way,
which has never really been officially documented even though
many people know about it. Although the illegal method has
continued to be supported in all TOS versions up to and including
Falcon TOS 4.04, it is still not official and might vanish if
Atari ever decide to make a new Operating System version.
A valid program that might want to make sure it - and its
contents - would remain intact after a soft reset, for example,
is a reset-proof RAM disk. This RAM disk, basically a virtual
disk drive in your computer's memory, could then survive a soft
reset with all files stored in it left intact. If it weren't
reset-proof, all those files would be lost upon a soft reset
Hexadecimal address: Name:
System variables for 'legal' reset resistance
When your system is reset (in other words during booting, see
appendix I), at a certain stage the Operating System will check
the resvalid system variable (four bytes at hexadecimal address
$426), and look if there is a so-called 'magic' longword stored
there. When this 'magic' longword happens to contain a
hexadecimal value of $31415926 (the first eight numbers of "pi")
it will not continue the rest of the regular Operating System
reset sub-program but instead first jump to the memory address
contained on the resvector system vector.
A reset-resistant application, now, would cause resvalid to
contain that specially documented magic longword, and cause
resvalid to point to a segment within itself that makes sure it
is safeguarded before the old reset sub-program is called.
During a soft reset, by the way, not all memory is cleared. So,
basically, a virus only needs to make sure that it is re-
installed in a previously cleared patch of memory and the system
vectors correspondingly patched again. All of this happens
quickly and smoothly, so it will appear once again as if nothing
out of the ordinary has happened.
The illegal way, the non-officially documented method, is rather
more complex. Somewhere in its reset routine, after having booted
from floppy or DMA (hard disk), the Operating System will check
all RAM memory locations at 512-byte intervals starting at the
physical top of RAM memory and going down to hexadecimal address
$600 inclusive to see if it finds there another one of those
'magic' longword values, in this case a hexadecimal longword
value of $12123456. If this is found, the Operating System
performs another check to see if the next longword value contains
the address on which the $12123456 value was found. When this is
found, too, it performs a third check by calculating a checksum
for the 512-byte part of memory starting at the memory location
where the magic longword was found. If the checksum is equal to
$5678 hexadecimal, it will invoke whatever program code it finds
at the magic longword's address + 8.
Address (hex): Contents:
$600 $12123456 ----+
$604 $00000600 |
$608 Start of program \
Checksum of $5678
$800 End of program ----+
Non-documented reset-resistant: Example
You see that these three special checks are very much similar to
the function of resvalid, explained earlier. Instead of something
similar to resvector, though, the Operating System just expects a
program at a specific memory address and calls that. Again, this
program would re-install the virus on the place in memory where
it wants to be and patch the necessary system vectors
The bottom line is that, no matter which of these two methods is
used, viruses can be made to survive a soft reset.
2.2.2 NON-EXECUTABLE BOOTSECTOR VIRUSES
Earlier, we already learned that a bootsector needs to have a
special checksum of $1234 in order to be executable and to cause
a program contained within that bootsector and loaded into memory
to run. We also learned that this was the way bootsector viruses
got loaded and installed into memory. However, there are also
bootsector viruses that don't even require a bootsector to be
executable: Non-executable bootsector viruses.
To many of you this will sound like some kind of contradiction
in terms - as indeed it did to me when I first heard of it. If we
have a closer look at the booting process once more, however,
things will suddenly become much clearer.
On start-up, as was already mentioned before, the Atari TOS
loads in the bootsector of the boot device (floppy-or hard disk)
and then looks if the checksum of that equals $1234. If it does,
the bootsector is executable and a JSR (Jump to SubRoutine) will
be performed on it. This results in the program present in the
bootsector being executed (and thus, should a virus be contained
there, for it to be installed). Nothing new there. But what
happens exactly when the bootsector is not executable?
The system now has a copy of the bootsector's contents still in
memory, starting at the memory address contained in the system
variable called _Dskbufp, an address at which is located the disk
buffer. Even though the program in this bootsector has not
actually been executed, it is still there. And because all memory
was already cleared at a much earlier stage of the booting
process, it is in no danger of being erased.
Next, the Operating System starts to do its check for programs
that are reset-resistant in the undocumented way, such as was
explained in 2.2.1. This check also includes the part of memory
where the disk buffer is located - the part of memory where a
copy of the bootsector's contents now resides. Because a
bootsector is 512 bytes in size and the Operating System checks
for programs that are reset-resistant in the undocumented way at
512-byte intervals, it will always check for that special magic
$12123456 value somewhere within the disk buffer.
If a virus makes sure a $12123456 magic longword is located on
the exact 512-byte interval that the Operating System happens to
check while it's within the disk buffer area, it's well on its
way to being executed. And if it also makes sure the two further
criteria listed in 2.2.1 are met, it will be executed.
TOS version: _Dskbufp: Offset off $200 page boundary:
TOS 0.00 (Das Boot TOS) $12BC Not applicable
TOS 1.00 (Old or ROM TOS) $167A -$186 off $1800
TOS 1.02 (Blitter TOS) $16DA -$126 off $1800
TOS 1.04 (Rainbow TOS)* $181C -$1E4 off $1A00
TOS 1.06 (STE TOS Rev 1) $181C -$1E4 off $1A00
TOS 1.62 (STE TOS Rev 2) $181C -$1E4 off $1A00
TOS 2.02 (MEGA STE TOS) ?
TOS 2.05 (MEGA STE TOS) $1410 -$1F0 off $1600
TOS 2.06 (ST Book TOS) $16E8 -$118 off $1800
TOS 3.01 (TT TOS 030) $1630 -$1D0 off $1800
TOS 3.05 $1630 -$1D0 off $1800
TOS 3.06 ?
TOS 4.01 (Falcon) $1CC6 -$13A off $1E00
TOS 4.02 (Falcon) $1CC6 -$13A off $1E00
TOS 4.04 (Falcon) $1CC6 -$13A off $1E00
_Dskbufp addresses with different TOS versions
* = Also goes for KAOSdesk
Suppose a virus will want to work on the Falcon, which always
has its disk buffer located at memory address $1CC6. As you see
in the above column, that means that the next 512-byte
(hexadecimal $200) interval that falls within the disk buffer is
located at $1E00, meaning that the actual $12123456 magic
longword will need to be present at offset $13A ($1E00 minus
$1CC6) within the bootsector for it to be encountered by the
Operating System at the exact 512-byte interval within the disk
buffer where it needs to be to work.
Using this technique, viruses can get themselves installed into
your computer's memory even when a disk's bootsector is not
executable. This is especially dangerous because many virus
killers and other pieces of virus detection software only notice
anything in a bootsector after it's found to be executable in the
first place. It is easy to imagine such non-executable bootsector
viruses going around and spreading prolifically without anyone
noticing them for quite a long time.
Due to lack of contiguous space in a bootsector infected by such
a non-executable bootsector virus, they often use whatever space
there is left just to load in some more sectors which contain the
rest of the actual virus program. To see where these additional
sectors may be stored, please refer to 2.4, "Call Viruses".
2.3 LINK VIRUSES
The second virus type is the link virus, not to be mistaken for
what some other publications about viruses call a 'link virus'
and which refers to a virus included in the linker of a compiler
program, that automatically infects programs that are linked
using that compiler (see 2.8, "Source-and Compiler Viruses",
The link virus type is harder to find than a bootsector virus,
difficult to recognise and virtually impossible to destroy
without damaging the program it is attached to, because the link
virus does not write itself to a bootsector but merges itself to
an actual program file on disk. It is then executed (and it may
multiply itself) each time such an infected program is loaded and
Since the link virus is not restricted to the mere 512 bytes
usually available to a bootsector virus, it can be as big as the
programmer needs it to be. It can potentially do things that are
quite repulsive. It can do virtually anything, actually.
Using the "file layout" table, below, we can have a look at the
structure of a program file (program files generally have the
extensions ACC, PRG, TTP, APP, TOS or GTP). This will help when
trying to see how link viruses work.
File header (offset $0-$1C exclusive)
(the actual program code)
BSS (Block Storage Segment)
File layout (top is start of file)
$00 BRA.S ($601A; BRanch Always instruction,
jumps to $1C)
$02 Bytes in text segment
$06 Bytes in data segment
$0A Bytes in BSS (Block Storage Segment)
$0E Bytes in symbol table
$12 Zero (reserved)
$16 ph_flag (longword)
Bit 0 = Fastload on/off
Bit 1 = Load program into TT RAM
Bit 2 = Use TT RAM only
ST/STE/TT/Falcon, sensible with "MultiTOS":
Bit 3 = Reserved, always 0
Bit 4-7 = Default memory protection mode
None set = Private
Bit 4 = Global
Bit 5 = Super
Bit 6 = Readable
Bit 8-11 = Reserved, always 0
Bit 12 = Share text segment on/off
Bit 13-27 = Reserved, always 0
Bit 28-31 = Minimum amount of TT RAM needed
(value * 128) in Kb
$1A Zero if no relocation bits
$1C Start of program text segment
(The BRanch Always makes sure it is started)
File header contents
When a link virus appends itself to a program (links itself to a
program, hence the name), it usually stores itself between the
TEXT and the DATA segment of a file, as well as at the very start
of a file. This principally means that the TEXT segment and,
thus, the total program file itself, become longer (exceptions to
this rule are substitute link viruses, see 2.3.6).
The link virus changes the program's file header so that the
Operating System recognises the new length of the TEXT segment
for when the file is being loaded and executed at some later
As soon as an infected program has been loaded and executed by
GEMDOS, the little bit of the virus at the start of the TEXT
segment will be executed. This will then cause to virus to
multiply and, if necessary, install itself elsewhere in memory.
After that it will change back the original file header, restore
the beginning of the TEXT segment where it had stored itself and,
last, execute the original program as if nothing has happened.
Especially on floppy disk, running a file that is infected by a
link virus will take noticeably longer. After all, the virus has
to find another file, then search for the DATA segment, copy
itself to it (increasing the file length), buffer the start of
the original program code and patch itself to the program start
routine before the original program even gets as much as a chance
at getting executed. In this case, it is relatively easy to
recognise link virus infection.
On top of that, most link viruses use regular Operating System
calls to open another file, read from it and write to it. Should
your disk be write-protected, for example, their use of regular
Operating System calls will cause a display of a "Disk Write-
protected; please remove write-protect" alert box. Programs that
suddenly attempt disk accesses whereas they never did this
before, especially at start-up, are surely worth checking with
the "Ultimate Virus Killer"!
There are two ways of classifying link viruses: The first
classifies them according to their behaviour in the computer's
memory (2.3.1 - 2.3.3), the other according to their behaviour in
infected files (2.3.4 - 2.3.5). In the following, both
classifications are used independently.
2.3.1 NON-RESIDENT LINK VIRUSES
There are two possible ways for a virus to manifest itself in
memory. The first type, the non-resident link virus, is the one
that is least complex and that spreads slowest.
Upon starting a program infected by a non-resident link virus,
the virus executes itself and infects one (or, indeed, several)
files on the disk. After checking if the condition for the
destruction routine to be executed is true, it calls it or simply
leaves again, jumping back to the original code of the old
program (i.e. the program it was located in, which it has in the
mean time restored in memory), at which time the virus itself
will have disappeared from RAM completely.
This is called non-resident as the virus does not remain
(reside) in memory at all after it has fulfilled its purpose.
2.3.2 RESIDENT LINK VIRUSES
The other type of link virus is the resident link virus,
sometimes also called interrupt virus. This differs from the non-
resident link virus by the fact that it remains in memory
starting at the moment it does its job for the first time.
As with bootsector viruses, the resident link viruses patch some
Operating System vectors to point to their own sub-programs
before executing the ones the Operating System actually wanted to
access in the first place. Whereas the bootsector virus varieties
need to 'know' when a disk sector is being accessed, the resident
link virus varieties have more benefit from 'knowing' whenever a
file is opened or loaded into memory so that they can promptly
infect whatever file is currently being accessed. The basic
difference between resident bootsector viruses and link viruses
is that they patch different system vectors; link viruses patch
system vectors that point at the Operating System's file-related
sub-programs such as those needed to open a file, change a file's
status, or create/load a file.
Resident link viruses can spread a lot faster than their non-
resident counterparts: Each time when another program is loaded
after your system has been infected, this program will be
infected automatically, too. Even when the originally infected
program has been removed from memory (usually by exiting it), the
resident link virus program parts are still in memory somewhere.
This means that resident link viruses can also infect programs
that are in a different (sub-)directory of a disk or drive
partition, or even on a totally different disk. Especially the
latter is usually impossible with non-resistant link viruses.
2.3.3 RESET-RESISTANT LINK VIRUSES
The more persistent variety of the resident link virus is the
reset-resistant link virus. This is not only resident, but also
survives a reset using one of the methods described in 2.2.1.
Therefore, it is even more dangerous than the 'ordinary' resident
link virus, and will be even more prolific at spreading itself.
2.3.4 OVERWRITING LINK VIRUSES
Now that we have gone through a link virus classification based
on the way they behave themselves in memory after infected
programs having been loaded and run, let us now have a look at a
classification based on the ways they behave themselves within
the infected file, before they get executed by the user
unwittingly loading the contaminated program.
A division can be made into two kinds, of which by far the least
complex would be the overwriting link virus. This link virus does
not bother about placing itself somewhere between some of the
program segments, buffering the program part it replaces, or
changing any of the values contained in the program header. No,
this type of link virus just writes itself right across a part of
the original program file, hence its name.
Overwriting link viruses are quite rare because they are quickly
noticed - a program file infected with one will no longer work at
all - and can, consequently, be battled quite effectively. It is
far simpler to design and program such an overwriting virus,
however, because the programmer would not need to take into
consideration all the things that were mentioned before.
Files that are infected with this type of link virus can never
be repaired; not by the "Ultimate Virus Killer" nor by any other
virus killer anywhere on any system (not even if they claim to).
This can be explained by the fact that part of the original
program, which would be needed to restore the file to its full
(non-infected) working order, has disappeared altogether and can
thus impossibly be restored.
2.3.5 NON-OVERWRITING LINK VIRUSES
All link viruses that don't overwrite part of the program they
infect are called non-overwriting link viruses, which form the
majority of the link viruses existing on any computer system.
The trick of the non-overwriting link virus is that it buffers
all parts of the program it infects that would otherwise have
been overwritten. That way it can restore all these parts after
it has done its job, allowing the original software to be
executed properly so that the user does not notice anything, at
least not until it is too late and the virus has already spread
Below you will see a diagram of a non-infected file, followed by
one of the same file infected by a non-overwriting link virus
(file start at the left).
The original program in this case consists of a program header
(H), a TEXT segment (here divided in two hypothetical blocks,
TEXT 1 & 2), a DATA segment (DATA) and a BSS (BSS). When the link
virus infects the file, it buffers a part of the TEXT segment
(TEXT 1), writes a piece of its own code which replaces it (V1),
and then writes its second part with the buffered part of the
TEXT segment (V2 & TEXT 1) between the TEXT and DATA segments.
The contents of the program header are changed to match the new
length of the TEXT segment.
|H| TEXT 1 & 2 | DATA | BSS |
|H| V1 | TEXT 2 | V2 & TEXT 1 | DATA | BSS |
Non-overwriting link virus infection
When the infected file is loaded and run, first V1 will be
executed. This will execute V2, which will do whatever the virus
does (copy itself, make itself resident, do something nasty...),
then restore TEXT 1 to its original position, copy the DATA-and
BSS segment back to their original offsets in memory and execute
TEXT 1. The actual program will then be started as if nothing
Non-overwriting link viruses, I think you'll readily agree with
me on the grounds of the evidence presented so far, are a lot
more difficult to write than their overwriting cousins.
Unfortunately, however, type-in listings and construction kits
for these non-overwriting link viruses have appeared from various
sources. With the aid of these it has been made easy for even the
most utter laymen to successfully create link viruses.
The one 'good' thing about non-overwriting link viruses is that
they can be spotted by suddenly increasing program file lengths,
2.3.6 SUBSTITUTE LINK VIRUSES
There is in fact another link virus type that should be
mentioned: The substitute link virus, which is basically a non-
overwriting link virus that does not change the length of the
programs it infects, as opposed to regular non-overwriting link
viruses which, as we know, make a file longer.
Substitute link viruses use compression techniques (also called
compacking, packing, crunching or compacting, among many other
names) to make sure that the original file length a program had
before infection is reached again. This way, substitute link
viruses significantly decrease their chance of discovery because
they cannot get detected by suddenly increasing program file
Substitute viruses seem quite, well, 'popular' on MS-DOS
systems. On Atari TOS computers, however, they seem not to exist
outside the realms of rumour.
2.4 CALL VIRUSES
In 2.4 to 2.10, a couple of virus types will be mentioned that
have arisen from various different virus classifications. They
are included here for the sake of completeness. Principally,
however, they can be classified as specific types of bootsector-
or link-viruses mentioned so far.
The principle of the call virus is simple: It stores a segment
of itself elsewhere, to be called and used later. In case of a
bootsector virus this usually means it has additional sectors
apart from the bootsector elsewhere on a disk in which more of
its program code is stored; in the case of a link virus it means
that there are parts of the virus not within the infected program
file itself but instead located either in additional sectors or
in a hidden file.
The advantage for a bootsector virus is that it can now have
access to more space for its program code (and potentially more
elaborate destruction routines) to be located in. Especially in
the case of non-executable bootsector viruses (see 2.2.2), in
which there is preciously little space left in the actual
bootsector, this is the required way out. The advantage for a
link virus is that part of it does not need to be appended to
each infected file, causing a diminished file size growth and a
shorter infection time.
A call virus will need to find some way to make sure that its
external segment is not overwritten by other files on the disk. A
call virus with its external program code destroyed would be
quite harmless or would simply crash.
The most straightforward way would be the use of an external
file. It would be just like any other file on your disk, only its
"hidden" attribute (similar to the "read only" one that you may
be more familiar with) would be switched on. Both MS-DOS and
Atari TOS computers have this facility built into their file
management system. A "hidden" file is present on the disk, like
any other file, but will not be displayed when double-clicking on
a drive icon to display its list of files, its directory.
A rather less straightforward way, primarily used by bootsector
call viruses, is the principle of hidden disk sectors. This is a
bit more complicated than the hidden file, as it requires that
the virus find some extra sectors on a disk, besides the
bootsector, that are in some way safe from later write access to
When a disk is formatted, certain of its areas will be reserved
and cannot be used to store files on. The bootsector is such an
area, for example, but there are also the FAT and the directory,
generally taking up the first two tracks on a disk. The directory
is needed to keep track of which files are in a disk's root
directory, when they were created, how long they are, what file
attribute they have and at which disk sector they start. The FAT
(the File Allocation Table, of which two copies are maintained on
each disk) keeps track of the order in which disk sectors are
allocated to files, as disk files need not necessarily take up
contiguous sectors only.
An entire track is set aside for the FAT and, similarly, an
entire track is allocated for the disk's directory. But there are
a few sectors that are not used just after each of the two copies
of the FAT, and if you don't have too many files and/or folders
in your root directory there are quite a few sectors available at
the end of the track that is allocated for that, too.
Call viruses are known to use, for example, the last directory
sector to store extra information or program code in. And the
'spare' sectors of the 'backup' copy of the FAT are also quite
popular. In case of a long directory, infection by a call virus
may cause part of your disk's file list to be demolished,
rendering those files inaccessible and unsalvageable. The other
way around, however, writing more files to a disk so that the
entire directory list is filled up would also destroy the call
virus' external segment, rendering the virus quite harmless.
The FAT does more, though, than just keeping track of which
sectors belong to which files and in which order. When a disk is
formatted, the Operating System also checks to see whether any of
the formatted tracks and sectors are damaged or faulty, i.e. bad.
After all the tracks have been formatted, the Operating System
installs the default FAT and an empty directory, and it will mark
any bad sectors in the FAT as 'used' bad sectors so they won't
ever be used again to attempt to write files onto.
Call viruses can 'simulate' these bad sectors; their external
segments would be written to specific disk sectors, after which
the virus would mark these as 'bad' in the disk's FAT. The end
result would be the same as the methods described above, but even
safer insofar that not even an extra long directory, for example,
could damage the call virus' external program code.
In a way similar to the simulation of bad sectors, call viruses
can also just allocate the extra disk sectors they use to a non-
existing file, this way generating what is known as a 'lost
2.5 BOOT VIRUSES
A boot virus, is, quite simply, a link virus (either overwriting
or non-overwriting, resident or non-resident) that only infects
the boot file of MS-DOS machines, usually a file called
"COMMAND.EXE". Not to be mistaken for a bootsector virus.
This virus type is only useful on MS-DOS computers, as Atari TOS
computers use no boot file as such.
2.6 BUFFERED VIRUSES
Principally, any known virus type can be a buffered virus. A
buffered virus is a virus that is not only resident, but that
also finds a way of making sure that it survives even if the
computer which it has infected is turned off.
Luckily, this is only possible with computers that have battery-
backed RAM or battery-backed clock cards with some RAM of their
own. When the system is turned off, the batteries will prevent
the RAM from being erased (hence the term battery backed). Also,
many portable computers using CMOS RAM chips actually only
disable the display when you switch them off. This makes sure
that everything in memory, viruses included, remains intact.
Atari TOS computers have no battery backed RAM except for a
'massive' 128 bytes somewhere in the intelligent keyboard
processor (the HD 6310 chip or something like that) in MEGA STs,
MEGA STEs, TTs and Falcons only. This hardly suffices for a
virus, so we need never worry (see 5.3).
Should you worry anyway, you can simply remove the battery
during power-off and you will be perfectly safe. Insert it again
after thirty seconds.
2.7 BATCH VIRUSES
MS-DOS computers without "Windoze" or a similar graphical user
interface have a so-called CLI (Command Line Interface), which
allows the user to type in a certain command which will then be
executed. Whereas we, fortunate TOS computer users, use the mouse
and the desktop to format a disk, copy files or generally do
anything in a very user-friendly way, MS-DOS CLI-based life forms
have to enter long lines of extensive syntax with a load
parameters instead. Have a look at the full syntax of the
"format" command, for example...
dc:padc\FORMAT d: /S /1 /8 /V /B /4 /N /N:ss /T:ttt
If you add a couple of such instructions together (there are a
lot more different ones than just the FORMAT command, of course)
and write them into an ASCII text file with the extension .BAT,
you have created a so-called batch file. Typing the name of that
batch file at the CLI prompt suffices to execute all the commands
that you have entered in that text file. Some of you may know
this principle from the various shell programs that are available
for your computer ("COMMAND.PRG", "NeoDesk CLI", "Gemini" built-
in CLI, Michtron's "Shell" utility and "Gulam", to name but a
Viruses that manipulate these batch files are, quite logically,
called batch viruses. As MS-DOS-type CLI commands include
commands like FORMAT and DELETE, a batch virus by no means has to
be harmless. It can even multiply itself.
The good thing about batch viruses is that they are quite easily
recognised, as a batch file's contents can be displayed and
examined on the screen with the MS-DOS TYPE command.
As Atari TOS computers normally do not use a CLI (though these
so-called shells are available in quite an abundance both in the
Public Domain and commercially), batch viruses do not have much
of a chance. On MS-DOS computers, however, they are quite
2.8 SOURCE CODE-AND COMPILER VIRUSES
It is quite difficult to get to grasps with how these viruses
are supposed to be able to spread, how they are built up, and how
it is possible that they exist.
Compiler viruses, also sometimes confusingly called link
viruses, are pieces of source code that will automatically be
included in any given program when compiled. Sounds rather
complicated, whereas it sounds rather impossible that they can
live on as actual pieces of source code after actually having
infected another program. This would mean that the infected
program would get considerably longer (as source code is not
quite compact). Such a virus would be easily noticeable.
Probably, these viruses can only be built in by people actually
making compilers, or maybe people that know how a compiler is
built up, disassemble it, patch it, and assemble it again. This
means that there seems to be a fair way of evading them by
avoiding pirated copies of these programs, as official
manufacturers would rather not have their name dragged through
the dirt by spreading viruses on their own accord in their own
Lucky for us, they have not been sighted on TOS systems and it
is to be doubted sincerely whether they ever will, although it
would be conceivable that they could spread via, for example,
Public Domain C library extensions of some sort.
Source code viruses are easier to write, and are often
variations on the call virus theme. High-level programming
languages can be used to write them (even Basic, Lisp or
Prolog!), and they are only difficult to recognise when the
original (non-infected) source code is quite big. Source code
viruses, however, have never been seen on TOS computers, either.
2.9 XP VIRUSES
XP Viruses, sometimes also called line viruses, are a really
tough cookie. They are possible only within so-called Expert
Systems. There is not much to tell about these viruses that would
be of any practical use to you, and truly explaining how they
work would take up too many pages.
Also, let's be honest, I don't know anything about them.
To whet your appetite, it can be mentioned that they can be
dangerous in Hospital's disease analysing systems and that they
multiply inside a program, generally manipulating all lines of an
Expert System, quite inconspicuously causing it to malfunction.
2.10 ENCRYPTING VIRUSES
Suppose you would get infected by a virus. You could get rid of
it using a virus killer, right? Right.
Suppose you would get infected by an encrypting virus. Upon it
infecting your system it would encrypt your hard disk's FAT,
causing you to be able to work with your hard disk only as long
as you're still infected. You could get rid of it using a virus
killer, right? Indeed you could, but your hard disk would
instantly become inaccessible because of your drive's FAT no
longer being decoded by the resident virus whenever your system
accesses it. The only way you could come out on top again would
be if you had a mirrored copy of your boot record and FAT tables
(such as is made by "Diamond Mirror" on Atari TOS computers).
These encrypting viruses really only get destructive when
they're no longer there, almost calling for a rather drastic re-
evaluation of most concepts involving trigger-and destruction-
Although these viruses are unheard of on the Atari TOS platform
so far, it might really only a be matter of time.
2.11 ACQUAINTED TUMOURS
Whenever people mention computer viruses, they often mention
various other tumours of computer science. The most well-known of
these will be mentioned here.
2.11.1 TROJAN HORSES
"A long time ago, some kind of Lord wanted to conquer some kind
of city in ancient Greece called Troy. Since the master of the
city did not particularly like the fact that this weird Lord
wanted to take the city away from him, he defended it with all
power he could (of course). The fact that it had all started off
with a woman with a face that launched a thousand ships made the
idea no less bearable to him.
The Lord thought deep for a long while and came up with a
brilliant idea that was to be echoed through the halls of history
during long times yet to come: He built a large wooden horse,
filled it with soldiers and left it standing before the gates of
Troy one night - a token of 'goodbye'.
The next morning, whoever ruled the city looked over the sturdy
walls and saw the plains totally empty. The army had disappeared
and they had left behind a present - a large wooden horse.
They rejoiced, flipped out and generally had a ball: The enemy
had not been victorious and had even left behind a present!
The city gates were opened and the large wooden horse was
brought to the city centre. People celebrated, food was devoured
and drinks were drunk in excessive amounts.
But that night, after even the last bozos had gone home and the
city streets were empty again, a hatch somewhere in the wooden
horse was opened and the soldiers came out.
They opened the city's gates and whistled three times. Over the
plains came the legions of the Lord that conquered the city, ate
its men, slaughtered its women and raped its pigs (or something
A smile wrought itself upon the wooden lips of the Horse, that
was to be known throughout history as the Trojan Horse."
So far a bit of (rather freely interpreted) history.
In the world of computing, the term Trojan Horse has become a
synonym for something that looks like something but really isn't.
An illustrative example would be a game that simultaneously
formats your hard disk: It's not quite what you had expected it
Trojan Horses are not viruses. Although we have shunned away
from precise definitions as to what viruses are exactly, I think
we'd all at least have to agree on the fact that they
autonomously copy themselves. Trojan Horses don't copy themselves
at all; it's a thing that all computer science boffins seem to
agree upon, remarkable though this may seem.
Dozens of Trojan Horses seem to exist on MS-DOS machines. One
of the varied programs like this, for example, is something
called "SEX.EXE" that shows some rather naughty things happening
on the screen during which the hard disk is formatted.
Perhaps barring funny accessories such as "CRABS.ACC",
"FUNNY.ACC" or "WOWBAGGR.ACC" (that, strictly taken, are what
they seem to be and can therefore not actually be called Trojan
Horses at all), Trojan Horses have never been seen on Atari TOS
Worms are programs that have so far only been sighted on
networks. They can also transfer themselves through data lines
between several computers, and can eventually knock down an
There are endless variations on this theme, too. There are worms
that trap all passwords entered in a network, thus gradually
working up to the system operator. Other types can destroy
database files. And the list is, actually, virtually endless.
This may all sounds terribly exciting and, in a Robert Redford
"Sneakers" kind of way, romantic, but the heart of the matter is
that a worm would not be of much use on a machine like an Atari
In the battle against viruses, anti-viruses have done quite some
excellent work ever since they first arrived on the ST scene in
early 1988. Even so, they have also been the reason for much
It is quite difficult to define exactly what an anti-virus is,
for some of them multiply and some of them do not; some of them
are resident and some of them are not.
They really only have a couple of things in common: They reside
in the bootsector, they do not aim to do anything negative
against the user or his system, they are generally not reset-
resistant and they try to warn the user for (bootsector) viruses
when there is a reason to believe that these are present. This
warning generally consists of flashing the screen and/or making a
beeping sound, sometimes also allowing the user to press a
certain key that will cause memory to be cleaned (i.e. that will
cause the virus to be removed).
For first aid and quick virus infection recognition, anti-
viruses are quite helpful. But, once the suspicion of the
presence of a virus exists, the "Ultimate Virus Killer" should be
used. Anti-viruses are too small to be able to determine whether
the bootsector includes a virus or a harmless program: Many of
them do not even recognise the advanced "Ultimate Virus Killer"
advanced disk bootsector immunization method, either.
2.12.1 CLONING ANTI-VIRUSES
These have been the reason for quite a stir because, as their
name implies, they clone - which basically means that they copy
themselves to other disks. As a matter of fact they are virtually
exactly the same as viruses, whereas most typical virus code
characteristics are also present. Some virus killers therefore
classify these cloning anti-viruses as viruses, too. There are
two distinctive differences between these cloning anti-viruses
and regular viruses, though.
First of all, these cloning viruses first check whether or not a
bootsector is executable before they clone themselves across it.
This means that they will never copy themselves on bootsectors
needed by games and such. Modern anti-viruses even leave IBM-
compatible disks untouched (which would lose IBM compatibility if
they didn't). The second difference is that they should not harm
your system or your data in any way.
All cloning anti-viruses are resident, too, and thus need to
patch onto system vectors to work properly.
2.12.2 NON-CLONING ANTI-VIRUSES
Non-cloning anti-viruses are probably the best. They are still
resident in your system and will warn you when virus infection is
likely, but they never copy themselves onto other disks. Non-
cloning anti-viruses are no longer viruses by definition, and are
commonly regarded as being very safe and a pretty good help.
Most of the latest anti-viruses exist in a non-cloning as well
as a cloning version. For non-cloning anti-viruses to work
properly, they need to patch onto the usual system vectors, too.
2.12.3 NON-RESIDENT ANTI-VIRUSES
If a definition of these non-resident anti-viruses would have to
be given, it would be something like "all non-resident bootsector
programs that check certain system vectors on start-up and/or
that call themselves 'anti-viruses'". They do not and cannot copy
themselves to other disks, as they vanish from memory right after
they have served their purpose. They also do not patch onto any
Usually, they get loaded and executed immediately after a reset,
during the booting process, and then start checking whether
certain system vectors point to RAM addresses. When this is found
to be the case, they print warning messages on the screen and/or
bleep and/or invert colours.
Strictly taken they are not viruses nor even anti-viruses, even
though they sometimes do call themselves 'anti-virus' and have
been classified as such by various virus killers. Non-resident
anti-viruses generally only recognise reset-resistant viruses
(and possibly other reset-resistant applications), since all non-
reset-resistant viruses will already have vanished from your
computer's memory by the time the non-resident anti-virus gets
loaded off the bootsector and executed, after a reset.
2.12.4 VIRUS FREE DISKS
These have nothing to do with anti-viruses or viruses as such,
actually, but are considered worthwhile mentioning since there
are such an awful lot of them. Also, the line between virus free
disks and non-resident anti-viruses is an awfully thin one.
A virus free disk is none other than a disk containing a small
program in its bootsector that tells the user, in some way or
other, that there is no virus on the disk. A 'virus free disk' is
never resident in any way. Most virus killers and even most
computer crews have their own ones. There must be more than a
hundred of them, which is actually far too many and not making a
virus killer programmer's life any easier. On top of that,
various viruses are known to be travelling in the guise of a
'virus free disk'.
A 'virus free disk' works with a simple concept: When its
message appears, there is no virus on the disk. When the message
does not appear, something has overwritten it, which may jolly
well be a virus! The method of negative proof used by 'virus free
disks' is not a very reliable one, though.
Some 'virus free disks' work more extensively; for example, they
may also check for reset-resistant applications or viruses in
memory. In this particular case it's basically a non-resident
anti-virus that calls itself a 'virus free disk'. Yes, it's all
quite complicated, especially when the programmers of these
particular little bootsector programs don't even know what to let
it call itself.
2.13 'GOOD' VIRUSES
Many publications on the subject also mention good viruses, and
therefore it will be done here, too. The example that is always
quoted from Cohen's virus research is the virus that spreads
itself and compresses all programs it 'infects', making sure the
files take up less space on disk. In the case of program files,
it even makes sure that they de-compress themselves when they're
being loaded and run.
A 'good' virus indeed, though compression can also have
disadvantages (increased loading + decompression time when using
a fast storage medium, or the compressed program simply no longer
working properly or not at all). In a non-viral form - without
the multiplication characteristic - these programs are quite
popular on Atari and other computer systems, and are used to
compress program-and data-files. Need I mention "DC Squish",
"Squish II", "BA Pack", "PA Pack", "Happy Computer Packer",
"Sentry Packer", "Ice Packer", "Atomic" and "Pompey Pirates
Packer" on our Atari platform?
2.14 KILLER DISKS
Now, since we are talking about destruction of data and computer
systems, why not mention the so-called killer disks? Killer disks
are disks that can actually inflict physical damage on your
computer system - quite specifically on your floppy disk drive.
The difference between viruses and killer disks is very simple:
A killer disk contains no program that assists it in the
'killing' and is created purely on a hardware basis. The German
Bayrische Hacker Post wrote quite an extensive article on killer
disks quite a few years ago (August 1987) which was very
unsettling. It explained in detail which chemical compounds had
to be put on disks to allow the read/write head of the disk drive
to be irreversably damaged, and how to replace the actual
magnetic data carrier by fine sandpaper. However, killer disks
have actually never been sighted (or, at least, these sightings
have not been documented) and I think we can be thankful for
This mentioning of killer disks, however, was only included for
the sake of completeness. As stated before, they have never
occurred and hopefully never will.