THE ST'S VIRUS PART VI by Richard Karsmakers
There's quite a lot of news with regard to viruses on the ST on
the moment. There are several new viruses, for example, while
some companies have also published some virus killers at
exorbitant prices. Let's have a look at it all, as well as a
classification of all ST viruses that I have heard of at the
* = "VDU" version 3.0 can recognize and annihilate this virus
** = "VDU" version 3.1 can recognize and annihilate this virus
*** = "VDU" version 3.2 (not yet launched) will be able to
recognize and annihilate this virus
The Signum virus * ** ***
Discovered on November 21st 1987, after having received a
phonecall from Klaus Seligmann. This is the most commonly spread
virus, and has been found in countries as far as Greece, England,
New Zealand and the United States. It's most evidently present in
Holland and West Germany, however. This is the virus that was to
be found on several original program disks (!), like GfA
Systemtechnik's "GfA Basic 3.0 Buch" and G-Data's "GEM Retrace
Recorder". It merely copies itself to other disks, and waits for
a certain code to be found on another disk - the second step will
then become active, which is not yet found but which might be
The "Signum" virus is named thus because it was said to be found
on a "Signum" (Application Systems, Heidelberg, West Germany)
The "fun"-virus, also called "MAD" virus * ** ***
Discovered on March 16th 1988, after having received a disk that
Eerk Hofmeester of "STRIKE-a-LIGHT" suspected. This virus copies
itself to other disks, and when it has done so five times, it
start doing strange things with the screen and the soundchip
(making noise and flipping screen, etc.) every time a directory
is read. Quite harmless - it may only actually damage data
present in the bootsector in the copying process.
The "Busted Bios Parameter Block" virus ** ***
Which I received from Mr. Anton Raves from Compudress in
Kamerik, Holland (thanks, Anton!), who discovered it. In fact,
this is a slightly adapted version of the first virus, but one
which has some additional code (checking the ALT-key?!) written
over the disk's format parameters. A disk that is infected by
this virus is unreadable but can still be repaired by the "Virus
Destruction Utility" versions 3.1 and up.
The ACA Virus ***
This is the fourth known boot-sector virus. This is the most
dangerous bootsector virus I have ever seen, and it clears the
entire first track (FAT and bootsector) of a disk when it becomes
active! It was actually sent to me by someone calling himself
Little Joe (from Sweden) and I received it on June 29th, 1988.
The virus is written by a Swedish group called "ACA", and the
phone number of the virus creator is (Sweden) 0300/63350 (so
let's all phone him and start saying F-words!!).
I have heard that they are working on a worse virus, that can
infect a harddisk as well (that would be the first!).
Milzbrand * ** ***
The first known link-virus was "Milzbrand", published in the
German computermagazine "Computer & Technik" Heft 4 as type-in-
listing (!). Author is Eckhard Krabel from Germany. The original
virus checks the date stamp - when it's set to 1987, the disk's
bootsector and FAT are cleared and the info on the disk is
unreadable after that. In the bootsector, it writes: "Dies ist
ein Virus!". Since the program was a type-in-listing, everybody
can adapt this virus to specific wishes. It's simply terrible!
Virus Construction Set ***
I have not yet been able to get my hands on this program, which
allows the user to create standard or custom (link-)viruses in a
comfortable GEM environment. This program allows the stupidest
nutcases to write a real dangerous virus!
In the Austrian magazine "XEST", I have been able to read
something more about this virus: It's a link-virus that replaces
part of the old program header by its own code. The "Virus
Construction Set" costs DM 50,- and can be ordered through
Nightmare Software (Mr. Oliver Sturm). It was first launched on
the 1988 CeBit.
The "Frankie"-virus (?)
This is no ST virus, but an alleged virus on the Apple
Macintosh. Rumours go around that this virus was programmed by
the guys from Proficomp (the company behind the "Aladin"
Macintosh enhancer), but these are not certain. Anyway, the virus
operates on the ST under "Aladin", whereas I have also heard
something about it appearing in the U.S. on "Magic Sac" software.
However, this 'virus' seems to be present only on a program
called "Mac Playmate", and might thus simply be the result of the
copy protection in the program?! It does not multiply itself as
far as I have been able to see, and only works with "Mac
Playmate". Its symptoms are a system crash, just after the
message "Frankie say: No more Piracy" appears on the top of the
screen, as well as a small bomb symbol in the upper lefthand
corner of the screen. Resetting "Aladin" will only return to the
GEM desktop then.
Is this a virus? Can anyone send me a disk containing this
'virus' on another program than "Mac Playmate"?
Miscellaneous Viruses ***(?)
In a recent issue of "ST Report" (#39, to be more precise), I
read some interesting stuff about viruses outthere in the United
States. It was a modem conference with people like David Small
("Magic Sac") and Timothy Purves ("Michtron BBS"), as well as
someone called George Woodside who appeared to have some viruses
in his possession that I had never heard of before. At this very
moment, a letter of mine is heading towards this guy by air mail,
hoping that he will send them to me so that I can update the
"Virus Destruction Utility"! Let's quote some of his statements
about these viruses...
"One virus I have here it too big to fit in a boot sector. It
uses the extra FAT sector to extend itself. That way, a virus can
have 2.5 K (5 sectors) to fit into. This one uses ROM routines,
hard coded, to extend itself even more. I can't tell all that it
will do, since it uses routines in the European ROMS. It will,
however, simulate hardware errors in an ST by illegal memory
accesses after the system has been running for a while. It checks
the system clock. With that much code space to play with, the
thing could do anything, including wipe harddisk very quickly. It
could be spread, and launched, by floppies and look for hard disk
systems. Then, bang, you have a clean HD. You'd never know where
it came from."
"Another virus I've heard of, but don't have does a slow (a few
bytes at a time) corruption of the FATs on the floppies. You
don't it is corrupting all your disks, until you start turning up
bad files everywhere. That's the worst part - you never know what
they will do."
"Another virus uses the elapsed timer in the BIOS reserved
memory area. It is totally quiet until the system has run 3
hours. If it sees a non-infected disk, it spreads itself, and
sets the elapsed timer back to 2:45. After 3:00, it starts
another timer watch. Then, at random intervals, it does a memory
write to either the screen RAM or memory above the screen. It
will either corrupt the screen, or cause bombs to appear from
accessing memory above the screen area. I've discussed these
viruses with Atari, and we've agreed to make all we have learned
public. We feel that the virus writers already know what they are
doing, so we need to inform the users."
The above means that there are at least 6 totally different
bootsector viruses as well as a limitless variety of link-viruses
(with these type-in-listings and virus constructors, you NEVER
know what to find).
It's about time for people to start believing that the virus
problem is indeed a severe one - many people still underestimate
it and wave it away (daft!). I hate to admit, but I fear some
pretty awful things may be found in the future as well. There's
just one way to protect yourself against viruses: Keep your disks
write-protected as much as possible and keep on monitoring your
disks for viruses with a recent virus killer program!!
As software companies start recognizing the virus problem, it is
of course logical that they start doing something against it.
Firebird, for example, is planning to start delivering their
software on disk that cannot be de-writeprotected (the moving
thing is left out). Other companies write virus killer programs,
sometimes at quite exorbitant prizes. Let's have a look at some
of the available virus killers, starting with those belonging to
the Public Domain.
4USKILL.PRG: The original virus killer, and the first to be made
in Holland (by Frank Lemmen). There are two versions, of which
the first does not work on MEGA ST's and suspects systems with
RAMdisks and/or harddisks installed of being infected when
they're not. Both versions can only recognize and annihilate the
"Signum" virus, the first virus known.
VDU_2_?.PRG: Written by yours truly. I lost track of all version
numbers, but it suffices that the versions lower than 2.5 are all
Public Domain and may be copied freely. The higher the version
number, the better the program.
ANTI2.PRG: Full name: Antibiotikum V1.2. Written in Germany, and
I am afraid the author's name has slipped my mind. This virus
killer allows the user to create his personal database of disks
that it should recognize, for which a separate file is saved on
disk when the program is exited. Disadvantage of this program is
that many people will still not be able to separate viruses from
harmless programs when the program encounters a disk it doesn't
Now for the commercial virus killers...
ANTI VIREN KIT: Published by G-Data in Germany, and selling at DM
99,- (about £30, $50, ƒ110). It is very clever of this company to
start making a virus killer, since one of their programs used to
be infected by the good old "Signum" virus. Its features are
remarkably like the ones from my own "VDU", which I also sold to
them a month or two ago (?!).
D-4630 Bochum 1
SERUM: Published by a computershop called "Computer + Software U.
+ S. Schröter". It sells at DM 79,- (about £25, $40, ƒ90), and
appears only to recognize bootsector viruses.
Computer + Software U. + S. Schröter
VDU_3_?.PRG: Published and written by yours truly. When looking
at the price and specifications, it seems by length to be the
best bargain, selling at 19,95 Dutch guilders (that's £6,95). The
version that I am currently completing (but of which I have not
yet set a release date) will recognize at least 4 bootsector
viruses (if I can get the others, it will recognize those as
well) and 2 linkviruses, whereas it will recognize over 80
commercial bootsector programs, too, and will be able to repair
well over 50 of these. But these numbers may increase every day
now, as I get new stuff all the time.
The Virus Destruction Utility
The "Virus Destruction Utility" was launched in its commercial
form for the first time somewhere in April 1988. It has proven to
be successful, since it has sold at enormous quantities! Its main
* Recognition of virtually all software that uses the disk's
* Recognition of ALL known ST viruses - both bootsector-and
* Option to repair previously damaged boot sector software
* All data on your disks remains 100% intact!
* Immunizing of disks against all known bootsector viruses
* Option to repair damaged or destroyed Bios Parameter Blocks
* Automatic recognition of any hard-floppy-and RAMdisks attached
* Automatic recognition of all known viruses already present
in the computer system
The following table comprises the prizes:
TABLE OF PRICES FOR THE "VIRUS DESTRUCTION UTILITY" V3.0 AND UP
Country: Purchase amount: Update amount:
Netherlands* ƒ 19.95 ƒ 10.--
United Kingdom* £ 6.95 £ 4.--
United States of A. $ 11.95 $ 7.--
Belgium* Bfr 395.-- Bfr 200.--
France Fr 64.95 Fr 30.--
Germany* DM 18.95 DM 10.--
Italy L 1395.-- L 700.--
Canada $ 13.95 $ 8.--
New Zealand $ 16.95 $ 9.--
Sweden Kr 64.95 Kr 35.--
Norway Kr 68.95 Kr 37.--
Greece D 1495.-- D 800.--
Austria Sch 129.95 Sch 65.--
Switzerland Fr 14.95 Fr 8.--
Denmark Dkr 69.95 Dkr 35.--
When you want to pay in cash, please only use one of the
currencies marked with an asterisk (*)!
Note: If using foreign cheques, add 50% to the purchase amount or
75% to the update amount.
People in Holland can order by transferring the appropriate
amount of money to giro account number 5060326 t.n.v. Richard
Karsmakers, Helmond. People in England can order by transferring
£6,95 to Barclay's Cheque Account 80533408 to the name of J.P.
Karsmakers Esq., Kievitstraat 50, 5702 LE Helmond, The
Netherlands. Please specify: "Viruskiller".
Due to the fact that I will be moving to Utrecht to start
studying there, I suppose I will not be able to deliver the "VDU"
update version 3.2 until after the middle of August. That's why I
have included a very small, provisional virus killer on the ST
NEWS disk that can ONLY annihilate the currently known
bootsector viruses (and also the new and dangerous ACA bootsector
virus!) Note: It does NOT recognize ANY other viruses, such as
unknown bootsector viruses or linkviruses.
I hope to have supplied you with enough information, and I hope
that it's not yet too late to stop the viruses on the ST...
The text of the articles is identical to the originals like they appeared in old ST NEWS issues. Please take into consideration that the author(s) was (were) a lot younger and less responsible back then. So bad jokes, bad English, youthful arrogance, insults, bravura, over-crediting and tastelessness should be taken with at least a grain of salt. Any contact and/or payment information, as well as deadlines/release dates of any kind should be regarded as outdated. Due to the fact that these pages are not actually contained in an Atari executable here, references to scroll texts, featured demo screens and hidden articles may also be irrelevant.