THE ST'S VIRUS PART... (I FORGOT WHICH - WASN'T IT VII?)
by Richard Karsmakers
This issue of ST NEWS is terribly late. Apart from the fact that
I had to begin studying at Utrecht University (moving,
studying, RAGGING!) and that Stefan had the sudden and heavy
urge to visit the United States for several weeks, this was
mainly caused by an incredible boom in "Virus Destruction
Utility" sales. The new and even more versatile version 3.2
succeeded in breaking even my highest hopes and sold over 1000
units (when taking into account that every single one of those
was produced, distributed and filed by yours truly, this explains
some of the ST NEWS delay...)! At the moment, the "VDU" is
happily used by hundreds of people in Holland, West Germany,
Hungary, England, Belgium, Luxemburg, France, China, Australia,
the United States and Sweden.
Now....what is all the fuss about this new "VDU" version? Allow
me to go through the main specifications and update changes
* 12 Viruses (of which 2 are link viruses) are recognized (also
when already present in the system). Well over 100 innocent disks
are also detectable, whereas over 70 of those can also be
* A new option has been introduced: The possibility to write an
Anti-Virus after a disk has been repaired. This Anti-Virus, once
installed in your system (much like a Virus), automatically
detects executable disks and warns the user when one is found.
When no executable disk is found, it copies itself onto it. Some
caution is needed when working with MS-DOS disks, that are not
found to be executable as far as TOS is concerned...
* When a suspected disk is encountered (containing either a Virus
or a harmless bootsector program/loader), one can now also write
a so-called boot-file. This means that the bootsector data is
written onto a small file, so that only that file needs to be
sent to me and not the whole suspected disk or a copy of that
* The Drive C/D bug is removed (though a fraction of it still
appears to be left, which will of course be removed in version
3.3). All other bugs were removed and some code drastically
* The program is now MUCH more compact. All 'Repair' data files
are stored in a data file instead of in data lines in the basic
source code. This saves about 66% storage space. Overall, the
program only shrank a little, due to enormous recognition
* When a suspected disk is encountered, the program semi-
intelligently calculates a so-called "Virus Probability Factor"
(VPF). It hereby monitors a bootsector's machine code and checks
for typical virus characteristics. Theoretically, about all
unknown bootsector viruses can be detected this way.
* A German manual is now included on the disk right from the
beginning (as well as a Dutch and English manual).
* The 'Display License Number' option has been removed. A user-
specific number is now coded onto the program using some
techniques that will make it virtually impossible to find them
(let alone change them).
* All time-consuming code was optimized. This can result in time
savings of up to 1000% (especially when repairing disks). The
user interface has been slightly enhanced, and userfriendlyness
This new "Virus Destruction Utility" is of course still sold at
the same, rather LOW, price. The update service remains valid,
and people that send unknown viruses to me get a FREE copy (or
update, when they already have one).
TABLE OF PRICES FOR THE "VIRUS DESTRUCTION UTILITY" V3.0 AND UP
Country: Purchase amount: Update amount:
Netherlands 19.95 10.--
United Kingdom 6.95 4.--
United States of A. $ 11.95 $ 7.--
Belgium Bfr 395.-- Bfr 200.--
France Fr 64.95 Fr 30.--
Germany DM 18.95 DM 10.--
Italy L 1395.-- L 700.--
Canada $ 13.95 $ 8.--
New Zealand $ 16.95 $ 9.--
Sweden Kr 64.95 Kr 35.--
Norway Kr 68.95 Kr 37.--
Greece D 1495.-- D 800.--
Austria Sch 129.95 Sch 65.--
Switzerland Fr 14.95 Fr 8.--
Denmark Dkr 69.95 Dkr 35.--
If payed in cash, please only use paper money - NO COINS!!
Note: If using foreign cheques, add 50% to the purchase amount
or 75% to the update amount (to cover cheque cashing costs).
The money should be transferred to giro account number 5060326
of Richard Karsmakers, Utrecht, The Netherlands (Bank: Postbank,
Arnhem. No more specs needed), and cheques should be made payable
to the same.
The known viruses
Many (MANY!) people request information about viruses. Since it
is quite impossible to do that for all those individuals, I will
hereby supply you with a neat list of viruses that are known to
me (and recognized, of course, by the "VDU" version 3.2).
There it is again...the good old "Signum" virus, the virus that
had the dubious honour of being 'the first', the virus that
frightened us all, the virus that turned out not to be that
harmful after all. Rumours go that it waits for an illegal
version of "Aladin" to come by, which it will then destroy.
Hence, it is also said that it was in fact developed by the
people that made "Aladin": Proficomp. Nothing is certain with
regard to this, however! Its name is derived from the alleged
fact that it was first found on Application Systems' "Signum"
advanced word processing package. Nothing is quite certain with
regard to this, either. I decided to call it "Signum" virus
because this was already done earlier by the author of
"Antibiotikum" (a Public Domain viruskiller). I found it on the
22nd of November 1987, but I must have had it maybe a month
No symptoms yet known, as this virus is only the key to a virus
that still appears unknown and that still has to be written. Once
written, this can have an enormous variety of effects. The key
section (the current "Signum" virus) can only destroy bootsectors
of boot-loading programs (that will then be unfunctionable).
This virus is one of the more harmless (and also potentially
harmless) viruses, discovered on March 16th 1988 after Eerk
Hofmeester of STRIKE-a-LIGHT sent me a disk he suspected.
Unfortunately, this virus seems to have been used as a basis for
three or four other bootsector viruses.
After having been installed in the system, the virus waits until
it has been multiplied to another disk for five times. When it
has, it will randomly execute some routines, which include a
'screen flip', a 'beep sound' and a color change routine, or a
combination of these. It does not destroy any data on the disk
except for data present on the bootsector to which it was copied.
MAULWURF I (bootvirus)
While writing the "VDU" version 3.2, someone sent this virus to
me (the person's name, I am afraid, seems to have slipped my
mind). Anyway, the discovery date is set to September 3rd, 1988.
It was designed by the Subversive Software Group (SSG), seemingly
a German hack group (a bunch of mothers if you ask me!).
When the virus gets activated, it locks up your system by
displaying a message on the screen (name of the virus and name of
the author) and copying a part of the Operating System to $10000
Mr. Tarik Ahmia of 68000'er/ST Magazin sent me a new virus
killer program called "Sagrotan", which contained some complete
viruses in its recognition database (not really smart, guys! If I
can rip 'em out, others can do so, too!). One of those was the
BHP Virus (BHP stands for Bayerischer Hacker Post). The BHP is a
more or less legal usergroup in Germany, that originally
announced this virus over half a year ago. It was said to be able
to ignore the write-protect notch and to be reset-resistant. None
of this seems to be true. Anyway, my discovery date is September
The virus only seems to copy itself, and doesn't appear to do
This virus I also obtained by taking it out of the
aforementioned "Sagrotan" virus killer. Its discovery date is
thus set to September 10th as well. According to that virus
killer, this was a "Lab-virus fur Testzwecken", and this leads me
to the conclusion that they wrote it themselves. I'm not sure
about this, though.
Due to the enormous heaps of work I've had to do (with some
studying along the line), I have not yet been able to check the
symptoms out. Most important is that it can be recognized and
destroyed using the "VDU" (but then, you hadn't a doubt about
that, or had you?).
This is one of the adapted MAD virus versions I meant earlier. I
received it on July 12th 1988, and this was done by the author of
the German PD viruskiller "Antibiotikum", Carsten Frischkorn.
I am afraid I'm not quite sure about what triggers the thing,
but when it actually gets triggered, it hangs up the system so
that nothing can move anymore. Your system has to be reset (or
maybe even turned off/on) to function properly again. This is
thus quite harmless for actual disk data (except for things in
the bootsector), but quite lethal for files currently in memory
(especially large databanks or text files that you had not yet
written to disk).
This virus was also sent to me by Carsten Frischkorn, and thus
its discovery date (as far as I am concerned, that is) is July
12th 1988 as well. It is COMPLETELY HARMLESS if you do not have a
German pre-Blitter TOS machine - it doesn't even bother to copy
itself in those cases!
No known symptoms, as this virus accesses OS addresses and I do
not have that particular OS in my system.
On June 29th 1988, I received one of the first REALLY DANGEROUS
bootsector viruses: The ACA virus (sometimes also called OMEGA
virus). It was sent to me by someone calling himself Little Joe
(hi again!), and it appears to have been written by someone
calling himself Omega from The ACA crew. The telephone number of
this guy is (Sweden) 0300/63350. This lunatic was also
interviewed in 68000'er/ST Magazine number 9/88. A more dangerous
virus is said to be ready (including write-protect ignore and
stuff like that), but that do not launch it for obvious reasons
(then, why did they spread the first?!).
The ACA guys, in the interview, claim that the virus is harmless
and only copies itself. Well, I've had a look at it, and my
opinion is that the virus does not only copy itself, but also
clears all of track 0 (FAT and directory as well as bootsector)
when it finds it's already present on a disk. Dangerous, this
Somewhere in the summer of this year, I found out how an other
virus killer recognized this virus, so I could include it in the
"VDU" as well. I have never has 'the honour' of getting a full
version, though. What I DID get, was an article published in the
"C'T" magazine (yes, THEM again!!) that featured this virus
practically as a type-in-listing! The author of the article
claims to have found the virus on one of his disks, and decided
to write an article about it. If you ask me (since the virus has
never ever been seen elsewhere), this stinks like High Heaven! I
don't believe his claim (even worse: I strongly disbelieve it!).
Well, those "C'T" guys have done worse before (publishing the
"Milzbrand" linkvirus as an easy and convenient type-in-listing),
so I would't in the least be surprised.
I don't know much about this, as I have not really looked into
the listing deep. It seems to be reset-proof due to an
undocumented TOS features, and can copy itself to harddisk as
well using a random (undocumented) value of certain parameters in
the 'rwabs' BIOS function.
The first known link-virus was "Milzbrand", published in the
German computermagazine "Computer & Technik" Heft 4 as type-in-
listing (!). Author is Eckhard Krabel from Germany. It was
published as a type-in-listing that even the biggest nutcakes can
adapt to their own specific (no doubt EVIL) uses. Krabel was so
free as to supply an Anti-virus, too, which can be just as
harmful to your programs (NEVER use it!).
The original virus checks the date stamp - when it's set to
1987, the disk's bootsector and FAT are cleared and the info on
the disk is unreadable after that. In the bootsector, it writes:
"Dies ist ein Virus!" (German for "This is a Virus!"). But, due
to the type-in-character of the virus, anyone can change these
Read all about this terrible computer freaks's nightmare in a
full review of this program, elsewhere in ST NEWS.
A "new" Virus Killer
I was quite amused when I recently obtained a 'new' virus killer
from Sweden, called "Doctorin' the House". It was a virus killer
in which samples were used (applause when no virus found, stuff
like that) as well as graphics. Great was my surprise when it
turned out to be nothing less than an upgraded version of my old
Public Domain (versions 2.x) "VDU" program! The author, An Cool
(don't know if that's his real name or not), made it very nice.
Only now, it's about twenty times as large as the original
Hilfe! Die Viren kommen! - A publication on the "Virus
Through the guys of The Exceptions (hi, Erik!) that were at the
time writing their first articles for 68000'er/ST Magazin, I was
brought into contact with the mag's chief editor, Tarik Ahmia.
Soon, the question arose whether or not I was interested in
writing an article for him with regard to viruses on the Atari
ST. Of course, I agreed (my ego won over my modesty - as usual).
So, in issue 9/88, a four-page long feature article appeared in
the magazine, together with some splendid advertisements and even
third-party adds (thanks, CCD Eltville! I am sending a free "VDU"
copy to you soon!). That was the main reason why I have sold over
800 copies in Germany alone, and another 100 in Switzerland and
Austria. I am proud to say that I have received very many
positive reactions to the article, and that really lifted my
heart. Thanks to all of you that reacted so nicely, and of course
especially those that also bought my "VDU"! You have taken care
that I can now live reasonably in Utrecht, where life is ghastly
expensive for a first-year's Biology student, torn away from the
financial support of his parents as well as the safety and
protectiveness that used to be present there.
The text of the articles is identical to the originals like they appeared in old ST NEWS issues. Please take into consideration that the author(s) was (were) a lot younger and less responsible back then. So bad jokes, bad English, youthful arrogance, insults, bravura, over-crediting and tastelessness should be taken with at least a grain of salt. Any contact and/or payment information, as well as deadlines/release dates of any kind should be regarded as outdated. Due to the fact that these pages are not actually contained in an Atari executable here, references to scroll texts, featured demo screens and hidden articles may also be irrelevant.