
Lurking Vintage viruses can still get ya!

tezza (Veteran Member, joined Oct 1, 2007, New Zealand)
The virus post in the off-topic section prompted me to write a note on something I experienced just this morning.

As some might know, I've been having fun setting up a recently acquired AT. This weekend I just finished loading the hard drive with classic software from my old 80's disks and recent internet downloads.

In the computer shack, I have an old PIII Windows machine which IS NOT wired to the Internet. The PIII runs Windows XP. I use it for file storage, disk imaging and as a replacement cassette player for my old machines. So all the files I use for my old machines are stored there, including copies of files from all my old 1980s floppies.

As it's not networked, I usually transfer files from my main Internet-capable computer to this machine (and vice versa) via pen-drive. As my main internet computer has a good virus checker AND the PIII file storage machine is not networked in any way, I considered the virus risk to the PIII (and hence my vintage machines) very low. Windows XP is fast enough on a PIII with all the Internet Services off, but only just. I didn't want to slow it down more by putting a virus checker on it.

Anyway, before I finished off last night I copied my updated MS-DOS archive (which had expanded somewhat due to the AT activities) from the PIII to my pen drive to transfer to my main machine for backup.

I did that transfer this morning. While I was doing this, I got a virus alert from my antivirus checker. Several of the MS-DOS files were infected with the CPW.1527 virus!! This virus leaps to *.com and *.exe files and infects them, including command.com. Some of these files identified as infected were ones I downloaded from the Internet. I went back to the original source and scanned them. They were clean.

I think the virus was lurking on a version of Checkit on a pair of floppies someone gave me. It spread from this. So now lots of my AT files (and probably command.com) will have it, and possibly a few more of my floppy disks. A few files on the archive on my PIII are obviously infected (hopefully not the command.com... unlikely as I never activated any of the software on that machine).

Lesson:

1. Old floppy disks (especially someone else's disks!), could have time bombs sitting in them, so they are worth a scan when setting up a hard drive system. Old viruses may fade from memory but they never die, they just sit dormant.

2. Floppy transfer of viruses is rare these days so it's easy to forget not all viruses come from the Internet. Even a non-networked machine can hold infected files if sourced from floppies, so there is a risk.

I'll be installing a light virus checker on the PIII (and maybe the AT), after cleaning up the infection.

Tez
 
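What a scanner-independent triage of an archive like the one above could look like, as an added example that is not part of the thread and not code from any of the products named in it. It parses .COM files and MZ .EXE headers and flags the shape an appending file infector leaves behind (the entry point redirected to a short block at the end of the file), and it adds the "go back to the original download and compare" step as a SHA-256 check against a trusted copy. The file names and contents are constructed stand-ins, not real programs or a real virus body; the 1527-byte tail is only a size chosen to echo the number in the virus name, and the heuristic does not depend on it. It is triage, not a substitute for a scanner with definitions.

```python
"""Heuristic triage of DOS .COM/.EXE files for appending file infectors."""
import hashlib
import struct

# Assumed triage setting: an appended virus body of a few hundred bytes to
# about 2 KB leaves the new entry point within this distance of end-of-file.
TAIL_WINDOW = 2048


def com_jump_target(data: bytes):
    """For a .COM that begins with JMP rel16 (opcode E9), return the jump
    target as a file offset. COM images load at CS:0100h, so the target
    IP is 0103h + rel and the file offset is 3 + rel."""
    if len(data) < 3 or data[0] != 0xE9:
        return None
    rel = struct.unpack_from("<h", data, 1)[0]
    return (3 + rel) & 0xFFFF


def entry_in_tail(entry: int, size: int) -> bool:
    """True when the entry point sits in the last TAIL_WINDOW bytes and past
    the midpoint: the footprint of an appending infector. A program that
    jumps over a large trailing data block will also trip this."""
    return 0 <= entry < size and size - entry <= TAIL_WINDOW and entry > size // 2


def check_com(data: bytes):
    target = com_jump_target(data)
    if target is not None and entry_in_tail(target, len(data)):
        return f"entry JMP to file tail (offset {target} of {len(data)})"
    return None


def parse_mz(data: bytes):
    """Decode the MZ header fields that locate the load module and entry point."""
    if len(data) < 0x1C or data[:2] not in (b"MZ", b"ZM"):
        return None
    (e_cblp, e_cp, _crlc, e_cparhdr, _minalloc, _maxalloc,
     _ss, _sp, _csum, e_ip, e_cs) = struct.unpack_from("<11H", data, 2)
    header = e_cparhdr * 16
    image = (e_cp - 1) * 512 + e_cblp if e_cblp else e_cp * 512  # e_cblp == 0: last page full
    return {"header": header, "image": image, "entry": header + e_cs * 16 + e_ip}


def check_exe(data: bytes):
    hdr = parse_mz(data)
    if hdr is None:
        return None
    reasons = []
    if hdr["image"] > len(data):
        reasons.append(f"header declares {hdr['image']} bytes, file has {len(data)}")
    if hdr["entry"] >= hdr["header"] and entry_in_tail(hdr["entry"], len(data)):
        reasons.append(f"entry point in file tail (offset {hdr['entry']} of {len(data)})")
    return "; ".join(reasons) or None


def triage(files: dict) -> dict:
    """Map name -> reason for every file that looks infected."""
    findings = {}
    for name, data in files.items():
        if data[:2] in (b"MZ", b"ZM"):
            reason = check_exe(data)
        elif name.upper().endswith(".COM"):
            reason = check_com(data)
        else:
            reason = None
        if reason:
            findings[name] = reason
    return findings


def baseline_of(files: dict) -> dict:
    """SHA-256 of each trusted copy, keyed by name."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}


def changed_since_baseline(files: dict, baseline: dict) -> list:
    """Names whose hash differs from the trusted copy (the re-download check)."""
    return sorted(n for n, d in files.items()
                  if n in baseline and hashlib.sha256(d).hexdigest() != baseline[n])


# --- constructed sample files: not real programs and not a real virus body ---
def make_com(clean: bool) -> bytes:
    # MOV AH,9 / MOV DX,010Bh / INT 21h / RET, a message, then 4000 bytes of data
    body = bytes([0xB4, 0x09, 0xBA, 0x0B, 0x01, 0xCD, 0x21, 0xC3]) + b"Hello, world.$" + b"\x90" * 4000
    if clean:
        return body
    # appending-infector pattern: JMP to where the original ended, the original
    # first 3 bytes saved in the tail, then 1524 bytes of stand-in body (1527 total)
    rel = len(body) - 3
    return b"\xE9" + struct.pack("<h", rel) + body[3:] + body[:3] + b"\xCC" * 1524


def make_exe(clean: bool) -> bytes:
    load_module = b"\xB8\x00\x4C\xCD\x21" + b"\x00" * 3995   # MOV AX,4C00h / INT 21h + padding = 4000 bytes
    if not clean:
        load_module += b"\xCC" * 1527                         # stand-in appended body
    header_paras = 2
    total = header_paras * 16 + len(load_module)
    e_cp, e_cblp = divmod(total, 512)
    if e_cblp:
        e_cp += 1
    cs, ip = (0, 0) if clean else (4000 // 16, 0)             # infected: entry moved to the appended body
    hdr = b"MZ" + struct.pack("<11H", e_cblp, e_cp, 0, header_paras, 0, 0xFFFF, 0, 0, 0, ip, cs)
    return hdr.ljust(header_paras * 16, b"\x00") + load_module


SAMPLES = {
    "FORMAT.COM": make_com(True),
    "CHECKIT.COM": make_com(False),
    "GWBASIC.EXE": make_exe(False),
    "PRINT.EXE": make_exe(True),
}

if __name__ == "__main__":
    for name, why in triage(SAMPLES).items():
        print(f"{name}: {why}")
```

Run against a directory of files instead of `SAMPLES` by reading each file's bytes into the dict; anything flagged is a candidate to compare against a clean copy with `changed_since_baseline`, which is the step that told the poster the original downloads were fine and the archive copies were not.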
So what virus checking program do you use on old floppies, on a machine not connected to the internet?
I probably need something for DOS, and something for CP/M if there were even viruses back then.
 
In the day I used a program called SCAN (Scan.exe) to keep viruses at bay. Apparently this virus I've got may have ways to negate SCAN, which is why I looked for something different.

I've never heard of a CP/M virus, but that doesn't mean to say they don't exist.

Tez
 
Yikes, a real virus too, i.e. one that self-replicates and embeds itself into files. (Most viruses on my kids' PCs are actually Trojan Horses, which the user does have to take some responsibility for, as they were the one that clicked the flashing banner saying you have just won a lottery you didn't enter.)

True viruses are nasty.

My first experience with a real virus was in the late 80s doing some work on an Apple Mac in a big hospital. A very harried IT support guy came through, did some testing and announced the computer had a virus. I asked where it had come from, and he said he had just been cleaning it off computers in the gastroenterology department. 'So my computer has a gastro bug?' I quipped. But he didn't seem amused.

As for CP/M viruses, I hope they don't exist. Off to check my source files now...
 
Yes yes yes on F-Prot Dos version. I was a super loyal fan of F-PROT for years and years. DOS one works well.

Unfortunately, their modern Windows product has had a bad performance problem. It's been over 1 year and still not fixed. I had to drop my subscription as they just can't seem to fix the problem.
 
Avast! is a free antivirus for modern machines and it has a very low system performance impact.

Tezza,

If it were me I would network the machine to my main, map the drive and run the scan on it. Then when I am sure it is clean, simply unplug the network cable. Then I would periodically (weekly) plug it back in and re-scan to make sure nothing new has arrived.

Better yet, just share and map the floppy drive, and scan those before copying files from it.

Viruses don't always come from the internet or networks, but IIRC they had to actually be run in order for the infection to spread. So my networking suggestion should work like a charm.

Thanks for the warning though, I would have never remembered/thought of it myself.
 
I haven't run an antivirus program for many years. I used to like F-Prot for DOS and have a copy hidden away. I'm wondering though, could a modern antivirus program, such as those used for MS-Windows, recognize all those outdated bugs that have long since disappeared from public view and live only on old floppies?
 
If it were me I would network the machine to my main, map the drive and run the scan on it. Then when I am sure it is clean, simply unplug the network cable. Then I would periodically (weekly) plug it back in and re-scan to make sure nothing new has arrived.

Better yet, just share and map the floppy drive, and scan those before copying files from it.

Thanks for the suggestion. I actually did try to network the PIII once using a wireless network card (my wireless reaches the garage) but for some reason neither card I used worked on it. I did a lot of searching to find out why... really to no avail, but I decided in the end it was because my P3 was too old (2001) and the wireless network cards were too modern and they just didn't seem to like each other. But also, the P3 with XP runs much faster with all the network stuff disabled so I'll probably keep it that way. I will install a virus checker on it though. I won't have it working in memory but will just configure it to check files on the floppies every time I use them.

Tez
 
I haven't run an antivirus program for many years. I used to like F-Prot for DOS and have a copy hidden away. I'm wondering though, could a modern antivirus program, such as those used for MS-Windows, recognize all those outdated bugs that have long since disappeared from public view and live only on old floppies?

Well, I am sitting here in the computer shack right now and F-Prot for Windows is chugging away on my PIII (I downloaded it before chuckcmagee posted his note about it). Anyway, it has already picked up CPW.1527 on the two infected files in question and cleaned them. So, at least it knows that one.

Another thing that is chugging away is an RS232 transfer from my PIII machine to my 386DX (which I also used the infected programs on). Why? Because F-Prot for DOS is about 5MB in size and way too big to fit on a 1.2 MB floppy.

It's taken about 40 mins at 19200 (fastest speed the 386 supports). Another 10min to go.

Then I'll have to do the same with my AT.

I don't know much about this virus. Hopefully, it is not smart enough to protect itself or infect every new file it sees coming into the machine, even if it is resident in memory.

Just in case it is smart, does anyone know of a good DOS virus disinfector that will fit on a single 1.2MB bootable floppy?

Tez
 
Avast! is a free antivirus for modern machines and it has a very low system performance impact.

Thanks I might try that out.

Well, I've just run F-Prot on the 386. After all that, F-PROT for DOS seems to think this 386 is clean after all.

At least I THINK it does?

I'm not entirely sure just what check it's done though. First it won't run in the interactive mode. Not sure why? However on issuing the appropriate command it does seem to chug through the disk checking something. Nothing appears on the screen though? Weird.

Second, at the end of what is presumably a thorough scan, the words come up "The SIGN.DEF file is too old to be of any use. It will probably only detect a fraction of the viruses that exist today. Please obtain and install an up-to-date version." I figure this message comes up if the System date is far ahead on the date on the DEF file.

Anyway,...too late to do any more today. I'll have to check my floppies tomorrow with the F-PROT for windows and maybe look at something else for these two MS-DOS machines of mine. Preferably something I can boot from a floppy and will tell me what's going on.

Tez

 
Right,

Got a copy of Mcafee's scan circa 1996. Small as in 900k, with CPW.1527 listed in the definitions file. It will fit on a boot floppy. I'll give that a go tomorrow.

Tez
 
Yeah, I'm a bit late, but I still agree with you. I think I have some floppy disks around that have WYX on them.
 
It sucks but yeah, something to still consider with used software. That ended up with a project on one of my Amiga 2000s that I never finished... wanted an AV app before scanning a few thousand disks it came with but ran into lots of dumb little issues trying to get the largish files over to it at the time.

On the bright side viruses do have to be run to activate, the little worse side MBR/boot sector viruses are run when booting off the infected disk (not a file based infector). Lots of viruses started incorporating both techniques to ensure their "survival". A few figured out how to copy themselves to memory that doesn't get wiped out after ctrl+alt+delete which was interesting (before I came across that I had the incorrect assumption that it reset all low level memory). So just a heads up from that. I'm not sure if it's an interrupt overwrite or something like copying itself to high memory that gets it around a soft-reboot. Hard reboot of course your memory is clean, no TSRs will survive without writing to disk.

So an ideal scanning machine would be a write protected virus scanning floppy, two floppy drives and no hard drive. Then you can scan pretty freely and worry free.

Actually I'll modify my "best" scanning machine idea. A bootable CDROM distro with a RAM disk that you can then download the latest definitions (and hope it's not dumb enough not to scan MBR and older infections.. I really worry about products thinking older viruses are obsolete). Still no hard drive is good, then your OS can't get infected being on CD and your floppy is fine long as you don't boot off the floppy accidentally (disable in BIOS?). Then a low level 3(/4/5)86 would be perfect.
 
I still think that it is not necessary to use a modern scanner since recent viruses may not even be able to work in "primitive" environments like 16-bit. A newer scanner may also be unable to detect the early primitive infections and thus an unwise choice. My take:

FP-228B.ZIP 1137444 bytes - Jan 1998
1548244 bytes unzipped

FP-227.ZIP 993934 bytes - May 1997
1399645 bytes unzipped

The archive contains many files that can be removed to create space if needed. These are free of charge to private users and are suitable for BBS distribution. Note that even the larger one can be put on a 1.2 diskette. I have both versions if anyone is interested.
 
Ole Juul,

Hmm... F-Prot for DOS didn't work so well for me? I managed to get the whole 5 MB over eventually, but a scan came up with the message I mentioned in an earlier post.

Although it seemed like it was scanning prior to the message it actually wasn't. There is a "test" virus included with the package which I activated and it didn't spot that (the Windows version on the PIII did), so I assume it actually didn't work at all. It could be that the virus was protecting itself but I doubt if it is that sophisticated.

My two vintage machines with hard drives have only 1.2MB drives, not 1.44s. Although the F-Prot versions you mention can be transferred by floppy, really what I need is one that can be used from a bootable floppy. So it needs to be unzipped and be small enough to co-exist with command.com and the other system files.

I suspect these HDs are infected, and running a virus scanner from the HD in a machine where the virus is already active may not always work. Anyway, I'll try out SCAN on a bootable floppy tonight and see what happens.

Thanks for your suggestions on this anyway.

It could be a clock issue that's causing F-prot not to work. If I set the clock back so the definitions file doesn't seem so outdated maybe it will? I'd still prefer checking to be done from a floppy though, which the machine has also booted from.

Tez
 
Hm.. interesting to read the virus notes from AV folks. Of course symantec had me thinking it was released in 2000 then later I find stats of it from 1994 and I suppose per the date in the virus it was written in 1992.

You know I almost forgot about the PITA when different vendors name a virus differently. How annoying.. reading the description I was going to warn you (though you probably already read this) that if it's 1AM on Sept 11, May 27th, or Dec 28 and the virus is active in memory it'll go through and delete the first .com or .exe in (each? or current from execution) directory.

So while you're playing with backdating things and again, this is assuming it's not in memory (a clean bootdisk with known uninfected command.com) .. and ALWAYS write protect your scanning floppy :) I swear I've seen corporate companies who didn't do that and end up with a wonderful collection of infections they spread with each system they booted off their AV floppy.
 
Yes, I read about those activation dates where I first researched the virus. I wonder why the author selected those dates, considering this was a time way before Sept 11th was 9/11?

I was almost tempted to set the clock to one of those dates (a few seconds before 1am) just to see what happened! I say "almost" ;)

I agree, write-protecting your bootable virus-checking floppy is compulsory. I too, have seen a few examples of people caught with that oversight.

Tez
 
ok, just to conclude the story.

Armed with my boot-floppy-enabled SCAN program, I checked my 386 DX hard drive. Command.com wasn't infected but the same diagnostic files picked up by my Windows virus checker were.

Once these were scanned I installed SCAN onto the 386DX's hard drive, rebooted, and started to check all my 1.2 and 360k floppies.

A total of eight floppies were infected including my master disks of XTPro and TurboBasic. All infected floppies were ones I had used in setting up the AT.

I then dragged the AT out, and checked that. It was infested! Twenty two files infected including command.com. All cleaned now though.

I decided the source of the epidemic was an infected GW-BASIC.EXE file I found in my MS-DOS 3.3 installation disks. I used to be quite vigilant about viruses in my MS-DOS days, but these particular disks had been gifted about a year ago and I'd just assumed they were ok. I used them to set up the AT originally (it now has PC-DOS 3.1 on it, btw).

There is something more. I have in my disk library an old set of Microsoft Mouse programs including Paint and Show Partner (precursor to PowerPoint). I remember getting them for our IBM PC at work, when we got a Mouse Bus Card. Of course I hadn't even looked at them since 1985 or so. I was amused to find SCAN picked up the "Stoner" virus on the Mouse Driver disk. I remember this was rampant in our department when it first came out. Those disks haven't been used since about then, and they still had a relic of that time. :)

This experience was a wake-up call for me. People have donated a number of floppies to me, and it didn't cross my mind that they might contain viruses. Now I'll be giving them a health check as they come in!

Tez
 
You're right about predating the 01 attack but it was more likely just because 9/11 looks like 911 which is our nation-wide local emergency number. Who knows what dates a virus writer chooses though.. could be a birthday or a loved one or ex, some day they were pissed off and wrote the thing, day they got fired, whatever.

It's kinda funny and reminiscing, I used to hang out in a virus and antivirus usenet group early on and helped folks who posted about having malware, although the group had its share of virus writers also chatting. What was funny was one dude who wrote quite a few viruses that were spread to the public (I don't believe they were damaging, just spreadable) would gladly help anyone remove them. We used to joke that his viruses had better support than some commercial products.

While re-reading the posts I realized one major hitch from some techniques mentioned. Scanning over a network won't detect an MBR or boot-sector virus that will run and TSR whenever that computer is rebooted. Thus you'd waste some cycles cleaning files then finding an infection again later and wondering why. Back in the day I also used to be much more conscientious of malware and viruses. I guess it took so much longer to download things and everything was much smaller (not 1.5GB of random files) that I'd check almost all files in a hex editor also, looking for plaintext that looked malicious or for the word "del" or "format", etc. Virus scanners didn't tend to find files that spawned a shell and blew away a directory or all directories in the background.

The *BIG* thing that pissed me off with certain AV products was their lack of intelligent removal. Just like one I saw yesterday that suggested as cleaning/removal "find files with this string. Delete all the infected files." Uh... wtf?! That's not a virus scanner. I used to see that crap a lot (this is why I went with Norton all those years back); their competition would lie about what they could detect and eventually count every possible variant as a virus (dumb metrics of the known-viruses game) and then scan and find things it couldn't clean or didn't know how to clean. If it can't do anything about it I'd almost be more tempted not to know about it in the first place (ok not really, but still... why do that to a customer).
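The two boot-sector points raised in this thread (an infector in sector 0 runs and goes resident every time the machine boots from that disk, and a file scan over a network share never looks at sector 0 at all) can be checked directly on a floppy image rather than through a scanner. The script below is an added example, not from the thread or from any product named in it: it decodes the DOS BIOS Parameter Block of a boot sector and reports anything that does not look like a stock DOS floppy boot sector, then walks an image sector by sector looking for a sane boot sector stored somewhere other than sector 0, which is where infectors of that era typically stashed the original. The image, the clean boot sector and the "overwritten" one are all constructed here; the overwritten sector is a stand-in pattern (code from byte 0, no BPB, signature kept), not a real virus, and the geometry table and the relocation slot (LBA 17) are assumptions for the example.

```python
"""Sanity checks for a DOS floppy boot sector and a relocated-sector search."""
import struct

SECTOR = 512
# Assumed table of standard PC floppy formats: total sectors -> (sectors per track, heads)
FLOPPY_GEOMETRY = {720: (9, 2), 1440: (9, 2), 2400: (15, 2), 2880: (18, 2)}
MEDIA_BYTES = {0xF0, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF}


def parse_bpb(sector: bytes) -> dict:
    """Decode the DOS 3.x BIOS Parameter Block at offsets 11..27."""
    fields = struct.unpack_from("<HBHBHHBHHH", sector, 11)
    names = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors", "fats",
             "root_entries", "total_sectors", "media", "sectors_per_fat",
             "sectors_per_track", "heads")
    return dict(zip(names, fields))


def check_boot_sector(sector: bytes) -> list:
    """Reasons this sector does not look like a stock DOS floppy boot sector.
    An empty list means nothing odd was found, which is not proof it is clean."""
    if len(sector) != SECTOR:
        return [f"sector is {len(sector)} bytes, expected {SECTOR}"]
    reasons = []
    if sector[510:512] != b"\x55\xAA":
        reasons.append("missing 55AA boot signature")
    if sector[0] not in (0xEB, 0xE9):
        reasons.append(f"first opcode {sector[0]:02X} is not a JMP over the BPB")
    b = parse_bpb(sector)
    if b["bytes_per_sector"] != SECTOR:
        reasons.append(f"bytes per sector is {b['bytes_per_sector']}, not {SECTOR}")
    spc = b["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        reasons.append(f"sectors per cluster {spc} is not a power of two")
    if b["fats"] not in (1, 2):
        reasons.append(f"{b['fats']} FAT copies")
    if b["media"] not in MEDIA_BYTES:
        reasons.append(f"media descriptor {b['media']:02X} is not a DOS value")
    geom = FLOPPY_GEOMETRY.get(b["total_sectors"])
    if geom is None:
        reasons.append(f"{b['total_sectors']} total sectors is not a standard floppy size")
    elif (b["sectors_per_track"], b["heads"]) != geom:
        reasons.append("sectors per track / heads disagree with the total size")
    return reasons


def find_boot_like_sectors(image: bytes) -> list:
    """LBAs of sectors beyond 0 that pass every check: where an infector may have
    parked the original boot sector (the place a file-level scan never looks)."""
    hits = []
    for lba in range(1, len(image) // SECTOR):
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector[510:512] == b"\x55\xAA" and not check_boot_sector(sector):
            hits.append(lba)
    return hits


# --- constructed sectors and image: stand-ins, not real disks or real virus code ---
def make_boot_sector(clean: bool) -> bytes:
    if clean:
        # JMP short over the BPB, OEM name, DOS 3.3 style 1.2 MB BPB, hidden sectors,
        # then CLI / XOR AX,AX / MOV SS,AX / MOV SP,7C00h / STI as a boot code stub
        bpb = struct.pack("<HBHBHHBHHH", 512, 1, 1, 2, 224, 2400, 0xF9, 7, 15, 2)
        body = b"\xEB\x3C\x90" + b"IBM  3.3" + bpb + b"\x00" * 4
        body += b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB"
    else:
        # overwritten sector: JMP FAR from byte 0 and code where the BPB should be
        body = b"\xEA\x05\x00\xC0\x07" + b"\xE4\x21\x0C\x02\xE6\x21"
    return body.ljust(510, b"\x90") + b"\x55\xAA"


RELOCATED_LBA = 17  # assumed slot: cylinder 0, head 1, sector 3 on a 15-sector track


def make_image() -> bytes:
    """A 1.2 MB image whose sector 0 is the overwritten sector and whose original
    boot sector sits at RELOCATED_LBA; everything else is zero."""
    sectors = [b"\x00" * SECTOR] * 2400
    sectors[0] = make_boot_sector(False)
    sectors[RELOCATED_LBA] = make_boot_sector(True)
    return b"".join(sectors)


if __name__ == "__main__":
    image = make_image()
    for r in check_boot_sector(image[:SECTOR]):
        print("sector 0:", r)
    print("boot-sector-like sectors elsewhere:", find_boot_like_sectors(image))
```

On a raw image taken from a real floppy, read it into `image` and run the same two calls; a clean disk yields no findings for sector 0 and no relocated copy, and a clean scanning floppy should be write-protected before it goes anywhere near a machine that fails this check.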
 