The Software Syndrome
This week a new virus appeared on IBM computers - "AIDS" - how long before one appears in your music system? Vic Lennard looks at viruses and how you can avoid them.
ONE OF THE HORRORS OF THE '80S THAT'S GOING TO BE WITH US THROUGH THE '90S IS THE COMPUTER VIRUS; IT AFFECTS EVERYONE USING COMPUTERS IN BUSINESS AND AT HOME. YOUR ONLY PROTECTION IS KNOWLEDGE; NOW READ ON...
COMPUTER VIRUSES HAVE hit the headlines again recently. Apart from the panic-mongering of Conservative MP Emma Nicholson, there was the recent Friday 13th panic - which hit the Blind society (to name just one casualty) last October. As many of you who read MT use computers for making music, the time is ripe for your name to be added to the list of casualties. Incidentally, the subject of computer viruses and the damage they can do to people's work and businesses is not, as yet, covered by British law. You're on your own.
Most common on the Atari ST is the Signum virus. If you're less than convinced that viruses are a real danger to any computer user, let me give you a quick rundown of what this piece of programming does.
When you boot up with a Signum-infected disk, it immediately checks on to your system. In order to be able to write itself into your computer, it needs to know what position it can write itself into, and this will depend in part on which operating system your ST has. It copies itself into the ST's memory and ensures that it can check all disk accesses - it 'knows' whenever you put a disk into the drive and can "see" whether that disk is write protected or not. When the virus is executed, it simply clones itself into the boot sector of the disk which you have just put into the drive and accessed information from - opening a folder to check for a file is sufficient.
Before copying itself to a disk, Signum checks the first two numbers in the boot sector. If these are 60 38 in hexadecimal (Signum's calling card), then it assumes that the disk is already infected and leaves it alone. Otherwise it copies itself, ensuring that it changes nothing else about the disk so that you are given no warning.
Signum is of the "sleeper" variety of virus. It duplicates itself to each disk and sits there waiting for a second code (the "key") to appear on a disk in the drive - identified by 10 92 (hex) in the boot sector. It then checks a further two bytes to ensure that it has indeed been activated and then executes this key disk. It would appear likely that once this has carried out its dastardly deed Signum erases itself, because no-one has yet tracked down a copy of the key code. Whatever it does, the final command of the program is "only do it once". The only person who knows for certain what this second program does is the person who wrote it. Obviously, he or she is not likely to come forward for fear of meeting people who wish to discuss the pros and cons of capital punishment (or worse), but if the programmer would like to drop a line to me, I really would like to know.
Signum has already appeared on a variety of disks - in some cases these have been "legitimate" copies of programs as supplied by the companies manufacturing or distributing them. Examining just how this situation has arisen though, is outside the scope of this article. One area of the business of dealing in commercial software that is a particularly unhealthy breeding ground for viruses is the software duplication facility - once in, a virus could appear on all sorts of programs. However, such copying plants survive on the master programs they are given to duplicate...
The moral of the story, however, is that you should not assume any disk to be free of viruses unless you've checked it yourself - and remember a virus doesn't have to be active from the moment you receive it, it may be biding its time before destroying your work.
Music software isn't the only area hit by Signum; games such as Lombard RAC Rally and Star Command have been issued with Signum on board. Most duplicating establishments now check carefully for viruses.
A wander around London's principal music stores showed that a lot of Soho Soundhouse's copies of master disks, which they use for demo purposes, were Signum infected. This would not affect the software that you actually buy from them, but could be present on any copies taken from their computers. Through running a company called MidiHELP (plug, plug) which offers a disk data recovery service, I personally have come across a lot of disks containing Signum over the past six months, and all suffer from the same problem - a confused FAT (File Allocation Table) leading to files being overwritten.
"IT WOULD APPEAR LIKELY THAT ONCE SIGNUM HAS CARRIED OUT ITS DASTARDLY DEED IT ERASES ITSELF, BECAUSE NO-ONE HAS YET TRACKED DOWN A COPY OF THE KEY CODE."
SOME VIRUSES ARE innocuous and have obviously been written as a practical joke. The Ghost virus keeps count of how many times it has been transferred and after the fifth copy it reverses the vertical motion of the mouse - up becomes down and vice versa. The Mad virus uses a similar counter and then selects one of eight different routines. Seven of these cripple the screen display while the eighth creates a tune. These routines cause delays and may cause your computer to crash but no permanent damage is done.
Other viruses are not as friendly and have a more sinister intent. A virus called ACA keeps a ten copy counter and then destroys the boot sector, FAT and Directory of every disk inserted into the computer. Another called BHP wipes the boot sector and then leaves its calling card - "VIRE 87".
Some viruses check the ROM of the computer and only become active when they find one with a particular date. Consequently they will only be found when working with certain computers. Anything to add to the randomness of the situation which makes it more difficult to check the spread of a virus.
TOWARDS THE END of 1987, the Virus Destruction Utility (VDU) appeared. This was a program which could check for the calling cards of several viruses and erase the program code. Any such program would have to deal with two problems: how do you tell the difference between the virus program in the boot sector and an executable program which is part of the main data on the disk, and how can you immunise a disk so that it cannot be hit by the same virus again?
The first is simple. Wipe all code from the boot sector and then re-write the code that should be there. The latest version of VDU (now distributed by CRL in the UK and called Virus Killer) can repair over 150 boot sectors from commercial software - typically games.
Immunising a disk is more difficult. You need to know precisely what a virus is looking for when it determines whether or not to duplicate itself. In the case of Signum, leaving the first two bytes on the boot sector fools it into believing that the rest of the code is still on the disk when it has actually been erased. CRL's Virus Killer can currently recognise and destroy 24 known boot sector viruses, five link varieties and can check the internal system of your computer to tell you whether a virus is lurking in there.
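The calling-card check and the immunisation trick described above, as an added Python example (not code from VDU, Virus Killer or VKiller). The 0x1E code offset and the 0x1234 executable checksum are assumptions about the standard Atari ST boot-sector layout that the article does not state; the sample sector is constructed and contains no virus code.

```python
SECTOR_SIZE = 512
SIGNUM_CARD = bytes([0x60, 0x38])  # first two boot-sector bytes, per the article
# Assumptions, not from the article: standard Atari ST layout, where bytes
# 0x00-0x1D hold the branch, serial number and disk-format parameters, and
# TOS executes a boot sector only if its 256 big-endian words sum to 0x1234.
CODE_START = 0x1E
EXEC_SUM = 0x1234


def word_sum(sector):
    """16-bit sum of the sector read as big-endian words."""
    return sum(int.from_bytes(sector[i:i + 2], "big")
               for i in range(0, SECTOR_SIZE, 2)) & 0xFFFF


def classify(sector):
    """Return 'suspect', 'immunised', 'other-boot-code' or 'clean'."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("boot sector must be exactly 512 bytes")
    card = sector[:2] == SIGNUM_CARD
    executable = word_sum(sector) == EXEC_SUM
    if card and executable:
        return "suspect"          # calling card plus runnable code
    if card:
        return "immunised"        # card present, but TOS will not run it
    return "other-boot-code" if executable else "clean"


def immunise(sector):
    """Wipe boot code, keep format data, leave the card (data disks only)."""
    classify(sector)              # reuses the length check
    clean = bytearray(sector[:CODE_START]) + bytearray(SECTOR_SIZE - CODE_START)
    clean[0:2] = SIGNUM_CARD
    if word_sum(clean) == EXEC_SUM:   # never leave it looking bootable
        clean[-1] ^= 0x01
    return bytes(clean)


def constructed_sample():
    """Constructed test sector: format bytes, NOP filler, valid checksum."""
    s = bytearray(SECTOR_SIZE)
    s[0:2] = SIGNUM_CARD
    s[0x0B:0x0D] = (512).to_bytes(2, "little")     # bytes per sector
    s[CODE_START:0x40] = bytes([0x4E, 0x71]) * 17  # 68000 NOPs, not virus code
    s[-2:] = ((EXEC_SUM - word_sum(s)) & 0xFFFF).to_bytes(2, "big")
    return bytes(s)
```

A scanner that only looks for 60 38 would flag every immunised disk as infected, which is why `classify` also checks whether the sector is executable.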
George Woodside in America has been tracing and destroying viruses for some years now and also has a piece of public domain software written by himself, called VKiller. This program not only allows you to check your disks for viruses but will also give you the format of the disk - sides, number of tracks and sectors and so on. It does have two shortcomings - it doesn't recognise a boot sector containing the Atari operating system for those who boot up their Atari from disk (it tells you the disk may be dodgy - too true) and it doesn't immunise a disk once it has evaporated the code for the virus. Nevertheless, it is extremely easy to use and can be obtained through Music Technology - refer to the end of this article for details.
The biggest problem with both these programs is that they cannot check the boot sectors of hard drives. Certain viruses, including Signum, will write themselves to your hard drive if they have had the chance to virus the disk that you keep in the floppy drive when you boot up.
"A WANDER AROUND LONDON'S PRINCIPAL MUSIC STORES SHOWED THAT A LOT OF COPIES OF MASTER DISKS, WHICH ARE USED FOR DEMONSTRATION PURPOSES, WERE VIRUS INFECTED."
THE OBVIOUS PRECAUTION to take against "contracting" a virus is to keep the write protect tab on your disks open. Unfortunately, this makes saving data to disk a bit awkward. Alternatively, the thing to do is to get a virus killer and check your entire disk collection, "killing" whatever viruses you may find there. This must be followed up by checking every new disk which is to be loaded into your computer before you load it. Alternatively, you can keep a boot-up disk which you know is clean and always start with this. If necessary, turn the computer off for 15 seconds or so to ensure that anything held in memory has been erased.
To put it in a nutshell, unless you boot up with a virused disk the virus cannot execute itself and so is very unlikely to be able to copy itself into your computer. A clean boot disk is imperative.
While too many people are apathetic about the danger of computer viruses, others are inclined to cry "Virus!" whenever anything unusual happens to their computer. Imagine that you are booting up with your usual disk and that when the desktop appears, the names under the icons are gibberish. A virus?
Probably not; it's more likely to be a faulty disk - perhaps the surface coating is bad or it's been affected by a magnetic field. This type of occurrence is far more likely and could give the same results. Software copy protection could also be the culprit. A standard disk has 80 tracks but can be formatted with up to 83 on some computers. However, Atari only guarantee 80 tracks for their disk drives. For example, Steinberg's Twelve sequencing software used track 81 for its copy protection, meaning that some computers couldn't load up the program. Dr Tirric - a cheap, speech-synthesised piece of software - has a routine built in which will burn out one of the Atari ST chips if you attempt to run a pirate copy.
ONE OF THE most efficient devices for spreading viruses is the modem - this effectively networks a group of computers together. An American software house, on hearing that a hacked version of one of their programs was on a bulletin board, downloaded it via modem for examination and promptly wrote a virus to their hard drive.
There is little doubt that computer viruses are here to stay. What is needed is public awareness of the situation - hence this article. The problem is certainly expanding. George Woodside estimates that he gets around 40 disks a week from people who suspect that they have discovered a new virus. If only a small proportion of these are accurate then we have trouble with a capital "T" because to protect against a virus, you need to know what that virus does. The worst possible attitude is one of complacency.
Now that the research for this article is complete, I can reconnect my hard drive...
Thanks to George Woodside for help in compiling this article.
Reading: Computer Viruses - a high-tech disease by Ralf Burger. (Abacus - Data Becker) £17.45.