Vintage Viruses - Dormant but not dead
So, My IBM AT was now fixed, configured and fully loaded. I'd added it to my collection website and written a couple of blog entries. The project was wrapped up. That was that - end of story.
However, before I tell the tale, bear with me while I describe my setup. It's important to know that, so you can see how the following happened.
In my computer shack I have a non-Internet Pentium II (PII) 500MHz machine running Windows XP which I use to store all my vintage programs and disk images. I use this machine to write 5.25 inch floppies and to connect to non-MS-DOS machines via the serial port and other output devices for software transfer.
Why non-Internet? For two reasons:
- This machine has quite an old motherboard and I've had problems getting a wireless card to work, and
- Windows XP runs as slow as our dog (an old overweight dog with arthritis) when fully-Internet ready. By switching off all network services, the machine achieves a modicum of speed.
I use the second rationale to excuse the absence of a virus checker on this machine. These background programs can be resource hungry and the constant checking reduces performance. If not disk imaging directly, the PII gets its files via pen drive, normally from my own Internet-capable laptop which has the latest virus checker. As the PII wasn't connected to the Internet, and most incoming files came from a machine with a virus checker, I figured I didn't need one of the latter. Right? Wrong!
The infection uncovered
On occasions I also transfer files the other way, i.e. from the PII to my laptop to backup the PII's software archive. This archiving episode was the final postscript to the AT restoration. The latter was now loaded with software, and I wanted to store a second backup of all programs on the AT (primarily stored on the PII) on my laptop. I gathered the AT files from the PII and wrote them to a pen drive. I then started to copy these files onto my own machine.
Suddenly the file transfer stopped! What? CPW.1527 virus detected? What the hell was that??
Figure 1. Symantec quickly cleaned and quarantined the infected files
I was horrified to see that the two files listed as infected (and now quarantined) were files I had used extensively to diagnose and rebuild the AT. More than that, they were also files I'd recently been using on another machine, my 386DX40!
A quick Google search revealed the virus originated in Chile around the early nineties. This infective MS-DOS parasite attaches itself to .exe and .com files (including the boot system file, command.com) and lies dormant waiting for 1am on Sept 11, May 27 or Dec 28 to arrive. If the infected machine is running at this time, the virus activates and trashes whatever hard drive it happens to find itself on! Nasty!
But how did it come to infect those files? And what else was infected?
Possible source of infection
I could think of three possible sources of contamination:
- The AT's original hard drive contents. Although I couldn't boot from the hard drive I could list and run programs from it.
- The original AT setup zip files I'd obtained from the Internet. One program I'd downloaded off the Net, the other had been sent to me by email.
- From my own disk collection. I'd added a number of my favourite programs from the 1980s using a real disk library I had.
I figured an infection from the AT's original hard drive contents was unlikely although not impossible. Apart from BASICA I hadn't run any other programs before I low-level-formatted it. The Internet-sourced files were chief suspects and I immediately checked the zips with a modern virus checker. However, they were clean. That left my own disk collection as the most likely point of origin.
I needed to do the following:
- Put a Windows virus checker on the PII and clean the files in the archive (they were bound to be infected as these were the source of the copies on my pen drive).
- Using a clean write-protected boot disk containing an MS-DOS virus scanner, check (and clean if necessary) both my 386DX40 machine and the IBM AT.
- Check ALL my (150 or so) floppy disks to see if any viruses lay dormant on them.
To check the PII, I used a demo version of F-PROT for Windows. It immediately found the infected files and cleaned them. So far, so good.
(i) F-PROT for DOS
To check the MS-DOS machines I first looked at using F-PROT for DOS, downloadable as a freebie on the F-PROT site. However, when I ran this, there were two problems. First, the package was so huge (4MB) I had to transfer it to the 386DX40's hard drive via (slow) serial cable transfer, rather than launching it from a clean boot floppy. Second (and more importantly), the software decided that the virus definitions file in the zip was so old it simply wasn't going to bother to check for any viruses, and simply shut down!
(ii) McAfee's SCAN
McAfee's SCAN program, the second anti-virus tool I looked at, came to the rescue. The 1996 version took up a mere 800k and hence could reside on a bootable floppy. I could clean boot the machines, then run the program from the floppy disk. Sweet!
SCAN.exe was executed. If it found the CPW.1527 virus, it was instructed to remove it.
(i) The 386DX40
This scan picked up and cleaned both the files originally caught by my laptop scanner. They were the only infected items on that machine.
(ii) The IBM AT
This scan showed a huge haul of 22 CPW.1527 virus-infected com and exe files including command.com! The machine was a virtual virus incubator!
Figure 2. Scan.exe having done its work
(iii) My floppy disk collection
Now this was interesting. A total of eight floppies were infected. Amongst those were my original disks of TurboBasic, and XTPRO. However, all disks containing infected files had programs I had used with, or copied onto, the IBM AT during setup.
The source? I believe it came from a commercial MS-DOS 3.1 Supplementary installation disk I was given a while ago (see opposite). This disk was not automatically write-protected, as some are. SCAN identified GWBASIC.EXE as having the virus attached. I remember using both disks in the installation set to originally set up the AT when it first arrived. I also vaguely seem to remember running GWBASIC just to see if the MS-DOS version would run on these IBM machines. It seems I'd infected the machine right at the very start of software installation!
Another lurking virus
One more thing. Scan.exe found one other virus in my floppies. This was the legendary "Stoned" virus (allegedly first written in New Zealand). It was sitting in a Microsoft Bus Mouse installation disk I had inherited from the department I worked in way back in the 1980s. The last bus mouse I had anything to do with would have been around 1988 at the latest. I remember we had an outbreak of the Stoned virus about then, so it was probably infected at that time. It had remained dormant and hidden on that disk in my disk collection until now!
Had I not copied my AT files to my laptop for a second archive backup (hence causing the virus to be picked up by my antivirus program), these gremlins would have gone undetected and would have continued to spread throughout my MS-DOS machines and collection. Even worse, I might have spread them to others in an emailed or downloadable zip file.
The whole experience was a wake-up call for me regarding these vexing vintage artifacts. They are still around, and even though we tend to use these machines for less critical purposes, old viruses still need to be considered and our disks protected.
I've now got a virus checker on the PII. The contents of any MS-DOS zip files I get from the Internet will be checked before writing them to floppy for use in my old machines. Any disks I get given will be scanned in the 1.2 MB drive of my PII machine before I insert them in my MS-DOS computers.
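A signature scanner only catches what its (possibly ancient) definitions know about. As an added example, not from the original post, here is a small integrity baseline for a software archive like the one on the PII: record the size and SHA-256 of every .exe and .com file while the archive is known clean, then re-check before copying anything off the machine. A parasitic infector that attaches itself to executables must change their bytes (and normally their length), so altered files show up even without a matching signature. The archive layout, file contents and the simulated "infection" in the demo are all constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# Only MS-DOS executables are baselined; they are what a parasitic infector targets.
DOS_EXECUTABLE_SUFFIXES = {".exe", ".com"}

def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root: Path) -> dict:
    """Map each .exe/.com under root (relative path) to its size and SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in DOS_EXECUTABLE_SUFFIXES:
            baseline[str(p.relative_to(root))] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return baseline

def verify(root: Path, baseline: dict) -> dict:
    """Return {relpath: reason} for every executable that no longer matches the baseline."""
    findings = {}
    current = build_baseline(root)
    for rel, rec in baseline.items():
        now = current.get(rel)
        if now is None:
            findings[rel] = "missing"
        elif now["size"] != rec["size"]:
            grown = now["size"] - rec["size"]
            findings[rel] = f"size changed {rec['size']} -> {now['size']} ({grown:+d} bytes)"
        elif now["sha256"] != rec["sha256"]:
            findings[rel] = "contents changed, same size"
    for rel in current.keys() - baseline.keys():
        findings[rel] = "new executable not in baseline"
    return findings

def demo() -> dict:
    """Constructed run: baseline a tiny archive, then tamper with one file by appending bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "GWBASIC.EXE").write_bytes(b"MZ" + b"\x00" * 500)   # constructed stand-in
        (root / "README.TXT").write_bytes(b"not an executable")     # ignored by the baseline
        baseline = build_baseline(root)
        with (root / "GWBASIC.EXE").open("ab") as f:
            f.write(b"\x90" * 64)   # constructed: mimic an infector appending itself to the file
        return verify(root, baseline)
```

Run the baseline on the archive machine and keep the baseline file somewhere the archive itself cannot alter (a write-protected floppy or the laptop); a clean verify before each pen-drive export is the check that would have caught this infection earlier.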
These viruses may be old, but they still pose a threat.
30th August, 2009