25 May 2024

Virus removed, after 30 years. A tale of retrocomputing.

Armed with F-PROT 2.24 on a write-protected 3.5" floppy disk I tackled the infected machine.

First of all I wanted to be sure that the computer was infected. So I let it boot normally, then ran F-PROT from the floppy, which halted during the RAM test with this warning:

A very visible message is printed on a computer screen informing the user that the machine RAM memory is infected.
It's a pretty alarming message.

So I booted it off DOS 3.2 on a floppy disk (write-protected) and ran a second scan. This time the memory was clean but it obviously detected Junkie in the hard-disk MBR, which could not be cleaned. That was expected. Unfortunately DOS on that floppy would not recognise the hard disk so I could not issue the [FDISK /MBR] command.

What's the infected program?
Time for a... reinstall! This time I used the three 3.5" floppies with MS-DOS 5.0, booted off the first one and followed the guided procedure. We should note that since it detected a formatted HDD, there was no need to format the disk and wipe the content: it simply copied itself over C:\DOS. Unfortunately this probably left me with an infected MBR and at the end of the install process it wanted to reboot. Hitting F-keys I managed to get a DOS prompt where I could run FDISK /MBR (maybe the setup wizard had already done that, but I preferred to avoid a second reinstall).

1996 F-PROT in 2024 action!
Rebooted from HDD. Loaded F-PROT from the floppy and let it scan the disk. It located two infected .COM files I remember I had executed, which were cleaned. Now we're ready to go. No, there's the pile of 5.25" floppies I DIR'ed to check!

So I spent more than a few minutes scanning all 5.25" disks that were at hand's reach and found nothing. In order to prevent similar mistakes I have now write-protected these apparently clean disks.

Side note on F-PROT. The executable can be run with the /OLD option to bypass the "signatures expired" block. Apparently /OLD on 2.24 does not work so I simply set the system date a month later than the signature timestamp.

20 May 2024

Limited resources. A tale of retrocomputing

Having unlimited access to the resources of a computing history museum has diverted my free time activities to a different kind of equipment: (retro)computers and (retro)computing. I do miss the hiss of SSB or the smell of soldersmoke, but I don't mind following unexplored lands of lost knowledge. Regardless, there's plenty of stuff to fix, too!

I was going through a stash of 5.25" floppy disks when I found a text adventure in Italian for DOS from 1986. On the modern Internet I found a person looking for a copy of the game since he had played it back then: why not share the joy of my discovery with him?

I had to transfer the file from 5.25" floppy to 3.5" floppy on an 80386 Olivetti machine (circa 1988). Then the floppy went into a modern high-end Compaq Presario 2100 laptop (2003) to be transferred to a USB stick. Finally the USB stick went into an Internet-connected machine (2023) for a final backup and delivery to my new friend.

How cool is that? I've used some 40-year old media and time-traveled its content ~20 years ahead, twice.

Since the 5.25" floppies were DS/DD with 360 kB capacity, I could fit 4 of them in a 1.44 MB 3.5" floppy. Why not? So while I was at it I copied another disk with an Epic Megagames shareware game, a Tetris from 1986 and a Z80MU (Z80 emulator).

When the USB stick hit the modern computer, the antivirus detected the Junkie virus in TETRIS.COM.

HORROR!

The problem is not the single infection, but all the write-enabled floppies I read on the Olivetti machine once I had played a bit of Tetris myself. And, worse, the infection in the Olivetti machine! I am not sure what was infected first: the PC or the .COM program. Never mind, now.

While I could reinstall the 80386 computer (DOS 6.x), I chose to try to preserve its content and see what can be done. This means traveling back in time in order to have a functional antivirus software on a single 1.44 MB floppy disk. That was the preferred portable media, so a time-correct antivirus had to fit on a single disk.

Everyone agrees that the free-for-personal-use F-PROT antivirus in the 1980s and 1990s was the best choice. The latest version 3.16f from 2009 is just too large at 9.2 MB. Reader, I'll boot the machine off a clean floppy disk and run the antivirus from another floppy. No fiddling with multi-volume .ZIP files, especially since it's not needed.

The biggest challenge for the inexperienced retrocomputing guy that I am was to locate an F-PROT version released after Spring 1994.

While browsing old software on archive.org I remembered that computer magazines (yes, printed on paper) usually came with a CD full of shareware software. Then in a matter of minutes I had downloaded the .ISO image of a CD and finally found F-PROT 2.24A from August 1996.

When I finally saw the folder with the wanted piece of software (in a .ZIP file, of course) I realised why most of my searches failed. In DOS days, filenames followed the 8.3 format convention. In 8 characters you had to fit both a mnemonic for your product and a version number. So it is not F-PROT_224A.ZIP (11.3) but rather FP-224A.ZIP. "FP" reader, "FP"!

Directory listing of Pegasus 5.0 CD, 1994.

At last the unzipped antivirus went onto the USB key and onto a 3.5" floppy. Next step will be to scan and clean as many floppies as possible, while I come up with a safe procedure to deal with the hundreds of potentially infected removable media in the warehouse.


Modern AV detecting 30+ years old threat!


Apologies for the text-only post. At least you know I'm alive and kicking.