25 May 2024

Virus removed, after 30 years. A tale of retrocomputing.

Armed with F-PROT 2.24 on a write-protected 3.5" floppy disk I tackled the infected machine.

First of all I wanted to be sure that the computer was infected. So I let it boot normally, then ran F-PROT from the floppy, which halted during the RAM test with this warning:

[Image: a very visible message printed on the computer screen, informing the user that the machine's RAM is infected. Caption: It's a pretty alarming message.]

So I booted it off DOS 3.2 on a floppy disk (write-protected) and ran a second scan. This time the memory was clean but it obviously detected Junkie in the hard-disk MBR, which could not be cleaned. That was expected. Unfortunately DOS on that floppy would not recognise the hard disk so I could not issue the [FDISK /MBR] command.

[Image caption: What's the infected program?]

Time for a... reinstall! This time I used the three 3.5" floppies with MS-DOS 5.0, booted off the first one and followed the guided procedure. We should note that since it detected a formatted HDD, there was no need to format the disk and wipe the content: it simply copied itself over C:\DOS. Unfortunately this probably left me with an infected MBR and at the end of the install process it wanted to reboot. Hitting F-keys I managed to get a DOS prompt where I could run FDISK /MBR (maybe the setup wizard had already done that, but I preferred to avoid a second reinstall).
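
As an added illustration (not part of the original post): a Python sketch that compares two dumps of sector 0, taken before and after FDISK /MBR, to confirm that the master boot code was replaced while the partition table stayed untouched. The sample sectors are constructed filler, not real DOS boot code or a Junkie sample, and getting the 512-byte dumps off the machine is assumed.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: master boot code
TABLE_LEN = 64               # bytes 446..509: four 16-byte partition entries

def split_mbr(sector: bytes):
    """Return (boot_code, partition_table); reject anything that is not an MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    return sector[:BOOT_CODE_LEN], sector[BOOT_CODE_LEN:BOOT_CODE_LEN + TABLE_LEN]

def partitions(table: bytes):
    """Decode the non-empty partition entries: (active, type, first LBA, sectors)."""
    out = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        status, ptype = entry[0], entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0:
            out.append((status == 0x80, ptype, lba, count))
    return out

def compare_mbr(before: bytes, after: bytes):
    """Report which MBR regions differ between two dumps of sector 0."""
    code_a, table_a = split_mbr(before)
    code_b, table_b = split_mbr(after)
    return {
        "boot_code_changed": code_a != code_b,
        "partition_table_changed": table_a != table_b,
        "boot_code_sha256": hashlib.sha256(code_b).hexdigest(),
    }

def make_sample(code_fill: int) -> bytes:
    """Constructed sector: filler boot code plus one active FAT16 partition."""
    entry = bytes([0x80, 1, 1, 0, 0x04, 15, 17, 99]) + struct.pack("<II", 17, 40783)
    table = entry + bytes(48)
    return bytes([code_fill]) * BOOT_CODE_LEN + table + b"\x55\xaa"

if __name__ == "__main__":
    report = compare_mbr(make_sample(0xCC), make_sample(0x90))
    print(report, partitions(split_mbr(make_sample(0x90))[1]))
```

Keeping the SHA-256 of a known-clean boot code on the write-protected floppy gives a baseline to compare against on the next visit.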

[Image caption: 1996 F-PROT in 2024 action!]

Rebooted from HDD. Loaded F-PROT from the floppy and let it scan the disk. It located two infected .COM files I remember I had executed, which were cleaned. Now we're ready to go. No, there's the pile of 5.25" floppies I DIR'ed to check!

So I spent more than a few minutes scanning all 5.25" disks that were at hand's reach and found nothing. In order to prevent similar mistakes I have now write-protected these apparently clean disks.

Side note on F-PROT. The executable can be run with the /OLD option to bypass the "signatures expired" block. Apparently /OLD on 2.24 does not work so I simply set the system date a month later than the signature timestamp.

20 May 2024

Limited resources. A tale of retrocomputing

Having unlimited access to the resources of a computing history museum has diverted my free time activities to a different kind of equipment: (retro)computers and (retro)computing. I do miss the hiss of SSB or the smell of soldersmoke, but I don't mind following unexplored lands of lost knowledge. Regardless, there's plenty of stuff to fix, too!

I was going through a stash of 5.25" floppy disks when I found a text adventure in Italian for DOS from 1986. On the modern Internet I found a person looking for a copy of the game since he had played it back then: why not share the joy of my discovery with him?

I had to transfer the file from 5.25" floppy to 3.5" floppy on an 80386 Olivetti machine (circa 1988). Then the floppy went into a modern high-end Compaq Presario 2100 laptop (2003) to be transferred to a USB stick. Finally the USB stick went into an Internet-connected machine (2023) for a final backup and delivery to my new friend.

How cool is that? I've used some 40-year-old media and time-traveled its content ~20 years ahead, twice.

Since the 5.25" floppies were DS/DD with 360 kB capacity, I could fit 4 of them in a 1.44 MB 3.5" floppy. Why not? So while I was at it I copied another disk with an Epic Megagames shareware game, a Tetris from 1986 and a Z80MU (Z80 emulator).

When the USB stick hit the modern computer, the antivirus detected the Junkie virus in TETRIS.COM.


The problem is not the single infection, but all the write-enabled floppies I read on the Olivetti machine once I had played a bit of Tetris myself. And, worse, the infection in the Olivetti machine! I am not sure what was infected first: the PC or the .COM program. Never mind, now.

While I could reinstall the 80386 computer (DOS 6.x), I chose to try to preserve its content and see what can be done. This means traveling back in time in order to have a functional antivirus software on a single 1.44 MB floppy disk. That was the preferred portable media, so a time-correct antivirus had to fit on a single disk.

Everyone agrees that the free-for-personal-use F-PROT antivirus in the 1980s and 1990s was the best choice. The latest version 3.16f from 2009 is just too large at 9.2 MB. Reader, I'll boot the machine off a clean floppy disk and run the antivirus from another floppy. No fiddling with multi-volume .ZIP files, especially since it's not needed.

The biggest challenge for the inexperienced retrocomputing guy that I am was to locate an F-PROT version released after Spring 1994.

While browsing old software on archive.org I remembered that computer magazines (yes, printed on paper) usually came with a CD full of shareware software. Then in a matter of minutes I downloaded the .ISO image of a CD and finally found F-PROT 2.24A from August 1996.

When I finally saw the folder with the wanted piece of software (in a .ZIP file, of course) I realised why most of my searches failed. In DOS days, filenames followed the 8.3 format convention. In 8 characters you had to fit both a mnemonic for your product and a version number. So it is not F-PROT_224A.ZIP (11.3) but rather FP-224A.ZIP. "FP" reader, "FP"!

[Image: directory listing of Pegasus 5.0 CD, 1994.]

At last the unzipped antivirus went onto the USB key and onto a 3.5" floppy. Next step will be to scan and clean as many floppies as possible, while I come up with a safe procedure to deal with the hundreds of potentially infected removable media in the warehouse.

[Image caption: Modern AV detecting 30+ years old threat!]

Apologies for the text-only post. At least you know I'm alive and kicking.