25 May 2024

Virus removed, after 30 years. A tale of retrocomputing.

Armed with F-PROT 2.24 on a write-protected 3.5" floppy disk I tackled the infected machine.

First of all, I wanted to be sure that the computer was actually infected. So I let it boot normally from the hard disk, then ran F-PROT from the floppy, which halted during the RAM test with this warning:

[Screenshot: a very visible message on the screen informs the user that the machine's RAM is infected.]
It's a pretty alarming message.

So I booted it off a write-protected DOS 3.2 floppy disk and ran a second scan. This time the memory was clean, but it obviously detected Junkie in the hard-disk MBR, which could not be cleaned. That was expected. Unfortunately the DOS on that floppy would not recognise the hard disk, so I could not issue the [FDISK /MBR] command.

What's the infected program?
Time for a... reinstall! This time I used the three 3.5" floppies with MS-DOS 5.0, booted off the first one and followed the guided procedure. Note that since it detected an already formatted HDD, it did not format the disk or wipe its contents: it simply copied itself over C:\DOS. Unfortunately this probably left me with an infected MBR, and at the end of the install process it wanted to reboot. By hitting F-keys I managed to get a DOS prompt, where I could run FDISK /MBR (maybe the setup had already done that, but I preferred to avoid a second reinstall).
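As an added illustration (this is not code from the original post, nor F-PROT's or MS-DOS's own code), the following Python script models what FDISK /MBR does to the sector the virus lived in: it parses a 512-byte MBR, checks the 0x55AA signature, lists the four 16-byte partition entries, and rewrites only the 446 bytes of bootstrap code, leaving the partition table and the signature byte-for-byte untouched. That is the check worth running on a raw copy of the first sector after such a repair: the boot code must differ, the partition table must not. The sample sector, the placeholder "infected" boot code and the "clean" replacement are all constructed for the example and are not real virus or DOS boot-code bytes.

```python
import struct

# MBR layout (fixed by the PC BIOS boot convention)
SECTOR_LEN = 512
BOOT_CODE_LEN = 446      # bytes 0..445: bootstrap code (what FDISK /MBR rewrites)
PART_TABLE_OFF = 446     # bytes 446..509: four 16-byte partition entries
ENTRY_LEN = 16
SIGNATURE_OFF = 510      # bytes 510..511: 0x55 0xAA
SIGNATURE = b"\x55\xaa"


def has_signature(sector: bytes) -> bool:
    """True if the sector is 512 bytes long and ends with the 0x55AA marker."""
    return len(sector) == SECTOR_LEN and sector[SIGNATURE_OFF:] == SIGNATURE


def parse_partition_table(sector: bytes) -> list:
    """Return the four partition entries of an MBR as plain dicts."""
    if not has_signature(sector):
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * ENTRY_LEN
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_LEN])
        entries.append({
            "bootable": boot == 0x80,
            "type": ptype,          # 0x06 = FAT16 (>32 MB), 0x00 = unused
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def rewrite_boot_code(sector: bytes, clean_code: bytes) -> bytes:
    """FDISK /MBR-style repair: replace the bootstrap area only.

    The partition table and signature are copied through unchanged. Unlike
    the real tool, this example refuses to touch a sector whose signature is
    missing instead of guessing what to do with it.
    """
    if len(clean_code) > BOOT_CODE_LEN:
        raise ValueError("boot code does not fit in %d bytes" % BOOT_CODE_LEN)
    parse_partition_table(sector)   # validates length and signature first
    padded = clean_code.ljust(BOOT_CODE_LEN, b"\x00")
    return padded + sector[PART_TABLE_OFF:]


def boot_code_changed(before: bytes, after: bytes) -> bool:
    """True if the two sectors differ in the bootstrap area."""
    return before[:BOOT_CODE_LEN] != after[:BOOT_CODE_LEN]


# Constructed stand-in for the infected boot code: NOT the real virus bytes.
INFECTED_CODE = b"\xeb\xfe" + b"INFECTED-BOOT-CODE-PLACEHOLDER"
# Constructed stand-in for a clean loader: a 'jmp $' plus a marker string,
# NOT the MS-DOS 5.0 boot code that the real FDISK /MBR writes.
CLEAN_CODE = b"\xeb\xfe" + b"CLEAN-BOOT-CODE-PLACEHOLDER"


def build_sample_mbr(boot_code: bytes = INFECTED_CODE) -> bytes:
    """Constructed sample: one bootable FAT16 partition starting at LBA 63."""
    entry = struct.pack("<B3sB3sII",
                        0x80,               # active (bootable) flag
                        b"\x01\x01\x00",    # CHS start: head 1, sector 1, cyl 0
                        0x06,               # FAT16 partition type
                        b"\x0f\x3f\x7f",    # CHS end (arbitrary for the example)
                        63,                 # LBA of first sector
                        204737)             # length in sectors (~100 MB)
    table = entry + b"\x00" * (ENTRY_LEN * 3)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


if __name__ == "__main__":
    infected = build_sample_mbr()
    print("before:", parse_partition_table(infected))
    fixed = rewrite_boot_code(infected, CLEAN_CODE)
    print("after: ", parse_partition_table(fixed))
    print("boot code changed:", boot_code_changed(infected, fixed))
    print("partition table intact:", fixed[PART_TABLE_OFF:] == infected[PART_TABLE_OFF:])
```

The script never executes any boot code; it only manipulates the bytes of the sector, so it is safe to run against an image of a suspect MBR. Comparing the bootstrap area against a known-good copy is also the quickest way to tell whether a reinstall's setup really did rewrite the MBR, which is exactly the doubt the paragraph above leaves open.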

1996 F-PROT in 2024 action!
I rebooted from the HDD, loaded F-PROT from the floppy and let it scan the disk. It located two infected .COM files that I remembered having executed, and cleaned them. Now we're ready to go. No, wait: there's still the pile of 5.25" floppies I had DIR'ed to check!

So I spent more than a few minutes scanning all the 5.25" disks within arm's reach and found nothing. To prevent similar mistakes, I have now write-protected these apparently clean disks.

Side note on F-PROT: the executable can be run with the /OLD option to bypass the "signatures expired" block. Apparently /OLD does not work on 2.24, so I simply set the system date to a month after the signature timestamp.