3.797 ping-pong virus (50)

Willard McCarty (MCCARTY@vm.epas.utoronto.ca)
Tue, 28 Nov 89 23:20:44 EST

Humanist Discussion Group, Vol. 3, No. 797. Tuesday, 28 Nov 1989.

Date: Tue, 28 Nov 89 05:15:00 EST
From: Antonio-Paulo Ubieto Artur <hiscont@cc.unizar.es>
Subject: Eliminating Ping-Pong virus without antivirus software (re: 3.775)

Don't be alarmed by the report of two different versions of "Ping-Pong".
This report was probably obtained with McAfee's ScanVir in a version
prior to SCANV48. It was reported recently in VIRUS-L that versions
prior to 48 gave such erroneous messages. Thus, Mr. Faulhaber (HUMANIST
3.775) has surely only one version of this virus.

"Ping-Pong virus", also known as "Italian bouncing virus", like "Typo"
and "Brain", is a virus which modifies the boot sector and marks several
other sectors as "bad", where it stores the rest of the code. If you look
at the boot sector, you can find something that has nothing to do with
normal boot sectors; the code that you normally would find in it is in
the "bad" sectors.

Nevertheless, the fastest way of removing this virus (with only one
clean MS-DOS) is:

1) To be totally secure, back up your hard disk files, at least your
   data files.

2) Hardware reset your computer (CTRL-ALT-DEL is not enough). Boot with
   an ORIGINAL and WRITE-PROTECTED MS-DOS diskette.

3) From the original MS-DOS diskette and at the DOS prompt "A>" type
   "SYS C:<RETURN>". This restores the boot sector and writes the hidden
   MS-DOS files and COMMAND.COM. After this, the virus should have
   disappeared.

4) Boot from the hard drive to find out. Try setting the time of the
   computer clock to 11:59 h. and 23:59 h. and wait until 12:00 and/or
   24:00 h. If the dancing diamond does not appear, you are done. If you
   have a virus detector like SCANVxx, it's time to try it out one more
   time.

5) Look at all write-unprotected diskettes you introduced in your
   infected computer. If they were accessed by your infected computer
   (a DIR is enough) they are ALL INFECTED. All of them with "bad
   sectors" (normally at about 2-4 Kb.) have their boot-record infected.
   If you accidentally boot from one of them, you will contaminate your
   computer again. COPY the files (not DISKCOPY) to freshly formatted
   disks. FORMATting the contaminated disks would be a good idea.

With my best regards:

Antonio-Paulo Ubieto Artur
Department of Modern and Contemporary History
Zaragoza University (Spain-Europe)
"History and Computers: Past, Present, and Future, Now."
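
The check in step 5 (finding diskettes that carry "bad" sectors) can be done on a diskette image taken on a clean machine. The sketch below is an added example, not part of the original message: it reads the FAT12 allocation table of an image and lists the clusters marked bad, with the sector where each one starts so its contents can be inspected. The function names and the sample image are constructed for illustration, and a bad-cluster mark can also come from a genuine media defect, so a hit means "examine this disk", not "infected".

```python
import struct

BAD_CLUSTER = 0xFF7  # FAT12 value that marks a cluster as bad

def fat12_entry(fat, n):
    """Return the 12-bit FAT entry for cluster n (two entries per 3 bytes)."""
    off = n + n // 2
    word = fat[off] | (fat[off + 1] << 8)
    return word >> 4 if n & 1 else word & 0xFFF

def set_fat12_entry(fat, n, value):
    """Write a 12-bit FAT entry; used only to build the constructed sample."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value & 0x0F) << 4)
        fat[off + 1] = value >> 4
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | (value >> 8)

def bad_cluster_report(image):
    """List clusters marked bad in the first FAT, with their first sector."""
    # BIOS Parameter Block fields start at byte 11 of the boot sector.
    bps, spc, reserved, nfats, root_entries, total, _media, spf = \
        struct.unpack_from("<HBHBHHBH", image, 11)
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_start = reserved + nfats * spf + root_sectors
    clusters = (total - data_start) // spc
    fat = image[reserved * bps:(reserved + spf) * bps]
    bad = [n for n in range(2, clusters + 2)
           if fat12_entry(fat, n) == BAD_CLUSTER]
    return {"bad_clusters": bad,
            "bad_bytes": len(bad) * spc * bps,
            "first_sectors": [data_start + (n - 2) * spc for n in bad]}

def make_sample_image(bad=()):
    """Constructed 360 KB FAT12 floppy image (not a real or infected disk)."""
    img = bytearray(720 * 512)
    struct.pack_into("<HBHBHHBH", img, 11, 512, 2, 1, 2, 112, 720, 0xFD, 2)
    fat = bytearray(2 * 512)
    set_fat12_entry(fat, 0, 0xFFD)   # reserved entry holding the media byte
    set_fat12_entry(fat, 1, 0xFFF)   # reserved entry
    for n in bad:
        set_fat12_entry(fat, n, BAD_CLUSTER)
    img[512:512 + len(fat)] = fat    # first FAT follows the boot sector
    return img

if __name__ == "__main__":
    print(bad_cluster_report(make_sample_image(bad=(180, 203))))
```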