VOGONS


First post, by Bernkastel7734


Hi folks,
I've got a 1986 WANG Professional Computer. 8086-based, non-IBM compatible MS-DOS machine.
It came with a 10meg Winchester. It is running an OEM version of MS-DOS 2.10
And I have encountered this message after formatting a floppy.
"Bitte gebe den G-Virus Code ein."
And after pressing enter it said:
"Tut mir Leid!"
Which translates to:
"Please enter the G-Virus code."
"I'm sorry!".

Anyone got any idea what it means? Is it infected with some malware?

Reply 1 of 16, by weedeewee


Seems that way.
Boot with a write protected floppy and run a virus scanner...

Right to repair is fundamental. You own it, you're allowed to fix it.
How To Ask Questions The Smart Way
Do not ask Why !
https://www.vogonswiki.com/index.php/Serial_port

Reply 3 of 16, by Jo22

weedeewee wrote on 2023-10-07, 17:30:

Seems that way.
Boot with a write protected floppy and run a virus scanner...

25+ years ago, I would have done that without hesitation.
But today, isn't it kind of worth preserving for historical reasons?
Maybe inserting a spare floppy with a copy of MS-DOS, so it can infect it?

After that, it can still be wiped from fixed-disk.
An anti-virus program like F-Prot, MS Anti-Virus or Turbo Antivirus etc can still be used to clean the HDD.

Bernkastel7734 wrote on 2023-10-07, 17:34:

The question is if the noncompatibility with IBM wouldn't make an issue here?

Good question. I don't know.
But it's possible that the virus is portable and only needs to know DOS/FAT.
Anti-virus programs like Carmel Turbo Antivirus (TNTVIRUS) can run on older DOSes, too.

"Time, it seems, doesn't flow. For some it's fast, for some it's slow.
In what to one race is no time at all, another race can rise and fall..." - The Minstrel

//My video channel//

Reply 4 of 16, by progman.exe


I found this, from what looks to be old virus defs:

%%File: VIRS0053.TXT
%%Name/Aliases: Perfume, 765, 4711
%%Platform: PC/MS-DOS
%%Type: Program.,
%%Disk Location: COM application., COMMAND.COM.
%%Features: Memory resident; TSR.
%%Damage: Corrupts a program or overlay files., Interferes with a
running application.
%%Size: 765
%%See Also:
%%Notes: It infects .COM files, and after 80 executions, it demands a
password to run the application. The password is 4711 (the name of a
perfume). A password request for a program that does not need one, or
the printing of code on the screen when a program is run, much like
using the DOS TYPE command with an executable file. One version
contains the following strings: "G-VIRUS V2.0",0Ah,0Dh, "Bitte gebe den
G-Virus Code ein : $" <CRLF> 0Ah,0Dh,"Tut mir Leid !",0Ah,0Dh,"$";
(translated 2nd and 3rd strings: "please input G-virus code"; "sorry")
Another version has a block of 88(dec) bytes containing 00h.

source: https://dl.packetstormsecurity.net/advisories … -Database-11-93

A code to try, at least!

Another edit, just google the virus' text, https://wiw.org/~meta/vsum/view.php?vir=1276

Virus Name: Sorry
Aliases: G-Virus V1.3, Perfume-2
V Status: Rare
Discovered: June, 1990
Symptoms: .COM growth; decrease in system and free memory
Origin:
Eff Length: 731 Bytes
Type Code: PRhCK - Parasitic Resident .COM Infector
Detection Method: ViruScan, F-Prot, AVTK, Sweep, IBMAV, PCScan, NAV,
NAVDX, VAlert, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
NAV/N, IBMAV/N
Removal Instructions: NAV, or delete infected files

General Comments:
The Sorry virus was isolated in June, 1990. Its name comes from a
German phrase in the virus: "Tut mir Leid !". This virus is based
on the Perfume virus from West Germany, and some anti-viral
programs will identify it as Perfume or 4711.

The first time a program infected with the Sorry virus is executed,
the virus will install itself memory resident in high memory.
Total system memory and free memory will both decrease by 1,024
bytes. Interrupt 21 will be hooked by the virus. COMMAND.COM is
immediately infected by the virus, thus insuring on later system
boots that the virus becomes memory resident immediately.

After the virus is memory resident, it will infect any .COM file
which is executed, increasing the file's length by 731 bytes. The
viral code is located at the end of infected files.

The Sorry virus contains the following text strings:

"G-VIRUS V1.3"
"Bitte gebe den G-Virus Code ein"
"Tut mir Leid !"

It is unknown what the Sorry virus does when it activates.

See: Perfume
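
A read-only check for the text strings quoted in the two virus descriptions above, added here as an example (it is not part of the original posts and not taken from any antivirus product). It assumes a raw sector image or a single file as input; the 512-byte sector size, the function names and the sample image are assumptions or constructed, and a hit is an indicator to follow up with a scanner rather than a verdict.

```python
import io
import sys

# Marker strings exactly as quoted in the two virus descriptions above.
MARKERS = [
    b"G-VIRUS V2.0",
    b"G-VIRUS V1.3",
    b"Bitte gebe den G-Virus Code ein",
    b"Tut mir Leid !",
]
SECTOR = 512  # assumption: raw image with 512-byte sectors


def scan_stream(stream, chunk_size=64 * 1024):
    """Return sorted (offset, sector, marker) hits from a binary stream.

    A tail of each chunk is carried over so a marker that straddles a
    chunk boundary is still found. Nothing is executed or written.
    """
    overlap = max(len(m) for m in MARKERS) - 1
    hits, tail, base = set(), b"", 0  # base = absolute offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return sorted(hits)
        buf = tail + chunk
        for marker in MARKERS:
            pos = buf.find(marker)
            while pos != -1:
                off = base + pos
                hits.add((off, off // SECTOR, marker.decode("ascii")))
                pos = buf.find(marker, pos + 1)
        tail = buf[-overlap:]
        base += len(buf) - len(tail)


def build_sample_image():
    """Constructed 4-sector test image: zero fill plus marker text only."""
    img = bytearray(4 * SECTOR)
    img[700:712] = b"G-VIRUS V2.0"
    img[1020:1034] = b"Tut mir Leid !"  # straddles the sector 1/2 boundary
    return bytes(img)


if __name__ == "__main__":
    # Usage: python scan.py IMAGE_OR_FILE...  (no arguments: constructed sample)
    paths = sys.argv[1:]
    streams = [open(p, "rb") for p in paths] or [io.BytesIO(build_sample_image())]
    for name, s in zip(paths or ["<sample>"], streams):
        for off, sector, text in scan_stream(s):
            print(f"{name}: offset {off} (sector {sector}): {text!r}")
```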

Reply 5 of 16, by Jo22


Wow, a Virus from the cold war times. 😲
Thanks a lot for the information, progman!

Reply 6 of 16, by Bernkastel7734

progman.exe wrote on 2023-10-08, 00:19:

Another edit, just google the virus' text, https://wiw.org/~meta/vsum/view.php?vir=1276

Have just found the same site. Amazing, isn't it.
Besides the virus, the HDD seems to contain someone's work in COBOL/Turbo Pascal/Modula etc.
So I guess it was used by someone who knew stuff about computers.
Sadly he didn't usually set the time, so I have no idea when the files were created, but the computer has a badge 'Shipped 8609'.
I am not sure, but it came with a card that seems to be an IBM-PC emulation board, so maybe that's why it was infected.

I think I'll keep it this way to preserve the history.

Just wonder, if the virus is dangerous for my WinXP computer that I'm using to make floppies.

Reply 7 of 16, by Jo22

Bernkastel7734 wrote on 2023-10-08, 05:47:

Just wonder, if the virus is dangerous for my WinXP computer that I'm using to make floppies.

Possible but unlikely, Windows NT has a synthetic DOS that doesn't allow direct manipulation of the FAT, for example.
Or direct access to a HDD via BIOS (int13h).
And even if it did, the Windows XP PC uses FAT32 or NTFS format.

To be a threat, the virus would need to be well behaved and use the normal MS-DOS API (int21h).
But since it runs on an MS-DOS compatible PC, that may or may not be the case. I seriously can't make a promise here.

Back in the day, resident anti-virus guards (TSRs in background) would have stopped the virus if it attempted a file access, though.
Which means that they normally showed a strange behavior that's unusual to an ordinary MS-DOS application.

Hm. So it's hard to say. Without knowing about the internals of the virus.

If you want to be on the safe side, you can try running Virtual PC 2007 and give it exclusive access to the physical floppy drive.
That way, you can run an imaging software inside a virtual machine.

Or use VirtualBox. It can take control of USB devices.
So a USB floppy drive can be exclusively mounted inside a virtual machine (if the Guest OS has USB floppy support).

For DOS, there's DCF, Disc Copy Fast.
For Windows 3.1, there's WinImage v3.
For Linux, there's rawrite.

Windows 9x is a bit dangerous to original disks, because it does modify the boot sectors of unprotected floppies.
https://www.os2museum.com/wp/the-ihc-damage/

Reply 8 of 16, by Bernkastel7734


Just to add. WinXP isn't able to open the A: floppy due to I/O error so I'm using WinImage to make the floppies. Wonder if this is some kind of barrier to this virus.

Reply 9 of 16, by weedeewee


From the information posted, the virus infects .COM files, so unless you run a .COM file from a floppy which you also ran on the old computer, there is no chance the virus will install on your computer.


Reply 10 of 16, by Jo22

weedeewee wrote on 2023-10-08, 08:15:

From the information posted, the virus infects .COM files, so unless you run a .COM file from a floppy which you also ran on the old computer, there is no chance the virus will install on your computer.

I second this.

The safest way is maybe to run WinImage first and select drive A: as source.
Then, insert floppy and click on read floppy.
Once done, remove floppy and save image to image file.

If the Windows Explorer isn't checking A: drive, nothing except WinImage will access the drive at this moment.

I'm saying this, because I remember from back in the day that Windows Explorer was checking floppy drives for icons inside EXE files, as well as looking for thumbnails.

In the Windows 3.x/9x days, this could be exploited. Things like WMF (Windows Meta File Format) were vulnerable.

Anyway, this has nothing to do with DOS viruses in particular. It just came to mind.

Having Windows Explorer's window (My Computer) closed is a good idea, maybe.

Reply 12 of 16, by DerBaum


so it is a german virus?
4711 (Echt kölnisch Wasser) was a pretty well known German perfume by the generation of my grandmother...
"Echt kölnisch Wasser" says something like "Genuine water from (a town called) Cologne".

It smells like old people 😁

FCKGW-RHQQ2

Reply 13 of 16, by Bernkastel7734


It seems to be. This computer comes with a German DOS version so I bet it was used there.
Date code early 1986 so I'm pretty positive it comes from Western Germany.

Reply 14 of 16, by Jo22

DerBaum wrote on 2023-10-08, 17:05:

so it is a german virus?

If you like, have a look at German Burger "virus".
It (Virdem) was a proof of concept and from same era.. 🙂

Reply 15 of 16, by Masaw


can you try my DOS antivirus on it and see if it detects anything? but it only runs on a 286+ CPU.. thanks

Attachments

VCheck+ Portable Antivirus for DOS
=========================
https://archive.org/details/VCHECK/