[comp.sys.apple] Viruses

marge@vu-vlsi.Villanova.EDU (Marge Luecke) (07/22/88)

THIS IS A PLEA FOR HELP!!!!!

If anybody has ANY information on Computer Viruses, Immunizations, etc.,
please forward the information.  

I am working on a senior project on computer viruses.  I would like to try
to write an immunization program, however, I cannot obtain enough information
from published literature to do so. 

How do viruses work inside the computer?  What are some present methods of 
detection?  Are there any public domain immunization programs available?
Where?  Somebody wrote in one article that one could write a virus using the
pc-dos appendices as reference...I looked this up and was not too successful...
how do I do this?...What was meant by this?  What are some infected programs
which were available?  What is the SCORES virus?  How about VirusX?, etc...

				Thank you,
				Marge Luecke
				Senior EE, Villanova University

P.S. I can be reached several ways:

	1.  This computer system.

	2.  FAX:
			(609) 723-8461

			(USA)

	3.  Mail:
			Marge Luecke
			980 Wakeling Street     or Dept. of EE
			Philadelphia, PA  19124    Tolentine Hall
			USA			   Villanova University
						   Villanova, PA  19085
						   USA

	4.  PHONE:
			(215) 645-4970   Day
			(215) 537-9633   Evening

avenger@runx.ips.oz (Troy Rollo ) (07/24/88)

I was recently asked to consider this problem. The easiest solution I came up
with was to write a Virus Immunisation Program (VIP) which calculated cyclic
redundancy check numbers for each file on a given device and stored these
numbers on a safe medium prior to backup. Regular checks could be made using
the VIP, and if the CRC on any program (executable, source, object or script)
does not match (and should not have been modified) the suspect file should be
restored from the backup medium.

Precautions:

1) The machine should never automatically boot from the hard disk. The
operating system on that disk may be infected, and if you subsequently run
your backup program or VIP, they may become infected.

2) The machine should be turned off before running either the backup program
or the VIP for much the same reasons as (1).

3) Along the same lines as (1) and (2), the backup program and VIP should be
contained on separate floppy disks, each with its own operating system.

	----------------------------------------------------------------
Internet: avenger@runx.ips.oz.au
UUCP: uunet!runx.ips.oz.au!avenger

"Watch out for Gobbledocks - they'll steal all your silicon chippies"

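Added example, not part of the original posts: the baseline-and-compare procedure Troy Rollo describes above, in Python. It records a size and CRC-32 for every file, keeps the record outside the checked tree (the "safe medium"), and later reports modified, missing and new files; the file names, JSON layout and function names are assumptions made for illustration.

```python
import json
import os
import tempfile
import zlib


def crc32_of_file(path, chunk_size=65536):
    """CRC-32 of a file, read in chunks so large files are not loaded whole."""
    crc = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            crc = zlib.crc32(chunk, crc)
    return crc & 0xFFFFFFFF


def build_baseline(root):
    """Map every file under root (by relative path) to its size and CRC-32."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full),
                             "crc32": crc32_of_file(full)}
    return baseline


def save_baseline(baseline, path):
    """Write the baseline to the 'safe medium' (a path outside the checked tree)."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=1, sort_keys=True)


def load_baseline(path):
    """Read a baseline previously written by save_baseline."""
    with open(path) as fh:
        return json.load(fh)


def verify(root, baseline):
    """Compare the tree against the stored baseline; each list is sorted."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline
                           if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed sample tree: baseline it, change it, then verify it."""
    with tempfile.TemporaryDirectory() as disk, \
            tempfile.TemporaryDirectory() as safe:
        samples = {"BASIC.SYSTEM": b"\x4c\x00\x20" + b"A" * 64,
                   "STARTUP": b"10 PRINT", "NOTES": b"hello"}
        for name, data in samples.items():
            with open(os.path.join(disk, name), "wb") as fh:
                fh.write(data)
        record = os.path.join(safe, "baseline.json")
        save_baseline(build_baseline(disk), record)

        # Changes made after the baseline: one file altered, one deleted, one added.
        with open(os.path.join(disk, "BASIC.SYSTEM"), "wb") as fh:
            fh.write(b"\x4c\x00\x60" + b"A" * 64 + b"\xea" * 16)
        os.remove(os.path.join(disk, "NOTES"))
        with open(os.path.join(disk, "EXTRA"), "wb") as fh:
            fh.write(b"new file")
        return verify(disk, load_baseline(record))


if __name__ == "__main__":
    print(demo())
```

As the precautions in the post say, the report is only as trustworthy as the environment it runs in: the checker and its record belong on media booted separately from the disk being checked.
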
nubode@ndsuvax.UUCP (Spyro Gyra) (08/05/88)

One of the most devious virus attempts I have seen is a 'virus 
eliminator' that supposedly looked for CyberAIDS (supposedly 
written by Tom E. Hawk) in SYS files and 'destroyed' it.  Well,
a friend and I tried it on a backup copy of ProTERM which we 
obviously knew was NOT contaminated.  When the program came up 
with a 'this disk is contaminated, file PRODOS has been cured' or
something to that effect, we became curious.  The program 
itself installed CyberAIDS in the PRODOS file.  Quite nasty, 
eh?  I suggest writing thy own virus debuggers!

Clint Fleckenstein ("SpyroGyra")
NU132271@NDSUVM1.BITNET
nubode@plains.nodak.edu
nubode@NDSUVAX.BITNET

45% of all statistics are made up.

craparotta@kyoa.DEC.COM (Physical T5--Virtual T7) (08/06/88)

Clint writes....

>One of the most devious virus attempts I have seen is a 'virus 
>eliminator' that supposedly looked for CyberAIDS (supposedly 
>written by Tom E. Hawk) in SYS files and 'destroyed' it.  Well,
>a friend and I tried it on a backup copy of ProTERM which we 
>obviously knew was NOT contaminated.  When the program came up 
>with a 'this disk is contaminated, file PRODOS has been cured' or
>something to that effect, we became curious.  The program 
>itself installed CyberAIDS in the PRODOS file.  Quite nasty, 
>eh?  I suggest writing thy own virus debuggers!
 
>Clint Fleckenstein ("SpyroGyra")
>NU132271@NDSUVM1.BITNET
>nubode@plains.nodak.edu
>nubode@NDSUVAX.BITNET
 

Clint,

I know "Tom E Hawk" personally, and KNOW FOR A FACT [something you don't] that
he DID NOT write ANY VIRUS for the APPLE II!!! Please try not to post things
about people that you obviously don't know anything about!!! 

Joe

cdm@pro-freedom.cts.com (Carl Macdonald) (02/26/89)

I've noticed a lot of talk on the net lately about viruses and concern over
suppressing information about how they work.  This is a very legitimate
concern, however, a virus program is one of the easiest pieces of software
to write, and really doesn't involve much sophistication.

When I was in college (Many years ago), we were doing research on how fast
viruses spread and what could be done to stop them in a mini-computer
environment. We discovered two things, 1) It was very easy to create a virus,
and was usually a very small piece of code, and 2) It was very difficult to
stop them.

The most promising line of prevention we found was to make frequent backups
that went back at least a month. Then we had a program that would install a
small piece of code at the top of likely target files (Program files). This
piece of code would perform a checksum on the file at load time and compare it
to the checksum that was performed when it was installed. If they didn't match
it would signal a detection and stop the program.  Then it was a matter of
loading from the backups.

Carl MacDonald, programmer
Central Point Software

DISCLAIMER: All opinions expressed here are my own, not those of my employer
            or anyone else, living or otherwise.
 
    UUCP: crash!pnet01!pro-freedom!cdm
 ProLine: cdm@pro-freedom
 ARPANet: crash!pnet01!pro-freedom!cdm@nosc.mil
InterNet: cdm@pro-freedom.cts.com

Programmer: Red-eyed mumbling mammal capable of conversing with in-animate    
            objects.

rdlanctot@instr.okanagan.bc.ca (Ryan Lanctot) (03/04/89)

As anyone knows, a checksum is only effective if the person who wrote the virus
doesn't have the smarts to make the checksum add up after the virus has inserted
itself.  Some really smart cookie would probably have the virus checksum the 
program itself before insertion, then rebalance the checksum......  Or they
could corrupt the checksum program itself to produce the same result every time,
no matter how the program looked.  By the way, is the Core wars society still
around?  I read about it in Scientific American some time ago..... 

Ryan Lanctot
<rdlanctot@instr.okanagan.bc.ca>

nicholaA@moravian.EDU (03/04/89)

> As anyone knows, a checksum is only effective if the person who wrote the virus
> doesn't have the smarts to make the checksum add up after the virus has inserted
> itself.  Some really smart cookie would probably have the virus checksum the 
> program itself before insertion, then rebalance the checksum......  Or they
> could corrupt the checksum program itself to produce the same result every time,
> no matter how the program looked.

Actually, a more precise method would be to calculate a CRC-16 or CRC-32 on
the image of the program.  Of course, what should be done first is to read
the first 3 bytes off the disk (the first JMP in most cases), and to
check the length of the program against what it's _supposed_ to be.

This is what ShrinkIt does, and it works fairly well.

You mention that a virus program _might_ be able to look into an
executable file, find the code used to generate a checksum, and somehow
change the way it works.  That, at best, at least on an Apple II, is
laughable -- A virus would have to be _very_ special case sensitive
to work right since the routines used by programs which protect themselves from
virusii (?) vary tremendously.

> Ryan Lanctot
> <rdlanctot@instr.okanagan.bc.ca>
>
-------------
Andy Nicholas              CsNET: nicholaA@moravian.edu
Box 435                 InterNET: nicholaA%moravian.edu@relay.cs.net 
Moravian College                  liberty!batman!nicholaA@sun.com
Bethlehem, PA  18018              lafcol!lehi3b15!mc70!nicholaA@rutgers.edu   
                            Bang: rutgers!lafcol!lehi3b15!mc70!nicholaA
AppleLink PE: ShrinkIt            rutgers!liberty!batman!nicholaA
-------------

dtroup@carroll1.UUCP (Dave Troup) (03/06/89)

In article <123*rdlanctot@instr.okanagan.bc.ca> rdlanctot@instr.okanagan.bc.ca (Ryan Lanctot) writes:
>
>, no matter how the program looked.  By the way, is the Core wars society still
>around?  I read about it in Scientific American some time ago..... 
>Ryan Lanctot
><rdlanctot@instr.okanagan.bc.ca>

	Funny you should mention the Core Wars Society. I have their address
	and I have sent them $25 for a membership and information on getting
	the code for my room-mate's PC. That was about 8 months ago. I have
	received nothing except the original "Thank you for your interest in
	the society" and a form for another $25 membership.

	I was highly distressed by all of this because our computer club (which
	I was getting it for) missed the international core wars
	tournament and we were quite pissed. If anyone has had success with
	them, let me know...PLEASE! Thank you.

	David C. Troup : SkunkWorks
	dtroup@carroll1.cc.edu
	"Sometimes life sucks, then we go surfing..."

dtroup@carroll1.UUCP (Dave Troup) (03/06/89)

	Sorry bout the header, but if anyone would be kind-enough to send me
	Moria via Email, I would appreciate it. Thanx...


	David C. Troup
	dtroup@carroll1.cc.edu

brianw@microsoft.UUCP (Brian Willoughby) (03/08/89)

In article <123*rdlanctot@instr.okanagan.bc.ca>, rdlanctot@instr.okanagan.bc.ca (Ryan Lanctot) writes:
> Some really smart cookie would probably have the virus checksum the 
> program itself before insertion, then rebalance the checksum......  Or they
> could corrupt the checksum program itself to produce the same result every time,
> no matter how the program looked.

Who says that you must use a predictable 'checksum'? A lot of the copy
protected software that I looked into used tricky methods to combine each byte
of a program into a unique value. If you want to fight these 'smart' viruses,
then use multiple checksum equations simultaneously. It would be very hard to
modify a program enough to make it generate the same result to two different
checksum algorithms. Especially if one or both of the algorithms were unknown
to the virus.

Brian Willoughby			microsoft!brianw@uunet.UU.NET
		or just			microsoft!brianw

#include <std.disclaimer>		/* just an idea */
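
Added example, not part of the original posts: Andy Nicholas's checks (length, first 3 bytes, CRC-16 or CRC-32) and Brian Willoughby's "multiple checksum equations" recorded together for one program image, next to the simple additive checksum Ryan Lanctot is worried about. The image bytes are constructed, the function names are assumptions, and the CRC-16 variant is the CCITT one that Python's binascii provides, not necessarily the one any program named in the thread uses.

```python
import binascii
import zlib


def additive_checksum(data):
    """Sum of all bytes modulo 65536: the simple checksum under discussion."""
    return sum(data) & 0xFFFF


def fingerprint(image):
    """Record several independent properties of a program image."""
    return {
        "length": len(image),
        "head3": image[:3].hex(),                 # first 3 bytes (often a JMP)
        "sum16": additive_checksum(image),
        "crc16": binascii.crc_hqx(image, 0),      # CRC-16/CCITT, as used by BinHex
        "crc32": zlib.crc32(image) & 0xFFFFFFFF,
    }


def failed_checks(recorded, image):
    """Names of the recorded properties that no longer match the image."""
    now = fingerprint(image)
    return [name for name in recorded if recorded[name] != now[name]]


def demo():
    # Constructed program image: JMP $2000 followed by filler bytes.
    original = bytes([0x4C, 0x00, 0x20]) + bytes(range(1, 200))
    recorded = fingerprint(original)

    # Same bytes with two neighbours exchanged: the length, the first 3 bytes
    # and the byte sum all still agree, so only the CRCs can notice.
    transposed = bytearray(original)
    transposed[10], transposed[11] = transposed[11], transposed[10]

    # Entry jump retargeted and 16 bytes appended: the cheap checks
    # (length, first 3 bytes) already fail before any CRC is computed.
    patched = bytes([0x4C, 0x00, 0x60]) + original[3:] + b"\xEA" * 16

    return {
        "unchanged": failed_checks(recorded, original),
        "transposed": failed_checks(recorded, bytes(transposed)),
        "patched": failed_checks(recorded, patched),
    }


if __name__ == "__main__":
    for case, failed in demo().items():
        print(case, "->", failed or "all checks pass")
```

A CRC of width r detects every error burst of r bits or fewer, which is why the adjacent-byte exchange that the additive sum misses cannot slip past either CRC.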

cdm@pro-freedom.cts.com (Carl Macdonald) (03/22/89)

Well, since the virus debate is still going hot and heavy, I thought I'd throw
my two cents in.

In my opinion it is certainly ludicrous to think that censoring virus
information on the net will make a bit of difference.  Even if all information
was to be suppressed on the net, there are still a lot of other forms of
information on the subject. There are books on the subject that go into great
detail on how to construct a virus, magazine articles, etc...

It seems to me that the best way to put a stop to this nonsense IS to provide
as much information as possible.  After all, where would we be today if
information were suppressed about other crimes such as murder, or robbery,
because nobody wanted to give someone an idea?


Carl MacDonald, programmer
Central Point Software

DISCLAIMER: All opinions expressed here are my own, not those of my employer
            or anyone else, living or otherwise.
 
    UUCP: crash!pnet01!pro-freedom!cdm
 ProLine: cdm@pro-freedom
 ARPANet: crash!pnet01!pro-freedom!cdm@nosc.mil
InterNet: cdm@pro-freedom.cts.com

Programmer: Red-eyed mumbling mammal capable of conversing with in-animate    
            objects.

ST802148@BROWNVM.BITNET (Evan) (09/15/89)

Have any of you encountered an Apple II virus where upon each boot of Prodos,
the computer scans available volumes (obviously to spread them), and then boots
fine UNTIL one day when prodos doesn't show up on your hard drive - instead a
graphics screen with some skulls and crossbones followed by a text screen of how
everything on the drive has been annihilated and was the work of some sadistic
hackers?  Well, I did and I must say I wanted to punch my monitor.  For you
uploaders and downloaders, watch out.  I used to think there were NO apple II
viruses... I learned the hard way.....

Oh yeah, if the creator of that monster is out there right now.... SCREW YOU!
Find something better to do (ahem... excuse my language!....)  Oh by the way,
this happened at the beginning of the summer. All that was irrevocably lost was
THE MOST AWESOME BBS SYSTEM I EVER CREATED... ahem... excuse me again.

bbean@pro-sat.cts.com (Bruce Bean) (09/18/89)

Network Comment: to #12567 by ST802148%BROWNVM.BITNET@mitvma.mit.edu

<From: ST802148%BROWNVM.BITNET@mitvma.mit.edu (Evan)
<Subject: Viruses
<
<Have any of you encountered an Apple II virus where upon each boot of Prodos,
<the computer scans available volumes (obviously to spread them), and then 
<boots fine UNTIL one day when prodos doesn't show up on your hard drive - 
<instead a graphics screen with some skulls and crossbones followed by a text
<screen of how everything on the drive has been annihilated and was the work
<of some sadistic hackers? 
 
   I thought people might like to hear about this, Source for VIRUS.KILLER
follows...
 
        July 10, 1989                 * * LOAD RUNNER * * (virus title)
 
*****************************************************************
  VIRUS WARNING !!   VIRUS WARNING !!   VIRUS WARNING !!   VIRUS WARNING !!
*****************************************************************
 
        Well folks, here it is...installment number 3 in the Saga of the virus
le II world and was particularly insidious as it;
infected (usually) the first .SYSTEM file in the root directory, usually
Basic.System, would infect more than one file per disk, would infect files in
sub-directories, and when it 'went off' would destroy all volumes currently
on-line at the time.  This included RAM disks and Hard Drives!
 
        By now, most of you are aware of Festering Hate and that there are
several good virus detecting/protecting programs available that have virtually
eradicated the FH virus.  It is to the credit of the Apple II community in
general, and selfless people like Glen Bredon that FH was halted before it got
too out of hand.  As a matter of fact it was the very vehicle that spread the
virus so rapidly that was also responsible for its quick demise.  After I did
my initial research on FH last year I wrote a brief study of it and uploaded
the study to most of the active BBS's in Canada and the U.S.  I also sent
copies to Glen Bredon and others who acted very quickly to develop the
'cures'.
 But it was the massive telecommunications network of  been able to pull
together so far:
 
SOURCE
 
        - Although we're not 100% positive it appears that the program called
SPEEDY SMITH is the culprit.  A recent import from France, Speedy Smith is one
of the fastest copy programs for the IIgs.  A full 800K disk copy takes about
50 seconds (without verification) to 70 seconds (with) using SS.  It has an
excellent SHR screen with 'thermometers' that indicate the copy's progress.
Unfortunately the reason we cannot either convict or acquit SS is that its
creators have seen fit to invent their own DOS.  This DOS is not readable by
standard Apple II sector editors such as the one in Copy II Plus.  There are
several reasons, however, for suspecting Speedy Smith.  First SS's displays
are in French and the virus's text screens are as well.  When catalogued Copy II+
indicates that there are 292 used Prodos blocks, but adding up the individual
files' blocks only totals 148.  And lastly, what better vehicle for the spread
e member found that his Test Drive II
refused to run.  This was followed by backups and originals of Space Quest I
and Police Quest.  At first it was thought that the member's IIgs was having
hardware problems.  But at the same time another friend from Eugene, Oregon
contacted us about having seen a French hi-res screen appear on his monitor
just before his Copy II+ disk was trashed.  Not being Canadian he was only
able to pick out the word "virus".  Armed with this info and the 'damaged' Space
Quest disks I spent a weekend checking things out.  At the same time other
friends in Oregon & California were independently analyzing infected disks.
 
HOW DO YOU KNOW IF YOUR DISKS ARE 'INFECTED'
 
        - There are 4 ways of detecting Lode Runner:
1) When the virus "goes off" and erases your disk...not exactly the most
   desirable way,
2) If you have a copy of Space Quest I then you can use it to check all your
   disks.  Boot any suspect disk and wait until the drive stops.  Replace the
tty sure that the previous disk is OK.  If Space Quest
   trashes with an error message (#206) then the previous disk is likely
   infected.
   If you DO get an infected disk then you MUST either power down your IIgs or
   run the self-test before continuing with your testing to clear the RAM as
   the virus seems to install itself there.
3) A better check (and much faster) is to boot Copy II+ and run the 3.5" Sector
   Editor.  Do a read of Block 0000 (Track 00, sector 00, side 01).  If the
   first 3 bytes are   01  A9  50  then the disk is infected.  Those 3 bytes
   aren't the only bytes that are different but they are all that is necessary
   to identify the virus.
4) If you recall, last year during the Festering Hate panic it was noted that
 disks then it would automatically detect
   and correct modifications to Block (0).  Now for LODE RUNNER this will also
   work.. that is, it WILL detect LODE RUNNER and it will try to correct Block
   (0).  BUT, it appears that due to the method of spreading of LR Guy's
   program cannot correct it.  Every time you boot the disk it'll give you the
   virus detect error.  I think the reason for this is that LR installs itself
   in RAM upon bootup in preparation for infecting a new disk.. and the only
   way you can be sure that it's gone is to either power down or run the
   self-test.. and since Guy Rice's program does an auto-reboot and corrects
   the block (0) all in one step then the RAM never really clears and the
   virus re-infects the disk.  And since you cannot write-protect the disk it
becomesrks with disks that are bootable.  LODE RUNNER can infect
   ANY Prodos disk because it resides in one of the blocks created when a disk
   is formatted.
 
        There is a 5th way.. the friends in Eugene, Ore  have written a Binary
program to detect and disarm the virus and I will try to include it in this
file when I upload it.  The reason theirs is successful is that the detector
is not part of the disk being checked and thus the "circle" is broken.
 
 
METHOD OF SPREADING
 
        - As far as we can tell the virus is spread two ways: by being copied
with a copy program and by booting an uninfected disk (using OA-CTRL-RESET)
immediately after running an infected disk.  NOTE: For a disk to be infected
it must not be write-protected.  The virus does NOT infect actual files so none
of your files will look modified in either their f
cannot get rid of the virus just by re-copying the files...the virus is
actually part of the Prodos kernel created when the disk is formatted.
 
 
WHAT HAPPENS WHEN IT "GOES OFF"?
 
        - To get Lode Runner to "go off" you must set your Control Panel's
clock to the following:  the MONTH must be October,  the DAY must be an odd
numbered day and the minute must be a number divisible by 8.  Next you must
boot an infected disk then boot (using OA-CTRL-RESET) any other disk.  This
second disk must NOT be write-protected or the virus won't activate.
 
        - Once the second disk is booted the virus will appear.  It's a red
screen with text characters as follows:
 
 
 
 
 
                     +++  SYSTEM  FAILURE  in :  +++
 
                                  08
==
 
 
 
                 Premier virus NON-DESTRUCTEUR sur IIGS
 
 
 
                   par    SUPER HACKER  &  SHYRKAN
              du  MASTERS CRACKING SERVICE    1988 Lyon
 
        By the time you've read the first screen the disk that you just booted
has been rendered useless.  LR does not appear to erase more than the current
disk and doesn't seem to affect 5.25" disks.  Not being an expert in French I
am unable to determine whether the phrase below the title means: "The first
non-destructIVE virus for the IIgs" or "The first non-destructIBLE virus for
the IIgs".  This is a 'moot' point however as it DOES destroy one disk when it
goes off.  In addition, and I believe that the writers of LR didn't plan this,
LR will destroy Space Quest 1 and Police Quest for the IIgs if they are booted
AT ANY TIME after an infected disk.. and if they are not write-protected.  It
is not necessary for LR to "go off" for these programs to be rendered useless.
on the research for this virus.  Many thanks go out to:
 
APPLES BC members,
        Ross Woodhouse - for being so insistent that something WAS wrong.
        Pat Daley - for gathering data, programs and relaying info.
 
EUGENE, OREGON users,
        Jack Stalcup - for accidentally setting the virus off because the
        battery in his IIgs was dead.  And for sending the programs and
        keeping the communications alive.
 
        Neil Parker and Mike Suiter (sp?) - for analyzing LR and writing the
                                            detection/correction program.
 
        PLEASE upload this file and Virus.killer to all bulletin boards.
Please tell everyone you know about this virus so that we can wipe it out as fast as
Festering Hate.  PLEASE.. if you find out any more information that is either
not in these notes or that refutes any of th be in
attendance at Applefest in San Francisco Sept.22, 23, & 24th.  Messages can
also be left on Compuserve...to 76475,642 (>>>---Brian--->).
 
                                >>>---Brian--->  (Brian McCaig, Virus Busters)
******************************************************************************
 
       
    ~~BBEAN  PRO-sat San Diego,CA
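
Added example, not part of the original post or of VIRUS.KILLER: detection method 3 from the report above (block 0 beginning 01 A9 50), applied in Python to disk images rather than through a sector editor. That the disks have been captured as raw or 2IMG-wrapped image files is an assumption, as are the file names and function names; the sample images are constructed and contain nothing but the bytes being tested.

```python
import struct

SIGNATURE = bytes([0x01, 0xA9, 0x50])   # first 3 bytes of block 0, per the report
TWOIMG_HEADER_LEN = 64                  # minimum size of a 2IMG header


def block0_offset(image):
    """Offset of block 0 in a raw (headerless) or 2IMG-wrapped image.

    In both DOS and ProDOS sector order the first sector of block 0 is the
    first sector of the data area, so only the container header matters here.
    """
    if image[:4] != b"2IMG":
        return 0                        # raw image: data starts at byte 0
    if len(image) < TWOIMG_HEADER_LEN:
        raise ValueError("truncated 2IMG header")
    (fmt,) = struct.unpack_from("<I", image, 0x0C)   # 0=DOS, 1=ProDOS, 2=nibble
    (data_offset,) = struct.unpack_from("<I", image, 0x18)
    if fmt == 2:
        raise ValueError("nibble image: block 0 is not stored as plain bytes")
    if data_offset < TWOIMG_HEADER_LEN:
        raise ValueError("2IMG data offset points inside the header")
    return data_offset


def check_image(image):
    """True if block 0 of the image starts with the reported 3 bytes."""
    off = block0_offset(image)
    head = image[off:off + 3]
    if len(head) < 3:
        raise ValueError("image too short to hold block 0")
    return head == SIGNATURE


def scan_images(images):
    """Check every image; an unreadable one is reported, never treated as clean."""
    results = {}
    for name, data in images.items():
        try:
            results[name] = "MATCH" if check_image(data) else "no match"
        except ValueError as exc:
            results[name] = "unreadable: " + str(exc)
    return results


def sample_images():
    """Constructed two-block images; only the leading bytes are meaningful."""
    clean = bytes([0x01, 0x38, 0xB0]) + bytes(1021)      # constructed, non-matching
    flagged = SIGNATURE + bytes(1021)                    # constructed, matching
    header = struct.pack("<4s4sHHIIIII", b"2IMG", b"TEST",
                         64, 1, 1, 0, 2, 64, 1024)       # ProDOS order, data at 64
    header += bytes(TWOIMG_HEADER_LEN - len(header))
    return {
        "clean.po": clean,
        "flagged.po": flagged,
        "flagged.2mg": header + flagged,
        "stub.2mg": b"2IMG" + bytes(10),
        "empty.po": b"",
    }


if __name__ == "__main__":
    for name, verdict in scan_images(sample_images()).items():
        print(f"{name:12} {verdict}")
```

Checking an image offline keeps the detector off the disk being examined, which is the property the report credits for the Eugene program's success.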

greyelf@wpi.wpi.edu (Michael J Pender) (09/22/89)

In article <8909151534.aa10599@SMOKE.BRL.MIL> ST802148@BROWNVM.BITNET (Evan) writes:
>Have any of you encountered an Apple II virus where upon each boot of Prodos,
>the computer scans available volumes (obviously to spread them), and then boots
>fine UNTIL one day when prodos doesn't show up on your hard drive - instead a
>graphics screen with some skulls and crossbones followed by a text screen of how
>everything on the drive has been annihilated and was the work of some sadistic
>hackers?

I really feel terrible saying this now instead of earlier, but there is a
new virus out there that only seems to be on the GS so far.  It's called 
Lode Runner.  I read up on it, and while the programs supplied work fine 
to check your GS disks, the virus can apparently also hit our II
machines, and the detector won't run on anything but a IIgs.

I wrote a detector program, but never got around to uploading it to 
apple2-l.

I think I'll go do that now...

---
Michael J Pender Jr  Box 1942 c/o W.P.I.        I wrote SHELL and Daemon,
greyelf@wpi.bitnet   100 Institute Rd.          send bug reports, suggestions,
greyelf@wpi.wpi.edu  Worcester, Ma 01609        checks to me.

nparker@CIE.UOREGON.EDU (09/23/89)

In article <4152@wpi.wpi.edu>, greyelf@wpi.wpi.edu (Michael J Pender) writes:
:In article <8909151534.aa10599@SMOKE.BRL.MIL> ST802148@BROWNVM.BITNET (Evan) writes:
:>Have any of you encountered an Apple II virus where upon each boot of Prodos,
:>the computer scans available volumes (obviously to spread them), and then boots
:>fine UNTIL one day when prodos doesn't show up on your hard drive - instead a
:>graphics screen with some skulls and crossbones followed by a text screen of how
:>everything on the drive has been annihilated and was the work of some sadistic
:>hackers?

:I really feel terrible saying this now instead of earlier, but there is a
:new virus out there that only seems to be on the GS so far.  It's called 
:Lode Runner.  I read up on it, and while the programs supplied work fine 
:to check your GS disks, the virus can apparently also hit our II
:machines, and the detector won't run on anything but a IIgs.


Sorry...as I said in a previous posting, these are NOT the symptoms of LOAD
RUNNER.  I have made a complete disassembly of LOAD RUNNER, and I assure you,
there are no graphics screens in the virus, nor does it scan the drives.

The reason that LOAD RUNNER has only been seen on the GS is that its code is
GS-specific.  It contains instructions that only execute on the 65816, and it
makes GS toolbox calls.  Booting an infected disk on any other Apple will NOT
infect the Apple--instead, it would probably crash spectacularly.  (I haven't
actually seen this happen, but I can guarantee that LOAD RUNNER won't work
on anything but a GS.)

:I wrote a detector program, but never got around to uploading it to 
:apple2-l.

:I think I'll go do that now...

A good idea anyway--anything done to help eliminate the threat of LOAD RUNNER
can't be all bad...

(All things considered, however, LOAD RUNNER isn't that much of a threat--it
doesn't kill any data; it just makes disks unbootable.)

Has anybody else out there seen the described virus?  Is this a return
appearance of an old virus, or have we got a new one to worry about?

:Michael J Pender Jr  Box 1942 c/o W.P.I.        I wrote SHELL and Daemon,
:greyelf@wpi.bitnet   100 Institute Rd.          send bug reports, suggestions,
:greyelf@wpi.wpi.edu  Worcester, Ma 01609        checks to me.

Neil Parker                 |  nparker@cie.uoregon.edu (if that bounces, try
1810 Harris, #123           |  PARKER@astro.uoregon.edu)
Eugene, OR 97403-1334       |-----------------------------------------------
(address subject to change) |  (insert witty quotation here)