[comp.sys.apple] VIRU Alert!

jlai@pro-sol.cts.com (Jack Lai) (08/27/89)

Original article by Brian McCaig as follows:

VIRUS WARNING !!   VIRUS WARNING !!   VIRUS WARNING !!

                 * * LOAD RUNNER * *

        Well folks, here it is...installment number 3 in the
Saga of the virus for the Apple II.  First it was CyberAids,
which wasn't all that great and was quickly defused.  It was
followed in June of 1988 by Festering Hate, a more
sophisticated and deadly evolutionary offspring of
CyberAids.  F.H. spread rapidly throughout the Apple II
world and was particularly insidious as it infected
(usually) the first .SYSTEM file in the root directory,
usually Basic.System, would infect more than one file per
disk, would infect files in sub-directories, and when it
'went off' would destroy all volumes currently on-line at
the time.  This included RAM disks and Hard Drives!
By now, most of you are aware of Festering Hate and that
there are several good virus detecting/protecting programs
available that have virtually eradicated the FH virus.  It
is to the credit of the Apple II community in general, and
selfless people like Glen Bredon that FH was halted before
it got too out of hand.  As a matter of fact it was the very
vehicle that spread the virus so rapidly that was also
responsible for its quick demise.  After I did my initial
research on FH last year I wrote a brief study of it and
uploaded the study to most of the active BBS's in Canada and
the U.S.  I also sent copies to Glen Bredon and others who
acted very quickly to develop the 'cures'.  But it was the
massive telecommunications network of Apple II users that
spread the details so quickly and stopped FH.
        Now, number 3 virus has just appeared.  Called,
rather nostalgically, "LODE RUNNER", it is not quite as
destructive as its predecessors but it's a virus nonetheless.
Here's what I've been able to pull together so far:

SOURCE - Although we're not 100% positive it appears that
the program called SPEEDY SMITH is the culprit.  A recent
import from France, Speedy Smith is one of the fastest copy
programs for the IIgs.  A full 800K disk copy takes about 50
seconds (without verification) to 70 seconds (with) using
SS.  It has an excellent SHR screen with 'thermometers' that
indicate the copy's progress.  Unfortunately the reason we
cannot either convict or acquit SS is that its creators have
seen fit to invent their own DOS.  This DOS is not readable
by standard Apple II sector editors such as the one in Copy
II Plus.  There are several reasons, however, for suspecting
Speedy Smith.  First SS's displays are in French and the
virus's text screens are as well.  When catalogued Copy II+
indicates that there are 292 used Prodos blocks, but adding
up the individual files' blocks only totals 148.  And
lastly, what better vehicle for the spread of a virus than a
copy program?

HOW WAS IT DISCOVERED? - Lode Runner was discovered almost
by accident by several members of the Apples BC Computer
Society.  Shortly after receiving several new disks of IIgs
software, including Speedy Smith, one member found that his
Test Drive II refused to run.  This was followed by backups
and originals of Space Quest I and Police Quest.  At first
it was thought that the member's IIgs was having hardware
problems.  But at the same time another friend from Eugene,
Oregon contacted us about having seen a French hi-res screen
appear on his monitor just before his Copy II+ disk was
trashed.  Not being Canadian he was only able to pick out
the word "virus".  Armed with this info and the 'damaged'
Space Quest disks I spent a weekend checking things out.  At
the same time other friends in Oregon & California were
independently analyzing infected disks.

HOW DO YOU KNOW IF YOUR DISKS ARE 'INFECTED' - There are 4
ways of detecting Lode Runner:
1) When the virus "goes off" and erases your disk...not
exactly the most pleasant way to find out.
2) If you have a copy of Space Quest I then you can use it
to check all your disks.  Boot any suspect disk and wait
until the drive stops.  Replace the disk with Space Quest
and do the 3 or 4 fingered salute (OA-CTRL-RESET).  NOTE:
Keep Space Quest write protected so that it doesn't get
screwed up.  If Space Quest boots to the point where it asks
you to press a joystick button then you can be pretty sure
that the previous disk is OK.  If Space Quest trashes with
an error message (#206) then the previous disk is likely
infected.
        If you DO get an infected disk then you MUST either
power down your IIgs or run the self-test before continuing
with your testing to clear the RAM as the virus seems to
install itself there.
3) A better check (and much faster) is to boot Copy II+ and
run the 3.5" Sector Editor.  Do a read of Block 0000 (Track
00, sector 00, side 01).  If the first 3 bytes are   01  A9
50  then the disk is infected.  Those 3 bytes aren't the
only bytes that are different but they are all that is
necessary to identify the virus.
4) If you recall, last year during the Festering Hate panic
it was noted that one of the best ways to have an Apple II
virus was in BLOCK (0) on any Prodos disk.   At that point,
anticipating another virus, Guy T. Rice wrote a small virus
detector/fixer.  If you put this program into the
SYSTEM/SYSTEM.SETUP folder on IIgs disks then it would
automatically detect and correct modifications to Block (0).
Now for LODE RUNNER this will also work.. that is, it WILL
detect LODE RUNNER and it will try to correct Block (0).
BUT, it appears that due to the method of spreading of LR
Guy's program cannot correct it.  Every time you boot the
disk it'll give you the virus detect error.  I think the
reason for this is that LR installs itself in RAM upon
bootup in preparation for infecting a new disk.. and the
only way you can be sure that it's gone is to either power
down or run the self-test.. and since Guy Rice's program
does an auto-reboot and corrects the block (0) all in one
step then the RAM never really clears and the virus
re-infects the disk.  And since you cannot write-protect the
disk it becomes a vicious circle.  I am going to try to get
these observations to Guy Rice in the hopes that he can
modify his program.  NOTE: Three other problems with using
Guy's program: it's no good for 5.25" disks, it only works
with a IIgs and it only works with disks that are bootable.
LODE RUNNER can infect ANY Prodos disk because it resides in
one of the blocks created when a disk is formatted.
        There is a 5th way.. the friends in Eugene, Ore.
have written a Binary program to detect and disarm the virus
and I will try to include it in this file when I upload it.
{Was not included} The reason theirs is successful is that
the detector is not part of the disk being checked and thus
the "circle" is broken.

METHOD OF SPREADING - As far as we can tell the virus is
spread two ways: by being copied with a copy program and by
booting an uninfected disk (using OA-CTRL-RESET) immediately
after running an infected disk.  NOTE: For a disk to be
infected it must not be write-protected.  The virus does NOT
infect actual files so none of your files will look modified
in either their file length or their modified date.  The
virus also does not search all drives, as did Festering
Hate, so cannot be detected that way.  Because it doesn't
infect files it only infects one spot per disk and cannot
destroy any sub-directories.  Therefore you cannot get rid
of the virus just by re-copying the files...the virus is
actually part of the Prodos kernel created when the disk is
formatted.

WHAT HAPPENS WHEN IT "GOES OFF" - To get Lode Runner to "go
off" you must set your Control Panel's clock to the
following:  the MONTH must be October,  the DAY must be an
odd-numbered day and the minute must be a number divisible
by 8.  Next you must boot an infected disk then boot (using
OA-CTRL-RESET) any other disk. This second disk must NOT be
write-protected or the virus won't activate.  Once the
second disk is booted the virus will appear.  It's a red
screen with text characters as follows:

                     +++  SYSTEM  FAILURE  in :  +++
08
and proceeds to count down  to zero where the screen
changes to another with a multi-colored scrolling background
and the following text:
               000E   Copies.      Distr:Artistes Associes

                     ===  L O A D  R U N N E R  ===

                 Premier virus NON-DESTRUCTEUR sur IIGS

                   par    SUPER HACKER  &  SHYRKAN
              du  MASTERS CRACKING SERVICE    1988 Lyon

        By the time you've read the first screen the disk
that you just booted has been rendered useless.  LR does not
appear to erase more than the current disk and doesn't seem
to affect 5.25" disks.  Not being an expert in French I am
unable to determine whether the phrase below the title
means: "The first non-destructIVE virus for the IIgs" or
"The first non-destructIBLE virus for the IIgs".  This is a
'moot' point however as it DOES destroy one disk when it
goes off.  In addition, and I believe that the writers of LR
didn't plan this, LR will destroy Space Quest 1 and Police
Quest for the IIgs if they are booted AT ANY TIME after an
infected disk.. and if they are not write-protected.  It is
not necessary for LR to "go off" for these programs to be
rendered useless.  I have only found these two that behave
in this fashion but I am sure there are more.. likely most
of the Sierra programs for the IIgs.

ACKNOWLEDGEMENTS - As with the studies on Festering Hate
there are many people who collaborated on the research for
this virus.  Many thanks go out to:
APPLES BC members:
Ross Woodhouse - for being so insistent that something WAS
wrong.
Pat Daley - for gathering data, programs and relaying info.
EUGENE, OREGON users:
Jack Stalcup - for accidentally setting the virus off
because the battery in his IIgs was dead.  And for sending
the programs and keeping the communications alive.
Neil Parker and Mike Suiter (sp?) - for analyzing LR and
writing the detection/correction program.

PLEASE upload this file and Virus.killer to all bulletin
boards.  Please tell everyone you know about this virus so
that we can wipe it out as fast as Festering Hate.  PLEASE..
if you find out any more information that is either not in
these notes or that refutes any of these observations then
let me know.  I can be reached at (604)294-4471, 8:30am to
4:30pm Pacific time, Monday thru Friday up until September
30, 1989.  I can also be either reached by answering machine
or in person at home (604)947-9722 anytime.  I will also be
in attendance at Applefest in San Francisco Sept.22, 23, &
24th.  Messages can also be left on Compuserve...to
76475,642 (>>>---Brian--->).

>>>---Brian--->  (Brian McCaig, Virus Busters)

--Virus.Alert wasn't posted here, but give Omega BBS in Wichita, KS a call at
(316) 669-9415, and you can dload it there.  Thought the message was more
important than the debugger.

_______________________________________________________________________________
|  Jack S. Lai    | "Some people never learn anything because they understand |
|  jlai@pro-sol   |  everything too soon" - Alexander Pope                    |
|_________________|___________________________________________________________|
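An added example, not part of the original post or of any of the detector programs it mentions: a Python checker that applies the Block 0 test from method 3 (first three bytes 01 A9 50) to a ProDOS-order disk image, and a helper that evaluates the clock condition the post gives for activation. The 2IMG container handling and the "typical ProDOS boot bytes" in the clean sample image are my assumptions for offline testing, not something the post states.

```python
# Added example (not from the original post): detect the Lode Runner
# block-0 marker in a ProDOS-order (.po) or 2IMG (.2mg) disk image.
import struct

BLOCK_SIZE = 512
BLOCKS_800K = 1600                       # 800K 3.5" disk = 1600 blocks of 512 bytes
LODE_RUNNER_SIG = bytes.fromhex("01A950")  # first 3 bytes of block 0 on an infected disk (per the post)


def block0(image: bytes) -> bytes:
    """Return ProDOS block 0 from a raw .po image or a 2IMG wrapper.
    Assumption: 2IMG header is 64 bytes with header length at offset 8 and
    image format at offset 12 (1 = ProDOS block order); other formats raise."""
    offset = 0
    if image[:4] == b"2IMG":
        (header_len,) = struct.unpack_from("<H", image, 8)
        (img_format,) = struct.unpack_from("<I", image, 12)
        if img_format != 1:
            raise ValueError("2IMG image is not in ProDOS order")
        offset = header_len
    if len(image) < offset + BLOCK_SIZE:
        raise ValueError("image too small to contain block 0")
    return image[offset:offset + BLOCK_SIZE]


def is_infected(image: bytes) -> bool:
    """True when block 0 starts with 01 A9 50, the marker the post describes.
    Only block 0 is examined; the post says the virus lives in the boot
    block, not in files, so file lengths and dates are no help here."""
    return block0(image)[:3] == LODE_RUNNER_SIG


def in_trigger_window(month: int, day: int, minute: int) -> bool:
    """Clock condition from the post: October, odd-numbered day, minute divisible by 8."""
    return month == 10 and day % 2 == 1 and minute % 8 == 0


def wrap_2img(image: bytes) -> bytes:
    """Constructed 2IMG container (creator 'TEST', 64-byte header, ProDOS order)."""
    header = struct.pack("<4s4sHHI", b"2IMG", b"TEST", 64, 1, 1)
    return header.ljust(64, b"\0") + image


# Constructed sample images: a clean one whose block 0 begins with typical
# ProDOS boot-loader bytes (assumption), and one carrying the marker.
CLEAN_IMAGE = bytes.fromhex("0138B0034C") + bytes(BLOCK_SIZE * BLOCKS_800K - 5)
INFECTED_IMAGE = LODE_RUNNER_SIG + bytes(BLOCK_SIZE * BLOCKS_800K - 3)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("infected", INFECTED_IMAGE)):
        print(f"{name}: block 0 starts {block0(img)[:3].hex()} -> infected={is_infected(img)}")
    print("Oct 3, 12:16 is in the trigger window:", in_trigger_window(10, 3, 16))
```

Because the post notes the virus stays resident in RAM after booting an infected disk, a positive result on an image pulled from a real drive should be followed by a power-down before any further disks are tested.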