[comp.sys.apple] VIRUS WARNING

saponara@batcomputer.tn.cornell.edu (John Saponara) (05/02/88)

Here's an article I just saw in comp.risks I thought people might be interested
in.  Hopefully everyone else won't cross-post this info - if you see multiple
copies, you know where that `n' key is...

Eric (not John Saponara) Haines


Newsgroups: comp.risks
Subject: RISKS DIGEST 6.71
Message-ID: <12394193661.12.NEUMANN@KL.SRI.COM>


Date:     Tue, 26 Apr 88 15:00 EST
From: <PGOETZ%LOYVAX.BITNET@CUNYVM.CUNY.EDU>
Subject:  Two viruses

   Here are descriptions of a virus and a nasty program header which run on the
Apple II family.

===============
                        The Elk Cloner V2.0

   I found the Elk Cloner V2.0 #005 on a disk of mine in 1981 or 82.  I'm
fairly certain it could not have been written before the publication of
Beneath Apple DOS, so I would date it around mid-1981...  It works exclusively
with DOS 3.3.

THE VIRUS

1.  It is installed by booting an infected disk.  I'm not sure how it initially
gains control; apparently it is loaded in with some trash from T0 SA which DOS
loads for no apparent reason.  (BTW, since HackerDOS rearranges DOS on the
disk, the Cloner would trash it.  It might trash master disks, I don't know.)
If you use a modified DOS which marks T2 S3-8 as free for use (as HackerDOS
does), it would overwrite any file stored there.
   A JMP $9B00 which was installed when the disk was infected jumps to this
code (I think) and loads the virus from T2 S3-S8 into $9000-95FF.

2.  Next, it inserts its claws into DOS:
   A. Hooks into the Do Command code at $A180 and makes every command
reset the DOS parse state to 0.  I have no idea why it does this.  It has
no obvious effects.
   B. Hooks into the RUN, LOAD, BLOAD, and CATALOG commands to make them check
the disk accessed & infect it if necessary.
   C. Creates a USR vector for the Cloner diagnostics:

B=USR(10)       Prints a cute poem:

ELK CLONER:
   THE PROGRAM WITH A PERSONALITY

IT WILL GET ON ALL YOUR DISKS
IT WILL INFILTRATE YOUR CHIPS
YES IT'S CLONER!

IT WILL STICK TO YOU LIKE GLUE
IT WILL MODIFY RAM TOO
SEND IN THE CLONER!

B=USR(11)       Prints ELK CLONER V2.0 #005 (version check)

B=USR(12)       Reads the disk & prints BOOT COUNT: (#)

B=USR(13)       Infects a disk

3. Increments the boot count

4. Checks for any special event for this boot:

Boot # (hex)    Effect

A       Point reset vector to $FF69 (monitor)
F       INVERSE
14      Click the speaker
19      FLASH
1E      Switch letters at $B3A7-B3AA so filetypes T I A B will appear as I T B A
23      Change DOS signal character from ctrl-D to ctrl-E
28      Lockout the computer on reset (dangerous one!)
2D      Run the current program on any keypress (locks out the machine, also
          dangerous. BTW, this is done by setting the hibit of $00D6.)
32      Print above poem on reset
37, 3C, 46      Screw with the INIT code.  I think it will give you an I/O
          ERROR, but I haven't tried.  3C and 46 might be dangerous in that
          it might not init a whole disk.  I don't know.
41      'Crash' to monitor on every DOS command
4B      Reboot
4C      Reboot
4D      Reboot
4E      Reboot
4F      Write 0 to the boot count & start all over again!

5. Sits back & infects disks.

This is how the program is structured:
9000            Version number
9001-9073       Setup
9074-908F       [Check a disk for infection] code
9090-90D9       Replacement code for LOAD, BLOAD, & CATALOG
90DA-9178       [Infect] code
9179            Read VTOC
9181            Write VTOC
91A8            Print routine
91E4            Serial #
91E5            Marked with a 0/1 if a disk is infected/uninfected
91EC-9243       Diagnostics
9244-9328       Poem
9343-9435       Special events by boot count
9500-9532       Code which loads Cloner on boot
95E1-95FF       ASCII: MATT BE<ctrl-D>JOHN HINKLYJOHN HINKLE<ctrl-D>
                (The author's hero?)

These are within the VTOC:
B3BE    Zeroed, I don't know why
B3BF    Boot count
B3C0    Zeroed, don't know why
B3C2    Infection mark: Version number (=(9000))
   There may be several versions out.  The version number would be used so
later versions would write over older versions, for a new improved
infection.

THE TEST

Any of these methods will work:

1. Check T$11 S0 Byte 7. If it is non-zero, the disk might be infected.
2. Check T1 S0 B$80-82. If they are 4C 00 9B, you have the Cloner.
3. Check T2 S3 - T2 S8 for the Cloner.
4. From Applesoft, immediately after boot, enter B=USR(11).

THE VACCINE

   If you write a 2 to T$11 S0 Byte 7, Cloner version 2 will not infect that
disk. I have verified this.

THE CURE
   Write something (like 00:1 AD 88 C0 4C 59 FF) to sector 0 so you can't boot
that disk.

PRECAUTIONS
   The Cloner will not work unless you boot an infected disk.  It cannot infect
a write-protected disk.  I have infected disks I use all the time.  Just mark
them as infected & don't boot them.

===============
                        Disease DOS

   This isn't a DOS at all, nor a virus, but a nasty program which is added
to the front of a program.  The author posted it to a bulletin board with an
explanatory file.  I don't know if they threw him off the BBS or promoted him.
(Promotion: higher disk quota, file access, more downloads permitted, etc.)
   When the program is run, it decrements a boot count & erases the current
track after a number of runs.  It might be used by a pirate who doesn't like
the fellow he is giving a program to, or who doesn't like people in general.
   You can detect it by scanning your disks for the sequence BD 8C C0 B0 F6,
an unusual sequence which shouldn't be on any normal disk.  (I haven't checked;
it could be on DOS 3.3, but I doubt it.)  It won't be
divided between sectors because it is in the first few bytes of the file.
Or you can read T$11 S0 Byte 4, which is the number of boots remaining before
wipeout.  Any commercial (read: non-standard) disk might be non-zero there.

===============

   Note that a write-protect tab will deter either program: The Cloner can't
spread, & neither can increment/decrement the boot count.

   And, no, I won't send you either program.  So don't ask.

Phil Goetz

thrash@jolnet.ORPK.IL.US (Richie Tozier) (08/24/89)

   I thought people might like to hear about this.  Source for VIRUS.KILLER
follows...


        July 10, 1989                 * * LOAD RUNNER * * (virus title)

*******************************************************************************
  VIRUS WARNING !!   VIRUS WARNING !!   VIRUS WARNING !!   VIRUS WARNING !!
*******************************************************************************

        Well folks, here it is...installment number 3 in the Saga of the virus
for the Apple II.  First it was CyberAids, which wasn't all that great and was
quickly defused.  It was followed in June of 1988 by Festering Hate, a more
sophisticated and deadly evolutionary offspring of CyberAids.  F.H. spread
rapidly throughout the Apple II world and was particularly insidious as it:
infected (usually) the first .SYSTEM file in the root directory, usually
Basic.System, would infect more than one file per disk, would infect files in
sub-directories, and when it 'went off' would destroy all volumes currently
on-line at the time.  This included RAM disks and Hard Drives!

        By now, most of you are aware of Festering Hate and that there are
several good virus detecting/protecting programs available that have virtually
eradicated the FH virus.  It is to the credit of the Apple II community in
general, and selfless people like Glen Bredon that FH was halted before it got
too out of hand.  As a matter of fact it was the very vehicle that spread the
virus so rapidly that was also responsible for its quick demise.  After I did
my initial research on FH last year I wrote a brief study of it and uploaded
the study to most of the active BBS's in Canada and the U.S.  I also sent
copies to Glen Bredon and others who acted very quickly to develop the 'cures'.
But it was the massive telecommunications network of Apple II users that
spread the details so quickly and stopped FH.
        Now, number 3 virus has just appeared.  Called, rather nostalgically,
"LODE RUNNER", it is not quite as destructive as its predecessors but it's a
virus nonetheless.  Here's what I've been able to pull together so far:

SOURCE

        - Although we're not 100% positive it appears that the program called
SPEEDY SMITH is the culprit.  A recent import from France, Speedy Smith is one
of the fastest copy programs for the IIgs.  A full 800K disk copy takes about
50 seconds (without verification) to 70 seconds (with) using SS.  It has an
excellent SHR screen with 'thermometers' that indicate the copy's progress.
Unfortunately the reason we cannot either convict or acquit SS is that its
creators have seen fit to invent their own DOS.  This DOS is not readable by
standard Apple II sector editors such as the one in Copy II Plus.  There are
several reasons, however, for suspecting Speedy Smith.  First SS's displays are
in French and the virus's text screens are as well.  When catalogued Copy II+
indicates that there are 292 used Prodos blocks, but adding up the individual
files' blocks only totals 148.  And lastly, what better vehicle for the spread
of a virus than a copy program?

HOW WAS IT DISCOVERED?

        - Lode Runner was discovered almost by accident by several members of
the Apples BC Computer Society.  Shortly after receiving several new disks of
IIgs software, including Speedy Smith, one member found that his Test Drive II
refused to run.  This was followed by backups and originals of Space Quest I
and Police Quest.  At first it was thought that the member's IIgs was having
hardware problems.  But at the same time another friend from Eugene, Oregon
contacted us about having seen a French hi-res screen appear on his monitor
just before his Copy II+ disk was trashed.  Not being Canadian he was only able
to pick out the word "virus".  Armed with this info and the 'damaged' Space
Quest disks I spent a weekend checking things out.  At the same time other
friends in Oregon & California were independently analyzing infected disks.

HOW DO YOU KNOW IF YOUR DISKS ARE 'INFECTED'

        - There are 4 ways of detecting Lode Runner:
1) When the virus "goes off" and erases your disk...not exactly the most
   desirable way,
2) If you have a copy of Space Quest I then you can use it to check all your
   disks.  Boot any suspect disk and wait until the drive stops.  Replace the
   disk with Space Quest and do the 3 or 4 fingered salute (OA-CTRL-RESET).
   NOTE: Keep Space Quest write protected so that it doesn't get screwed up. If
   Space Quest boots to the point where it asks you to press a joystick button
   then you can be pretty sure that the previous disk is OK.  If Space Quest
   trashes with an error message (#206) then the previous disk is likely
   infected.
   If you DO get an infected disk then you MUST either power down your IIgs or
   run the self-test before continuing with your testing to clear the RAM as
   the virus seems to install itself there.
3) A better check (and much faster) is to boot Copy II+ and run the 3.5" Sector
   Editor.  Do a read of Block 0000 (Track 00, sector 00, side 01).  If the
   first 3 bytes are   01  A9  50  then the disk is infected.  Those 3 bytes
   aren't the only bytes that are different but they are all that is necessary
   to identify the virus.
4) If you recall, last year during the Festering Hate panic it was noted that
   one of the best ways to have an Apple II virus was in BLOCK (0) on any
   Prodos disk.  At that point, anticipating another virus, Guy T. Rice wrote a
   small virus detector/fixer.  If you put this program into the
   SYSTEM/SYSTEM.SETUP folder on IIgs disks then it would automatically detect
   and correct modifications to Block (0).  Now for LODE RUNNER this will also
   work.. that is, it WILL detect LODE RUNNER and it will try to correct Block
   (0).  BUT, it appears that due to the method of spreading of LR Guy's
   program cannot correct it.  Every time you boot the disk it'll give you the
   virus detect error.  I think the reason for this is that LR installs itself
   in RAM upon bootup in preparation for infecting a new disk.. and the only
   way you can be sure that its gone is to either power down or run the
   self-test.. and since Guy Rice's program does an auto-reboot and corrects
   the block (0) all in one step then the RAM never really clears and the virus
   re-infects the disk.  And since you cannot write-protect the disk it becomes
   a vicious circle.  I am going to try to get these observations to Guy Rice
   in the hopes that he can modify his program.  NOTE: Three other problems
   with using Guy's program: its no good for 5.25" disks, it only works with a
   IIgs and it only works with disks that are bootable.  LODE RUNNER can infect
   ANY Prodos disk because it resides in one of the blocks created when a disk
   is formatted.

        There is a 5th way.. the friends in Eugene, Ore  have written a Binary
program to detect and disarm the virus and I will try to include it in this
file when I upload it.  The reason theirs is successful is that the detector is
not part of the disk being checked and thus the "circle" is broken.


METHOD OF SPREADING

        - As far as we can tell the virus is spread two ways: by being copied
with a copy program and by booting an uninfected disk (using OA-CTRL-RESET)
immediately after running an infected disk.  NOTE: For a disk to be infected it
must not be write-protected.  The virus does NOT infect actual files so none of
your files will look modified in either their file length or their modified
date.  The virus also does not search all drives, as did Festering Hate, so
cannot be detected that way.  Because it doesn't infect files it only infects
one spot per disk and cannot destroy any sub-directories.  Therefore you
cannot get rid of the virus just by re-copying the files...the virus is
actually part of the Prodos kernel created when the disk is formatted.


WHAT HAPPENS WHEN IT "GOES OFF"?

        - To get Lode Runner to "go off" you must set your Control Panel's
clock to the following:  the MONTH must be October,  the DAY must be an odd
numbered day and the minute must be a number divisible by 8.  Next you must
boot an infected disk then boot (using OA-CTRL-RESET) any other disk.  This
second disk must NOT be write-protected or the virus won't activate.

        - Once the second disk is booted the virus will appear.  It's a red
screen with text characters as follows:





                     +++  SYSTEM  FAILURE  in :  +++
                                  08


and proceeds to count down  to zero where the screen changes to another with a
multi-colored scrolling background and the following text;

               000E   Copies.      Distr:Artistes Associes


                     ===  L O A D  R U N N E R  ===



                 Premier virus NON-DESTRUCTEUR sur IIGS



                   par    SUPER HACKER  &  SHYRKAN
              du  MASTERS CRACKING SERVICE    1988 Lyon

        By the time you've read the first screen the disk that you just booted
has been rendered useless.  LR does not appear to erase more than the current
disk and doesn't seem to affect 5.25" disks.  Not being an expert in French I
am unable to determine whether the phrase below the title means: "The first
non-destructIVE virus for the IIgs" or "The first non-destructIBLE virus for
the IIgs".  This is a 'moot' point however as it DOES destroy one disk when it
goes off.  In addition, and I believe that the writers of LR didn't plan this,
LR will destroy Space Quest 1 and Police Quest for the IIgs if they are booted
AT ANY TIME after an infected disk.. and if they are not write-protected.  It
is not necessary for LR to "go off" for these programs to be rendered useless.
I have only found these two that behave in this fashion but I am sure there are
more.. likely most of the Sierra programs for the IIgs.


ACKNOWLEDGEMENTS

        - As with the studies on Festering Hate there are many people who
          collaborated on the research for this virus.  Many thanks go out to:

APPLES BC members,
        Ross Woodhouse - for being so insistent that something WAS wrong.
        Pat Daley - for gathering data, programs and relaying info.

EUGENE, OREGON users,
        Jack Stalcup - for accidentally setting the virus off because the
        battery in his IIgs was dead.  And for sending the programs and
        keeping the communications alive.

        Neil Parker and Mike Suiter (sp?) - for analyzing LR and writing the
                                            detection/correction program.

        PLEASE upload this file and Virus.killer to all bulletin boards. Please
tell everyone you know about this virus so that we can wipe it out as fast as
Festering Hate.  PLEASE.. if you find out any more information that is either
not in these notes or that refutes any of these observations then let me know.
I can be reached at (604)294-4471, 8:30am to 4:30pm Pacific time, Monday thru
Friday up until September 30, 1989.  I can also be reached either by answering
machine or in person at home (604)947-9722 anytime.  I will also be in
attendance at Applefest in San Francisco Sept.22, 23, & 24th.  Messages can
also be left on Compuserve...to 76475,642 (>>>---Brian--->).

                                >>>---Brian--->  (Brian McCaig, Virus Busters)
*******************************************************************************

--- cut here ---

FiLeStArTfIlEsTaRt
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789()
LVIRUS.KILLER   AoAAAAAAAYw4GIADzKBAWcRF)DwsAoAAAgEG
MICT8UIa9UIamDAoCANPx2j5GAPP93OIMsATI1TpIxTpggDYQ6)HDASIyDNDyf(7
g2e4xXu8yne9gOf5wDfwgWO7HncyA040QIKY8Cwv30d4TAtD0Dhy)OgohbBiOMT3
KXA0wQPEDASHpbNDzXv8v7OopDK9tDq7v3e5umv8A0YjM8NTCvPGN9KMPGuvhbBi
((0rK(Y4IFuFhTPSAQPACIKvAIiGiGOAiAhAhDAAD8voAAQq8CwnQoc47jT(MMAI
tXez5L)7vPOogmP8ga(7ynu9gOf9sn(6kXO7N2YoDACAunMDyX(8kDK9rPf6vTPo
lLOopTOoun(8jXu5kXO9w3IrzXu8iC68gK60g(O9hP(8vDq7iCq8gKa0g(O9pXf8
gqL9MACAgnc)pIAkTn83JrA8vDd093OI97IT93OI97II97II)CAIOECgINCkMMAI
vLP0z)O5yXOoy)u8AQKoaDCadDS)OCy(OCS)fzU)QIKDWAQvOcT3KXA0wUPEDAiH
pTMDgu(8gOf60)u7unOojXu5kXO9N2orfzEADACDpbNDzXv8lTOojXO9kXO9gCqr
znOxm7e60Pe5ZjKop68rAA6v9zAIQCeyfniAwndyOnMEg8O0g0f7g0vjM1vjgww3
g0f7g0vjg0vjB(LAQ6wJMx0AAASDtE4vDApDNwETMMAIznOxjD665D)7m)OopbPo
zXv8pvOolzO7NGK5MBQjDww3WAAUDAAASAAUDAAAUAAUcBQAh3riQlaAtOUhNW8)
klgMMRmSk5EZAAwRAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ynu1gOf9sn(yyXO75LOol7Mogye6yHO0yX(6qqKoEDqqpPf5l7(50DK5lD67tnO7
h7e6gWO9ljO9PzMogScwOXt0SXszpbPozXv8AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAoCAAhj(1hDK9gWu81)e(vTOo
n7e6lLPopTe4geu7pjO9g(78oTNolLf5gO)p0)u7unO6oD65lLf51LOolDK90Df7
tDa(v3e5hmv8AAQqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
wiTAyw0ADZYoIMQywliiKpkSAngSgmUhIR4)xiMK6ANSp6AsA04A9YOCIlUpItVq
AVIYgiUhIF7YJQZmrDMyiaP0dwrBk0bCynZCr0bC)1ZCQosCJkq7pmUhAAqhwmfy
IV4LECGhMRoSE6EhEi8REisQMkqRFGWhSAySoBbCmHm5GZeYJbUpvDpBMAQrMEQD
p2G0CANBYoUpMMSbNAJqluk5wq0SKksBgWF8KRIBJIQro(QKZrUsQngAQg42wni9
QDSyQA6OJrUszA9)KFLyIbUhFqUsAk6RgqUhLRoHIHGhg0EhwmgEhZ(FkGm5OZuT
FqUsMFrRRcUhnDtSgAATJ8DTSBlJPR0TgAyUgACIgACIgVKIlSUhFVYYAgEbk4BC
HV0PXTvdLZb0myKtghxKJwLTI9ZqI9fqiGQq5xEAYBC9cAK)JAVuF4am3DBiJ0ET
qqqqOXNoMLcwUDaxMD6zEH8zSDNoPT8zqC60lqqqDkyUrUgKA2rqskKwKHhop3P0
3DdAgtippYUpEk8BIMQKqgiCl2Thlq0RKpmRBVoSRVoCFWUprY6JAnYvJwLImfi5
9YePgMAs8mAvgBMiKAUppOVhUVIAFOVpljDUUAfUmTAsCA5U4MlxJ0GIYAVpJ8GI
gOO0SR4f4gCCwLlxIghz1DPiAzYvAsPEAAAAAAAAMBAATBqbgM1TP9kQgACVx4SM
TpAIuM1TSV0SMVkTgACITBCIgM1TOJ1SvkETFByTPJlUAggUMlkRnASRT90UFtkL
F5kUgcCTU9kTPZEIE5UVJBQJBZlTElETFtEIF5kUGBCTFxUSAAgOeAADE4hDYjHp
NeXqi()3so5(pCMEK3IQHk6)))ejODgoO()7tCCAQDCABka9pCehhXIAFCQqimah
gYYhmHqvAkK4mbehGauhgYu5gGqvFGrAIDehFWYsqDd4QDeps1q5iXIog2WrYMeh
pNeplXoAiXKOkOS7lSehAke5gWehiHLAN)QKQDaExiaIRkt4ZANo2DNixCAowni4
wDSywnsPuiA8gCKZUz0EliRoj0m4iXIppNepjXIAFTeplXq4wOe5liBvj0G5iXIp
pVepjXIAQbuxP5albAKohSNTxGBogXo4iHLytGehFCqZn1ahGWIoh6LIgiWrtWYh
FCaaA0qhgXIDNAQrgEehiGqvA07Bh0tHIAPogSmrMNBoKHK1p2OEnXIAmfu5Gauh
9eupFyAAA0L4hXYDQDephXKBgYA8MFqvYEqigqWregQbtiehtB6aF6RCozW6BkKA
leYhhbK40nHIgFAsgKjrMlAoEGK1piz5nXOKlhhS9i65ZCaKKXwpnbMitSP0MBMQ
AE67AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Acx9

--- cut here ---

Thrashing Rage / TVH     | Some have eyes and still can't see
                         | Their plastic noise is anything but music to me
UUCP: jolnet!thrash      | Mechanized and computerized
ARPA: bellcore@csustan   | Switch off your brain & make sounds that dehumanize.
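The disk-level tests in both posts (Phil Goetz's checks for Elk Cloner and Disease DOS, Brian McCaig's block 0 check for Lode Runner) translate directly into a scanner over a disk image. The following is an added example written for this page; it is not code from either post and not the VIRUS.KILLER binary above. It assumes the disk is available as a raw image file of the kind emulators use, which neither post mentions: a 140K DOS 3.3 image in DOS sector order (35 tracks x 16 sectors x 256 bytes) or an 800K ProDOS image in block order (1600 x 512 bytes). The byte values checked are the ones the posts give; the sample images the code builds are constructed, zero-filled except for the bytes under test.

```python
"""Scan Apple II disk images for the indicators described in the two posts.

Added example (not from either post, not VIRUS.KILLER).  Assumed image
formats: DOS-order 140K .dsk for DOS 3.3, block-order 800K for ProDOS.
Indicators, as the posts state them:
  Elk Cloner  - T1 S0 bytes $80-82 == 4C 00 9B (the installed JMP $9B00)
              - VTOC (T$11 S0) byte 7 non-zero: infection mark, or the
                vaccine value 2, so "look closer" rather than "infected"
  Disease DOS - the byte run BD 8C C0 B0 F6 anywhere on the disk
  both        - VTOC byte 4 non-zero: the boot count each program keeps
  Lode Runner - ProDOS block 0 begins 01 A9 50
"""
from typing import List

SECTOR, SECTORS_PER_TRACK, TRACKS = 256, 16, 35
DOS33_IMAGE_SIZE = TRACKS * SECTORS_PER_TRACK * SECTOR      # 143360 bytes
BLOCK, PRODOS_800K_BLOCKS = 512, 1600
VTOC_TRACK = 0x11

CLONER_BOOT_PATCH = bytes.fromhex("4C009B")
DISEASE_DOS_SEQ = bytes.fromhex("BD8CC0B0F6")
LODE_RUNNER_HEAD = bytes.fromhex("01A950")


def dos33_offset(track: int, sector: int) -> int:
    """Byte offset of a logical sector in a DOS-order image."""
    if not (0 <= track < TRACKS and 0 <= sector < SECTORS_PER_TRACK):
        raise ValueError("track/sector out of range")
    return (track * SECTORS_PER_TRACK + sector) * SECTOR


def dos33_sector(img: bytes, track: int, sector: int) -> bytes:
    off = dos33_offset(track, sector)
    return img[off:off + SECTOR]


def scan_dos33(img: bytes) -> List[str]:
    """Elk Cloner and Disease DOS checks from Phil Goetz's post."""
    if len(img) != DOS33_IMAGE_SIZE:
        raise ValueError(f"expected a {DOS33_IMAGE_SIZE}-byte image, got {len(img)}")
    findings: List[str] = []
    vtoc = dos33_sector(img, VTOC_TRACK, 0)
    boot1 = dos33_sector(img, 1, 0)
    # Test 2 in the post is the definitive one.  (Test 3, "check T2 S3-S8
    # for the Cloner", needs a sample of the code, which the post omits.)
    if boot1[0x80:0x83] == CLONER_BOOT_PATCH:
        findings.append("ELK_CLONER: T1 S0 bytes $80-82 are 4C 00 9B (positive)")
    if vtoc[7] != 0:
        findings.append(f"ELK_CLONER?: VTOC byte 7 = ${vtoc[7]:02X} (infection or vaccine mark)")
    # Disease DOS sits in the first bytes of the wrapped file, so the run
    # never straddles a sector; a plain search over the image finds it.
    pos = img.find(DISEASE_DOS_SEQ)
    while pos >= 0:
        track, sector = divmod(pos // SECTOR, SECTORS_PER_TRACK)
        findings.append(f"DISEASE_DOS: BD 8C C0 B0 F6 at T${track:02X} S{sector} +${pos % SECTOR:02X}")
        pos = img.find(DISEASE_DOS_SEQ, pos + 1)
    if vtoc[4] != 0:
        findings.append(f"BOOT_COUNT: VTOC byte 4 = {vtoc[4]} (non-standard disks may be non-zero too)")
    return findings


def vaccinate_dos33(img: bytes) -> bytes:
    """Write 2 to VTOC byte 7, which the post reports stops Cloner v2 infecting."""
    out = bytearray(img)
    out[dos33_offset(VTOC_TRACK, 0) + 7] = 2
    return bytes(out)


def scan_prodos(img: bytes) -> List[str]:
    """Lode Runner block-0 check from Brian McCaig's post."""
    if len(img) == 0 or len(img) % BLOCK:
        raise ValueError("ProDOS image size must be a non-zero multiple of 512")
    return (["LODE_RUNNER: block 0 begins 01 A9 50 (positive)"]
            if img[:3] == LODE_RUNNER_HEAD else [])


# Constructed sample images: zero-filled except for the bytes under test.
def sample_dos33(cloner: bool = False, disease: bool = False) -> bytes:
    img = bytearray(DOS33_IMAGE_SIZE)
    vtoc = dos33_offset(VTOC_TRACK, 0)
    if cloner:
        img[vtoc + 7] = 2                       # version mark (=(9000)) the post lists
        b = dos33_offset(1, 0) + 0x80
        img[b:b + 3] = CLONER_BOOT_PATCH
    if disease:
        f = dos33_offset(3, 5)                  # constructed location of the wrapped file
        img[f:f + len(DISEASE_DOS_SEQ)] = DISEASE_DOS_SEQ
        img[vtoc + 4] = 3                       # constructed boots-remaining value
    return bytes(img)


def sample_prodos(infected: bool = False) -> bytes:
    img = bytearray(PRODOS_800K_BLOCKS * BLOCK)
    if infected:
        img[:3] = LODE_RUNNER_HEAD
    return bytes(img)


if __name__ == "__main__":
    for name, img in [("clean.dsk", sample_dos33()),
                      ("cloner.dsk", sample_dos33(cloner=True)),
                      ("disease.dsk", sample_dos33(disease=True)),
                      ("vaccinated.dsk", vaccinate_dos33(sample_dos33()))]:
        print(name, scan_dos33(img) or ["no indicators"])
    for name, img in [("clean.po", sample_prodos()), ("lr.po", sample_prodos(True))]:
        print(name, scan_prodos(img) or ["no indicators"])
```

Two details matter when running this against real images. A vaccinated disk trips the VTOC byte 7 check by design, which is why that finding is tagged with a question mark while the 4C 00 9B boot patch is reported as a positive; and the VTOC byte 4 boot count is shared by both DOS 3.3 programs and, as Goetz notes, may be non-zero on non-standard commercial disks, so it is a prompt to look closer rather than a verdict. Test 3 from the Cloner post is omitted because the post gives no bytes to match in T2 S3-S8.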