[comp.sys.apple] CyberAIDs

PGOETZ@LOYVAX.BITNET (07/30/88)

    Well, I'm sorry I didn't post anything sooner.  Fact is, the author
of CyberAIDS (an unsavory fellow who calls himself The Plague) gave a
complete description of it in the Summer 1988 issue of 2600.  (Not, of course,
that I am in any way associated with 2600.)
    First he spends two pages explaining why he writes viruses. Essentially,
for fun. First he says that inventing a virus is nothing to be proud of,
and then he goes on to say that most people don't appreciate how difficult they
are to write (they're not; I've disassembled one; he should try writing an
operating system!) and rejoices that viruses have such wide audiences.
He also claims that people who do not protect themselves deserve what they get.
Here's a quote: "I was asked whether I had any moral feelings about viruses,
or whether I thought that they were wrong, or evil, or whatever. My feelings
are the following: I don't care one way or the other. If people's data are
destroyed, then so be it. If people are stupid enough to accept pirated
software [I'm sure he would NEVER do that!], then they deserve to be
punished." (Also for downloading those evil public domain programs.)

So here's what CyberAIDS does when it runs:

A. INITIALIZE
1. Find current location in memory.
2. Relocate to predefined area.
3. Make sure DOS is ready to accept system calls.
4. Move original application header (6 bytes) back to original memory.
  (CyberAIDS installs a hook at the beginning of the application to call
  itself.)
B. SEARCH
  1. Choose random disk volume.
     a. Make sure it's not write-protected.
     b. Make sure it's on-line.
  2. Increment disk counter (ambiguous about which disk) & destroy disk
     if it's time.
  3. Check for enough space on disk.
  4. Choose candidate file: Must be system or application file,
    must not be infected, & must be small enough so both file & virus fit
    in memory at the same time.
C. INFECT
I'm not going into the details; the important thing
is that it puts a hook in the 1st 6 bytes of the file.
D. DESTROY
1. Lock out keyboard & reset.
2. Destroy: Find all disk devices. Wipe out the directory block of each
  disk. Wipe out each key block for each file in each directory block.
3. Present boneheaded message saying how KOOL you, the virus-writer, are.
4. Jump back to application start as if nothing had happened (note virus is
STILL RESIDENT after striking.)

Note that a file infected is divided like this:
Jump Code ! Application ! Original header ! Viral code
then End of File.

I've provided this information because I think knowledge is the best
defense. If anyone uses this information to write a virus, they had damn well
better hope I don't find out about it!
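
An added example, not part of the original posts: a baseline integrity check built on the file layout described in the post above (hook in the first 6 bytes, original header saved right after the application, extra code appended). The function names and sample bytes are made up for illustration, and it assumes the application body from byte 6 onward is left unchanged.

```python
import hashlib

HOOK_LEN = 6  # the post says the hook occupies the first 6 bytes of the file

def snapshot(data: bytes) -> dict:
    """Record what a known-clean file looked like."""
    return {
        "length": len(data),
        "header": data[:HOOK_LEN],
        "body_sha256": hashlib.sha256(data[HOOK_LEN:]).hexdigest(),
    }

def check(baseline: dict, current: bytes) -> list:
    """Compare a file against its clean snapshot; return a list of findings."""
    findings = []
    old_len = baseline["length"]
    header_changed = current[:HOOK_LEN] != baseline["header"]
    grew = len(current) > old_len
    # Hash only the span the original body occupied, so appended bytes are ignored
    body_intact = (hashlib.sha256(current[HOOK_LEN:old_len]).hexdigest()
                   == baseline["body_sha256"])
    # Layout from the post: the saved original header sits right after the application
    header_relocated = current[old_len:old_len + HOOK_LEN] == baseline["header"]
    if header_changed:
        findings.append("first 6 bytes differ from baseline")
    if grew:
        findings.append("file grew by %d bytes" % (len(current) - old_len))
    if not body_intact:
        findings.append("application body modified")
    if header_changed and grew and body_intact and header_relocated:
        findings.append("matches appended-code layout: original header found at old end of file")
    return findings

# Constructed sample data (filler bytes only, not taken from any real program)
CLEAN = b"HEADER" + b"application body bytes" * 4
ALTERED = b"\x00" * HOOK_LEN + CLEAN[HOOK_LEN:] + CLEAN[:HOOK_LEN] + b"\xff" * 32

if __name__ == "__main__":
    base = snapshot(CLEAN)
    print(check(base, CLEAN))
    print(check(base, ALTERED))
```

The snapshot has to be taken while the file is known to be clean and stored on write-protected media, otherwise the baseline itself cannot be trusted.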

gwyn@brl-smoke.ARPA (Doug Gwyn) (08/01/88)

In article <8807302311.aa12460@SMOKE.BRL.ARPA> PGOETZ@LOYVAX.BITNET writes:
[description of CyberAIDS structure and operation]

Thanks for the info.  I think the greatest service this does is to show
how utterly trivial a virus is.  Anyone who derives intellectual
satisfaction from creating one is a sad case, indeed.