[comp.sys.apple] I am not a virus writer

whitney@think.COM (David Whitney) (07/30/88)

Alright, read this:
]
]CAUTION:
]
]        ZLink+, ZLink.PBH, ZLink are all viruses, if you run ZLink then you
			    ^^^^^ this may not be true. see below
]now are the happy parent to a rodent virus. It seems Zlink has some sort of
]virus that attaches to files and stuff. 
]
]------------------------------------------------------------------------------
]
]There is a file going around (currently on the Hard Drive) called Z.LINK.PLUS.
]It is supposed to be a terminal program somewhat like ProTERM.  It is a decent
]program but the main reason I posted this is when you boot it up, it GOES TO
]EVERY ON-LINE DRIVE AND MODIFIES ]BASIC.SYSTEM<!!!

In reality, Z-link *is* a terminal program. I wrote it. I did NOT write the
virus. Somebody infected it, and now it's spreading.

As for what it infects, it goes after SYS files in the volume directory of
all online disks. *All* SYS files - not just BASIC.SYSTEM.

]        The first verified virus of the ProDOS operating system is out and
]around.  The first identified carrier of this virus was a terminal program
]called "ZLINK.PLUS", which was discovered about one week ago. Today, our board
	^^^^^^^^^^^ that is the name of the infected program. Z.LINK.SYSTEM,
if gotten from me directly, is safe to use.

]
]Sounds pretty interesting.  I d/l the Z.LINK system from here and it does not
]do a vol. check or anything like that as far as I can tell.  But it also
]doesn't work correctly.  If I call a board, then I can type to it, but
]whatever the remote system sends me, it doesn't show up on the screen (I know
]it's sending info cause my RD light blinks on and off...)...

Have that guy contact me directly. I can probably figure out his troubles.

]
]This **** isn't funny.  I lost 20 megs and know people that have lost as much

No, it's not. And to think, just days ago, somebody griped me out for
suggesting that we bother the authorities on this. Sheesh! People are gonna
start blaming ME for this! See below...

]as 80.  How the **** could someone manage to hide so much graphics and text
]and an entire virus in so little space?
]
]Glen Bredon wrote some virus detector which I guess doesn't work anymore.

It actually just detects when files have been changed, effectively telling
you, "yes indeed, your system is infected."

]Does anyone know how the **** to fix the hard drive after it detonates?  I
]tried Mr. Fixit and it just gives up and since I backed up 2 days ago my
]backup's are infected too and basically all my programs are just ****ed.

As I understand, it just takes a bit of patience. Only the volume directory
gets messed up. That's a max of 54 files you have to create in the vol
directory. Use Bag of Tricks or other stuff like that which can locate index
blocks on your disk and also read Beneath Apple ProDOS to learn how to
reconstruct your disk.

]**** I feel sorry for the people that were the first to get Zlink, tha...
]Where the **** did Zlink come from anyway?  Could these guys have written
]the entire zlink program just to hide their virus?

I wrote Z-Link in the hopes of making some money. That pretty much seems to
be impossible now that it's been slandered by this virus. Somebody else wrote
the rather compact virus and embedded it in Z-Link, changed its name to
Z-Link PLUS and uploaded it with the intention to do damage. I see that as
vandalism or destruction of private property, and somebody had better do
something!

]   If this happens to you, don't panic. The program Bag of Tricks 2, by
]Quality Software, can recover your directory ($40, 21610 Lassen, #7,
]Chatsworth, CA 91311 818-709-1721). MR.FIXIT, which is one of the items in
]Glen Bredon's ProSEL package, also can recover all the subdirectories (and
]what's in them) from directories damaged by CyberAIDS. Unfortunately,
]MR.FIXIT cannot recover files other than subdirectories.
]----------
]
]     A couple of important points:
]
]     A.) CyberAIDS is not tied to any one particular program. A rule such as
]don't use "EPBH1.5EX" isn't going to help--now that the virus is loose you
]must check ALL new P8 SYS files before you introduce them to your system--
]forevermore. That's certainly what we'll be doing here, right Doug and Vern?

------------
]     There appears to be a "new virus in town".  The new virus is known as
]FESTERING HATE (the other for the Apple ][ was CyberAids). It is not as
]easily fixed when you are 'struck'.  Neither MR.FIXIT nor BAG OF TRICKS can
]recover any of the lost files.  Thus far it has been linked to two files.
]Those are SQUIRT 1.5 and Z-LINK.  Both of these files are SHAREWARE and
]legitimate copies are available. It appears that the virus spreaders (not up
]to human standards in my opinion) modified these programs, and then
]uploaded them to various systems.  The virus affects SYS files, and adds 8
]blocks to the end of them. If you perform a CATALOG and notice that either
]the MODIFICATION DATE and/or the length has changed, delete the file
]immediately and replace it.  It is also rumored to affect SYS files so that
]not only do they carry the virus, but may also spread it to other SYS files.
]                                          << Peter J. Paul ]]
]----------

*Please* remember that Z-Link, as well as other quality shareware products
are available in "Safe" form. I don't want to be taken down for something
I had nothing to do with. Since neither virus seems to affect programs in
sub-directories, those files not in the volume directory should be OK. Your
best bet is to replace the SYS files in your volume directory and then
carefully check through your other SYS files to see if they've been modified.
I'm more pissed off about this than you can imagine. Even though I haven't been
hit, something worse has happened - I've been slandered, and Bag of Tricks
won't fix that.

David Whitney, MIT '90                   DISCLAIMER: Nobody knows what I'm up
{out there}!harvard!think!whitney         to. Don't blame them for my actions
whitney@think.com                         nor me for theirs.
^^^^^ will be changing before 1989 is here. Don't depend on it after 1/1/89.
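The check the quoted reports describe (a SYS file whose length or modification date changed, and in particular one that grew by 8 blocks) can be scripted as a baseline-and-compare pass over a catalog listing. This is an added example, not code from the original post or from Glen Bredon's detector; the one-line-per-file catalog layout, the file sizes and the dates are constructed for the example and do not reproduce real CATALOG output.

```python
from collections import namedtuple
VIRUS_GROWTH_BLOCKS = 8   # the quoted report: 8 blocks appended to each SYS file
# One catalog entry: pathname, file type, blocks used, modification stamp, EOF in bytes
Entry = namedtuple("Entry", "path ftype blocks modified endfile")

def parse_catalog(text):
    """Parse constructed lines PATH TYPE BLOCKS DD-MON-YY HH:MM ENDFILE (not real CATALOG output)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            path, ftype, blocks, mdate, mtime, endfile = parts
            entries[path] = Entry(path, ftype, int(blocks), f"{mdate} {mtime}", int(endfile))
    return entries

def check_sys_files(baseline, current):
    """Compare each SYS entry with the trusted baseline; returns {path: reason} for suspects."""
    findings = {}
    for path, cur in current.items():
        if cur.ftype != "SYS":
            continue
        # the post says the infection hits the volume directory, so record where the file lives
        where = "volume directory" if path.count("/") == 2 else "subdirectory"
        base = baseline.get(path)
        if base is None:
            findings[path] = f"{where}: new SYS file, verify against a known-good copy"
            continue
        reasons = []
        if cur.blocks - base.blocks == VIRUS_GROWTH_BLOCKS:
            reasons.append(f"grew by exactly {VIRUS_GROWTH_BLOCKS} blocks")
        elif cur.blocks != base.blocks or cur.endfile != base.endfile:
            reasons.append("length changed")
        if cur.modified != base.modified:
            reasons.append("modification date changed")
        if reasons:
            findings[path] = f"{where}: " + "; ".join(reasons)
    return findings

# Constructed sample catalogs: a clean baseline, then the same volume after an infection.
BASELINE = """\
/HD/PRODOS SYS 31 01-JUL-88 10:00 15360
/HD/BASIC.SYSTEM SYS 21 01-JUL-88 10:00 10240
/HD/UTIL/FILER SYS 25 01-JUL-88 10:00 12288
"""
CURRENT = """\
/HD/PRODOS SYS 31 01-JUL-88 10:00 15360
/HD/BASIC.SYSTEM SYS 29 28-JUL-88 22:13 14336
/HD/UTIL/FILER SYS 26 01-JUL-88 10:00 12800
/HD/Z.LINK.PLUS SYS 68 27-JUL-88 18:05 34560
"""
def run_demo():
    return check_sys_files(parse_catalog(BASELINE), parse_catalog(CURRENT))
```

Running `run_demo()` flags BASIC.SYSTEM for the exact 8-block growth plus a new date, the subdirectory FILER only for a changed length, and the unknown Z.LINK.PLUS as a SYS file with no trusted baseline.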