[comp.sys.apple] Virus troubles...

whitney@think.COM (David Whitney) (07/23/88)

Well, I have become a victim of a virus - but not directly. Some
a$$hole has infected my Z-Link and began posting to various places
(including, possibly Genie). If you know of anyone who has a copy of
Z-Link Plus, tell them to get rid of it right away. It contains the
CyberAIDS virus, which can cause bad (but not irrecoverable) damage.
Every other time an infected SYS file is run, the virus checks the
volume directories of all online disks and infects all SYS files it
finds. Once the virus has executed 15 times, it trashes the volume
directory of online disks. See news below:

Date:    Fri, 22 Jul 88 02:37:50 GMT
From: jordan%lvva.span@sds.sdsc.edu (RICH)
Message-Id: <880722023750.25400094@Sds.Sdsc.Edu>
Subject: Z-Link info
To: whitney@Think.COM
X-St-Vmsmail-To: SDSC::"whitney@think.com.arpa",JORDAN      

Dave,
     for your information here is the current thread on the Z-Link virus.
The news seems to be good for Z-Link but bad in general. The thread on the
virus mentioned within will be sent following this msg. Since my system
has been checked and is not infected, it is highly unlikely that any infected
versions of Z-Link were uploaded. Hope this info helps. I do think
it is very unlikely that the sysops will release a copy of the virus for any
reason, so I won't be able to get a copy of the infected file. Good reading!

							Rich


<jordan%lvva.span@sds.sdsc.edu>

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


Item    9505713                 88/07/20        18:18

From:   A2.DOUG                         Doug Acker, Apple II Library Mgr.

To:     T.MADDEN                        Timothy J. Madden

cc:     AA$                             All Apple II RoundTables Staff
        D.LYONS2                        David A. Lyons
        BARRACUDA                       Richard J. Jordan

Sub: virus programs

Reply:  Item #9890843 from T.MADDEN     on 88/07/19 at 21:48

The only reason why I would doubt it would be Z.link since D.Lyons has been
working with it a lot and he is a reputable programmer.



=END=




forwarded  by  A2.DOUG      to BARRACUDA    D.LYONS2

Item forwarded  by  A2.DOUG      to OA$

Item    9890843                 88/07/19        21:48

From:   T.MADDEN                        Timothy J. Madden

To:     A2.DOUG                         Doug Acker, Apple II Library Mgr.

Sub: virus programs

Hello. A friend of mine has lost several files that he downloaded recently,
apparently to a virus program. One of the programs said to spread it is
ZLink. I am not convinced there is a virus yet, but since the program is
up on the A2 board I thought you might like to know that there is a
possibility.

I made copies of the disks he claimed were infected and am looking them
over (very carefully, I admit).

oh, yeah, we discovered this through a BBS that told us what to look for.
When the disks are cataloged with such programs as Copy II+, AppleWorks,
or even BASIC, the catalogs are normal. When cataloged with APW, the
'infected' disks have files with no names, creation and modification dates
are bad (i.e. <BAD DATE> appears), and the catalog format is screwed up.

What fun, eh?
Tim



=END=





Item forwarded  by  A2.DOUG      to AA$

Item    8619651                 88/07/20        20:10

From:   BARRACUDA                       Richard J. Jordan

To:     A2.DOUG                         Doug Acker, Apple II Library Mgr.

cc:     BARRACUDA                       Richard J. Jordan

Sub: z-link virus?

Doug,
     I've been using every version of Z-Link that I uploaded without problems,
and all of those have come direct from the author. If you like I can contact
the author about this. I have a feeling that another program is to blame, or
maybe there are deliberately contaminated versions floating around (_not_ by
the author). Let me know what you find out on this, though.

                                                  Rich



=END=




    Item:   7844441                 88/07/20        23:17

From:   A2.DOUG                         Doug Acker, Apple II Library Mgr.

To:     BARRACUDA                       Richard J. Jordan

cc:     AA$                             All Apple II RoundTables Staff

Sub: z-link virus?

Reply:  Item #8619651 from BARRACUDA    on 88/07/20 at 20:10

I don't think it's a virus either...as you and Dave are quite trustworthy...
It was more for your info though....



=END=







Item    5690480                 88/07/21        01:29

From:   D.LYONS2                        David A. Lyons

To:     A2.DOUG                         Doug Acker, Apple II Library Mgr.

cc:     AA$                             All Apple II RoundTables Staff
        BARRACUDA                       Richard J. Jordan

Sub: virus in Z-Link

I have independent evidence that there *is* a virus in *some* copies of
Z-Link floating around.  I will tell the author, Dave Whitney, about it;
I'm 100% sure they are not his doing (his network address is
Whitney@Think.COM).

An acquaintance of mine has a copy of a Z-Link that came from a pirate
bulletin board; it's infected.  He's getting me a copy of it--apparently
it infects a SYS file every second time it's run, adding NINE BLOCKS to
the file (there's a packed hires picture in there for the virus to display
at its convenience, apparently).  -- Once I get a copy, I'll tell you
guys how to detect it.

By the way, I am about 98% sure that the messed-up catalog in APW is
because the last byte of a directory block is being fiddled with--APW
assumes that the last byte in each block will always be $00, as it normally
is (it's unused since the current directory entry size doesn't divide
into 512 evenly).

--Dave Lyons



=END=






Item    8811050                 88/07/21        03:25

From:   GUY.T.RICE                      Guy Rice, A2Pro Leader

To:     D.LYONS2                        David A. Lyons

cc:     A2.DOUG                         Doug Acker, Apple II Library Mgr.
        BARRACUDA                       Richard J. Jordan
        AA$                             All Apple II RoundTables Staff

Sub: virus in Z-Link

Reply:  Item #5690480 from D.LYONS2     on 88/07/21 at 01:29

Dave - it won't be necessary to isolate the virus yourself, that's already
been done.  I have a copy of an infected BASIC.SYSTEM containing the very
virus you are talking about.  It's 27 blocks long, infects a system file
every second time it's run or so, and has a packed hires picture in it.
Therefore, I assume we're talking about the same virus.  It's actually
rather easy to detect.  Any SYS file infected with it is marked by some
ID bytes.  The 4th-6th bytes of the file will be $13.  So just dump the
file and check those 3 bytes to see if the file is infected or not.
(By the way, the VIRUS ITSELF isn't 27 blocks... the infected copy of
BASIC.SYSTEM is 27 blocks.  Just wanted to make that clear...)

GTR



=END=






Item    1545389                 88/07/21        12:56

From:   UNCLE-DOS                       Tom Weishaar, Apple II Manager

To:     T.MADDEN                        Timothy J. Madden
        D.LYONS2                        David A. Lyons
        BARRACUDA                       Richard J. Jordan
        GUY.T.RICE                      Guy Rice, A2Pro Leader

cc:     AA$                             All Apple II RoundTables Staff

Sub: virus

     The virus that has the $13 ID in bytes 4 to 6 is
CyberAIDS. I think you're all talking about it. It infects ProDOS
8 SYS files--Z-Link is an innocent SYS file here. CyberAIDS
can be destructive, but the disk can be recovered and it's
very easy to identify.
     PS it messes with that 512th byte of the directory,
too. For more, see Cat 12, Top 18, Message 12 and following
in the A2 BB.
     VERN--for my peace of mind, would you download and
check our copy of ZLINK?
     Tom



=END=






Item    8941243                 88/07/21        16:01

From:   A2.VERN.R                       Vernon R. Pollard, Apple II Asst.

To:     UNCLE-DOS                       Tom Weishaar, Apple II Manager
        T.MADDEN                        Timothy J. Madden
        D.LYONS2                        David A. Lyons
        BARRACUDA                       Richard J. Jordan
        GUY.T.RICE                      Guy Rice, A2Pro Leader

cc:     AA$                             All Apple II RoundTables Staff

Sub: virus

Tom,
  Will get Zlink and check it out...

>>--[ A2 Alive!! ]-->  Vern R.



=END=






Item    1483417                 88/07/21        18:17

From:   A2.DOUG                         Doug Acker, Apple II Library Mgr.

To:     D.LYONS2                        David A. Lyons
        A2.CHET                         Chet Day, A2 Bulletin Board Editor
        A2.DOUG                         Doug Acker, Apple II Library Mgr.
        A2.HAYWARD                      Lee Hayward, AppleWorks Librarian
        A2.TYLER                        Tyler D. Weisman, A2 RTC Leader
        A2.VERN.R                       Vernon R. Pollard, Apple II Asst.
        BARRACUDA                       Richard J. Jordan
        GUY.T.RICE                      Guy Rice, A2Pro Leader
        OA.VAN                          Tom Vanderpool, Open-Apple
        OPEN-APPLE                      Dennis Doms, Open-Apple
        TIM.SWIHART                     Tim Swihart, A2Pro Leader
        UNCLE-DOS                       Tom Weishaar, Apple II Manager

Sub: virus in Z-Link

Reply:  Item #5690480 from D.LYONS2     on 88/07/21 at 01:29

Zlink Plus...there is no such animal except in pirate boards probably...

So far we believe we are still sterile....



=END=


and more...

Received: from Think.COM by fafnir.think.com; Fri, 22 Jul 88 03:26:15 EDT
Return-Path: <@cunyvm.cuny.edu:AWCTTYPA@UIAMVS.BITNET>
Received: from CUNYVM.CUNY.EDU by Think.COM; Fri, 22 Jul 88 03:29:46 EDT
Message-Id: <8807220729.AA02777@Think.COM>
Received: from UIAMVS.BITNET by CUNYVM.CUNY.EDU (IBM VM SMTP R1.1) with BSMTP id 8781; Fri, 22 Jul 88 03:25:38 EDT
Date:     Friday 22 Jul 88 2:26 AM CT
From: David A. Lyons <AWCTTYPA%UIAMVS.BITNET@cunyvm.cuny.edu>
To: <WHITNEY@Think.COM>
Subject:  Mail from Participate at the University of Iowa


Dave!  There are apparently copies of Z-Link making the rounds on some
not-so-legitimate bulletin boards, and some of them are INFECTED with
CyberAIDS.  The virus can be identified by $13 in the 4th thru 6th bytes
of a SYS file.  See msg concatted to the end of this for more info.

Some of the bogus copies are going by the name Z-Link Plus.  I strongly
suspect that there is no legitimate version of Z-Link called Z-Link Plus;
can you verify this for me?  (I'll pass it on to the GEnie admins.)

----------
The following note is from Tom Weishaar, the Open-Apple guy himself.

Summary recommendation:  LOCK ALL THE SYS FILES IN THE MAIN
DIRECTORY OF ALL YOUR DISKS to protect yourself against an
honest-to-goodness Apple II ProDOS virus called CyberAIDS.

-------
UNCLE-DOS [ Tom W ]          at 22:59 EDT

   Sorry to have to reopen this topic gang, but we found one.

   OK, we've got one. We've received and disassembled a copy of a SYS
file infected with a virus that attacks ProDOS 8 system files. The
virus calls itself CyberAIDS. It's a little buggy and far from
"commercial quality," but is dangerous nonetheless. We have no idea
how widely distributed it is. It was sent to us by a user. We don't
think any of the SYS files in our library are infected, although we
haven't gone back and checked them all.

   When a SYS file containing the CyberAIDS virus is executed, the
disk drive will turn off and then back on again. While the drive
spins the second time, CyberAids tries to replicate itself inside all
of the online SYS files that are in root directories. It doesn't look
in subdirectories, it doesn't (can't really) mess with
write-protected disks, it doesn't attack locked SYS files, and it
doesn't attack the PRODOS file. CyberAIDS also updates a counter
stored in the last byte of the first block of the disk directory.
When this counter reaches 16, CyberAIDS writes $FFs through the root
directory of all online volumes and puts a message describing what's
happening on the screen.

   If this happens to you, don't panic. The program Bag of Tricks 2,
by Quality Software, can recover your directory ($40, 21610 Lassen,
#7, Chatsworth, CA 91311 818-709-1721). MR.FIXIT, which is one of the
items in Glen Bredon's ProSEL package, also can recover all the
subdirectories (and what's in them) from directories damaged by
CyberAIDS. Unfortunately, MR.FIXIT cannot recover files other than
subdirectories.

   The following is a simple program that can identify SYS files that
have been infected by CyberAIDS:

  10 HOME : PRINT "CyberAIDS Detection Program"
  20 PRINT
  30 PRINT "Enter the name of the next SYS file to be checked."
  40 INPUT F$ : IF LEN(F$)=0 THEN END
  50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS"
  60 DETECT=1
  70 FOR ADR=8192 TO 8194
  80  IF PEEK(ADR) <> 19 THEN DETECT=0
  90 NEXT
 100 IF DETECT THEN PRINT "This SYS file appears infected."
 110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
 120 GOTO 20

   If you find any SYS files that are infected, simply delete them
and replace them with uninfected backups. You might also like to
change the last byte of the first block of the root directory (block
2), which is normally unused, back to zero.
----------
(end of Tom W's note)

--David A. Lyons  a.k.a.  DAL Systems
  PO Box 287 | North Liberty, IA 52317
  BITNET: AWCTTYPA@UIAMVS
  CompuServe: 72177,3233
  GEnie mail: D.LYONS2


and finally...

Date:    Fri, 22 Jul 88 03:02:18 GMT
From: jordan%lvva.span@sds.sdsc.edu (RICH)
Message-Id: <880722030218.25400094@Sds.Sdsc.Edu>
Subject: P8 Virus
To: whitney@Think.COM
X-St-Vmsmail-To: SDSC::"whitney@think.com.arpa",JORDAN      

Dave,
     Here's the thread on the virus as of tonight. If any other good info comes 
in I'll send it to you ASAP. Dave Lyons may also be in touch with you if he
hasn't already.

							Rich


<jordan%lvva.span@sds.sdsc.edu>

----------
Category 12,  Topic 18
Message 15        Wed Jul 20, 1988
OPEN-APPLE [Dennis Doms]     at 09:45 EDT
 
I've also discovered you can BLOAD a volume directory (I didn't know that!
<grin>), so if you do a 'BLOAD /VOLUME,A$2000,TDIR' (substitute your disk name
for "/VOLUME") and if 'PRINT PEEK(8703)' does not give you '0', that _may_
also mean the volume has been trifled with. ("8703" = $21FF, which is the last
byte of the first block of the volume.) You can correct the value (on disk)
with a block editor.
----------
Category 12,  Topic 18
Message 16        Thu Jul 21, 1988
GUY.T.RICE [A2Pro Sysop]     at 19:19 EDT
 
Just to point something out.  Back a few months ago, when that person whose
name I have forgotten first uploaded that file about viruses that started this
whole thing, he also uploaded a file showing what your screen looks like after
the virus strikes.  That screen is exactly the screen put up by this virus. 
In other words, this IS the virus that person was talking about, and it did
really exist back then (despite everyone saying it was just rumor), and it has
been going around all this time.

The reason I mention this is because I kinda got a chuckle when this second
virus topic was started for "Bona fide" viruses, implying that the other topic
had no "real" stuff in it, even though Glen Bredon himself had stated flat out
that he had seen one.  This virus is real, exists, and has existed ever since
it was first reported those months ago.  This is not a rumor.

Be cautious...

GTR
----------
Category 12,  Topic 18
Message 17        Thu Jul 21, 1988
P.J.PAUL                     at 21:33 EDT
 
   I regret that I caused such havoc when I began speaking of the virus.  My
intentions then (as well as now) were to inform, rather than alarm.  I
personally lost all the data on my 20 meg. SIDER, my /ROM disk and a 3.5"
floppy.  It was indeed CYBERAIDS that caused the problem, and I have a copy of
the program (it was EPBH1.5EX) that carried the virus. I have just uploaded a
program (VACCINE II) that will detect the presence of that (and hopefully all
other strains).  "An ounce of prevention........................."
                               << Peter J. Paul >>
----------
Category 12,  Topic 18
Message 18        Thu Jul 21, 1988
W.MOULAS [Bill]              at 20:53 CDT
 
Wow, there are so many Virus.RX programs in the library; Peter just uploaded
one, Guy has one in the library. Does anyone know which virus detecting
program works the best?  I was just nominated the Asst. Sysop in the Aviation
RT and one of my duties is to screen uploads that run on my system. I'm now
trying to figure out which program will give me the most protection.   It's
better to be safe than to be sorry.  Thanks

Bill Moulas
----------
Category 12,  Topic 18
Message 19        Thu Jul 21, 1988
OPEN-APPLE [Dennis Doms]     at 21:56 EDT
 
I noticed that most of the virus detection programs seem to want to run on a
IIgs, though Glen Bredon's shareware version only requires a 65802 (so it
could be used on an Apple II if that chip was installed in place of the
6502/65C02) or 65816. One reason that I think CyberAIDS was overlooked was
that we need the hard evidence of the infected program to make sure that it is
code and not some vagary of the system (especially on the IIgs) that is the
cause. Bugs like the ProDOS 1.1.1 track 0 trashing problem need to be
distinguished from intentional problem programs.
----------

Well, that's all I have right now. Sorry this is so long, but I figure
it's generally useful and you all ought to watch your disks...

David Whitney, MIT '90                     Still learning about my Apple //GS
{out there}!harvard!think!whitney          and all of its secrets. Any and all
whitney@think.com                          technical info appreciated.
DISCLAIMER: You think they even know I'm doing this?
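The two checks described above (Tom W's $13 ID bytes at file bytes 4-6, and Dennis Doms' non-zero last byte of volume-directory block 2) carried out over a raw ProDOS disk image instead of via BLOAD, as an added example that is not code from the original thread. It assumes a 512-byte-block (.po order) image with the standard ProDOS directory layout (39-byte entries, file type $FF for SYS) and builds its own small test image in memory; the file names, block numbers and counter value in that image are constructed.

```python
import struct

BLOCK = 512
ENTRY_LEN = 0x27            # 39-byte directory entries, 13 per 512-byte block
SYS_TYPE = 0xFF             # ProDOS file type of a SYS file
MARKER = b"\x13\x13\x13"    # ID bytes reported in the thread: file bytes 4-6

def block(img, n):
    return img[n * BLOCK:(n + 1) * BLOCK]

def first_data_block(img, storage, key):
    """Block holding file offset 0 for seedling (1), sapling (2) or tree (3) files."""
    if storage == 1:                       # seedling: the key block is the data block
        return key
    idx = block(img, key)                  # index block: low bytes 0-255, high bytes 256-511
    if storage == 3:                       # tree: master index points at the first index block
        idx = block(img, idx[0] | (idx[256] << 8))
    return idx[0] | (idx[256] << 8)

def scan_volume(img):
    """Return (counter_byte, [(name, blocks_used, infected), ...]) for root SYS files."""
    counter = block(img, 2)[511]           # last byte of block 2 ($21FF when BLOADed at $2000)
    found, blk, first = [], 2, True
    while blk:
        b = block(img, blk)
        for i in range(13):
            if first and i == 0:           # entry 0 of block 2 is the volume header
                continue
            e = b[4 + i * ENTRY_LEN:4 + (i + 1) * ENTRY_LEN]
            storage, nlen = e[0] >> 4, e[0] & 0x0F
            if storage == 0 or e[16] != SYS_TYPE:   # deleted entry, or not a SYS file
                continue
            name = e[1:1 + nlen].decode("ascii")
            key, used = struct.unpack_from("<HH", e, 17)
            data = block(img, first_data_block(img, storage, key))
            found.append((name, used, data[3:6] == MARKER))
        first = False
        blk = struct.unpack_from("<H", b, 2)[0]    # pointer to the next directory block
    return counter, found

def build_sample_image():
    """Constructed 8-block image: clean seedling SYS, infected sapling SYS, counter = 5."""
    img = bytearray(BLOCK * 8)
    root = bytearray(BLOCK)
    root[4] = 0xF0 | 4                     # volume header: storage type $F, name length 4
    root[5:9] = b"TEST"
    def entry(slot, name, storage, key, used):
        off = 4 + slot * ENTRY_LEN
        root[off] = (storage << 4) | len(name)
        root[off + 1:off + 1 + len(name)] = name.encode("ascii")
        root[off + 16] = SYS_TYPE
        struct.pack_into("<HH", root, off + 17, key, used)
    entry(1, "CLEAN.SYSTEM", 1, 4, 1)      # seedling, data in block 4
    entry(2, "BAD.SYSTEM", 2, 5, 3)        # sapling, index block 5 -> data block 6
    root[511] = 5                          # CyberAIDS execution counter (invented value)
    img[2 * BLOCK:3 * BLOCK] = root
    img[4 * BLOCK:4 * BLOCK + 6] = b"\x4c\x00\x20\x00\x00\x00"  # clean: no marker
    img[5 * BLOCK] = 6                     # index entry 0, low byte -> block 6
    img[6 * BLOCK:6 * BLOCK + 6] = b"\x4c\x00\x20" + MARKER
    return bytes(img)
```

Run `scan_volume(build_sample_image())` to see the counter and per-file verdicts; a real image is scanned the same way after reading it into a bytes object.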

SEWALL@UCONNVM.BITNET (Murph Sewall) (07/28/88)

>Well, I have become a victim of a virus - but not directly. Some
>a$$hole has infected my Z-Link and began posting to various places
>(including, possibly Genie). If you know of anyone who has a copy of
>Z-Link Plus, tell them to get rid of it right away. It contains the
>CyberAIDS virus, which can cause bad (but not irrecoverable) damage.
>Every other time an infected SYS file is run, the virus checks the
>volume directories of all online disks and infects all SYS files it
>finds. Once the virus has executed 15 times, it trashes the volume
>directory of online disks. See news below:

It would appear that EVERY author of shareware .SYS files can easily
fall victim to this particular virus.  It may not have been a deliberate
attack on Z-Link.  All that has to happen is for some innocent user
of Dave's program to have an infected disk which would, naturally,
infect Z-Link as part of the way that it works.  If that bystander
decides to pass Z-Link along to others by uploading it, then everyone
who downloads the program (and passes it along) would spread the
virus too.  That's what makes viruses a SERIOUS concern folks.  There is
no reason why BLU or the EXECUTIONER can't become infected the same
way.

To Dave and other helpful shareware authors: How much trouble would it
be to encrypt somewhere in the code the length (in bytes) that an uninfected
program should be and have the deciphered number print on the opening
(intro, copyright) screen?  Such a feature would offer some protection against
the innocently infected program.  Sure a virus writer could probably
figure out how to alter the number, but it would be relatively simple
to spread messages across netland with the correct number (as in: if your
BASIC.SYSTEM file should be 21 blocks, if it's longer than that you
probably have a problem).


Murph Sewall     Sewall@UCONNVM.BITNET
Business School  sewall%uconnvm.bitnet@mitvma.mit.edu          [INTERNET]
U of Connecticut {rutgers psuvax1 ucbvax & in Europe - mcvax}
                 !UCONNVM.BITNET!SEWALL                        [UUCP]

-+- My employer isn't responsible for my mistakes AND vice-versa!
            (subject to change without notice; void where prohibited)

"It might help if we ran the MBA's out of Washington." - Adm Grace Hopper