AWCTTYPA@UIAMVS.BITNET ("David A. Lyons") (07/25/88)
59 (of 59) DAVE LYONS Jul. 20, 1988 at 1:47 CT (2745 characters)

The following note is from Tom Weishaar, the Open-Apple guy himself. Summary recommendation: LOCK ALL THE SYS FILES IN THE MAIN DIRECTORY OF ALL YOUR DISKS to protect yourself against an honest-to-goodness Apple II ProDOS virus called CyberAIDS.

-------

UNCLE-DOS [ Tom W ] at 22:59 EDT

Sorry to have to reopen this topic gang, but we found one. OK, we've got one. We've received and disassembled a copy of a SYS file infected with a virus that attacks ProDOS 8 system files. The virus calls itself CyberAIDS. It's a little buggy and far from "commercial quality," but is dangerous nonetheless. We have no idea how widely distributed it is. It was sent to us by a user. We don't think any of the SYS files in our library are infected, although we haven't gone back and checked them all.

When a SYS file containing the CyberAIDS virus is executed, the disk drive will turn off and then back on again. While the drive spins the second time, CyberAIDS tries to replicate itself inside all of the online SYS files that are in root directories. It doesn't look in subdirectories, it doesn't (can't really) mess with write-protected disks, it doesn't attack locked SYS files, and it doesn't attack the PRODOS file.

CyberAIDS also updates a counter stored in the last byte of the first block of the disk directory. When this counter reaches 16, CyberAIDS writes $FFs through the root directory of all online volumes and puts a message describing what's happening on the screen. If this happens to you, don't panic. The program Bag of Tricks 2, by Quality Software, can recover your directory ($40, 21610 Lassen, #7, Chatsworth, CA 91311, 818-709-1721). MR.FIXIT, which is one of the items in Glen Bredon's ProSEL package, also can recover all the subdirectories (and what's in them) from directories damaged by CyberAIDS. Unfortunately, MR.FIXIT cannot recover files other than subdirectories.
The following is a simple program that can identify SYS files that have been infected by CyberAIDS:

10 HOME : PRINT "CyberAIDS Detection Program"
20 PRINT
30 PRINT "Enter the name of the next SYS file to be checked."
40 INPUT F$ : IF LEN(F$)=0 THEN END
45 REM LOAD BYTES 4-6 OF THE FILE (OFFSET 3, LENGTH 3) TO $2000
50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS"
55 REM CYBERAIDS SIGNATURE: ALL THREE BYTES ARE $13 (19 DECIMAL)
60 DETECT=1
70 FOR ADR=8192 TO 8194
80 IF PEEK(ADR) <> 19 THEN DETECT=0
90 NEXT
100 IF DETECT THEN PRINT "This SYS file appears infected."
110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
120 GOTO 20

If you find any SYS files that are infected, simply delete them and replace them with uninfected backups. You might also like to change the last byte of the first block of the root directory (block 2), which is normally unused, back to zero.

---------- (end of Tom W's note)
brett@dasys1.UUCP (Brett Genger) (07/25/88)
WARNING: There is ANOTHER ProDOS virus going around. It is known as "Festering Hate", and it is really vicious! Just by testing a few system files, I almost infected my hard drive, but luckily I stopped it while it was scanning my floppies. I already know someone who was hit by this new virus, and since they had a Fingerprint card at the time, here is the message when it detonates: (a lot of Satanic messages, and stuff)

---Printer Dump Start
[WOP]     -666- FESTERING HATE -666-     [FOG]
 ======================================
W| The Good News: You now have a copy |F
o| of one of the greatest programs    |r
r| that has ever been created!        |i
s| The Bad News: It's quite likely    |e
h| that it's the only program you now |n
i| have in your possession.           |d
p|====================================|s
p| Hey Glen! We sincerely hope our    |
e| royalty checks are in the mail!    |o
r| Seeing how we're making you rich   |f
s| by providing a market for virus    |
 | detection software!                |G
o|====================================|l
f|Elect LORD DIGITAL as God committee!|e
 |====================================|n
P| )/> The Kool/Rad Alliance! <\(     |
a| Rancid Grapefruit -- Cereal Killer |B
t|====================================|r
r| This program is made possible by a |e
i| grant from Pig's Knuckle ELITE     |d
c| Research. Orderline: 313/534-1466  |o
k======[(C) 1988 ELECTRONIC ARTS]======n
---Printer Dump End

When Tom Weishaar of Open-Apple and GEnie was asked:

---Message Start
We have an independent sighting of Festering Hate. It appears to be a modified version of CyberAIDS. However, we don't actually have a copy of it for complete analysis. Apparently the fourth through sixth bytes of FH will always add up to $39 (or $39 + 256 or $39 + 256 + 256). These bytes in CyberAIDS also add up to $39, but are always $13, $13, $13. If anyone sees a copy of this one please forward it, carefully marked as to contents, by XMODEM EMAIL, to OPEN-APPLE. Thanks. Tom W.
---Message End

Anyway, just be careful. Since not much is known at this time, try not to run any ProDOS "SYS" files from your hard drive. Test it out a few times with your hard drive turned off, and if you don't see disk scanning, then it is probably safe. But don't get mad if it isn't, since I don't know that much about it.

-Brett (brett@dasys1)
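The two detection rules given in this thread (the BASIC program's check that the fourth through sixth bytes of a SYS file are $13 $13 $13, and Tom W's observation that in Festering Hate those same bytes add up to $39 modulo 256) combined into one scanner, as an added example that is not code from any of the posts here. It also reads and clears the counter CyberAIDS keeps in the last byte of the first root-directory block; that part assumes a ProDOS-order (.po) disk image in which block n starts at byte offset 512*n, which is an assumption of this example, not something the thread states. All sample inputs are constructed.

```python
"""Added example (not from any post above): scan ProDOS 8 SYS files for the
CyberAIDS / Festering Hate signatures described in the thread and read the
CyberAIDS detonation counter from a ProDOS-order (.po) disk image.
Assumption: a .po image stores block n at byte offset 512*n."""
import sys

SIG_OFFSET = 3                       # "B3" in the BASIC program: the fourth byte of the file
CYBERAIDS_SIG = bytes([0x13] * 3)    # CyberAIDS: bytes 4-6 are always $13 $13 $13
FH_SUM = 0x39                        # Festering Hate: bytes 4-6 sum to $39 (mod 256)
BLOCK_SIZE = 512
ROOT_DIR_KEY_BLOCK = 2               # first block of the root (volume) directory
COUNTER_OFFSET = (ROOT_DIR_KEY_BLOCK + 1) * BLOCK_SIZE - 1   # last byte of block 2


def classify_sys(data: bytes) -> str:
    """Return 'cyberaids', 'festering-hate?' or 'clean' for the bytes of a SYS file.

    The exact $13 $13 $13 match is tested first.  The sum-to-$39 rule is only a
    heuristic (roughly 1 in 256 arbitrary SYS files will satisfy it by chance),
    so its verdict carries a question mark and deserves a manual look.
    """
    sig = data[SIG_OFFSET:SIG_OFFSET + 3]
    if len(sig) < 3:
        return "clean"               # too short to carry the signature at all
    if sig == CYBERAIDS_SIG:
        return "cyberaids"
    if sum(sig) % 256 == FH_SUM:
        return "festering-hate?"
    return "clean"


def read_counter(image: bytes) -> int:
    """CyberAIDS's infection counter: the last byte of the first root-directory block."""
    if len(image) <= COUNTER_OFFSET:
        raise ValueError("image too small to contain block 2")
    return image[COUNTER_OFFSET]


def clear_counter(image: bytearray) -> None:
    """Reset the counter to zero, as Tom W suggests doing after cleaning a disk."""
    if len(image) <= COUNTER_OFFSET:
        raise ValueError("image too small to contain block 2")
    image[COUNTER_OFFSET] = 0


def scan_paths(paths):
    """Classify each file on disk (only the first six bytes are needed); returns {path: verdict}."""
    results = {}
    for p in paths:
        with open(p, "rb") as f:
            results[p] = classify_sys(f.read(SIG_OFFSET + 3))
    return results


def make_sample(sig: bytes) -> bytes:
    """Constructed SYS-file stand-in: a 6502 JMP $2010 prologue, then the bytes under test."""
    return b"\x4c\x10\x20" + sig + bytes(64)


SAMPLE_CLEAN = make_sample(bytes([0x20, 0x00, 0x21]))     # bytes 4-6 sum to $41
SAMPLE_CYBERAIDS = make_sample(CYBERAIDS_SIG)             # $13 $13 $13
SAMPLE_FH_LIKE = make_sample(bytes([0x10, 0x10, 0x19]))   # sums to $39, not all $13


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, verdict in scan_paths(sys.argv[1:]).items():
            print(f"{path}: {verdict}")
    else:
        for name, blob in [("clean", SAMPLE_CLEAN), ("cyberaids", SAMPLE_CYBERAIDS),
                           ("fh-like", SAMPLE_FH_LIKE)]:
            print(f"{name}: {classify_sys(blob)}")
        image = bytearray(BLOCK_SIZE * 280)   # constructed 140K .po image, all zero
        image[COUNTER_OFFSET] = 15            # one infected run short of detonation at 16
        print("counter:", read_counter(image))
        clear_counter(image)
        print("counter after clear:", read_counter(image))
```

Run it with SYS file paths as arguments to get a verdict per file, or with no arguments to see the constructed samples classified. Like the BASIC original it only examines the three bytes at offset 3, so a virus variant that moved or changed its signature would not be caught; treat a "clean" result as "not one of these two" rather than as a clean bill of health.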
whitney@think.COM (David Whitney) (07/26/88)
In article <5729@dasys1.UUCP> brett@dasys1.UUCP (Brett Genger) writes:
>
>WARNING: There is ANOTHER ProDOS Virus going around. It is known as
>"Festering Hate", and it is really Vicious! Just by testing
>o|====================================|l
>f|Elect LORD DIGITAL as God committee!|e
> |====================================|n
>P| )/> The Kool/Rad Alliance! <\(     |
>a| Rancid Grapefruit -- Cereal Killer |B
>t|====================================|r
>r| This program is made possible by a |e
>i| grant from Pig's Knuckle ELITE     |d
>c| Research. Orderline: 313/534-1466  |o
>k======[(C) 1988 ELECTRONIC ARTS]======n

See that phone number? Why doesn't somebody forward that number along with "Kool/Rad Alliance" and "Rancid Grapefruit" as well as "Pig's Knuckle ELITE Research" off to the FBI? I want these assholes stopped. Excuse my French. We shouldn't have to deal with shit like this. If it keeps up, the entire Shareware/PD market will vanish as nobody will be accepting anything out of fear.

On second thought, I think *I'LL* call the FBI. Then we'll see what happens!

David Whitney, MIT '90                  Still learning about my Apple //GS
{out there}!harvard!think!whitney       and all of its secrets. Any and all
whitney@think.com                       technical info appreciated.
DISCLAIMER: You think they even know I'm doing this?
cscbrkac@charon.unm.edu (Lazlo Nibble) (07/26/88)
David Whitney, MIT '90 writes:
> [reproduces the screen from the CyberAIDS II: Festering Hate virus]
>
> See that phone number? Why doesn't somebody forward that number along
> with "Kool/Rad Alliance" and "Rancid Grapefruit" as well as "Pig's
> Knuckle ELITE Research" off to the FBI? I want these assholes stopped.
>
> On second thought, I think *I'LL* call the FBI. Then we'll see what
> happens!

I guess making it to MIT doesn't preclude an amazing level of naivete. What happens will be *nothing*. Apparently you've never seen a rag page, David. The phone number is the answering machine of one of the country's best-known private investigators of hackers. I get it, HE released the thing in an effort to "discredit" the hacking community! Yeeeeah! And of course the FBI has the home addresses of ALL the members of the (mythical) "PK(E)R" and "K/RA", including "Rancid Grapefruit." Give me a freaking break.

Personally I'm starting to find this whole thing extremely amusing (I guess I can, because I know *I'm* safe). David, like the computer-naive journalists we often see spreading garbage about computer issues in the mass media, completely misunderstands the problem. While he's spinning in circles trying to find the designers of the virus, it travels merrily on, probably mutating itself as it goes (word in the underground has CyberAIDS II pegged as a retrovirus, and if anyone can pack a retrovirus AND a rag page into eight blocks of code, Lord Digital's fanboys can) while he gets *nowhere*.

It's like the *real* AIDS, folks . . . the virus is OUT, and the priority has to be in stopping it. All the fingerpointing and namecalling isn't going to save anyone's files. You *can't* catch the people responsible. Direct your energies towards something that'll *help* people. THEN, when you've solved the problem, go on your snipe hunt.

Looking forward to seeing Lord Digital's comments on CyberAIDS in his upcoming book.

-- Lazlo Nibble (cscbrkac@charon.unm.edu)
carlb@pro-avalon.cts.COM (Carl Boernecke) (07/28/88)
whitney@think.com (David Whitney) writes:
>See that phone number? Why doesn't somebody forward that number along
>with "Kool/Rad Alliance" and "Rancid Grapefruit" as well as "Pig's
>Knuckle ELITE Research" off to the FBI? [...]

Do you think they would honestly use their own phone number? They probably left the number of someone that they hate, hoping that someone will do what you suggested. If you do call that number, then you will probably be doing EXACTLY what they wanted in the first place.

|--------------------------( Carl Boernecke )-------------------------| Send
| UUCP: crash!pro-avalon!carlb   InterNet: carlb@pro-avalon.cts.com   | E-Mail
| ARPA: crash!pro-avalon!carlb@nosc.mil   ProLine: carlb@pro-avalon   | to -->
| ProLine [pro-avalon] - (619) 271-0131 - 300-2400 bps - 24 hours     |
|---------------------------------------------------------------------|