gregp@pro-carolina.cts.COM (Greg Prevost) (07/27/88)
Ok folks, in the past few days I have seen some major stuff going on. There are at least two different viruses running around. One is called CyberAIDS and the other is made by some group called Festering Hate. Here is some of the info I have picked up on it in the last few days.

50/50: Warning Apple users
Name: Practor Fime #13 @4
Date: Sat Jul 16 17:16:14 1988

CAUTION: ZLink+, ZLink.PBH, ZLink are all viruses, if you run ZLink then you now are the happy parent to a rodent virus. It seems ZLink has some sort of virus that attaches to files and stuff. My friend has it on his HD and it creates some file entry in the ROOT directory that is hidden from every utility EXCEPT APW or ORCA. Every time you boot the ProDOS with the virus it will do an ON-LINE vol check (even if you specify the exact pathname) and install the virus on system files such as Mr Fixit, Basic.system, Copy II+ etc....

-------------------------------------------------------------------------------
(92 of 100)
Titled : <*** W A R N I N G ***>
Author : Dr. Logic/Bill of [None]
Stamped: July 13, 1988 at 12:07 AM

There is a file going around (currently on the Hard Drive) called Z.LINK.PLUS. It is supposed to be a terminal program somewhat like ProTERM. It is a decent program but the main reason I posted this is when you boot it up, it GOES TO EVERY ON-LINE DRIVE AND MODIFIES >BASIC.SYSTEM<!!! At bootup, it looks like it's doing an On-Line call and checks every drive. Then it goes back to some and starts doing some modifications (especially noticeable on floppy drives). The program modified copies of BASIC.SYSTEM, FILER, BACKUP.SYSTEM and PROSEL (don't ask me how it chooses, it usually just attacks BASIC.SYSTEM). After installing itself into BASIC.SYSTEM, every time you boot a disk with that BASIC.SYSTEM on it, it will do another on-line check and continue to add itself to other copies of BASIC.SYSTEM.
One of the tell-tale signs of this is it will leave behind tracks such as the modification date of the files it altered (that's how I found out). BE CAREFUL!!! I do not know if this is a virus as my HD is still operable and I've replaced all infected files with backups. Either way, I don't like something that spreads itself around, especially doing an on-line call after every bootup. Please spread the word around. I don't know what kind of file this is but it sounds like bad news to me. I encourage those of you who are more knowledgeable about machine language to d/l the disk and examine the contents of the files. I don't trust it but you have been warned.

WARNING: This is a FOR REAL virus not a trojan, if interested I will pack the Infected Basic System and U/L it if you want to make a detoxin for it

-Jon

-------------------------------------------------------------------------------
Virus
~~~~~

The first verified virus of the ProDOS operating system is out and around. The first identified carrier of this virus was a terminal program called "ZLINK.PLUS", which was discovered about one week ago. Today, our board was struck by the same virus, which was hidden inside another file, "MR.FIXIT.3.7", and since I have found it to inhabit "SQUIRT.1.5" as well. Be careful.

The most telltale sign of this virus is the fact that when you execute a system file which is a carrier, it will scan all of your online ProDOS devices, and will then occasionally write to one of them. Check your directories carefully, look at the modification date on your system files. If it is recent, you may have an infected program. Files in subdirectories are NOT safe. I have not found it to copy itself into any file other than BASIC.SYSTEM, but I hear that other people have had it copy onto other SYS-type files.

The Byter
(This is the Byter who runs Cabal of the Lexicon in 213.)
-------------------------------------------------------------------------------
Not much of part 2 but you have to give credit where credit is due. Sounds pretty interesting. I d/l the Z.LINK system from here and it does not do a vol. check or anything like that as far as I can tell. But it also doesn't work correctly. If I call a board, then I can type to it, but whatever the remote system sends me, it doesn't show up on the screen (I know it's sending info cause my RD light blinks on and off...)...

[ Post    ] 1848
[ Board   ] Reference Desk
[ Message ] 73 of 75
[ Subject ] Virus [again]
[ From    ] THE SPECTRE (#18) [ SPECTRE ]
[ Date    ] 07/21/88 06:23:07 AM

This is yet another file I picked up somewhere...on the current virus(s)...

-------------------------------------------------------------------------------
..The Lexicon Exchange..

Regarding the virus, it detonated on me and a bunch of my friends, one of them had a fingerprint card on his printer and dumped the title page to paper. Before it ever gets to the title page it has scrolling graphics, upside down crosses, 666's, FESTERING HATE and an Electronic Arts logo. Then it goes to this:

 [WOP] -666- FESTERING HATE -666- [FOG]
 ======================================
W| The Good News: You now have a copy |F
o| of one of the greatest programs    |r
r| that has ever been created!        |i
s| The Bad News: It's quite likely    |e
h| that it's the only program you now |n
i| have in your possession.           |d
p|====================================|s
p| Hey Glen! We sincerely hope our    | 
e| royalty checks are in the mail!    |o
r| Seeing how we're making you rich   |f
s| by providing a market for virus    | 
 | detection software!                |G
o|====================================|l
f|Elect LORD DIGITAL as God committee!|e
 |====================================|n
P| )/> The Kool/Rad Alliance!     <\( | 
a| Rancid Grapefruit -- Cereal Killer |B
t|====================================|r
r| This program is made possible by a |e
i| grant from Pig's Knuckle ELITE     |d
c| Research. Orderline: 313/534-1466  |o
k======[(C) 1988 ELECTRONIC ARTS]======n

This **** in't funny. I lost 20 megs and know people that have lost as much as 80. How the **** could someone manage to hide so much graphics and text and an entire virus in so little space? This thing is ****in' vicious.

What I know about the title page:

WOP is some thing started by Dead Lord revolving around his hero Lord Digital (whose name is Patrick). Lord Digital is this dude that's semi-legendary in the phreak/hack world. He gets written up in NY Times and a bunch of newspapers and magazines and has some book getting published next year. There are like 3 megs of files about him that were written over the years by dudes like Dead Lord and all of his other groupies.

The Kool/Rad Alliance was a group Lord Digital started as a joke after he quit the oldest Apple crackers group that existed from 1979-1986 which was the original Apple Mafia. The Kool/Rad Alliance was made up of his friends and him who were supposedly mega-stud programmers and hackers and spent their time trashing people's boards when everybody was running networks and GBBS II and writing "killer software". Supposedly the Phantom Access that was finally released like 2 years ago for the Cat was infected with some DOS 3.3 virus and other weird ****.

Glen Bredon wrote some virus detector which I guess doesn't work anymore.

Rancid Grapefruit is some dude that writes for 2600 magazine, which is a phreak mag.

Cereal Killer is one of LD's friends and wrote a 200+ block file about 1.5 years ago about the entire modem world and his views on it. Summarized he seems like just the kind of person who'd think a virus is funny.

Pig's Knuckle ELITE is some inside joke that started appearing in Tap.Interviws about 4 years ago and has continued forever for some reason.
I got all this from reading Lord Digital files, of which there are like 50 which some of my friends who are his groupies collected and all of that **** in the title page is from the LD history. If somebody wants I can upload some of it, or only the really relevant stuff like Cereal Killer's file since it looks like he co-wrote the virus and he is some rich kid in NYC that likes to cause trouble for everybody.

Does anyone know how the **** to fix the hard drive after it detonates? I tried Mr. Fixit and it just gives up and since I backed up 2 days ago my backups are infected too and basically all my programs are just ****ed. **** I feel sorry for the people that were the first to get Zlink, that thing must have infected everything on people's hard drives when it got packed up, because I haven't gotten ANY of those wares people mentioned, so it has to be in ****ing EVERYTHING by now, the latest thing I got was Alien Mind and Mtalk. In fact those were the ONLY two things I got in the last 2 weeks. Where the **** did Zlink come from anyway? Could these guys have written the entire zlink program just to hide their virus? Why the **** would somebody that programs that well waste so much time just to hurt people he doesn't even know. Jesus that's scary........

-------------------------------------------------------------------------------
Yeah, that is pretty scary. Some people must be REALLY bored to do something like that...

The Spectre
ps: "You never notice until it happens to you."

Here is some info compiled from GEnie.

----------
Category 12, Topic 18
Message 12 Tue Jul 19, 1988
UNCLE-DOS [ Tom W ] at 22:59 EDT

Sorry to have to reopen this topic gang, but we found one.
-------
OK, we've got one. We've received and disassembled a copy of a SYS file infected with a virus that attacks ProDOS 8 system files. The virus calls itself CyberAIDS. It's a little buggy and far from "commercial quality," but is dangerous nonetheless. We have no idea how widely distributed it is.
It was sent to us by a user. We don't think any of the SYS files in our library are infected, although we haven't gone back and checked them all.

When a SYS file containing the CyberAIDS virus is executed, the disk drive will turn off and then back on again. While the drive spins the second time, CyberAIDS tries to replicate itself inside all of the online SYS files that are in root directories. It doesn't look in subdirectories, it doesn't (can't really) mess with write-protected disks, it doesn't attack locked SYS files, and it doesn't attack the PRODOS file.

CyberAIDS also updates a counter stored in the last byte of the first block of the disk directory. When this counter reaches 16, CyberAIDS writes $FFs through the root directory of all online volumes and puts a message describing what's happening on the screen.

If this happens to you, don't panic. The program Bag of Tricks 2, by Quality Software, can recover your directory ($40, 21610 Lassen, #7, Chatsworth, CA 91311 818-709-1721). MR.FIXIT, which is one of the items in Glen Bredon's ProSEL package, also can recover all the subdirectories (and what's in them) from directories damaged by CyberAIDS. Unfortunately, MR.FIXIT cannot recover files other than subdirectories.

The following is a simple program that can identify SYS files that have been infected by CyberAIDS:

10 HOME : PRINT "CyberAIDS Detection Program"
20 PRINT
30 PRINT "Enter the name of the next SYS file to be checked."
40 INPUT F$ : IF LEN(F$)=0 THEN END
50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS": REM LOAD ONLY BYTES 4-6 OF THE FILE TO $2000
60 DETECT=1
70 FOR ADR=8192 TO 8194
80 IF PEEK(ADR) <> 19 THEN DETECT=0: REM INFECTED FILES HAVE $13 IN ALL THREE BYTES
90 NEXT
100 IF DETECT THEN PRINT "This SYS file appears infected."
110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
120 GOTO 20

If you find any SYS files that are infected, simply delete them and replace them with uninfected backups.
You might also like to change the last byte of the first block of the root directory (block 2), which is normally unused, back to zero.

----------
Category 12, Topic 18
Message 15 Wed Jul 20, 1988
OPEN-APPLE [Dennis Doms] at 09:45 EDT

I've also discovered you can BLOAD a volume directory (I didn't know that! <grin>), so if you do a 'BLOAD /VOLUME,A$2000,TDIR' (substitute your disk name for "/VOLUME") and if 'PRINT PEEK(8703)' does not give you '0', that _may_ also mean the volume has been trifled with. ("8703" = $21FF, which is the last byte of the first block of the volume.) You can correct the value (on disk) with a block editor.

----------
Category 12, Topic 18
Message 16 Thu Jul 21, 1988
GUY.T.RICE [A2Pro Sysop] at 19:19 EDT

Just to point something out. Back a few months ago, when that person whose name I have forgotten first uploaded that file about viruses that started this whole thing, he also uploaded a file showing what your screen looks like after the virus strikes. That screen is exactly the screen put up by this virus. In other words, this IS the virus that person was talking about, and it did really exist back then (despite everyone saying it was just rumor), and it has been going around all this time.

The reason I mention this is because I kinda got a chuckle when this second virus topic was started for "Bona fide" viruses, implying that the other topic had no "real" stuff in it, even though Glen Bredon himself had stated flat out that he had seen one. This virus is real, exists, and has existed ever since it was first reported those months ago. This is not a rumor. Be cautious...

GTR

----------
Category 12, Topic 18
Message 25 Fri Jul 22, 1988
UNCLE-DOS [ Tom W ] at 14:17 EDT

A couple of important points:

A.) CyberAIDS is not tied to any one particular program. A rule such as don't use "EPBH1.5EX" isn't going to help--now that the virus is loose you must check ALL new P8 SYS files before you introduce them to your system-- forevermore.
That's certainly what we'll be doing here, right Doug and Vern?

B.) A corollary of the above is that just because JOHN.DOE uploads an infected program, it doesn't mean that JOHN.DOE is one of the bad guys. If JOHN.DOE's system is infected with CyberAIDS and he doesn't know it, every P8 SYS he owns could be infected.

C.) On making programs virus resistant: if a program checked its own End of File marker to make sure it hadn't been lengthened, and reported damage and a possible viral infection if it had, it would help a lot in the fight against viruses in general and would certainly defeat CyberAIDS.

D.) Regarding virus-related programs in our library, there are three different types. No single one of them is "best"--each is "best" at what it was designed to do:

1.) generalized virus-detection programs
    3844 BLK0SAVE.BNY (GUY.T.RICE)
    4165 RX.BNY (BREDON-shareware)
2.) CyberAIDS-specific detection programs
    4879 CYBERAIDS.ALERT.BQY (UNCLE-DOS Tom Weishaar)
3.) information files
    3715 VIRUS.BNY (P.J.PAUL)
    3767 VIRUS.SCREEN.TXT (P.J.PAUL)
    3800 VIRUS.INFORMATION (N61346)

E.) I encourage anyone who wants to write a virus-detection program to do so and upload it here, however, I reserve the right to examine the program's source code before releasing it. I'm sorry to be so sensitive about this, but it is a major concern. One of the best places to hide a virus is in a "detector" program.

----------
Category 12, Topic 18
Message 27 Fri Jul 22, 1988
P.J.PAUL at 20:39 EDT

There appears to be a "new virus in town". The new virus is known as FESTERING HATE (the other for the Apple ][ was CyberAIDS). It is not as easily fixed when you are 'struck'. Neither MR.FIXIT nor BAG OF TRICKS can recover any of the lost files. Thus far it has been linked to two files. Those are SQUIRT 1.5 and Z-LINK. Both of these files are SHAREWARE and legitimate copies are available.
It appears that the virus spreaders (not up to human standards in my opinion) modified these programs, and then uploaded them to various systems. The virus affects SYS files, and adds 8 blocks to the end of them. If you perform a CATALOG and notice that either the MODIFICATION DATE and/or the length has changed, delete the file immediately and replace it. It is also rumored to affect SYS files so that not only do they carry the virus, but may also spread it to other SYS files.

<< Peter J. Paul >>

----------
Category 12, Topic 18
Message 29 Fri Jul 22, 1988
D.LYONS2 [DAL Systems] at 23:18 CDT

Peter, a "virus" by definition spreads itself through multiple generations, doesn't it? (What do you call a program that does damage but doesn't cause other programs to keep spreading the original nasty code? There's something conceptually between a "destructive" program and a "virus": a 1-generation virus? You'd just end up with a lot of infected files, one of which would eventually decide to erase your disks, I guess.)

How do we identify Festering Hate?

--Dave Lyons

----------
Category 12, Topic 18
Message 30 Sat Jul 23, 1988
OPEN-APPLE [Dennis Doms] at 13:06 EDT

Dave - wouldn't that be something like the old "Trojan Horse" idea?

----------
Category 12, Topic 18
Message 31 Sat Jul 23, 1988
GUY.T.RICE [A2Pro Sysop] at 16:04 EDT

Dennis is right. There are 3 kinds of destructive programs, really. The simplest is the "disk bomb". This is a program that, after a certain number of runs, destroys your disk. The second is the "Trojan Horse". This is a program that claims to do something (like let you play Space Munchies) but when it's run, it installs a disk bomb. The program that the bomb is installed in does not infect other programs. The only program that spreads the bomb is the Trojan program. The last and worst of the 3 is the virus. This is a self-replicating disk bomb.
When it infects a file, the infected file becomes a carrier, and it can infect other files, and those files in turn can infect other files, etc. Now, can everyone tell the disk bomb from the trojans from the viruses? Quiz tomorrow... <grin>

GTR

----------
Category 12, Topic 18
Message 32 Sat Jul 23, 1988
UNCLE-DOS [ Tom W ] at 18:25 EDT

We have an independent sighting of Festering Hate. It appears to be a modified version of CyberAIDS. However, we don't actually have a copy of it for complete analysis. Apparently the fourth through sixth bytes of FH will always add up to $39 (or $39 + 256 or $39 + 256 + 256). These bytes in CyberAIDS also add up to $39, but are always $13, $13, $13. If anyone sees a copy of this one please forward it, carefully marked as to contents, by XMODEM EMAIL, to OPEN-APPLE. Thanks.

Tom W.

----------
Category 12, Topic 18
Message 34 Sun Jul 24, 1988
P.J.PAUL at 14:29 EDT

I used the word 'virus' in a generic form, as 'time bomb', 'Trojan horse', et al. might better fit a particular strain, but I feel that there is already enough paranoia and general confusion about the subject without worrying about semantics. At this point the only way I know to identify 'FESTERING HATE' is via the screen display when it is 'too late'. I hope we can all learn an earlier identifying factor.

<< Peter J. Paul >>

----------
Category 12, Topic 18
Message 35 Sun Jul 24, 1988
L.WALTON [Lorne] at 13:14 PDT

All this talk about P8 SYS files containing viruses: I assume that the reason we're not talking about any other filetype is just that viruses haven't been found there yet. Am I right? Is there any reason that a virus can't be incorporated into _any_ executable file?

A week or so ago I dl'ed a ProDOS 16 program, FOURINAROW from the A2 library. As it is booting, this program displays the message:

    Formatting system disk.......Gotcha!

where most programs would display "Please wait a moment..."
No disk drives are accessed during this process, and the program disk seems OK. I examined a disassembly of the code (using Dave Lyons' NiftyList) and it appears to do nothing out of the ordinary, at least not in the immediate vicinity of the startup sequences. Is this just a sick joke? Or is it possible something is lurking there, waiting to pounce?

---==>> Lorne <<==---

system files to make sure you are clean. And remember, there do appear to be two separate viruses....
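As an added example (my own code, not from anyone in this thread), here is a Python scanner for a ProDOS-order disk image that applies the checks the messages above describe: the $13,$13,$13 test from Tom W's BASIC program, the $39-sum rule he gives for Festering Hate, the modification date and EOF of each root SYS file, and the normally unused last byte of block 2 that Dennis Doms PEEKs at 8703. The disk image, its volume name and its file names are all constructed inline for the demonstration.

```python
BLOCK, ENTRY_LEN, SYS = 512, 0x27, 0xFF        # block size, directory entry size, SYS type

def read_block(img, n):
    return img[n * BLOCK:(n + 1) * BLOCK]

def first_data_block(img, storage_type, key):
    if storage_type == 1:                        # seedling: the key block is the data
        return read_block(img, key)
    if storage_type == 2:                        # sapling: the key block is an index block
        idx = read_block(img, key)               # (low bytes at 0..255, high bytes at 256..511)
        return read_block(img, idx[0] | (idx[256] << 8))
    raise ValueError("tree files and directories are not handled here")

def prodos_date(raw):                            # packed: 7-bit year from 1900, month, day
    d = raw[0] | (raw[1] << 8)
    return 1900 + (d >> 9), (d >> 5) & 0xF, d & 0x1F

def classify(head):
    sig = head[3:6]                              # bytes 4-6 of the file, as in the thread
    if sig == b"\x13\x13\x13":                   # the value the BASIC checker PEEKs for
        return "CyberAIDS"
    if sum(sig) % 256 == 0x39:                   # Tom W's looser rule for Festering Hate
        return "Festering Hate?"
    return "clean"

def scan_root(img):
    # Walk the volume directory chain from block 2 (entry 0 of block 2 is the volume
    # header) and check each root SYS file; returns (name, eof, mod date, verdict).
    out, block_no, skip_header = [], 2, True
    while block_no:
        blk = read_block(img, block_no)
        for i in range(13):                      # 13 entries per directory block
            e = blk[4 + i * ENTRY_LEN:4 + (i + 1) * ENTRY_LEN]
            st, nlen = e[0] >> 4, e[0] & 0xF
            if (skip_header and i == 0) or st == 0 or e[0x10] != SYS:
                continue
            head = first_data_block(img, st, e[0x11] | (e[0x12] << 8))
            eof = e[0x15] | (e[0x16] << 8) | (e[0x17] << 16)
            out.append((e[1:1 + nlen].decode(), eof, prodos_date(e[0x21:0x23]), classify(head)))
        skip_header, block_no = False, blk[2] | (blk[3] << 8)
    return out

def root_counter(img):
    # Last byte of block 2 ($21FF after BLOADing at $2000): normally 0, CyberAIDS' run counter.
    return read_block(img, 2)[0x1FF]

def _entry(name, st, key, eof, ymd):             # one 39-byte directory entry (constructed)
    e = bytearray(ENTRY_LEN)
    e[0], e[1:1 + len(name)], e[0x10] = (st << 4) | len(name), name.encode(), SYS
    e[0x11:0x13], e[0x15:0x18] = key.to_bytes(2, "little"), eof.to_bytes(3, "little")
    e[0x21:0x23] = (((ymd[0] - 1900) << 9) | (ymd[1] << 5) | ymd[2]).to_bytes(2, "little")
    return bytes(e)

def sample_image():
    # Constructed 140K image, not a real disk: header "TEST", three root SYS files, counter 9.
    img, vol = bytearray(280 * BLOCK), bytearray(BLOCK)
    vol[4], vol[5:9], vol[0x23], vol[0x24], vol[0x1FF] = 0xF4, b"TEST", ENTRY_LEN, 13, 9
    vol[0x2B:0x52] = _entry("BASIC.SYSTEM", 2, 11, 21 * BLOCK, (1988, 7, 22))
    vol[0x52:0x79] = _entry("GOOD.SYS", 1, 10, 300, (1987, 1, 5))
    vol[0x79:0xA0] = _entry("FH.SAMPLE", 1, 13, 400, (1988, 7, 20))
    img[2 * BLOCK:3 * BLOCK] = vol
    img[11 * BLOCK] = 12                                         # sapling index -> block 12
    img[12 * BLOCK:12 * BLOCK + 6] = b"\x4C\x00\x20\x13\x13\x13"  # CyberAIDS signature
    img[10 * BLOCK:10 * BLOCK + 6] = b"\x4C\x00\x20\xEE\x00\x00"  # clean
    img[13 * BLOCK:13 * BLOCK + 6] = b"\x4C\x00\x20\x20\x19\x00"  # bytes 4-6 sum to $39
    return bytes(img)
```

A recent modification date or an EOF that has grown by 8 blocks (4096 bytes) since the file was obtained is the CATALOG tell P.J. Paul describes, so compare the returned tuples against a known-good listing rather than trusting the signature alone.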