[comp.sys.apple] Actual Virus Found

delton@pro-carolina.cts.COM (Don Elton) (07/24/88)

A user on pro-carolina, tommyr, uploaded a file called NUKE.BLAST.BNY.  This
BNY contains two files, one called BLAST, a short Applesoft program that tells
about nuclear blast damage etc and another called BLAST.START which is a 29
block version of BASIC.SYSTEM (normal BASIC.SYSTEM is 21 blocks) that has
"BLAST" in the startup position (where "STARTUP" would normally be stored).  A
second user on my system, dpease (Douglass Pease) tells me that this altered
version of BASIC is a virus that patches into BASIC already on any online
device and will cause a disk format or something like that after X number of
runs of the program.  

I disassembled the BLAST.START version of BASIC.SYSTEM and
believe it or not there is indeed a virus in this program (the first I've
actually seen and disassembled).  There's even a graphics screen produced with
a colorful border, the words "Festering Hate" with what look to be flames
around the text.  There's a box below the text with a syringe injecting a
floppy disk along with a few symbols of the devil with "666" written over the
little devil heads surrounding a logo I can't read and the words "Electronic
Arts".  Interesting.  The code is hidden inside the pseudo basic.system via
some funny relocation involving stack manipulation but it's there.  My efforts
were helped by the fact that the virus seems to crash when run on the IIgs...
must depend on an opcode that was previously undefined.  Of course I did all
my testing on a ram disk with everything else turned off.

You should probably be careful with SYS files you download that accompany a
BAS file as this particular viral technique can easily be generalized since
all that has to be done to package another virus is to include the dummy
BASIC.SYSTEM with the program in question and patch in the name of the main
program into the startup area and then rename the BASIC.SYSTEM file to
something else so it isn't obvious that BASIC.SYSTEM is being included.

UUCP: [ ihnp4 sdcsvax nosc ] !crash!pro-carolina!delton
ARPA: crash!pro-carolina!delton@nosc.mil
INET: delton@pro-carolina.cts.com

Pro-Carolina: 803-776-3936 (300-2400 baud, login as 'register')

US Mail: 3207 Berkeley Forest Drive, Columbia, SC  29209-4111
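A defender-side check built from the two observable signs the post gives (a BASIC.SYSTEM whose CATALOG size is not 21 blocks, and a startup slot that no longer names STARTUP); this is added example code, not part of the original post. It assumes ProDOS 512-byte blocks with one index block for files between 513 bytes and 128K, and since the post does not give the offset of the startup slot it searches the image for the name as plain or high-bit ASCII rather than reading a fixed offset.

```python
# Heuristic check for a tampered BASIC.SYSTEM, based on the two signs in the post:
# an unusual block count and a startup slot that no longer names STARTUP.
import sys

PRODOS_BLOCK = 512            # ProDOS stores files in 512-byte blocks
EXPECTED_BLOCKS = 21          # CATALOG size of a normal BASIC.SYSTEM, per the post
DEFAULT_STARTUP = b"STARTUP"  # name BASIC.SYSTEM runs automatically on boot


def catalog_blocks(size: int) -> int:
    """Blocks a ProDOS CATALOG would show for a file of `size` bytes.
    Assumes a seedling (<=512 bytes) or sapling (<=128K) file: a sapling
    carries one extra index block. BASIC.SYSTEM is far below 128K."""
    data_blocks = (size + PRODOS_BLOCK - 1) // PRODOS_BLOCK
    return data_blocks if data_blocks <= 1 else data_blocks + 1


def has_default_startup(image: bytes) -> bool:
    """True if STARTUP appears as plain or high-bit ASCII anywhere in the image.
    Assumption: the slot is located by search, not read at a fixed offset."""
    high_ascii = bytes(b | 0x80 for b in DEFAULT_STARTUP)
    return DEFAULT_STARTUP in image or high_ascii in image


def assess(image: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    blocks = catalog_blocks(len(image))
    if blocks != EXPECTED_BLOCKS:
        findings.append(f"{blocks} blocks, expected {EXPECTED_BLOCKS}")
    if not has_default_startup(image):
        findings.append("STARTUP not present; startup name may be patched")
    return findings


def assess_file(path: str) -> list:
    with open(path, "rb") as f:
        return assess(f.read())


# Constructed samples (not real binaries): a 20-data-block image that carries
# STARTUP, and a 28-data-block image that names BLAST in its place.
CLEAN_IMAGE = DEFAULT_STARTUP.ljust(20 * PRODOS_BLOCK, b"\x00")
SUSPECT_IMAGE = b"BLAST".ljust(28 * PRODOS_BLOCK, b"\x00")

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, assess_file(path) or "ok")
```

The check is a heuristic, not a signature: a legitimate build that happens to contain the string STARTUP elsewhere, or a patched copy that keeps the string around, would not be caught by the name test alone.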