PGOETZ@LOYVAX.BITNET (04/20/88)
For those of you who don't believe in viruses, here are two I've seen myself:

===============

The Elk Cloner V2.0

I found the Elk Cloner V2.0 #005 on a disk of mine in 1981 or 82. I'm fairly certain it could not have been written before the publication of Beneath Apple DOS, so I would date it around mid-1981, depending on when Reagan was shot. It works exclusively with DOS 3.3.

THE VIRUS

1. It is installed by booting an infected disk. I'm not sure how it initially gains control; apparently it is loaded in with some trash from T0 SA which DOS loads for no apparent reason. (BTW, since HackerDOS rearranges DOS on the disk, the Cloner would trash it. It might trash master disks, I don't know.) If you use a modified DOS which marks T2 S3-8 as free for use (as HackerDOS does), it would overwrite any file stored there. A JMP $9B00 which was installed when the disk was infected jumps to this code (I think) and loads the virus from T2 S3-S8 into $9000-95FF.

2. Next, it inserts its claws into DOS:

   A. Hooks into the Do Command code at $A180 and makes every command reset the DOS parse state to 0. I have no idea why it does this. It has no obvious effects.

   B. Hooks into the RUN, LOAD, BLOAD, and CATALOG commands to make them check the disk accessed & infect it if necessary.

   C. Creates a USR vector for the Cloner diagnostics:

      B=USR(10)  Prints a cute poem:

                   ELK CLONER: THE PROGRAM WITH A PERSONALITY
                   IT WILL GET ON ALL YOUR DISKS
                   IT WILL INFILTRATE YOUR CHIPS
                   YES IT'S CLONER!
                   IT WILL STICK TO YOU LIKE GLUE
                   IT WILL MODIFY RAM TOO
                   SEND IN THE CLONER!

      B=USR(11)  Prints ELK CLONER V2.0 #005 (version check)
      B=USR(12)  Reads the disk & prints BOOT COUNT: (#)
      B=USR(13)  Infects a disk

3. Increments the boot count.

4. Checks for any special event for this boot:

   Boot # (hex)  Effect
   A             Point reset vector to $FF69 (monitor)
   F             INVERSE
   14            Click the speaker
   19            FLASH
   1E            Switch letters at $B3A7-B3AA so filetypes T I A B will appear as I T B A
   23            Change DOS signal character from ctrl-D to ctrl-E
   28            Lockout the computer on reset (dangerous one!)
   2D            Run the current program on any keypress (locks out the machine, also dangerous. BTW, this is done by setting the hibit of $00D6.)
   32            Print above poem on reset
   37, 3C, 46    Screw with the INIT code. I think it will give you an I/O ERROR, but I haven't tried. 3C and 46 might be dangerous in that it might not init a whole disk. I don't know.
   41            'Crash' to monitor on every DOS command
   4B            Reboot
   4C            Reboot
   4D            Reboot
   4E            Reboot
   4F            Write 0 to the boot count & start all over again!

5. Sits back & infects disks.

This is how the program is structured:

   9000       Version number
   9001-9073  Setup
   9074-908F  [Check a disk for infection] code
   9090-90D9  Replacement code for LOAD, BLOAD, & CATALOG
   90DA-9178  [Infect] code
   9179       Read VTOC
   9181       Write VTOC
   91A8       Print routine
   91E4       Serial #
   91E5       Marked with a 0/1 if a disk is infected/uninfected
   91EC-9243  Diagnostics
   9244-9328  Poem
   9343-9435  Special events by boot count
   9500-9532  Code which loads Cloner on boot
   95E1-95FF  ASCII: MATT BE<ctrl-D>JOHN HINKLYJOHN HINKLE<ctrl-D> (The author's hero?)

These are within the VTOC:

   B3BE  Zeroed, I don't know why
   B3BF  Boot count
   B3C0  Zeroed, don't know why
   B3C2  Infection mark: Version number (=(9000))

There may be several versions out. The version number would be used so later versions would write over older versions, for a new improved infection.

THE TEST

Any of these methods will work:

1. Check T$11 S0 B7. If it is non-zero, the disk might be infected.
2. Check T1 S0 B$80-82. If they are 4C 00 9B, you have the Cloner.
3. Check T2 S3 - T2 S8 for the Cloner.
4. From Applesoft, immediately after boot, enter B=USR(11).

THE VACCINE

If you write a 2 to T$11 S0 B7, Cloner version 2 will not infect that disk. I have verified this.

THE CURE

Write something (like 00:1 AD 88 C0 4C 59 FF) to sector 0 so you can't boot that disk.

PRECAUTIONS

The Cloner will not work unless you boot an infected disk. It cannot infect a write-protected disk. I have infected disks I use all the time. Just mark them as infected & don't boot them.

===============

Disease DOS

This isn't a DOS at all, nor a virus, but a nasty program which is added to the front of a program. The author posted it to a bulletin board with an explanatory file. I don't know if they threw him off the BBS or promoted him. (Promotion: higher disk quota, file access, more downloads permitted, etc.)

When the program is run, it decrements a boot count & erases the current track after a number of runs. It might be used by a pirate who doesn't like the fellow he is giving a program to, or who doesn't like people in general.

You can detect it by scanning your disks for the sequence BD 8C C0 B0 F6, an unusual sequence which shouldn't be on any normal disk. It won't be divided between sectors because it is in the first few bytes of the file. Or you can read T$11 S0 B4, which is the number of boots remaining before wipeout. Any commercial (read: non-standard) disk, such as the 5 Inmate disks I sent out, might be non-zero there.

===============

I have a program which can be used to detect the Elk Cloner or Disease DOS, by checking T$11 S0 B4. That location is used as a boot count in both programs. I will post it sometime soon.

Note that a write-protect tab will deter either program: The Cloner can't spread, & neither can increment/decrement the boot count.

And, no, I won't send you either program. So don't ask.

Phil Goetz
PGOETZ@LOYVAX.bitnet
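The three on-disk checks in the post above (VTOC byte 7 as the Cloner infection mark, the JMP $9B00 at T1 S0 $80-82, and the BD 8C C0 B0 F6 sequence for Disease DOS), plus the "vaccine" of writing a 2 to VTOC byte 7, are straightforward to run against a disk image rather than a physical floppy. The scanner below is an added example written for this page; it is not Phil's program, and it was not posted to the list. It assumes a standard 35-track, 16-sector DOS-order .dsk image (143360 bytes, so track T sector S starts at byte (T*16+S)*256), and the sample images it scans are constructed in the script, not taken from real disks.

```python
"""Scan DOS 3.3 .dsk images for the Elk Cloner and Disease DOS indicators
described in the post.  Added example; not the poster's own program.

Assumptions (not from the post):
  * 35-track, 16-sector, DOS-order image: sector (T, S) is at (T*16+S)*256
  * the sample images built below are constructed for demonstration
"""
import sys

TRACK_SIZE = 16 * 256
IMAGE_SIZE = 35 * TRACK_SIZE                    # 143360 bytes

CLONER_BOOT_HOOK = bytes.fromhex("4C009B")      # JMP $9B00 at T1 S0 $80-82
DISEASE_DOS_SIG = bytes.fromhex("BD8CC0B0F6")   # byte sequence named in the post
VTOC_TRACK, VTOC_SECTOR = 0x11, 0               # VTOC lives at T$11 S0


def sector_offset(track, sec):
    return (track * 16 + sec) * 256


def sector(image, track, sec):
    off = sector_offset(track, sec)
    return image[off:off + 256]


def scan_image(image):
    """Return the raw indicators for one image (no interpretation)."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("expected a %d-byte DOS-order .dsk image" % IMAGE_SIZE)
    vtoc = sector(image, VTOC_TRACK, VTOC_SECTOR)
    t1s0 = sector(image, 1, 0)
    return {
        "cloner_infection_mark": vtoc[7],       # T$11 S0 B7: Cloner version if infected
        "boot_count": vtoc[4],                  # T$11 S0 B4: boot count in both programs
        "cloner_boot_hook": bytes(t1s0[0x80:0x83]) == CLONER_BOOT_HOOK,
        "disease_dos_offset": image.find(DISEASE_DOS_SIG),   # -1 when absent
    }


def verdicts(result):
    """Turn raw indicators into the findings a user would act on."""
    out = []
    if result["cloner_boot_hook"]:
        out.append("Elk Cloner: JMP $9B00 boot hook at T1 S0 $80-82")
    elif result["cloner_infection_mark"]:
        out.append("possible Elk Cloner: VTOC byte 7 = %d (infection mark/version)"
                   % result["cloner_infection_mark"])
    if result["disease_dos_offset"] >= 0:
        off = result["disease_dos_offset"]
        out.append("Disease DOS signature at T$%02X S$%X +%d"
                   % (off // TRACK_SIZE, (off % TRACK_SIZE) // 256, off % 256))
    if result["boot_count"]:
        # The post warns that non-standard commercial disks may use this byte too.
        out.append("note: VTOC byte 4 = %d (boot count; non-standard disks may also set it)"
                   % result["boot_count"])
    return out


def vaccinate(image):
    """Write a 2 to T$11 S0 B7 so Cloner v2 treats the disk as already infected."""
    img = bytearray(image)
    img[sector_offset(VTOC_TRACK, VTOC_SECTOR) + 7] = 2
    return bytes(img)


# --- constructed sample images (not real disks) -----------------------------

def make_clean_image():
    return bytes(IMAGE_SIZE)


def make_cloner_sample():
    img = bytearray(IMAGE_SIZE)
    base = sector_offset(1, 0)
    img[base + 0x80:base + 0x83] = CLONER_BOOT_HOOK
    vtoc = sector_offset(VTOC_TRACK, VTOC_SECTOR)
    img[vtoc + 4] = 3        # constructed boot count
    img[vtoc + 7] = 2        # constructed infection mark = version 2
    return bytes(img)


def make_disease_dos_sample():
    img = bytearray(IMAGE_SIZE)
    base = sector_offset(0x12, 0xF)      # constructed: first sector of some file
    img[base + 4:base + 9] = DISEASE_DOS_SIG
    img[sector_offset(VTOC_TRACK, VTOC_SECTOR) + 4] = 5   # constructed boots remaining
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:                         # scan a real image if given
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read()}
    else:
        samples = {"clean": make_clean_image(),
                   "cloner": make_cloner_sample(),
                   "disease_dos": make_disease_dos_sample()}
    for name, img in samples.items():
        print(name + ":", verdicts(scan_image(img)) or ["no indicators"])
```

Run it with no arguments to see the three constructed samples classified, or pass the path of a DOS-order .dsk file. The Cloner check prefers the T1 S0 boot hook over VTOC byte 7, because the post notes that byte 7 is also what the vaccine sets, so a non-zero value there alone only means "might be infected".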
schoppel@BKNLVMS.BITNET (04/25/88)
A comment about the Disease DOS. I use it when I want people to preview software that I have written, but do not want released yet (I'm only looking for opinions). The ones I use erase the entire disk though.

Disclaimer: My opinions are mine, but you are welcome to them!

Alex Lynn
schoppelr@bknlvms.bitnet