PGOETZ@LOYVAX.BITNET (04/20/88)
For those of you who don't believe in viruses, here are two I've seen myself:
===============
The Elk Cloner V2.0
I found the Elk Cloner V2.0 #005 on a disk of mine in 1981 or 82. I'm fairly
certain it could not have been written before the publication of Beneath Apple
DOS, so I would date it around mid-1981, depending on when Reagan was shot.
It works exclusively with DOS 3.3.
THE VIRUS
1. It is installed by booting an infected disk. I'm not sure how it initially
gains control; apparently it is loaded in with some trash from T0 SA which DOS
loads for no apparent reason. (BTW, since HackerDOS rearranges DOS on the
disk, the Cloner would trash it. It might trash master disks, I don't know.)
If you use a modified DOS which marks T2 S3-8 as free for use (as HackerDOS
does), it would overwrite any file stored there.
A JMP $9B00 which was installed when the disk was infected jumps to this code
(I think) and loads the virus from T2 S3-S8 into $9000-95FF.
2. Next, it inserts its claws into DOS:
A. Hooks into the Do Command code at $A180 and makes every command
reset the DOS parse state to 0. I have no idea why it does this. It has
no obvious effects.
B. Hooks into the RUN, LOAD, BLOAD, and CATALOG commands to make them check
the disk accessed & infect it if necessary.
C. Creates a USR vector for the Cloner diagnostics:
B=USR(10) Prints a cute poem:
ELK CLONER:
THE PROGRAM WITH A PERSONALITY
IT WILL GET ON ALL YOUR DISKS
IT WILL INFILTRATE YOUR CHIPS
YES IT'S CLONER!
IT WILL STICK TO YOU LIKE GLUE
IT WILL MODIFY RAM TOO
SEND IN THE CLONER!
B=USR(11) Prints ELK CLONER V2.0 #005 (version check)
B=USR(12) Reads the disk & prints BOOT COUNT: (#)
B=USR(13) Infects a disk
3. Increments the boot count
4. Checks for any special event for this boot:
Boot # (hex)   Effect
A              Point reset vector to $FF69 (monitor)
F              INVERSE
14             Click the speaker
19             FLASH
1E             Switch letters at $B3A7-B3AA so filetypes T I A B will appear as I T B A
23             Change DOS signal character from ctrl-D to ctrl-E
28             Lockout the computer on reset (dangerous one!)
2D             Run the current program on any keypress (locks out the machine, also
               dangerous. BTW, this is done by setting the hibit of $00D6.)
32             Print above poem on reset
37, 3C, 46     Screw with the INIT code. I think it will give you an I/O
               ERROR, but I haven't tried. 3C and 46 might be dangerous in that
               it might not init a whole disk. I don't know.
41             'Crash' to monitor on every DOS command
4B             Reboot
4C             Reboot
4D             Reboot
4E             Reboot
4F             Write 0 to the boot count & start all over again!
5. Sits back & infects disks.
This is how the program is structured:
9000        Version number
9001-9073   Setup
9074-908F   [Check a disk for infection] code
9090-90D9   Replacement code for LOAD, BLOAD, & CATALOG
90DA-9178   [Infect] code
9179        Read VTOC
9181        Write VTOC
91A8        Print routine
91E4        Serial #
91E5        Marked with a 0/1 if a disk is infected/uninfected
91EC-9243   Diagnostics
9244-9328   Poem
9343-9435   Special events by boot count
9500-9532   Code which loads Cloner on boot
95E1-95FF   ASCII: MATT BE<ctrl-D>JOHN HINKLYJOHN HINKLE<ctrl-D>
(The author's hero?)
These are within the VTOC:
B3BE   Zeroed, I don't know why
B3BF   Boot count
B3C0   Zeroed, don't know why
B3C2   Infection mark: Version number (=(9000))
There may be several versions out. The version number would be used so later
versions would write over older versions, for a new improved infection.
THE TEST
Any of these methods will work:
1. Check T$11 S0 B7. If it is non-zero, the disk might be infected.
2. Check T1 S0 B$80-82. If they are 4C 00 9B, you have the Cloner.
3. Check T2 S3 - T2 S8 for the Cloner.
4. From Applesoft, immediately after boot, enter B=USR(11).
THE VACCINE
If you write a 2 to T$11 S0 B7, Cloner version 2 will not infect that disk.
I have verified this.
THE CURE
Write something (like 00:1 AD 88 C0 4C 59 FF) to sector 0 so you can't boot
that disk.
PRECAUTIONS
The Cloner will not work unless you boot an infected disk. It cannot infect
a write-protected disk. I have infected disks I use all the time. Just mark
them as infected & don't boot them.
===============
Disease DOS
This isn't a DOS at all, nor a virus, but a nasty program which is added
to the front of a program. The author posted it to a bulletin board with an
explanatory file. I don't know if they threw him off the BBS or promoted him.
(Promotion: higher disk quota, file access, more downloads permitted, etc.)
When the program is run, it decrements a boot count & erases the current
track after a number of runs. It might be used by a pirate who doesn't like
the fellow he is giving a program to, or who doesn't like people in general.
You can detect it by scanning your disks for the sequence BD 8C C0 B0 F6,
an unusual sequence which shouldn't be on any normal disk. It won't be
divided between sectors because it is in the first few bytes of the file.
Or you can read T$11 S0 B4, which is the number of boots remaining before
wipeout. Any commercial (read: non-standard) disk, such as the 5 Inmate disks
I sent out, might be non-zero there.
===============
I have a program which can be used to detect the Elk Cloner or Disease DOS,
by checking T$11 S0 B4. That location is used as a boot count in both programs.
I will post it sometime soon.
Note that a write-protect tab will deter either program: The Cloner can't
spread, & neither can increment/decrement the boot count.
And, no, I won't send you either program. So don't ask.
Phil Goetz
PGOETZ@LOYVAX.bitnet

schoppel@BKNLVMS.BITNET (04/25/88)
A comment about the Disease DOS. I use it when I want people to preview software that I have written, but do not want released yet (I'm only looking for opinions). The ones I use erase the entire disk though.

Disclaimer: My opinions are mine, but you are welcome to them!

Alex Lynn
schoppelr@bknlvms.bitnet
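An added scanner, not code from either post, that applies the checks Phil Goetz lists under THE TEST (T$11 S0 B4/B7, T1 S0 B$80-82) and the Disease DOS byte sequence to a DOS 3.3 disk image, and writes the THE VACCINE mark. It assumes a 35-track, 16-sector ".dsk" image stored in DOS sector order (an assumption of this example, not something the thread states); the sample image is constructed.

```python
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE          # 143360 bytes
VTOC_TRACK = 0x11                                    # T$11 S0 holds the VTOC
CLONER_JMP = bytes.fromhex("4C009B")                 # JMP $9B00 at T1 S0 B$80-82
DISEASE_DOS_SIG = bytes.fromhex("BD8CC0B0F6")        # sequence named in the post

def sector_offset(track, sec):
    # Assumed DOS-order image: sectors stored linearly, 256 bytes each.
    return (track * SECTORS + sec) * SECTOR_SIZE

def scan(image):
    """Run the tests from the post against one disk image and report."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("expected a 143360-byte 35-track DOS 3.3 image")
    vtoc = sector_offset(VTOC_TRACK, 0)
    t1s0 = sector_offset(1, 0)
    hit = image.find(DISEASE_DOS_SIG)
    return {
        "boot_count": image[vtoc + 4],                # T$11 S0 B4 (both programs)
        "infection_mark": image[vtoc + 7],            # T$11 S0 B7, Cloner version
        "cloner_jmp": image[t1s0 + 0x80:t1s0 + 0x83] == CLONER_JMP,
        # (track, sector) of the Disease DOS sequence, or None if absent
        "disease_dos": None if hit < 0 else divmod(hit // SECTOR_SIZE, SECTORS),
    }

def vaccinate(image):
    """Write a 2 to T$11 S0 B7, the mark that stops Cloner V2 infecting the disk."""
    out = bytearray(image)
    out[sector_offset(VTOC_TRACK, 0) + 7] = 2
    return bytes(out)

def sample_image():
    """Constructed test image: Cloner markers plus a Disease DOS signature."""
    img = bytearray(IMAGE_SIZE)
    t1s0 = sector_offset(1, 0)
    img[t1s0 + 0x80:t1s0 + 0x83] = CLONER_JMP
    vtoc = sector_offset(VTOC_TRACK, 0)
    img[vtoc + 4] = 5                                 # five boots so far
    img[vtoc + 7] = 2                                 # infected by version 2
    file_start = sector_offset(3, 1)                  # a file body on T3 S1
    img[file_start:file_start + 5] = DISEASE_DOS_SIG
    return bytes(img)

if __name__ == "__main__":
    print(scan(sample_image()))
    print(scan(vaccinate(bytes(IMAGE_SIZE))))
```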