[comp.binaries.apple2] Lode runner virus info and eliminator

KMILES@CC.USU.EDU ("Kurt Miles, VAX Consultant") (11/30/89)

I was hit a few days ago with the lode-runner virus.  This is some info I
received.  I hope it helps prevent any further loss to anyone.

Kurt
kmiles@usu


Fortunately, LOAD RUNNER won't attack hard drives, unless you have one installed
in slot 5.  Also, it only destroys the boot blocks of a disk, leaving all files
intact--if you have something that destroys files or directories, then it
probably isn't LOAD RUNNER.

It could have been hiding on just about any normal (non-copy-protected) ProDOS
or GS/OS disk.  It infects blocks 0 and 1 of a ProDOS or GS/OS disk,
installing itself in your computer when the infected disk is booted.  When it
"goes off," it wipes out blocks 0 and 1 of the disk that was just booted,
wiping itself off the infected disk in the process.  Once it gets inside your
computer, it lives from $E1/BC00 through $E1/BFFF, where it waits in ambush
for CONTROL-APPLE-RESET, at which point it copies itself onto the disk in slot
5, drive 1.

You can tell if a disk is infected by using a sector editor to examine block
0 of the suspect disk--if the first 5 bytes are 01 A9 50 85 43, then the disk
is infected.  If an infected disk is found it may be cured by copying blocks 0
and 1 from a good disk onto the infected disk.

You can tell if your computer's memory is infected by using the monitor (CALL
-151 from BASIC) to examine the memory starting at $E1/BC00.  If you see the
five bytes above (01 A9 50 85 43), then your computer is infected.  It may be
cured by turning the computer off, or by running the self-test with CONTROL-
APPLE-OPTION-RESET.

LOAD RUNNER's target date is anytime between Oct. 1 and Dec. 31 inclusive.  Is
your system clock set correctly?  If so, and you're only just now seeing the
virus, then you probably have something other than LOAD RUNNER--perhaps a
mutant version?


Attached is a BINSCII'd copy of VIRUS.KILLER, which will identify and destroy
LOAD RUNNER in memory and on disk.  Simply BRUN VIRUS.KILLER and follow the
prompts on screen.  When the program asks for a disk to be tested, insert the
suspect disk in slot 5, drive 1.

NOTE:  VIRUS.KILLER is designed specifically for the LOAD RUNNER virus, and
cannot find or remove any other virus.


Neil Parker   nparker@cie.uoregon.edu (preferred), or parker@astro.uoregon.edu
DISCLAIMER:  Though the above program has been tested and is believed to work,
I make no guarantee of any kind about it.

My thanks to Neil for sending me this, and for letting me post it to the net.

Kurt
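
The disk check, memory check and boot-block repair described in the post, as an added example (not part of the original post and not VIRUS.KILLER's code). It assumes raw ProDOS-order disk images with block 0 at offset 0 and a full 64 KiB dump of bank $E1; the function names and sample images are constructed for illustration.

```python
BLOCK_SIZE = 512                          # ProDOS block size in bytes
SIGNATURE = bytes.fromhex("01A9508543")   # the five bytes quoted in the post
RESIDENT_OFFSET = 0xBC00                  # $E1/BC00 inside a dump of bank $E1


def disk_is_infected(image: bytes) -> bool:
    """True if block 0 of a raw ProDOS-order image starts with the signature."""
    if len(image) < 2 * BLOCK_SIZE:
        raise ValueError("image is shorter than boot blocks 0 and 1")
    return image[:len(SIGNATURE)] == SIGNATURE


def memory_is_infected(bank_e1: bytes) -> bool:
    """True if a 64 KiB dump of bank $E1 holds the signature at $BC00."""
    if len(bank_e1) != 0x10000:
        raise ValueError("expected a full 64 KiB dump of bank $E1")
    end = RESIDENT_OFFSET + len(SIGNATURE)
    return bank_e1[RESIDENT_OFFSET:end] == SIGNATURE


def repair_boot_blocks(suspect: bytes, donor: bytes) -> bytes:
    """Return a copy of `suspect` with blocks 0 and 1 taken from `donor`."""
    if disk_is_infected(donor):
        raise ValueError("donor image carries the signature; use another disk")
    if not disk_is_infected(suspect):
        return suspect                    # no signature: leave the image untouched
    # Only the two boot blocks change; every block from 2 onward is preserved.
    return donor[:2 * BLOCK_SIZE] + suspect[2 * BLOCK_SIZE:]


def constructed_image(first_bytes: bytes, blocks: int = 280) -> bytes:
    """Constructed sample image: block 0 begins with `first_bytes`, and block 2
    carries a marker so the test can see that non-boot data survives a repair."""
    img = bytearray(blocks * BLOCK_SIZE)
    img[:len(first_bytes)] = first_bytes
    img[2 * BLOCK_SIZE:2 * BLOCK_SIZE + 4] = b"DATA"
    return bytes(img)


if __name__ == "__main__":
    # Constructed inputs: a near-miss boot block (last byte differs) and a match.
    good = constructed_image(bytes.fromhex("01A9508500"))
    bad = constructed_image(SIGNATURE)
    fixed = repair_boot_blocks(bad, good)
    print("suspect infected:", disk_is_infected(bad))
    print("after repair    :", disk_is_infected(fixed))
    print("block 2 marker  :", fixed[2 * BLOCK_SIZE:2 * BLOCK_SIZE + 4])
```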