nparker@cie.uoregon.edu (10/28/89)
In article <0010.8910231129.AA06880@ge.sei.cmu.edu>, davidbrierley@lynx.northeastern.edu posted an article about the Apple IIGS LOAD RUNNER virus, and asked the following questions:

> [...] (1) Does any reader of VIRUS-L
> know if the French expression "non-destructeur" means
> "non-destructive" or "indestructible?" (2) Could anyone post a
> version of VIRUS.KILLER (source code follows the report) written
> in BASIC? (It could be posted here or to Info-apple@brl.mil)
> (3) Because the university does not import VIRUS ALERT I
> have not posted this report to it, for fear of replication. Could
> someone post this message to VIRUS ALERT if it has not appeared there
> already?

Way back in July, I found this beasty lurking on some of my disks, and did a fairly thorough analysis of it, which culminated in the writing of the program which appeared at the end of the original article (copies of the program are available from me at the addresses below). I think I can provide some answers and information.

I speak no French, but I think I can say after looking at the virus code that whatever "non-destructeur" really means, it OUGHT to mean "non-destructive." The damage done by this virus is minimal--it destroys only the boot blocks of a 3.5" disk (5.25" disks and hard disks seem to be immune), leaving all the files and directories intact (it can, however, render some copy-protected games unusable). My impression is that the author of the virus was thinking something like "I'm going to release this virus, which is a really bad thing to do, but it will be all right if it doesn't do any real damage." This impression seems to be reinforced by the fact that LOAD RUNNER has a finite life-span built in--at the same time it starts damaging, it also stops propagating, and being a boot block virus, it destroys copies of itself when it destroys the boot blocks.
Posting a BASIC version of VIRUS.KILLER isn't really practical--the steps that it takes to eliminate LOAD RUNNER are pretty much beyond the capabilities of poor old Applesoft BASIC. Any BASIC program would probably be just a short menu routine wrapped around a machine-language core which would be essentially the same as the current program.

It's probably a bit late for a VIRUS ALERT message. I first saw LOAD RUNNER back in July (at which point it had probably already been around for a while), and if memory serves, the article quoted in the original posting was first posted sometime around August or September. Besides, LOAD RUNNER's trigger dates are any time between Oct. 1 and Dec. 31 inclusive, so any infected users have probably already seen it run its course, and an alert now would be somewhat akin to locking the proverbial barn door after the horse has escaped.

- -------------------------

A summary of LOAD RUNNER:

Entry................: LOAD RUNNER
Alias(es)............: (none)
Virus detection when.: July, 1989
               where.: Various places in the US and Canada
Classifications......: Boot block virus
Length of virus......: 1024 bytes (all of blocks 0 and 1)
Operating system(s)..: ProDOS 8, ProDOS 16, GS/OS
Version/release......: all
Computer model(s)....: Apple IIGS
Identification.......: Boot blocks are changed.
                       System: Virus copies itself to $E1/BC00 thru $E1/BFFF.
Type of infection....: Virus resides in the boot blocks of a 3.5" disk.
                       Copies itself to $E1/BC00 when disk is booted.
                       Copies itself to disk in slot 5, drive 1 when
                       CONTROL-APPLE-RESET is pressed. Propagation routine
                       gains control by patching undocumented system vector
                       in Memory Manager. Original boot blocks are not
                       saved--virus contains code to emulate standard boot
                       process.
Infection trigger....: Infects disks in slot 5, drive 1 only. Infection of
                       disks occurs when CONTROL-APPLE-RESET is pressed.
                       Infection of host machine occurs when an infected
                       disk is booted.
Interrupts hooked....: n/a
Damage...............: Erases boot blocks of disk in slot 5, drive 1. No
                       files are damaged.
Damage trigger.......: Any date between Oct. 1 and Dec. 31 inclusive, of
                       any year. Damage occurs when an infected disk is
                       booted. If damage occurs, further infection will
                       not occur. (Note that the damage process wipes the
                       virus off of the infected disk.)

Acknowledgment:
Location.............: University of Oregon
Documented by........: Neil Parker (nparker@cie.uoregon.edu)
Date.................: 27-October-1989

Personal opinion: A rather wimpy virus. Damage is minimal and easily repaired. The virus code uses no special tricks, except for the method used to survive and gain control after RESET. All in all, it's not worth making much of a fuss about (except to the extent that ALL viruses are worth making a fuss about).

(This is my first posting to comp.virus/VIRUS-L. Did I get the report format right?)

Neil Parker
nparker@cie.uoregon.edu
parker@astro.uoregon.edu

DISCLAIMER: Opinions are mine alone.
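The report's identification field comes down to one observable: blocks 0 and 1 (1024 bytes) of an infected 3.5" disk no longer match the clean boot code. The following is an added example, not the original VIRUS.KILLER program or any code from the post, showing how a defender would check that observable today on a ProDOS-order disk image: it extracts the boot region, compares it byte-for-byte to a reference copy taken from a known-clean disk, and reads the volume name from the volume directory key block (block 2) so that a report can name the disk. The 800K/1600-block geometry and the 512-byte block size are real ProDOS facts; the reference boot bytes and the "infected" boot bytes used as sample input are constructed placeholders, not real boot code or virus code.

```python
"""Boot-block integrity check for ProDOS 3.5" disk images.

Added example; assumes a ProDOS-order (.po) image with 512-byte blocks and a
caller-supplied reference copy of blocks 0-1 taken from a known-clean disk.
"""
import hashlib

BLOCK_SIZE = 512
BOOT_BLOCKS = 2                  # LOAD RUNNER occupies all of blocks 0 and 1
BOOT_REGION_LEN = BLOCK_SIZE * BOOT_BLOCKS
IMAGE_BLOCKS_800K = 1600         # an 800K 3.5" ProDOS disk has 1600 blocks


def boot_region(image: bytes) -> bytes:
    """Return the 1024-byte boot region (blocks 0 and 1) of a disk image."""
    if len(image) < BOOT_REGION_LEN:
        raise ValueError("image too small to contain boot blocks")
    return image[:BOOT_REGION_LEN]


def volume_name(image: bytes) -> str:
    """Read the volume name from the volume directory key block (block 2).

    Byte 4 of the header entry holds storage type (high nibble, 0xF for a
    volume directory header) and name length (low nibble); the name follows.
    """
    key = image[2 * BLOCK_SIZE:3 * BLOCK_SIZE]
    if len(key) < 20:
        raise ValueError("image too small to contain block 2")
    storage_type, name_len = key[4] >> 4, key[4] & 0x0F
    if storage_type != 0x0F:
        raise ValueError("block 2 is not a ProDOS volume directory header")
    return key[5:5 + name_len].decode("ascii")


def check_image(image: bytes, reference_boot: bytes) -> dict:
    """Compare the image's boot blocks with a known-clean reference copy."""
    if len(reference_boot) != BOOT_REGION_LEN:
        raise ValueError("reference boot region must be exactly 1024 bytes")
    if len(image) % BLOCK_SIZE:
        raise ValueError("image length is not a whole number of blocks")
    boot = boot_region(image)
    diffs = [i for i, (a, b) in enumerate(zip(boot, reference_boot)) if a != b]
    return {
        "volume": volume_name(image),
        "blocks": len(image) // BLOCK_SIZE,
        "boot_sha256": hashlib.sha256(boot).hexdigest(),
        "boot_modified": bool(diffs),
        "first_diff_offset": diffs[0] if diffs else None,
        "diff_bytes": len(diffs),
    }


def make_sample_image(boot: bytes, volume: str) -> bytes:
    """Construct a minimal 800K image: the given boot bytes plus a volume
    directory header in block 2. Constructed test data, not a real disk."""
    img = bytearray(BLOCK_SIZE * IMAGE_BLOCKS_800K)
    img[:len(boot)] = boot
    key = 2 * BLOCK_SIZE
    img[key + 4] = 0xF0 | len(volume)           # storage type 0xF, name length
    img[key + 5:key + 5 + len(volume)] = volume.encode("ascii")
    return bytes(img)


# Constructed placeholders (NOT real ProDOS boot code and NOT virus code):
REFERENCE_BOOT = b"CLEAN-BOOT-PLACEHOLDER".ljust(BOOT_REGION_LEN, b"\x00")
OTHER_BOOT = bytes(range(256)) * 4              # 1024 bytes that differ from the reference

if __name__ == "__main__":
    for name, boot in (("CLEAN", REFERENCE_BOOT), ("SUSPECT", OTHER_BOOT)):
        print(check_image(make_sample_image(boot, name), REFERENCE_BOOT))
```

In practice the reference copy would be the 1024 bytes read from blocks 0 and 1 of a freshly formatted, known-clean ProDOS disk (or its SHA-256 stored once), and the check would be run over every 3.5" image in a collection; a mismatch is only a signal that the boot code has been altered, which the report lists as the identifying symptom, not proof of LOAD RUNNER specifically.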