skrenta@blekko.UUCP (Rich Skrenta) (04/11/90)
In article <1990Apr2.054914.11842@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes:
> So are you ELK CLONER???? That is the virus I thought was the first
> microcomputer virus, and '81 or '82 is the right time frame. As I recall,
> it would put up a message:

No, he's not the Elk. Here's the message:

    "Elk Cloner: The program with a personality

    It will get on all your disks
    It will infiltrate your chips
    Yes it's Cloner!

    It will stick to you like glue
    It will modify ram too
    Send in the Cloner!"

This message would appear when you hit reset after your 50th boot of an infected disk. Cloner counted boots; it played other subtle tricks about every five boots. It never tried to harm data, but it could cause problems if it tried to infect a non DOS 3.3 disk. I heard it trashed Diversi-Dos disks if it tried to infect them.

Cloner was also mentioned in Computer Recreations (Scientific American, March, 1985 I think), and also made it into Time (November 4, 1985). The most complete description of its creation appeared in The Daily Northwestern, a college paper. Ask me for a copy if you're interested.

Joe Dellinger's viruses sound similar to Cloner. Cloner occupied an unused hole in Dos (somewhere on track 2 around sector 8). It also stamped a version ID in the VTOC; manually putting Cloner's ID there yourself provided a way of immunizing your disk.

In article <449@helens.Stanford.EDU> joe@hanauma (Joe Dellinger) writes:
> The Virus wasn't particularly infectious; it only spread on
> "CATALOG" commands.

Cloner also spread through the "CATALOG" command. I found it quite infectious, though. Quarantined copies were a must; even so, it would break out from time to time and I'd have to start up The Inspector (a disk sector-editor) to get rid of it.

jd> check the version, the simplest way is to do a "CATALOG" of the disk you're
jd> checking, and then look at B3BF.
jd>
jd> (If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find
jd> the bytes I've mentioned, then I don't know any more about it than you do,

The similarity is incredible. I guess those unused spaces in the VTOC were popular. Cloner used B3BF for the boot count; its version number was stamped at B3C2.

If I can read this old code right, however, there's an easier way to check for Cloner. Pop into the ROM monitor (CALL -151) and ... Hurm, I forget... there was something called the "user" command (was it '&' ?) and it must have taken an argument. $0B shows the Cloner version number, $0C shows the current boot count, $0D forces a clone, and $0A dumps the poem.

mr> Lots of them-- I'll check mine, and spread the message to the person I got
mr> Elk Cloner from (I have a copy of that, quarantined)

Amazing. Really amazing. I don't even have my Apple II anymore, I gave it away. I wrote a lot of stuff for the Apple II--obscure adventure games, a small compiler, a toy multi-user operating system. The stupidest hack I ever coded generated the most interest, and lives on to this day.

--
skrenta@blekko.commodore.com

news@helens.Stanford.EDU (news) (04/12/90)
In article <117@blekko.UUCP> skrenta@blekko.UUCP (Rich Skrenta) writes:
>jd> check the version, the simplest way is to do a "CATALOG" of the disk you're
>jd> checking, and then look at B3BF.
>jd>
>jd> (If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find
>jd> the bytes I've mentioned, then I don't know any more about it than you do,
>
>The similarity is incredible. I guess those unused spaces in the VTOC were
>popular. Cloner used B3BF for the boot count; its version number was
>stamped at B3C2.

There were only a few natural places to stick viruses on the Apple: holes in DOS, holes in the VTOC. I imagine almost any Apple ][ virus would probably occupy those same places. That's why I specifically warned that people might find OTHER strange things in those places.

I avoided using Track 2 for my viruses, since a common practice was to modify the disk directory info to allocate that unused DOS track for data. This of course meant I was VERY crimped for space. Did Elk Cloner make DOS any bigger? If so, it would have trashed programs like "Congo" just as my "Virus 2" did. The trick with Virus 3 that allowed it to be completely transparent was to use memory without allocating it. If it got trashed, so what; a small routine buried safely inside DOS would notice and safely disconnect the virus from DOS.

I posted my message to comp.sys.apple2, alt.folklore.computers, comp.virus, and alt.hackers. I was expecting to get massively flamed on comp.sys.apple2, but I was hoping that I'd also get some interesting information too. Guess what? A few random pieces of mail "thanks for an interesting story". _That's all_! The only interesting responses I've gotten back have been from _alt.hackers_! There are apparently lots of people on comp.sys.apple2 who still use DOS 3.3 disks; I see them posting. But they don't feel like searching for a virus that has never called attention to itself!

I've only heard back from 2 people who read the comp.sys.apple2 posting and checked their disks (neither found anything). It also doesn't help that Texas A+M, the probable locus of Virus 3 infection, is a networking desert.

How disappointing. Since my virus almost certainly did escape into the wide world, I suspect it should have spread about as much as Elk Cloner appears to have. But virus 3 really was invisible, and it's hard to get people excited at this late date about a virus that never called attention to itself. Oh, well. It would have been very interesting to find out a generation count or two....

If there are any other old Apple ][ virus-writers out there, I encourage you to come forward and tell your stories. We can even all write a joint paper; I think that would be a VERY interesting article.

\    /\    /\    /\/\/\/\/\/\/\.-.-.-.-.......___________
 \  /  \  /  \  /Dept of Geophysics, Stanford University \/\/\.-.-....___
  \/    \/    \/Joe Dellinger joe@hanauma.stanford.edu apple!hanauma!joe\/\.-._
************** Drive Friendly, Y'all! ******************************************
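
Added example, not part of either post: the check both posters describe (do a CATALOG, then look at B3BF and B3C2) carried over to a disk image file. It assumes a 143,360-byte DOS 3.3 `.dsk` image with the VTOC at track $11 sector 0 and the VTOC buffer at $B3BB in memory; the function names and the sample byte values are made up for illustration.

```python
# Added example: inspect a DOS 3.3 .dsk image for the VTOC bytes named in the thread.
TRACKS, SECTORS, SECTOR_SIZE = 35, 16, 256
IMAGE_SIZE = TRACKS * SECTORS * SECTOR_SIZE   # 143,360-byte image (assumption)
VTOC_START = 0x11 * SECTORS * SECTOR_SIZE     # VTOC: track $11, sector 0
VTOC_BUFFER = 0xB3BB  # assumption: where 48K DOS 3.3 keeps the VTOC in memory

# Addresses taken from the posts; the labels follow Skrenta's description.
WATCHED = {0xB3BF: "boot count", 0xB3C2: "version stamp"}


def vtoc_offset(addr):
    """Translate a memory address inside the VTOC buffer to a sector offset."""
    off = addr - VTOC_BUFFER
    if not 0 <= off < SECTOR_SIZE:
        raise ValueError(f"${addr:04X} is outside the VTOC buffer")
    return off


def check_image(image):
    """Return (looks_like_dos33, {address: byte}) for non-zero watched bytes."""
    if len(image) != IMAGE_SIZE:
        raise ValueError("not a 140K 5.25-inch disk image")
    vtoc = image[VTOC_START:VTOC_START + SECTOR_SIZE]
    # Geometry fields of a DOS 3.3 VTOC: tracks at $34, sectors per track at $35.
    dos33 = vtoc[0x34] == TRACKS and vtoc[0x35] == SECTORS
    hits = {}
    if dos33:  # on any other disk format these bytes mean something else
        for addr in WATCHED:
            value = vtoc[vtoc_offset(addr)]
            if value:
                hits[addr] = value
    return dos33, hits


def make_image(marks=None):
    """Constructed sample: blank image with a minimal VTOC, optional marks."""
    image = bytearray(IMAGE_SIZE)
    vtoc = {0x01: 0x11, 0x02: 0x0F, 0x03: 3, 0x34: TRACKS, 0x35: SECTORS}
    vtoc.update(marks or {})
    for off, value in vtoc.items():
        image[VTOC_START + off] = value
    return bytes(image)


if __name__ == "__main__":
    # 0x07 and 0x02 are made-up values, not Cloner's real count or ID.
    sample = make_image({vtoc_offset(0xB3BF): 0x07, vtoc_offset(0xB3C2): 0x02})
    for name, img in (("clean", make_image()), ("marked", sample)):
        dos33, hits = check_image(img)
        found = ", ".join(f"${a:04X} ({WATCHED[a]}) = ${v:02X}" for a, v in hits.items())
        print(f"{name}: DOS 3.3 VTOC={dos33}; {found or 'watched bytes are zero'}")
```

A non-zero byte only shows that something wrote into otherwise unused VTOC space; as the second post warns, other programs may have used the same locations.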