ART100@psuvm.psu.edu (Andy Tefft) (07/12/90)
A while back there was talk about an apple // virus that was known for scanning the online devices when you ran an infected program. Recently I've noticed disk drives being checked when normally they wouldn't be - most recently when I booted up my Kermit disk (a 3.5"). Before the "menu.system" menu came up, the internal drive of my //c was scanned (it was empty) and that has NEVER happened. I've run the virus detector programs that I have downloaded before, and they turn up negative. But there are a number of little programs out there to check for a number of viruses, and I think maybe I just didn't try the right one. Anyone know which virus I'm talking about, and how to detect it? Also, pointers to all available virus programs would be useful, as I'd like to get them all gathered together (and possibly put on a public disk here at Penn State). I can find all the ones on apple2-l and plains.nodak.edu myself, but I haven't been keeping up with all the archive sites.
dlyons@Apple.COM (David A. Lyons) (07/14/90)
In article <90192.131403ART100@psuvm.psu.edu> ART100@psuvm.psu.edu (Andy Tefft) writes:
>A while back there was talk about an apple // virus that was
>known for scanning the online devices when you ran an infected
>program. Recently I've noticed disk drives being checked when normally
>they wouldn't be - most recently when I booted up my Kermit disk
>(a 3.5"). Before the "menu.system" menu came up, the internal drive
>of my //c was scanned (it was empty) and that has NEVER happened.
>[...]

I suggest you look harder for an alternative explanation. For example, if your Prefix is set to a volume that is no longer online, a program you launch could easily be looking for a file in the current directory, or even temporarily setting the prefix to its *own* directory, and then trying to set the prefix *back* where it was (to an offline volume). This would scan all your drives.

--
David A. Lyons, Apple Computer, Inc.     | DAL Systems
Apple II Developer Technical Support    | P.O. Box 875
America Online: Dave Lyons              | Cupertino, CA 95015-0875
GEnie: D.LYONS2 or DAVE.LYONS   CompuServe: 72177,3233
Internet/BITNET: dlyons@apple.com   UUCP: ...!ames!apple!dlyons
My opinions are my own, not Apple's.
ART100@psuvm.psu.edu (Andy Tefft) (07/14/90)
In article <42933@apple.Apple.COM>, dlyons@Apple.COM (David A. Lyons) says:
>
>I suggest you look harder for an alternative explanation. For example,
>if your Prefix is set to a volume that is no longer online, a program
>you launch could easily be looking for a file in the current directory,

That's a possible explanation at times but not in the cases I'm worried about. The one I mentioned was the .system file run directly off a boot. In the other case it's not impossible that was what was going on, just highly unlikely - the prefix is almost always set "properly" before I run any sys file.
tg.exc@pro-harvest.cts.com (Terry Guelfo) (07/14/90)
In-Reply-To: message from ART100@psuvm.psu.edu

You could be dealing with any number of viruses. You say you have a //c, so, according to what I know right now, that rules out Lode Runner and Blackout. The prominent //e etc. viruses are CyberAids and Festering Hate, although I did not know that those were still going around. As far as virus detecting programs, there are numerous ones out there... it just takes a matter of looking. You might try America Online... I hear they have them on hand usually.

Speaking of viruses, I have a GS and just ran into one recently. I'm glad it wasn't Lode Runner.. but not glad since it was Blackout (GS specific viruses can get NASTY I hear..heh). I found it by running one of my disks through Photonix v1.46 with the anti-virus option OFF (yes, very strange.) Nonetheless, I copied all the files to ram, and then cataloged the 3.5" floppy and the ram disk. Sure enough, on the floppy there were more used blocks ... and they were unaccounted for as far as the file counts went. I got rid of it by just copying the files back to a fresh disk.

I was hoping to find a program that would detect the Blackout virus itself... and remove it itself without having to go through that file copy mess. Does such a program exist?

ProLine: tg.exc@pro-harvest
Internet: tg.exc@pro-harvest.cts.com
UUCP: crash!pro-harvest!tg.exc
ARPA: crash!pro-harvest!tg.exc@nosc.mil
BITNET: tg.exc%pro-harvest.cts.com@nosc.mil
rond@pro-grouch.cts.com (Ron Dippold) (07/15/90)
In-Reply-To: message from tg.exc@pro-harvest.cts.com
> I was hoping to find a program that would detect the Blackout virus
> itself... and remove it itself without having to go through that
> file copy mess. Does such a program exist?

That's strange, as far as I'm aware, Blackout lives on block 0 exclusively. When I got it I just copied a good block 0 to all my infected disks and that cleared it up nicely. If you want to detect it, compare an infected disk against a normal boot block. Or just use Photonix to look at it.

Here's a little tidbit... Take a look at any disk copied by Photonix and look at the sync gaps... You will find the FTA id hidden in there.

UUCP: crash!pro-grouch!rond
ARPA: crash!pro-grouch!rond@nosc.mil
INET: rond@pro-grouch.cts.com
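Two of the checks described in this thread (Terry's "more used blocks than the catalog accounts for" test, and Ron's "compare block 0 against a known-good boot block" test) can be run offline against a ProDOS disk image. The script below is an added example, not code from any poster or from Photonix/ZZCopy. It builds a small constructed 280-block ProDOS-style image in memory (layout per the ProDOS 8 volume format: volume directory starting at block 2, 39-byte entries, 13 per block, volume bitmap with a 1 bit meaning "free"), then audits it. The boot block contents and its SHA-256 are placeholders; on a real disk you would record the hash of block 0 from a disk you know to be clean. It assumes a flat volume (no subdirectories), which is the simple case the posts describe.

```python
"""Added example: audit a ProDOS disk image for (a) a boot block that differs
from a known-good one and (b) blocks marked used in the volume bitmap that no
catalog entry accounts for.  Image layout follows the ProDOS 8 volume format;
the sample image and the boot block bytes are constructed placeholders."""
import hashlib

BLOCK = 512
ENTRY_LEN = 0x27            # ProDOS directory entry length (39 bytes)
ENTRIES_PER_BLOCK = 0x0D    # 13 entries per directory block
BITMAP_BLOCK = 6            # where the constructed image keeps its volume bitmap

# Placeholder standing in for block 0 of a known-clean disk (NOT real boot code).
BOOT_BLOCK_PLACEHOLDER = bytes([0x01, 0x38, 0xB0]) + bytes(BLOCK - 3)
KNOWN_GOOD_SHA256 = hashlib.sha256(BOOT_BLOCK_PLACEHOLDER).hexdigest()


def get_block(img, n):
    return img[n * BLOCK:(n + 1) * BLOCK]


def boot_block_ok(img, known_good_sha256=KNOWN_GOOD_SHA256):
    """Ron's test: does block 0 still hash to the known-good boot block?"""
    return hashlib.sha256(get_block(img, 0)).hexdigest() == known_good_sha256


def read_volume_header(img):
    h = get_block(img, 2)[4:4 + ENTRY_LEN]          # header is slot 0 of block 2
    return {"name": h[1:1 + (h[0] & 0x0F)].decode("ascii"),
            "file_count": int.from_bytes(h[33:35], "little"),
            "bitmap_ptr": int.from_bytes(h[35:37], "little"),
            "total_blocks": int.from_bytes(h[37:39], "little")}


def directory_chain(img, first=2):
    """Follow the 'next block' pointer (bytes 2-3) through the volume directory."""
    chain, n = [], first
    while n:
        chain.append(n)
        n = int.from_bytes(get_block(img, n)[2:4], "little")
    return chain


def file_entries(img):
    """Active entries of the (flat) volume directory with their blocks_used."""
    entries = []
    for i, blk in enumerate(directory_chain(img)):
        data = get_block(img, blk)
        for slot in range(1 if i == 0 else 0, ENTRIES_PER_BLOCK):
            e = data[4 + slot * ENTRY_LEN:4 + (slot + 1) * ENTRY_LEN]
            if e[0] >> 4 == 0:                      # storage type 0 = unused slot
                continue
            entries.append({"name": e[1:1 + (e[0] & 0x0F)].decode("ascii"),
                            "blocks_used": int.from_bytes(e[19:21], "little")})
    return entries


def bitmap_used_blocks(img):
    """Blocks whose bitmap bit is 0 (used); block 0 is the MSB of bitmap byte 0."""
    hdr = read_volume_header(img)
    total, start = hdr["total_blocks"], hdr["bitmap_ptr"] * BLOCK
    nbytes = (total + 7) // 8
    bm = img[start:start + nbytes]
    used = {n for n in range(total) if not (bm[n // 8] >> (7 - n % 8)) & 1}
    return used, (nbytes + BLOCK - 1) // BLOCK      # also: how many bitmap blocks


def audit(img):
    """Terry's test: used blocks minus everything the catalog can explain."""
    used, bitmap_blocks = bitmap_used_blocks(img)
    accounted = (2                                   # boot blocks 0 and 1
                 + len(directory_chain(img))        # volume directory blocks
                 + bitmap_blocks
                 + sum(e["blocks_used"] for e in file_entries(img)))
    return {"used_in_bitmap": len(used), "accounted_for": accounted,
            "unaccounted": len(used) - accounted}


def build_image(total_blocks=280, hidden_blocks=()):
    """Constructed 140K-style image: dir at 2-5, bitmap at 6, two SYS files.
    hidden_blocks are marked used in the bitmap but belong to no file."""
    img = bytearray(total_blocks * BLOCK)
    img[0:BLOCK] = BOOT_BLOCK_PLACEHOLDER
    for n, prev, nxt in [(2, 0, 3), (3, 2, 4), (4, 3, 5), (5, 4, 0)]:
        img[n * BLOCK:n * BLOCK + 2] = prev.to_bytes(2, "little")
        img[n * BLOCK + 2:n * BLOCK + 4] = nxt.to_bytes(2, "little")
    files = [(b"KERMIT.SYSTEM", 0x1, 7, [7]),          # seedling: one data block
             (b"MENU.SYSTEM", 0x2, 8, [8, 9, 10])]     # sapling: index + 2 data
    hdr = bytearray(ENTRY_LEN)
    hdr[0] = 0xF0 | 6; hdr[1:7] = b"KERMIT"; hdr[31] = ENTRY_LEN; hdr[32] = ENTRIES_PER_BLOCK
    hdr[33:35] = len(files).to_bytes(2, "little")
    hdr[35:37] = BITMAP_BLOCK.to_bytes(2, "little")
    hdr[37:39] = total_blocks.to_bytes(2, "little")
    img[2 * BLOCK + 4:2 * BLOCK + 4 + ENTRY_LEN] = hdr
    used = {0, 1, 2, 3, 4, 5, BITMAP_BLOCK}
    for slot, (name, stype, key, blocks) in enumerate(files, start=1):
        e = bytearray(ENTRY_LEN)
        e[0] = (stype << 4) | len(name); e[1:1 + len(name)] = name
        e[16] = 0xFF                                     # file type SYS
        e[17:19] = key.to_bytes(2, "little")
        e[19:21] = len(blocks).to_bytes(2, "little")
        e[37:39] = (2).to_bytes(2, "little")             # header pointer
        off = 2 * BLOCK + 4 + slot * ENTRY_LEN
        img[off:off + ENTRY_LEN] = e
        used.update(blocks)
    used.update(hidden_blocks)
    bm = bytearray([0xFF] * ((total_blocks + 7) // 8))  # all free, then clear used
    for n in used:
        bm[n // 8] &= ~(1 << (7 - n % 8)) & 0xFF
    img[BITMAP_BLOCK * BLOCK:BITMAP_BLOCK * BLOCK + len(bm)] = bm
    return bytes(img)


if __name__ == "__main__":
    print("clean:", audit(build_image()), boot_block_ok(build_image()))
    print("stowaway block:", audit(build_image(hidden_blocks=(11,))))
```

The block-count audit only says that something is using space the catalog does not explain; it cannot say what. Pair it with the block 0 hash, since a boot-block resident infector (as Blackout is described in this thread) leaves the catalog alone but changes block 0. On a real image replace `KNOWN_GOOD_SHA256` with the hash taken from a clean disk of the same ProDOS version, and extend `file_entries` to recurse into storage type 0xD entries if the volume has subdirectories.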
dlyons@Apple.COM (David A. Lyons) (07/16/90)
In article <90195.000140ART100@psuvm.psu.edu> ART100@psuvm.psu.edu (Andy Tefft) writes:
>In article <42933@apple.Apple.COM>, dlyons@Apple.COM (David A. Lyons) says:
>>I suggest you look harder for an alternative explanation. For example,
>>if your Prefix is set to a volume that is no longer online, a program
>>you launch could easily be looking for a file in the current directory,
>
>That's a possible explanation at times but not in the cases I'm
>worried about. The one I mentioned was the .system file run directly
>off a boot. In the other case it's not impossible that was
>what was going on, just highly unlikely - the prefix is almost always
>set "properly" before I run any sys file.

Okay, maybe you've got a real virus--get a known-clean copy of the program in question, and the version of ProDOS 8 you're using, and compare them.

Here's one more possibility that could cause a drive scan on boot (this has happened to me): If your disk is "marginal" (that is, sometimes a block is readable, and sometimes it isn't), ProDOS 8 would be looking for your disk, be unable to read block 2, and go looking for a disk by that name in other drives. On 5.25 drives, sometimes you don't get the usual head-recalibrate sound you associate with I/O errors (I don't know why you don't always get that). If the SYS file you had just launched did some operation and P8 could not read block 2, the app might tolerate the I/O error it got back.

Just a thought.

--
David A. Lyons, Apple Computer, Inc.     | DAL Systems
Apple II Developer Technical Support    | P.O. Box 875
America Online: Dave Lyons              | Cupertino, CA 95015-0875
GEnie: D.LYONS2 or DAVE.LYONS   CompuServe: 72177,3233
Internet/BITNET: dlyons@apple.com   UUCP: ...!ames!apple!dlyons
My opinions are my own, not Apple's.
tg.exc@pro-harvest.cts.com (Terry Guelfo) (07/23/90)
In-Reply-To: message from rond@pro-grouch.cts.com
>FTA id...

Yah, I used ZZCopy 2.0 and it detects the FTA id.... (I don't know how to look at the sync gaps <grin>) Anyway, have you found out if this Id is harmful or not?

"Journey of many dollar begin with one dollar." -- Decker Moss

ProLine: tg.exc@pro-harvest
Internet: tg.exc@pro-harvest.cts.com
UUCP: crash!pro-harvest!tg.exc
ARPA: crash!pro-harvest!tg.exc@nosc.mil
BITNET: tg.exc%pro-harvest.cts.com@nosc.mil
SnailMail: PO Box 502, Lansing, IL 60438-0502
If you're a college age, Australian Apple IIGS owner, please mail me.
rond@pro-grouch.cts.com (Ron Dippold) (07/24/90)
In-Reply-To: message from tg.exc@pro-harvest.cts.com
> Yah, I used ZZCopy 2.0 and it detects the FTA id.... (I don't know
> how to look at the sync gaps <grin>) Anyway, have you found out if
> this Id is harmful or not?

You can look at the sync gaps with a nibble editor, like Copy II+. The only way I could see the FTA ID in the sync gap being harmful is if someone decides they don't like FTA and their program trashes any disk that it finds it on...

UUCP: crash!pro-grouch!rond
ARPA: crash!pro-grouch!rond@nosc.mil
INET: rond@pro-grouch.cts.com
PYC121@URIACC.URI.EDU (Andy Kress) (01/15/91)
I was wondering if someone could tell me the known viruses for the II and GS, what they do, and if there are programs to detect and repair. Also where these programs can be found if they do exist. Thanks!

Andy Kress
PYC121 at URIACC
Apple II: The power to take over the world!