
CyberAIDS warning--a real virus (Weishaar)


David A. Lyons

Jul 24, 1988, 2:12:40 PM

59 (of 59) DAVE LYONS Jul. 20, 1988 at 1:47 CT (2745 characters)

The following note is from Tom Weishaar, the Open-Apple guy himself.

Summary recommendation: LOCK ALL THE SYS FILES IN THE MAIN
DIRECTORY OF ALL YOUR DISKS to protect yourself against an
honest-to-goodness Apple II ProDOS virus called CyberAIDS.

-------
UNCLE-DOS [ Tom W ] at 22:59 EDT

Sorry to have to reopen this topic gang, but we found one.

OK, we've got one. We've received and disassembled a copy of a SYS
file infected with a virus that attacks ProDOS 8 system files. The
virus calls itself CyberAIDS. It's a little buggy and far from
"commercial quality," but is dangerous nonetheless. We have no idea
how widely distributed it is. It was sent to us by a user. We don't
think any of the SYS files in our library are infected, although we
haven't gone back and checked them all.

When a SYS file containing the CyberAIDS virus is executed, the
disk drive will turn off and then back on again. While the drive
spins the second time, CyberAids tries to replicate itself inside all
of the online SYS files that are in root directories. It doesn't look
in subdirectories, it doesn't (can't really) mess with
write-protected disks, it doesn't attack locked SYS files, and it
doesn't attack the PRODOS file. CyberAIDS also updates a counter
stored in the last byte of the first block of the disk directory.
When this counter reaches 16, CyberAIDS writes $FFs through the root
directory of all online volumes and puts a message describing what's
happening on the screen.

If this happens to you, don't panic. The program Bag of Tricks 2,
by Quality Software, can recover your directory ($40, 21610 Lassen,
#7, Chatsworth, CA 91311 818-709-1721). MR.FIXIT, which is one of the
items in Glen Bredon's ProSEL package, also can recover all the
subdirectories (and what's in them) from directories damaged by
CyberAIDS. Unfortunately, MR.FIXIT cannot recover files other than
subdirectories.

The following is a simple program that can identify SYS files that
have been infected by CyberAIDS:

10 HOME : PRINT "CyberAIDS Detection Program"
20 PRINT
30 PRINT "Enter the name of the next SYS file to be checked."
40 INPUT F$ : IF LEN(F$)=0 THEN END
45 REM LOAD BYTES 3-5 OF THE SYS FILE TO $2000 (8192)
50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS"
55 REM INFECTED FILES HAVE $13 $13 $13 (19,19,19) THERE
60 DETECT=1
70 FOR ADR=8192 TO 8194
80 IF PEEK(ADR) <> 19 THEN DETECT=0
90 NEXT
100 IF DETECT THEN PRINT "This SYS file appears infected."
110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
120 GOTO 20

If you find any SYS files that are infected, simply delete them
and replace them with uninfected backups. You might also like to
change the last byte of the first block of the root directory (block
2), which is normally unused, back to zero.
----------
(end of Tom W's note)

Brett Genger

Jul 25, 1988, 9:05:35 AM

WARNING: There is ANOTHER ProDOS Virus going around. It is known as
"Festering Hate", and it is really Vicious! Just by testing
a few System files, I almost infected my Hard Drive, but luckily
I stopped it while it was scanning my Floppies. I already know
someone who was hit by this New Virus, and since they had a
Fingerprint Card at the Time, here is the message when it
Detonates: (A lot of Satanic Messages, and Stuff)

---Printer Dump Start

[WOP] -666- FESTERING HATE -666- [FOG]
======================================
W| The Good News: You now have a copy |F
o| of one of the greatest programs |r
r| that has ever been created! |i
s| The Bad News: It's quite likely |e
h| that it's the only program you now |n
i| have in your possession. |d
p|====================================|s
p| Hey Glen! We sincerely hope our |
e| royalty checks are in the mail! |o
r| Seeing how we're making you rich |f
s| by providing a market for virus |
| detection software! |G
o|====================================|l
f|Elect LORD DIGITAL as God committee!|e
|====================================|n
P| )/> The Kool/Rad Alliance! <\( |
a| Rancid Grapefruit -- Cereal Killer |B
t|====================================|r
r| This program is made possible by a |e
i| grant from Pig's Knuckle ELITE |d
c| Research. Orderline: 313/534-1466 |o
k======[(C) 1988 ELECTRONIC ARTS]======n

---Printer Dump End

When Tom Weishaar of Open-Apple and GEnie was Asked:

---Message Start

We have an independent sighting of Festering Hate. It appears to be a
modified version of CyberAIDS. However, we don't actually have a copy of it
for complete analysis. Apparently the fourth through sixth bytes of FH will
always add up to $39 (or $39 + 256 or $39 + 256 +256). These bytes in
CyberAIDS also add up to $39, but are always $13, $13, $13.
If anyone sees a copy of this one please forward it, carefully marked as to
contents, by XMODEM EMAIL, to OPEN-APPLE. Thanks.
Tom W.

---Message End

Anyway, just be careful, since not much is known at this time, try
not to run any ProDOS "SYS" files from your Hard Drive. Test it out a few
times with your Hard Drive Turned OFF, and if you don't see Disk Scanning,
then it is probably Safe, but don't get mad if it isn't, since I don't know
that much about it.

-Brett (brett@dasys1)
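
Tom W's three-byte check in the earlier note and the Festering Hate byte-sum heuristic in his message above, combined into one host-side scanner. This is an added example, not code from the thread, from Open-Apple or from any of the posters. It assumes SYS files that have been extracted from an Apple II disk to a modern filesystem, a ProDOS-order (.po) volume image in which block 2 starts at byte offset 1024, and constructed sample headers; the $13 $13 $13 signature, the $39 sum, the block-2 counter and the threshold of 16 are the thread's own values.

```python
"""Host-side checks for the two ProDOS SYS-file infections described in the thread.

Signatures are the thread's own: CyberAIDS puts $13 $13 $13 at file offsets 3-5
(the BASIC program's BLOAD ...,L3,B3), Festering Hate makes those same three
bytes sum to $39 modulo 256, and both bump a counter kept in the last byte of
the root directory's first block (ProDOS block 2).
"""
from pathlib import Path
from typing import Dict

PROBE_OFFSET = 3            # "fourth through sixth bytes" -> zero-based 3..5
PROBE_LEN = 3
CYBERAIDS_SIG = bytes([0x13, 0x13, 0x13])
FESTERING_HATE_SUM = 0x39   # bytes add to $39, $39+256 or $39+512
BLOCK_SIZE = 512
ROOT_DIR_BLOCK = 2          # ProDOS root directory starts at block 2
PAYLOAD_THRESHOLD = 16      # counter value at which the directory is wiped


def classify_sys_header(data: bytes) -> str:
    """Return 'cyberaids', 'festering-hate', 'clean' or 'short' for one SYS file."""
    if len(data) < PROBE_OFFSET + PROBE_LEN:
        return "short"
    probe = data[PROBE_OFFSET:PROBE_OFFSET + PROBE_LEN]
    # Exact match first: 3 * $13 = $39, so the CyberAIDS signature also
    # satisfies the looser Festering Hate test and would otherwise be misreported.
    if probe == CYBERAIDS_SIG:
        return "cyberaids"
    if sum(probe) % 256 == FESTERING_HATE_SUM:
        return "festering-hate"
    return "clean"


def root_dir_counter(volume_image: bytes) -> int:
    """Read the counter from the last byte of block 2 of a ProDOS-order image."""
    offset = ROOT_DIR_BLOCK * BLOCK_SIZE + BLOCK_SIZE - 1
    return volume_image[offset]


def runs_before_payload(volume_image: bytes) -> int:
    """Infected runs remaining until the counter reaches 16 (0 = payload due)."""
    return max(0, PAYLOAD_THRESHOLD - root_dir_counter(volume_image))


def scan_directory(directory: Path) -> Dict[str, str]:
    """Classify every *.sys file directly in `directory` (root only, as the virus does)."""
    results = {}
    for path in sorted(directory.iterdir()):
        if path.is_file() and path.suffix.lower() == ".sys":
            results[path.name] = classify_sys_header(path.read_bytes())
    return results


# Constructed sample headers (not real virus bytes): a JMP opcode at offset 0,
# then the three probe bytes, then padding.
SAMPLES = {
    "CLEAN.SYS": bytes([0x4C, 0x00, 0x20, 0xA9, 0x00, 0x8D]) + b"\x00" * 10,  # sums to $36
    "CYBER.SYS": bytes([0x4C, 0x00, 0x20]) + CYBERAIDS_SIG + b"\x00" * 10,
    "FH.SYS":    bytes([0x4C, 0x00, 0x20, 0x80, 0x80, 0x39]) + b"\x00" * 10,  # $139 -> $39
}


def scan_samples() -> Dict[str, str]:
    """Run the classifier over the constructed samples."""
    return {name: classify_sys_header(data) for name, data in SAMPLES.items()}


# Constructed volume image: 16 zero blocks with the block-2 counter set to 12.
SAMPLE_IMAGE = bytearray(16 * BLOCK_SIZE)
SAMPLE_IMAGE[ROOT_DIR_BLOCK * BLOCK_SIZE + BLOCK_SIZE - 1] = 12

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:12s} {verdict}")
    print("root-dir counter:", root_dir_counter(SAMPLE_IMAGE),
          "runs left:", runs_before_payload(SAMPLE_IMAGE))
```

The sum test is weak on its own: three arbitrary bytes add up to $39 modulo 256 one time in 256, which is why Tom W's program only says a file "appears" infected. Treat a hit as a candidate to diff against a known-good backup, not as a verdict. The block-2 offset is only valid for ProDOS-order images; DOS-order (.dsk) images use a different sector interleave and would need remapping first.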

David Whitney

Jul 25, 1988, 9:49:07 PM
In article <57...@dasys1.UUCP> br...@dasys1.UUCP (Brett Genger) writes:
>
>WARNING: There is ANOTHER ProDOS Virus going around. It is known as
> "Festering Hate", and it is really Vicious! Just by testing

>o|====================================|l


>f|Elect LORD DIGITAL as God committee!|e
> |====================================|n
>P| )/> The Kool/Rad Alliance! <\( |
>a| Rancid Grapefruit -- Cereal Killer |B
>t|====================================|r
>r| This program is made possible by a |e
>i| grant from Pig's Knuckle ELITE |d
>c| Research. Orderline: 313/534-1466 |o
>k======[(C) 1988 ELECTRONIC ARTS]======n

See that phone number? Why doesn't somebody forward that number along
with "Kool/Rad Alliance" and "Rancid Grapefruit" as well as "Pig's
Knuckle ELITE Research" off to the FBI? I want these assholes stopped.
Excuse my French. We shouldn't have to deal with shit like this. If it
keeps up, the entire Shareware/PD market will vanish as nobody will be
accepting anything out of fear.

On second thought, I think *I'LL* call the FBI. Then we'll see what
happens!

David Whitney, MIT '90
{out there}!harvard!think!whitney
whi...@think.com
Still learning about my Apple //GS and all of its secrets. Any and all technical info appreciated.
DISCLAIMER: You think they even know I'm doing this?

Lazlo Nibble

Jul 26, 1988, 3:18:05 AM
David Whitney, MIT '90 writes:
> [reproduces the screen from the CyberAIDS II: Festering Hate virus]

>
> See that phone number? Why doesn't somebody forward that number along
> with "Kool/Rad Alliance" and "Rancid Grapefruit" as well as "Pig's
> Knuckle ELITE Research" off to the FBI? I want these assholes stopped.
>
> On second thought, I think *I'LL* call the FBI. Then we'll see what
> happens!

I guess making it to MIT doesn't preclude an amazing level of naivete. What
happens will be *nothing*. Apparently you've never seen a rag page, David.
The phone number is the answering machine of one of the country's best-known
private investigators of hackers. I get it, HE released the thing in an effort
to "discredit" the hacking community! Yeeeeah! And of course the FBI has the
home addresses of ALL the members of the (mythical) "PK(E)R" and "K/RA",
including "Rancid Grapefruit." Give me a freaking break.

Personally I'm starting to find this whole thing extremely amusing (I guess I
can, because I know *I'm* safe). David, like the computer-naive journalists we
often see spreading garbage about computer issues in the mass media, completely
misunderstands the problem. While he's spinning in circles trying to find the
designers of the virus, it travels merrily on, probably mutating itself as it
goes (word in the underground has CyberAIDS II pegged as a retrovirus, and if
anyone can pack a retrovirus AND a rag page into eight blocks of code, Lord
Digital's fanboys can) while he gets *nowhere*. It's like the *real* AIDS,
folks . . . the virus is OUT, and the priority has to be in stopping it. All
the fingerpointing and namecalling isn't going to save anyone's files. You
*can't* catch the people responsible. Direct your energies towards something
that'll *help* people. THEN, when you've solved the problem, go on your snipe
hunt.

Looking forward to seeing Lord Digital's comments on CyberAIDS in his upcoming
book.

--
Lazlo Nibble (cscb...@charon.unm.edu)
