CP/M virus

Paul Martin

Feb 5, 1993, 5:36:55 PM
In message <930205025...@aix00.csd.unsw.OZ.AU>
hen...@aix00.csd.unsw.OZ.AU writes:

> Can I have more information on that "virus" - if it is not much of trouble?
> Some time ago I made enquiry on the Net about viruses on CPM systems. I got
> only a few replies, saying that it is almost impossible (when compared to
> MS-DOS) because you have to TYPE the filename of that virus - it will not be
> "activated" by any other way.

All virus-infected programs have to be executed before they can infect
your system, whether they are for MSDOS or CP/M.

The virus was very simple. It could only infect CP/M Plus systems
(because they have the ability to turn off BDOS error messages) which
were using Z80s (because I needed the Jump Relative instruction to keep
the code as position independent as possible). It also checked for there
being sufficient memory free for its DMA sector buffer.

It copied the first eight bytes from the start of a COM file, placed
it within the virus code at the end of the COM file, and replaced these
with a jump to the virus code and an ID of 'GOON'. The virus would
infect the first COM file it found in the same drive/user area and set
something so that file wouldn't be touched again.

Every 10 usages of an infected program, it would print "I've been
sponned" and drop back to the CCP prompt.

A .COM file would grow by three sectors (3x128 bytes) after infection.

Before you ask, I'm not willing to release the full source to anyone. I
am not going to be held responsible by people for allowing other idiots
to write programs to crash their computers or wipe their disks.

Cc: comp.os.cpm
--
Paul Martin
p...@nowster.demon.co.uk
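
A defender-side check built from the three traits the post above describes (first eight bytes replaced, a 'GOON' ID, growth of three 128-byte sectors); this is an added example, not code from the thread. The baseline record, function names and sample bytes are constructed, and because the post does not say where in the eight bytes the ID sits, the check searches the whole header.

```python
from dataclasses import dataclass
from typing import List, Optional

SECTOR = 128        # CP/M record size (the post: "3x128 bytes")
GROWTH = 3          # sectors an infected .COM file grows by, per the post
HEADER_LEN = 8      # the post: first eight bytes are replaced
MARKER = b"GOON"    # ID the post says is written into the replaced header


@dataclass
class Baseline:     # hypothetical record kept from a known-clean copy
    header: bytes
    sectors: int


def sectors_of(data: bytes) -> int:
    return (len(data) + SECTOR - 1) // SECTOR


def take_baseline(data: bytes) -> Baseline:
    return Baseline(data[:HEADER_LEN], sectors_of(data))


def check(data: bytes, base: Optional[Baseline] = None) -> List[str]:
    """Return the traits from the post that this .COM image exhibits."""
    findings = []
    # The post does not give the marker's offset, so search the whole header.
    if MARKER in data[:HEADER_LEN]:
        findings.append("marker")
    if base is not None:
        if data[:HEADER_LEN] != base.header:
            findings.append("header-changed")
        if sectors_of(data) - base.sectors == GROWTH:
            findings.append("grew-3-sectors")
    return findings


# Constructed sample data: no real program or virus code, only filler bytes.
CLEAN = b"\xc3\x03\x01" + bytes(253)                        # 2 sectors
SUSPECT = b"\xc3\x00\x02GOON\x00" + CLEAN[8:] + bytes(384)  # marker + 3 sectors
UPDATED = b"\x31\x00\x01" + bytes(381)                      # benign change

if __name__ == "__main__":
    base = take_baseline(CLEAN)
    for name, img in [("CLEAN", CLEAN), ("SUSPECT", SUSPECT), ("UPDATED", UPDATED)]:
        print(name, check(img, base))
```

A header change on its own is weak evidence, since any rebuilt program changes its first bytes; the combination of all three traits is what matches the description.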

Dr Henry Brancik

Feb 18, 1993, 4:43:41 PM


I have experienced while working on MS-DOS (v. 3.3) machine a virus
called [form]. I discovered the virus when I tried to copy some data files
from hard disk to floppy disk. The error message was saying something
about the diskette not being formatted when the diskette was taken from
a new packet of 10 and all of them were factory formatted. The diskettes
were O.K. on other MS-DOS machines but not O.K. here. After re-formatting
I was able to copy files to that diskette. Similar thing happened when
I tried to copy files to a diskette which I have used a day before on this
machine. The diskette was "readable and writeable" on other machine but
not on this one. Running a virus scan discovered a virus called [form].
The virus was removed, the system files recovered from backups. No virus
after this was found. The virus was found on the re-formatted diskette --
as expected. Filling this diskette with data files by copying from the
hard drive and then creating a temporary directory and copying all the
files back there, the virus was transferred to the hard drive. The virus
scan found it there. By re-booting the computer the virus was (apparently)
activated and I was not able to copy files to diskettes without
re-formatting them first. The "infected" file was a binary data file, not .COM or
.EXE. Nobody used that file at all.

My argument is: you CANNOT have this to happen on CP/M system. You will
have to run the virus program - it will not be "activated" on system
re-boot. I have no explanation what happened on that MS-DOS system, but
it appears to me that that system is definitely not bug free and that
somebody is exploiting that fact. If the virus is just a piece of extra
code attached to the end of a file (as all those articles about viruses
claim) then how does the COPY program know what to do with that extra
code and where to put it to be activated on re-boot? If that piece of
code can be "simulated" somewhere in a data file (as just plain data)
then why is this extra code not picked up by the virus scan?

On CP/M system you have to type the name of file you want to run, there
is no other way to run a program without the user's knowledge. So any
program written by somebody to destroy your directory while displaying
funny messages on the screen can be regarded as "virus". If you do not
know what a particular program does, or if you are suspicious, you will
create a scratch diskette and try program there. No harm will be done.
No program on CP/M machine will be activated on its own without the user's
knowledge or without somebody's interference with the system. That's all.

Is there anyone on the Net to support my claim (no "virus" possible on
CP/M) or, is there somebody who experienced "virus" on CP/M?


- Henry Brancik

E-mail: hen...@aix00.csd.unsw.oz.au
hen...@cumulus.csd.unsw.edu

Peter Herweijer

Feb 19, 1993, 5:49:59 AM
As I have also written a toy CP/M virus after reading that "it
was impossible" --- well let me assure you --- it is eminently
possible.

The argument that "a CP/M virus is impossible because you have
to run a virus on CP/M explicitly and not on MSDOS" is invalid.

In short:  MSDOS                       CP/M
           mbr, boot sector            boot sector
           config.sys, autoexec.bat    profile.sub
           fat                         directory
           com, exe files              com files
           hdd, fdd                    fdd (sometimes hdd)

*all* the popular virus infection methods under MSDOS are
available for CP/M. The main differences are: [1] there is
more variation in boot sectors, so it's impossible to write a
*generic* boot sector virus; [2] the software setup (device
drivers etc) is often simpler, offering less opportunity for
viruses to load; [3] many CP/M systems lack a HDD, and viruses
must be more careful and spread slower on floppies. Also, a
virus must be smaller so as not to attract attention. This
makes writing a CP/M virus more difficult, but not impossible.

Picture, for example, a virus embedded in a strategic program
like PIP or NSWEEP. It would try to infect one .COM program
every time a file was opened for writing (i.e. at a moment
when some additional disk activity wouldn't be obvious), but
ONLY if the filesize in Kb would not increase... 'Nuff said...

Peter Herweijer
pie...@sci.kun.nl

Paul Martin

Feb 19, 1993, 6:44:32 PM

>The argument that "a CP/M virus is impossible because you have
>to run a virus on CP/M explicitly and not on MSDOS" is invalid.
>
>In short:  MSDOS                       CP/M
>           mbr, boot sector            boot sector

I'm immune to this: I boot CP/M Plus (the lot) from ROM.

>           config.sys, autoexec.bat    profile.sub

Only available under CP/M Plus.

>Picture, for example, a virus embedded in a strategic program
>like PIP or NSWEEP. It would try to infect one .COM program

You forgot to mention the CP/M equivalent of a MSDOS TSR program, the
RSX. RSXes can be attached to any .COM file, too. The hard bit is that
they have to be inserted at the beginning. There are other ways, too...

Enough said? This is merely an academic exercise -- the first person to
release such a beast will get a baying group of CP/Mers converging on
him/her ready to inflict something horrible and lingering upon them.

--
Paul Martin

David Goodenough

Feb 20, 1993, 11:02:25 AM
hen...@aix00.csd.unsw.OZ.AU (Dr Henry Brancik) sez:
> I have experienced while working on MS-DOS (v. 3.3) machine a virus
> called [form]. .....

> Running a virus scan discovered a virus called [form].
> The virus was removed, the system files recovered from backups. No virus
> after this was found. The virus was found on the re-formatted diskette --
> as expected. Filling this diskette with data files by copying from the
> hard drive and then creating a temporary directory and copying all the
> files back there, the virus was transferred to the hard drive. The virus
> scan found it there. By re-booting the computer the virus was (apparently)
> activated and I was not able to copy files to diskettes without
> re-formatting them first. The "infected" file was a binary data file, not .COM or
> .EXE. Nobody used that file at all.

This sounds very close to a boot sector virus. The first sector of any
DOS disk is the bootstrap loader, even in the case of a non-bootable
diskette. In that instance, the loader tries to load the operating
system, but when it doesn't find it, it prints the message about
"non-system disk". However, the code has still had a chance to run.

When you format a disk, the boot sector from your hard disk is
copied to the floppy, this is how they transfer, and they can also
"jump" back from an infected floppy when you boot from it.

> Is there anyone on the Net to support my claim (no "virus"
> possible on CP/M) or, is there somebody who experienced "virus" on
> CP/M?

Well, in a vain attempt to keep this on topic, I'll make the
comment that boot sector viruses are probably not possible under
CP/M. The reason for this is that due to different hardware, the
boot sector from (for instance) a Kaypro 4 won't work on a
Televideo 803. Because of this, boot sector viruses under CP/M
would find it very hard to spread: one written for Kaypros would
only run on Kaypros, you'd have to write a different version for
Televideos, and so on.

*HOWEVER* there are other types of viruses: ones that infect .EXE
and/or .COM files, and are activated when the program is run.
*THIS* sort of virus is possible under CP/M, although with the
exception of Mr. Martin's "not-released" one, [*] I've never heard
of such a thing.

[*] Thanks Paul for keeping it safe - it is refreshing to know
there's a little bit of integrity left in the world.
dg
---
+ SLMR 2.1a #1246 + Windows isn't a virus ..... viruses *DO* something

Ernie Kent

Feb 23, 1993, 10:14:21 AM
In article <730165...@nowster.demon.co.uk>, p...@nowster.demon.co.uk (Paul Martin) writes:

|>
|> Enough said? This is merely an academic exercise -- the first person to
|> release such a beast will get a baying group of CP/Mers converging on
|> him/her ready to inflict something horrible and lingering upon them.
|>

I think it's more than enough said! If we don't drop this thread it's
going to inspire some idiot kid!

