Virus Information


Greg Prevost

Jul 26, 1988, 5:54:43 PM
Ok folks, in the past few days I have seen some major stuff going on. There
are at least two different viruses running around. One is called Cyberaids and
the other is made by some group called Festering Hate. Here is some of the
info I have picked up on it in the last few days.

50/50: Warning Apple users
Name: Practor Fime #13 @4
Date: Sat Jul 16 17:16:14 1988


CAUTION:

ZLink+, ZLink.PBH, ZLink are all viruses, if you run ZLink then you
now are the happy parent to a rodent virus. It seems ZLink has some sort of
virus that attaches to files and stuff. My friend has it on his HD and it
creates some file entry in the ROOT directory that is hidden from every utility
EXCEPT APW or ORCA. Every time you boot the prodos with the virus it will do
an ON-LINE vol check (even if you specify the exact pathname) and install the
virus on system files such as Mr Fixit, Basic.system, Copy II+ etc.

-------------------------------------------------------------------------------

(92 of 100)
Titled : <*** W A R N I N G ***>
Author : Dr. Logic/Bill of [None]
Stamped: July 13, 1988 at 12:07 AM

There is a file going around (currently on the Hard Drive) called Z.LINK.PLUS.
It is supposed to be a terminal program somewhat like ProTERM. It is a decent
program but the main reason I posted this is when you boot it up, it GOES TO
EVERY ON-LINE DRIVE AND MODIFIES >BASIC.SYSTEM<!!!

At bootup, it looks like it's doing an On-Line call and checks every drive.
Then it goes back to some and starts doing some modifications (especially
noticeable on floppy drives). The program modified copies of BASIC.SYSTEM,
FILER, BACKUP.SYSTEM and PROSEL (don't ask me how it chooses, it usually just
attacks BASIC.SYSTEM).

After installing itself into BASIC.SYSTEM, every time you boot a disk with that
BASIC.SYSTEM on it, it will do another on-line check and continue to add itself
to other copies of BASIC.SYSTEM.

One of the tell-tale signs of this is it will leave behind tracks such as the
modification date of the files it altered (that's how I found out). BE
CAREFUL!!! I do not know if this is a virus as my HD is still operable and
I've replaced all infected files with backups. Either way, I don't like
something that spreads itself around, especially doing an on-line call after
every bootup.


Please spread the word around. I don't know what kind of file this is but it
sounds like bad news to me. I encourage those of you who are more
knowledgeable about machine language to d/l the disk and examine the contents
of the files. I don't trust it but you have been warned.

WARNING: This is a FOR REAL virus not a trojan, if interested I will pack the
Infected Basic System and U/L it if you want to make a detoxin for it

-Jon

-------------------------------------------------------------------------------

Virus
~~~~~
The first verified virus of the ProDOS operating system is out and
around. The first identified carrier of this virus was a terminal program
called "ZLINK.PLUS", which was discovered about one week ago. Today, our board
was struck by the same virus, which was hidden inside another file,
"MR.FIXIT.3.7", and since I have found it to inhabit "SQUIRT.1.5" as well. Be
careful. The most telltale sign of this virus is the fact that when you
execute a system file which is a carrier, it will scan all of your online
prodos devices, and will then occasionally write to one of them. Check your
directories carefully, look at the modification date on your system files. If
it is recent, you may have an infected program. Files in subdirectories are
NOT safe. I have not found it to copy itself into any file other than
BASIC.SYSTEM, but I hear that other people have had it copy onto other SYS-type
files.

The Byter

(This is the Byter who runs Cabal of the Lexicon in 213.)

-------------------------------------------------------------------------------

Not much of part 2 but you have to give credit where credit is due.

Sounds pretty interesting. I d/l the Z.LINK system from here and it does not
do a vol. check or anything like that as far as I can tell. But it also
doesn't work correctly. If I call a board, then I can type to it, but whatever
the remote system sends me, it doesn't show up on the screen (I know it's
sending info cause my RD light blinks on and off...)...

[ Post ] 1848
[ Board ] Reference Desk
[ Message ] 73 of 75
[ Subject ] Virus [again]
[ From ] THE SPECTRE (#18) [ SPECTRE ]
[ Date ] 07/21/88 06:23:07 AM

This is yet another file I picked up somewhere...on the current virus(s)...

-------------------------------------------------------------------------------
..The Lexicon Exchange..


Regarding the virus, it detonated on me and a bunch of my friends, one of them
had a fingerprint card on his printer and dumped the title page to paper.
Before it ever gets to the title page it has scrolling graphics, upside down
crosses, 666's, FESTERING HATE and an Electronic Arts logo. Then it goes to
this:


[WOP] -666- FESTERING HATE -666- [FOG]
======================================
W| The Good News: You now have a copy |F
o| of one of the greatest programs |r
r| that has ever been created! |i
s| The Bad News: It's quite likely |e
h| that it's the only program you now |n
i| have in your possession. |d
p|====================================|s
p| Hey Glen! We sincerely hope our |
e| royalty checks are in the mail! |o
r| Seeing how we're making you rich |f
s| by providing a market for virus |
| detection software! |G
o|====================================|l
f|Elect LORD DIGITAL as God committee!|e
|====================================|n
P| )/> The Kool/Rad Alliance! <\( |
a| Rancid Grapefruit -- Cereal Killer |B
t|====================================|r
r| This program is made possible by a |e
i| grant from Pig's Knuckle ELITE |d
c| Research. Orderline: 313/534-1466 |o
k======[(C) 1988 ELECTRONIC ARTS]======n


This **** in't funny. I lost 20 megs and know people that have lost as much
as 80. How the **** could someone manage to hide so much graphics and text
and an entire virus in so little space?

This thing is ****in' vicious.

What I know about the title page:

WOP is some thing started by Dead Lord revolving around his hero Lord Digital.
(whose name is Patrick)

Lord Digital is this dude that's semi-legendary in the phreak/hack world. He
gets written up in NY Times and a bunch of newspapers and magazines and has
some book getting published next year. There are like 3 megs of files about
him that were written over the years by dudes like Dead Lord and all of his
other groupies.

The Kool/Rad Alliance was a group Lord Digital started as a joke after he quit
the oldest Apple crackers group that existed from 1979-1986 which was the
original Apple Mafia. The Kool/Rad Alliance was made up of his friends and
him who were supposedly mega-stud programmers and hackers and spent their
time trashing people's boards when everybody was running networks and GBBS II
and writing "killer software". Supposedly the Phantom Access that was finally
released like 2 years ago for the Cat was infected with some DOS 3.3 virus
and other weird ****.

Glen Bredon wrote some virus detector which I guess doesn't work anymore.

Rancid Grapefruit is some dude that writes for 2600 magazine, which is a phreak
mag.


Cereal Killer is one of LD's friends and wrote a 200+ block file about 1.5
years ago about the entire modem world and his views on it. Summarized he
seems like just the kind of person who'd think a virus is funny.

Pig's Knuckle ELITE is some inside joke that started appearing in Tap.Interviws
about 4 years ago and has continued forever for some reason.

I got all this from reading Lord Digital files, of which there are like 50
which some of my friends who are his groupies collected and all of that ****
in the title page is from the LD history.

If somebody wants I can upload some of it, or only the really relevant stuff
like Cereal Killer's file since it looks like he co-wrote the virus and he is
some rich kid in NYC that likes to cause trouble for everybody.

Does anyone know how the **** to fix the hard drive after it detonates? I
tried Mr. Fixit and it just gives up and since I backed up 2 days ago my
backup's are infected too and basically all my programs are just ****ed.

**** I feel sorry for the people that were the first to get Zlink, that thing
must have infected everything on people's hard drives when it got packed up,
because I haven't gotten ANY of those wares people mentioned, so it has to
be in ****ing EVERYTHING by now, the latest thing I got was Alien Mind and
Mtalk. In fact those were the ONLY two things I got in the last 2 weeks.
Where the **** did Zlink come from anyway? Could these guys have written
the entire zlink program just to hide their virus?

Why the **** would somebody that programs that well waste so much time just
to hurt people he doesn't even know. Jesus that's scary........


-------------------------------------------------------------------------------

Yeah, that is pretty scary. Some people must be REALLY bored to do something
like that...

The Spectre

ps: "You never notice until it happens to you."
here is some info compiled from Genie.

----------
Category 12, Topic 18
Message 12 Tue Jul 19, 1988
UNCLE-DOS [ Tom W ] at 22:59 EDT

Sorry to have to reopen this topic gang, but we found one. -------

OK, we've got one. We've received and disassembled a copy of a SYS file
infected with a virus that attacks ProDOS 8 system files. The virus calls
itself CyberAIDS. It's a little buggy and far from "commercial quality," but
is dangerous nonetheless. We have no idea how widely distributed it is. It
was sent to us by a user. We don't think any of the SYS files in our library
are infected, although we haven't gone back and checked them all.
When a SYS file containing the CyberAIDS virus is executed, the disk
drive will turn off and then back on again. While the drive spins the second
time, CyberAids tries to replicate itself inside all of the online SYS files
that are in root directories. It doesn't look in subdirectories, it doesn't
(can't really) mess with write-protected disks, it doesn't attack locked SYS
files, and it doesn't attack the PRODOS file. CyberAIDS also updates a
counter stored in the last byte of the first block of the disk directory.
When this counter reaches 16, CyberAIDS writes $FFs through the root
directory of all online volumes and puts a message describing what's
happening on the screen.
If this happens to you, don't panic. The program Bag of Tricks 2, by
Quality Software, can recover your directory ($40, 21610 Lassen, #7,
Chatsworth, CA 91311 818-709-1721). MR.FIXIT, which is one of the items in
Glen Bredon's ProSEL package, also can recover all the subdirectories (and
what's in them) from directories damaged by CyberAIDS. Unfortunately,
MR.FIXIT cannot recover files other than subdirectories.
The following is a simple program that can identify SYS files that have
been infected by CyberAIDS:

10 HOME : PRINT "CyberAIDS Detection Program"
20 PRINT
30 PRINT "Enter the name of the next SYS file to be checked."
40 INPUT F$ : IF LEN(F$)=0 THEN END
50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS"
60 DETECT=1
70 FOR ADR=8192 TO 8194
80 IF PEEK(ADR) <> 19 THEN DETECT=0
90 NEXT
100 IF DETECT THEN PRINT "This SYS file appears infected."
110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
120 GOTO 20

If you find any SYS files that are infected, simply delete them and
replace them with uninfected backups. You might also like to change the last
byte of the first block of the root directory (block 2), which is normally
unused, back to zero.
----------
Category 12, Topic 18
Message 15 Wed Jul 20, 1988
OPEN-APPLE [Dennis Doms] at 09:45 EDT

I've also discovered you can BLOAD a volume directory (I didn't know that!
<grin>), so if you do a 'BLOAD /VOLUME,A$2000,TDIR' (substitute your disk
name for "/VOLUME") and if 'PRINT PEEK(8703)' does not give you '0', that
_may_ also mean the volume has been trifled with. ("8703" = $21FF, which is
the last byte of the first block of the volume.) You can correct the value
(on disk) with a block editor.
----------
Category 12, Topic 18
Message 16 Thu Jul 21, 1988
GUY.T.RICE [A2Pro Sysop] at 19:19 EDT

Just to point something out. Back a few months ago, when that person whose
name I have forgotten first uploaded that file about viruses that started
this whole thing, he also uploaded a file showing what your screen looks
like after the virus strikes. That screen is exactly the screen put up by
this virus. In other words, this IS the virus that person was talking
about, and it did really exist back then (despite everyone saying it was
just rumor), and it has been going around all this time.

The reason I mention this is because I kinda got a chuckle when this second
virus topic was started for "Bona fide" viruses, implying that the other
topic had no "real" stuff in it, even though Glen Bredon himself had stated
flat out that he had seen one. This virus is real, exists, and has existed
ever since it was first reported those months ago. This is not a rumor.

Be cautious...

GTR
----------
Category 12, Topic 18
Message 25 Fri Jul 22, 1988
UNCLE-DOS [ Tom W ] at 14:17 EDT


A couple of important points:

A.) CyberAIDS is not tied to any one particular program. A rule such as
don't use "EPBH1.5EX" isn't going to help--now that the virus is loose you
must check ALL new P8 SYS files before you introduce them to your system--
forevermore. That's certainly what we'll be doing here, right Doug and Vern?

B.) A corollary of the above is that just because JOHN.DOE uploads an
infected program, it doesn't mean that JOHN.DOE is one of the bad guys. If
JOHN.DOE's system is infected with CyberAIDS and he doesn't know it, every
P8 SYS he owns could be infected.

C.) On making programs virus resistant: if a program checked its own
End of File marker to make sure it hadn't been lengthened, and reported
damage and a possible viral infection if it had, it would help a lot in the
fight against viruses in general and would certainly defeat CyberAIDS.

D.) Regarding virus-related programs in our library, there are three
different types. No single one of them is "best"--each is "best" at what it
was designed to do:

1.) generalized virus-detection programs
3844 BLK0SAVE.BNY (GUY.T.RICE)
4165 RX.BNY (BREDON-shareware)
2.) CyberAIDS-specific detection programs
4879 CYBERAIDS.ALERT.BQY (UNCLE-DOS Tom Weishaar)
3.) information files
3715 VIRUS.BNY (P.J.PAUL)
3767 VIRUS.SCREEN.TXT (P.J.PAUL)
3800 VIRUS.INFORMATION (N61346)

E.) I encourage anyone who wants to write a virus-detection program to
do so and upload it here, however, I reserve the right to examine the
program's source code before releasing it. I'm sorry to be so sensitive
about this, but it is a major concern. One of the best places to hide a
virus is in a "detector" program.

Category 12, Topic 18
Message 27 Fri Jul 22, 1988
P.J.PAUL at 20:39 EDT

There appears to be a "new virus in town". The new virus is known as
FESTERING HATE (the other for the Apple ][ was CyberAids). It is not as
easily fixed when you are 'struck'. Neither MR.FIXIT nor BAG OF TRICKS can
recover any of the lost files. Thus far it has been linked to two files.
Those are SQUIRT 1.5 and Z-LINK. Both of these files are SHAREWARE and
legitimate copies are available. It appears that the virus spreaders (not up
to human standards in my opinion) modified these programs, and then
uploaded them to various systems. The virus affects SYS files, and adds 8
blocks to the end of them. If you perform a CATALOG and notice that either
the MODIFICATION DATE and/or the length has changed, delete the file
immediately and replace it. It is also rumored to affect SYS files so that
not only do they carry the virus, but may also spread it to other SYS files.
<< Peter J. Paul >>
----------
Category 12, Topic 18
Message 29 Fri Jul 22, 1988
D.LYONS2 [DAL Systems] at 23:18 CDT

Peter, a "virus" by definition spreads itself through multiple generations,
doesn't it? (What do you call a program that does damage but doesn't cause
other programs to keep spreading the original nasty code? There's something
conceptually between a "destructive" program and a "virus": a 1-generation
virus? You'd just end up with a lot of infected files, one of which would
eventually decide to erase your disks, I guess.)

How do we identify Festering Hate?

--Dave Lyons
----------
Category 12, Topic 18
Message 30 Sat Jul 23, 1988
OPEN-APPLE [Dennis Doms] at 13:06 EDT

Dave - wouldn't that be something like the old "Trojan Horse" idea?
----------
Category 12, Topic 18
Message 31 Sat Jul 23, 1988
GUY.T.RICE [A2Pro Sysop] at 16:04 EDT

Dennis is right. There are 3 kinds of destructive programs, really. The
simplest is the "disk bomb". This is a program that, after a certain number
of runs, destroys your disk. The second is the "Trojan Horse". This is a
program that claims to do something (like let you play Space Munchies) but
when it's run, it installs a disk bomb. The program that the bomb is
installed in does not infect other programs. The only program that spreads
the bomb is the Trojan program. The last and worst of the 3 is the virus.
This is a self-replicating disk bomb. When it infects a file, the infected
file becomes a carrier, and it can infect other files, and those files in
turn can infect other files, etc.

Now, can everyone tell the disk bomb from the trojans from the viruses?
Quiz tomorrow... <grin>

GTR

----------
Category 12, Topic 18
Message 32 Sat Jul 23, 1988
UNCLE-DOS [ Tom W ] at 18:25 EDT

We have an independent sighting of Festering Hate. It appears to be a
modified version of CyberAIDS. However, we don't actually have a copy of it
for complete analysis. Apparently the fourth through sixth bytes of FH will
always add up to $39 (or $39 + 256 or $39 + 256 +256). These bytes in
CyberAIDS also add up to $39, but are always $13, $13, $13.
If anyone sees a copy of this one please forward it, carefully marked as
to contents, by XMODEM EMAIL, to OPEN-APPLE. Thanks.
Tom W.
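The file-level and disk-level checks described in this thread (the Applesoft detector's $13 $13 $13 test on bytes 4-6 of a SYS file, Dennis Doms's PEEK of the last byte of the first directory block, Tom W.'s $39 checksum for Festering Hate, and his point C about comparing a file's length against a known-good value), gathered into one Python scanner. This is an added example, not code from any of the quoted messages; it assumes 512-byte ProDOS blocks, P.J. Paul's figure of 8 added blocks for Festering Hate, and constructed sample headers rather than bytes from any real infected file.

```python
"""Checks for the two ProDOS 8 SYS-file infections discussed in this thread.
Added illustration, not code from any of the quoted messages.
Assumed: 512-byte ProDOS blocks; the volume directory starts at block 2
(Tom W.); CyberAIDS puts $13 $13 $13 in bytes 4..6 of a SYS file (the
Applesoft detector); Festering Hate's bytes 4..6 sum to $39 mod 256
(Tom W.); Festering Hate adds 8 blocks to a SYS file (P.J. Paul)."""

BLOCK_SIZE = 512
ROOT_DIR_BLOCK = 2
CYBERAIDS_SIG = b"\x13\x13\x13"
FH_CHECKSUM = 0x39
FH_GROWTH = 8 * BLOCK_SIZE          # 4096 bytes

def signature_bytes(sys_image: bytes) -> bytes:
    """Fourth through sixth bytes of the SYS file (the BLOAD's ,B3,L3 range)."""
    return bytes(sys_image[3:6])

def is_cyberaids(sys_image: bytes) -> bool:
    """Exact match on the signature the Applesoft program checks."""
    return signature_bytes(sys_image) == CYBERAIDS_SIG

def is_festering_hate_suspect(sys_image: bytes) -> bool:
    """Weaker heuristic: bytes sum to $39 (mod 256) but are not CyberAIDS.
    Expect false positives; treat a hit as 'inspect', not 'infected'."""
    sig = signature_bytes(sys_image)
    return len(sig) == 3 and sum(sig) % 256 == FH_CHECKSUM and sig != CYBERAIDS_SIG

def grew_by_fh_payload(current_len: int, known_good_len: int) -> bool:
    """Tom W.'s point C: a file that compares its EOF against a known-good
    length notices being lengthened; FH adds exactly 8 blocks."""
    return current_len - known_good_len == FH_GROWTH

def cyberaids_counter(disk_image: bytes) -> int:
    """Last byte of the first root-directory block (Dennis Doms's PEEK(8703)).
    Normally 0; CyberAIDS bumps it per replication and detonates at 16."""
    return disk_image[ROOT_DIR_BLOCK * BLOCK_SIZE + BLOCK_SIZE - 1]

def classify(sys_image: bytes) -> str:
    if is_cyberaids(sys_image):
        return "infected: CyberAIDS"
    if is_festering_hate_suspect(sys_image):
        return "suspect: Festering Hate checksum matched"
    return "clean"

# Constructed sample headers (a JMP plus filler), not bytes of any real file.
CLEAN_SYS = b"\x4c\x10\x20\xea\xea\xea" + b"\x00" * 10
CYBERAIDS_SYS = b"\x4c\x10\x20" + CYBERAIDS_SIG + b"\x00" * 10
FH_SYS = b"\x4c\x10\x20\x10\x10\x19" + b"\x00" * 10   # 0x10+0x10+0x19 = 0x39
# Constructed three-block disk image with the CyberAIDS counter already at 16.
DISK = bytearray(3 * BLOCK_SIZE)
DISK[ROOT_DIR_BLOCK * BLOCK_SIZE + BLOCK_SIZE - 1] = 16

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_SYS), ("cyberaids", CYBERAIDS_SYS), ("fh", FH_SYS)):
        print(name, classify(img))
    print("directory counter:", cyberaids_counter(DISK))
```

The Festering Hate checksum is only a heuristic: a clean SYS file can sum to $39 by chance, so a hit there is a reason to compare the file's length and modification date against a known-good copy, not a verdict on its own.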
----------
Category 12, Topic 18
Message 34 Sun Jul 24, 1988
P.J.PAUL at 14:29 EDT

I used the word 'virus' in a generic form, as 'time bomb', 'Trojan horse',
et al. might better fit a particular strain, but I feel that there is
already enough paranoia and general confusion about the subject without
worrying about semantics. At this point the only way I know to identify
'FESTERING HATE' is via the screen display when it is 'too late'. I hope we
can all learn an earlier identifying factor.
<< Peter J. Paul >>
----------
Category 12, Topic 18
Message 35 Sun Jul 24, 1988
L.WALTON [Lorne] at 13:14 PDT

All this talk about P8 SYS files containing viruses: I assume that the
reason we're not talking about any other filetype is just that viruses
haven't been found there yet. Am I right? Is there any reason that a virus
can't be incorporated into _any_ executable file?

A week or so ago I dl'ed a ProDOS 16 program, FOURINAROW from the A2
library. As it is booting, this program displays the message:

Formatting system disk.......Gotcha!

where most programs would display "Please wait a moment..." No disk drives
are accessed during this process, and the program disk seems OK. I examined
a disassembly of the code (using Dave Lyons' NiftyList) and it appears to do
nothing out of the ordinary, at least not in the immediate vicinity of the
startup sequences.

Is this just a sick joke? Or is it possible something is lurking there,
waiting to pounce?
---==>> Lorne <<==---
system files to make sure you are clean.
And remember, there do appear to be two separate viruses....
