Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!agate!shelby!helens!news
From: news@helens.Stanford.EDU (news)
Newsgroups: alt.hackers
Subject: Re: A (long) story about an (old) Apple ][ virus
Message-ID: <461@helens.Stanford.EDU>
Date: 12 Apr 90 11:16:16 GMT
References: <1990Apr2.054914.11842@eng.umd.edu> <117@blekko.UUCP>
Sender: news@helens.Stanford.EDU
Distribution: alt
Organization: Stanford University, Department of Geophysics
Lines: 50
Approved: joe@hanauma.stanford.edu

In article <117@blekko.UUCP> skrenta@blekko.UUCP (Rich Skrenta) writes:
>jd> check the version, the simplest way is to do a "CATALOG" of the disk you're
>jd> checking, and then look at B3BF.
>jd>
>jd> (If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find
>jd> the bytes I've mentioned, then I don't know any more about it than you do,
>
>The similarity is incredible. I guess those unused spaces in the VTOC were
>popular. Cloner used B3BF for the boot count; its version number was
>stamped at B3C2.

There were only a few natural places to stick viruses on the Apple:
holes in DOS, holes in the VTOC. I imagine almost any Apple ][ virus would
probably occupy those same places. That's why I specifically warned that
people might find OTHER strange things in those places.

I avoided using Track 2 for my viruses, since a common practice was to
modify the disk directory info to allocate that unused DOS track for data.
This of course meant I was VERY crimped for space. Did Elk Cloner make DOS
any bigger? If so, it would have trashed programs like "Congo" just as my
"Virus 2" did. The trick with Virus 3 that allowed it to be completely
transparent was to use memory without allocating it. If it got trashed, so
what; a small routine buried safely inside DOS would notice and safely
disconnect the virus from DOS.

I posted my message to comp.sys.apple2, alt.folklore.computers,
comp.virus, and alt.hackers. I was expecting to get massively flamed on
comp.sys.apple2, but I was hoping that I'd also get some interesting
information too. Guess what? A few random pieces of mail "thanks for an
interesting story". _That's all_! The only interesting responses I've gotten
back have been from _alt.hackers_!

There are apparently lots of people on comp.sys.apple2 who still use
DOS 3.3 disks; I see them posting. But they don't feel like searching for a
virus that has never called attention to itself! I've only heard back from
2 people who read the comp.sys.apple2 posting and checked their disks
(neither found anything). It also doesn't help that Texas A+M, the probable
locus of Virus 3 infection, is a networking desert. How disappointing.

Since my virus almost certainly did escape into the wide world, I
suspect it should have spread about as much as Elk Cloner appears to have.
But virus 3 really was invisible, and it's hard to get people excited at
this late date about a virus that never called attention to itself. Oh, well.
It would have been very interesting to find out a generation count or two....

If there are any other old Apple ][ virus-writers out there, I
encourage you to come forward and tell your stories. We can even all write
a joint paper; I think that would be a VERY interesting article.

\    /\    /\    /\/\/\/\/\/\/\.-.-.-.-.......___________
 \  /  \  /  \  /Dept of Geophysics, Stanford University \/\/\.-.-....___
  \/    \/    \/Joe Dellinger  joe@hanauma.stanford.edu  apple!hanauma!joe\/\.-._
************** Drive Friendly, Y'all! ******************************************