Path: utzoo!utgpu!water!watmath!clyde!ima!think!whitney
From: whitney@think.COM (David Whitney)
Newsgroups: comp.sys.apple
Subject: Virus troubles...
Message-ID: <24362@think.UUCP>
Date: 22 Jul 88 20:34:08 GMT
Sender: usenet@think.UUCP
Reply-To: whitney@think.UUCP (David Whitney)
Organization: Thinking Machines Corporation, Cambridge, MA
Lines: 512

Well, I have become a victim of a virus - but not directly. Some a$$hole has
infected my Z-Link and began posting to various places (including, possibly,
Genie). If you know of anyone who has a copy of Z-Link Plus, tell them to get
rid of it right away. It contains the CyberAIDS virus, which can cause bad
(but not irrecoverable) damage. Every other time an infected SYS file is run,
the virus checks the volume directories of all online disks and infects all
SYS files it finds. Once the virus has executed 15 times, it trashes the
volume directory of online disks. See news below:

Date: Fri, 22 Jul 88 02:37:50 GMT
From: jordan%lvva.span@sds.sdsc.edu (RICH)
Message-Id: <880722023750.25400094@Sds.Sdsc.Edu>
Subject: Z-Link info
To: whitney@Think.COM
X-St-Vmsmail-To: SDSC::"whitney@think.com.arpa",JORDAN

Dave, for your information here is the current thread on the Z-Link virus.
The news seems to be good for Z-Link but bad in general. The thread on the
virus mentioned within will be sent following this msg. Since my system has
been checked and is not infected, it is highly unlikely that any infected
versions of Z-Link were uploaded. Hope this info helps. I do think it is very
unlikely that the sysops will release a copy of the virus for any reason, so I
won't be able to get a copy of the infected file. Good reading!

Rich

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Item 9505713 88/07/20 18:18
From: A2.DOUG Doug Acker, Apple II Library Mgr.
To: T.MADDEN Timothy J. Madden
cc: AA$ All Apple II RoundTables Staff
    D.LYONS2 David A. Lyons
    BARRACUDA Richard J. Jordan
Sub: virus programs
Reply: Item #9890843 from T.MADDEN on 88/07/19 at 21:48

The only reason why I would doubt it would be Z.link since D.Lyons has been
working with it a lot and he is a reputable programmer.
=END=
forwarded by A2.DOUG to BARRACUDA D.LYONS2
Item forwarded by A2.DOUG to OA$

Item 9890843 88/07/19 21:48
From: T.MADDEN Timothy J. Madden
To: A2.DOUG Doug Acker, Apple II Library Mgr.
Sub: virus programs

Hello. A friend of mine has lost several files that he downloaded recently,
apparently to a virus program. One of the programs said to spread it is ZLink.
I am not convinced there is a virus yet, but since the program is up on the A2
board I thought you might like to know that there is a possibility. I made
copies of the disks he claimed were infected and am looking them over (very
carefully, I admit). Oh, yeah, we discovered this through a BBS that told us
what to look for. When the disks are cataloged with such programs as Copy II+,
AppleWorks, or even BASIC, the catalogs are normal. When cataloged with APW,
the 'infected' disks have files with no names, creation and modification dates
are bad (i.e. appears), and the catalog format is screwed up. What fun, eh?

Tim
=END=
Item forwarded by A2.DOUG to AA$

Item 8619651 88/07/20 20:10
From: BARRACUDA Richard J. Jordan
To: A2.DOUG Doug Acker, Apple II Library Mgr.
cc: BARRACUDA Richard J. Jordan
Sub: z-link virus?

Doug, I've been using every version of Z-Link that I uploaded without
problems, and all of those have come direct from the author. If you like I can
contact the author about this. I have a feeling that another program is to
blame, or maybe there are deliberately contaminated versions floating around
(_not_ by the author). Let me know what you find out on this, though.

Rich
=END=

Item: 7844441 88/07/20 23:17
From: A2.DOUG Doug Acker, Apple II Library Mgr.
To: BARRACUDA Richard J. Jordan
cc: AA$ All Apple II RoundTables Staff
Sub: z-link virus?
Reply: Item #8619651 from BARRACUDA on 88/07/20 at 20:10

I don't think it's a virus either... as you and Dave are quite trustworthy...
It was more for your info though....
=END=

Item 5690480 88/07/21 01:29
From: D.LYONS2 David A. Lyons
To: A2.DOUG Doug Acker, Apple II Library Mgr.
cc: AA$ All Apple II RoundTables Staff
    BARRACUDA Richard J. Jordan
Sub: virus in Z-Link

I have independent evidence that there *is* a virus in *some* copies of Z-Link
floating around. I will tell the author, Dave Whitney, about it; I'm 100% sure
they are not his doing (his network address is Whitney@Think.COM). An
acquaintance of mine has a copy of a Z-Link that came from a pirate bulletin
board; it's infected. He's getting me a copy of it--apparently it infects a
SYS file every second time it's run, adding NINE BLOCKS to the file (there's a
packed hires picture in there for the virus to display at its convenience,
apparently). -- Once I get a copy, I'll tell you guys how to detect it.

By the way, I am about 98% sure that the messed-up catalog in APW is because
the last byte of a directory block is being fiddled with--APW assumes that the
last byte in each block will always be $00, as it normally is (it's unused
since the current directory entry size doesn't divide into 512 evenly).

--Dave Lyons
=END=

Item 8811050 88/07/21 03:25
From: GUY.T.RICE Guy Rice, A2Pro Leader
To: D.LYONS2 David A. Lyons
cc: A2.DOUG Doug Acker, Apple II Library Mgr.
    BARRACUDA Richard J. Jordan
    AA$ All Apple II RoundTables Staff
Sub: virus in Z-Link
Reply: Item #5690480 from D.LYONS2 on 88/07/21 at 01:29

Dave - it won't be necessary to isolate the virus yourself, that's already
been done. I have a copy of an infected BASIC.SYSTEM containing the very virus
you are talking about. It's 27 blocks long, infects a system file every second
time it's run or so, and has a packed hires picture in it. Therefore, I assume
we're talking about the same virus. It's actually rather easy to detect. Any
SYS file infected with it is marked by some ID bytes. The 4th-6th bytes of the
file will be $13. So just dump the file and check those 3 bytes to see if the
file is infected or not. (By the way, the VIRUS ITSELF isn't 27 blocks... the
infected copy of BASIC.SYSTEM is 27 blocks. Just wanted to make that clear...)

GTR
=END=

Item 1545389 88/07/21 12:56
From: UNCLE-DOS Tom Weishaar, Apple II Manager
To: T.MADDEN Timothy J. Madden
    D.LYONS2 David A. Lyons
    BARRACUDA Richard J. Jordan
    GUY.T.RICE Guy Rice, A2Pro Leader
cc: AA$ All Apple II RoundTables Staff
Sub: virus

The virus that has the $13 ID in bytes 4 to 6 is CyberAIDS. I think you're
all talking about it. It infects ProDOS 8 SYS files--Z-Link is an innocent SYS
file here. CyberAIDS can be destructive, but the disk can be recovered and
it's very easy to identify. PS it messes with that 512th byte of the
directory, too. For more, see Cat 12, Top 18, Message 12 and following in the
A2 BB.

VERN--for my peace of mind, would you download and check our copy of ZLINK?

Tom
=END=

Item 8941243 88/07/21 16:01
From: A2.VERN.R Vernon R. Pollard, Apple II Asst.
To: UNCLE-DOS Tom Weishaar, Apple II Manager
    T.MADDEN Timothy J. Madden
    D.LYONS2 David A. Lyons
    BARRACUDA Richard J. Jordan
    GUY.T.RICE Guy Rice, A2Pro Leader
cc: AA$ All Apple II RoundTables Staff
Sub: virus

Tom, Will get Zlink and check it out...

>>--[ A2 Alive!! ]--> Vern R.
=END=

Item 1483417 88/07/21 18:17
From: A2.DOUG Doug Acker, Apple II Library Mgr.
To: D.LYONS2 David A. Lyons
    A2.CHET Chet Day, A2 Bulletin Board Editor
    A2.DOUG Doug Acker, Apple II Library Mgr.
    A2.HAYWARD Lee Hayward, AppleWorks Librarian
    A2.TYLER Tyler D. Weisman, A2 RTC Leader
    A2.VERN.R Vernon R. Pollard, Apple II Asst.
    BARRACUDA Richard J. Jordan
    GUY.T.RICE Guy Rice, A2Pro Leader
    OA.VAN Tom Vanderpool, Open-Apple
    OPEN-APPLE Dennis Doms, Open-Apple
    TIM.SWIHART Tim Swihart, A2Pro Leader
    UNCLE-DOS Tom Weishaar, Apple II Manager
Sub: virus in Z-Link
Reply: Item #5690480 from D.LYONS2 on 88/07/21 at 01:29

Zlink Plus... there is no such animal except in pirate boards probably...
So far we believe we are still sterile....
=END=

and more...

Received: from Think.COM by fafnir.think.com; Fri, 22 Jul 88 03:26:15 EDT
Return-Path: <@cunyvm.cuny.edu:AWCTTYPA@UIAMVS.BITNET>
Received: from CUNYVM.CUNY.EDU by Think.COM; Fri, 22 Jul 88 03:29:46 EDT
Message-Id: <8807220729.AA02777@Think.COM>
Received: from UIAMVS.BITNET by CUNYVM.CUNY.EDU (IBM VM SMTP R1.1) with BSMTP id 8781; Fri, 22 Jul 88 03:25:38 EDT
Date: Friday 22 Jul 88 2:26 AM CT
From: David A. Lyons
To:
Subject: Mail from Participate at the University of Iowa

Dave! There are apparently copies of Z-Link making the rounds on some
not-so-legitimate bulletin boards, and some of them are INFECTED with
CyberAIDS. The virus can be identified by $13 in the 4th thru 6th bytes of a
SYS file. See msg concatted to the end of this for more info.

Some of the bogus copies are going by the name Z-Link Plus. I strongly suspect
that there is no legitimate version of Z-Link called Z-Link Plus; can you
verify this for me? (I'll pass it on to the GEnie admins.)

----------

The following note is from Tom Weishaar, the Open-Apple guy himself. Summary
recommendation: LOCK ALL THE SYS FILES IN THE MAIN DIRECTORY OF ALL YOUR DISKS
to protect yourself against an honest-to-goodness Apple II ProDOS virus called
CyberAIDS.

-------

UNCLE-DOS [ Tom W ] at 22:59 EDT

Sorry to have to reopen this topic gang, but we found one. OK, we've got one.
We've received and disassembled a copy of a SYS file infected with a virus
that attacks ProDOS 8 system files. The virus calls itself CyberAIDS. It's a
little buggy and far from "commercial quality," but is dangerous nonetheless.
We have no idea how widely distributed it is. It was sent to us by a user. We
don't think any of the SYS files in our library are infected, although we
haven't gone back and checked them all.

When a SYS file containing the CyberAIDS virus is executed, the disk drive
will turn off and then back on again. While the drive spins the second time,
CyberAids tries to replicate itself inside all of the online SYS files that
are in root directories. It doesn't look in subdirectories, it doesn't (can't
really) mess with write-protected disks, it doesn't attack locked SYS files,
and it doesn't attack the PRODOS file.

CyberAIDS also updates a counter stored in the last byte of the first block of
the disk directory. When this counter reaches 16, CyberAIDS writes $FFs
through the root directory of all online volumes and puts a message describing
what's happening on the screen.

If this happens to you, don't panic. The program Bag of Tricks 2, by Quality
Software, can recover your directory ($40, 21610 Lassen, #7, Chatsworth, CA
91311 818-709-1721). MR.FIXIT, which is one of the items in Glen Bredon's
ProSEL package, also can recover all the subdirectories (and what's in them)
from directories damaged by CyberAIDS. Unfortunately, MR.FIXIT cannot recover
files other than subdirectories.

The following is a simple program that can identify SYS files that have been
infected by CyberAIDS:

10 HOME : PRINT "CyberAIDS Detection Program"
20 PRINT
30 PRINT "Enter the name of the next SYS file to be checked."
40 INPUT F$ : IF LEN(F$)=0 THEN END
50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS"
60 DETECT=1
70 FOR ADR=8192 TO 8194
80 IF PEEK(ADR) <> 19 THEN DETECT=0
90 NEXT
100 IF DETECT THEN PRINT "This SYS file appears infected."
110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
120 GOTO 20

If you find any SYS files that are infected, simply delete them and replace
them with uninfected backups. You might also like to change the last byte of
the first block of the root directory (block 2), which is normally unused,
back to zero.

----------
(end of Tom W's note)

--David A. Lyons a.k.a. DAL Systems
PO Box 287 | North Liberty, IA 52317
BITNET: AWCTTYPA@UIAMVS
CompuServe: 72177,3233
GEnie mail: D.LYONS2

and finally...

Date: Fri, 22 Jul 88 03:02:18 GMT
From: jordan%lvva.span@sds.sdsc.edu (RICH)
Message-Id: <880722030218.25400094@Sds.Sdsc.Edu>
Subject: P8 Virus
To: whitney@Think.COM
X-St-Vmsmail-To: SDSC::"whitney@think.com.arpa",JORDAN

Dave, Here's the thread on the virus as of tonight. If any other good info
comes in I'll send it to you ASAP. Dave Lyons may also be in touch with you if
he hasn't already.

Rich

----------
Category 12, Topic 18
Message 15 Wed Jul 20, 1988
OPEN-APPLE [Dennis Doms] at 09:45 EDT

I've also discovered you can BLOAD a volume directory (I didn't know that!),
so if you do a 'BLOAD /VOLUME,A$2000,TDIR' (substitute your disk name for
"/VOLUME") and if 'PRINT PEEK(8703)' does not give you '0', that _may_ also
mean the volume has been trifled with. ("8703" = $21FF, which is the last byte
of the first block of the volume.) You can correct the value (on disk) with a
block editor.

----------
Category 12, Topic 18
Message 16 Thu Jul 21, 1988
GUY.T.RICE [A2Pro Sysop] at 19:19 EDT

Just to point something out. Back a few months ago, when that person whose
name I have forgotten first uploaded that file about viruses that started this
whole thing, he also uploaded a file showing what your screen looks like after
the virus strikes. That screen is exactly the screen put up by this virus. In
other words, this IS the virus that person was talking about, and it did
really exist back then (despite everyone saying it was just rumor), and it has
been going around all this time.

The reason I mention this is because I kinda got a chuckle when this second
virus topic was started for "Bona fide" viruses, implying that the other topic
had no "real" stuff in it, even though Glen Bredon himself had stated flat out
that he had seen one. This virus is real, exists, and has existed ever since
it was first reported those months ago. This is not a rumor. Be cautious...

GTR

----------
Category 12, Topic 18
Message 17 Thu Jul 21, 1988
P.J.PAUL at 21:33 EDT

I regret that I caused such havoc when I began speaking of the virus. My
intentions then (as well as now) were to inform, rather than alarm. I
personally lost all the data on my 20 meg. SIDER, my /ROM disk and a 3.5"
floppy. It was indeed CYBERAIDS that caused the problem, and I have a copy of
the program (it was EPBH1.5EX) that carried the virus. I have just uploaded a
program (VACCINE II) that will detect the presence of that (and hopefully all
other strains). "An ounce of prevention........................."

<< Peter J. Paul >>

----------
Category 12, Topic 18
Message 18 Thu Jul 21, 1988
W.MOULAS [Bill] at 20:53 CDT

Wow, there are so many Virus.RX programs on the library, Peter just uploaded
one, Guy has one in the library, does anyone know which virus detecting
program works the best. I was just nominated the Asst. Sysop in the Aviation
RT and one of my duties is to screen uploads that run on my system. I'm now
trying to figure out which program will give me the most protection. It's
better to be safe than to be sorry.

Thanks
Bill Moulas

----------
Category 12, Topic 18
Message 19 Thu Jul 21, 1988
OPEN-APPLE [Dennis Doms] at 21:56 EDT

I noticed that most of the virus detection programs seem to want to run on a
IIgs, though Glen Bredon's shareware version only requires a 65802 (so it
could be used on an Apple II if that chip was installed in place of the
6502/65C02) or 65816. One reason that I think CyberAIDS was overlooked was
that we need the hard evidence of the infected program to make sure that it is
code and not some vagary of the system (especially on the IIgs) that is the
cause. Bugs like the ProDOS 1.1.1 track 0 trashing problem need to be
distinguished from intentional problem programs.

----------

Well, that's all I have right now. Sorry this is so long, but I figure it's
generally useful and you all ought to watch your disks...

David Whitney, MIT '90                  Still learning about my Apple //GS
{out there}!harvard!think!whitney       and all of its secrets. Any and all
whitney@think.com                       technical info appreciated.
DISCLAIMER: You think they even know I'm doing this?
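The thread above gives two checks for this virus: Tom Weishaar's BASIC program tests whether the 4th-6th bytes of a SYS file are $13, and Dennis Doms' message 15 peeks at the last byte of the first volume-directory block (normally $00), which Tom's note identifies as the execution counter; Tom's note also says locked SYS files are not attacked. The Python script below is an added example, not code from the original post or from any of the people quoted in it. It applies both checks to a raw ProDOS block image (512-byte blocks, ProDOS order) and additionally lists which root-directory SYS files are still unlocked. It assumes the standard ProDOS volume-directory layout (39-byte entries, 13 per block, next-block link at bytes 2-3, file type at offset $10, key block at $11-$12, access byte at $1E, storage type in the high nibble of byte 0); the image it scans is constructed in memory, and all function names are mine.

```python
"""Offline CyberAIDS check for a ProDOS 8 block image (added example, not the
thread's own code). Assumes a raw 512-byte-block (.po) image; the image scanned
at the bottom is constructed in memory so nothing on disk is touched."""
from __future__ import annotations

BLOCK = 512
VOL_DIR_BLOCK = 2                  # first block of the ProDOS volume directory
ENTRY_LEN = 0x27                   # 39-byte directory entries
ENTRIES_PER_BLOCK = 13             # 4 link bytes + 13 * 39 = 511, so byte 511 is unused
SYS_FILE_TYPE = 0xFF               # ProDOS file type of a SYS file
MARKER = b"\x13\x13\x13"           # $13 in the 4th-6th bytes, i.e. offsets 3..5
SEEDLING, SAPLING, TREE = 1, 2, 3  # ProDOS storage types
ACCESS_WRITE = 0x02                # access-byte bit: set means the file is not locked


def read_block(image: bytes, n: int) -> bytes:
    return image[n * BLOCK:(n + 1) * BLOCK]


def first_data_block(image: bytes, storage_type: int, key_block: int) -> bytes:
    """Follow the key block down to the file's first 512 data bytes."""
    if storage_type == SEEDLING:          # key block is the data itself
        return read_block(image, key_block)
    if storage_type in (SAPLING, TREE):   # key block is an index block
        index = read_block(image, key_block)
        first = index[0] | (index[256] << 8)   # low bytes at 0..255, high bytes at 256..511
        if storage_type == TREE:               # master index -> first index block
            index = read_block(image, first)
            first = index[0] | (index[256] << 8)
        return read_block(image, first)
    return b""


def directory_counter(image: bytes) -> int:
    """Last byte of the volume directory's first block: normally $00 (what
    PEEK(8703) reads in the thread); CyberAIDS keeps its execution counter here."""
    return read_block(image, VOL_DIR_BLOCK)[BLOCK - 1]


def scan_root_sys_files(image: bytes) -> list[tuple[str, bool, bool]]:
    """Return (name, marked, writable) for each SYS file in the root directory.
    marked   -> the $13 ID bytes are present
    writable -> the file is unlocked, i.e. still exposed per Tom's note."""
    results = []
    blk = VOL_DIR_BLOCK
    while blk:
        data = read_block(image, blk)
        for i in range(ENTRIES_PER_BLOCK):
            e = data[4 + i * ENTRY_LEN:4 + (i + 1) * ENTRY_LEN]
            storage_type, name_len = e[0] >> 4, e[0] & 0x0F
            if storage_type in (0x0, 0xF) or e[0x10] != SYS_FILE_TYPE:
                continue                  # empty slot, the volume header, or not a SYS file
            name = e[1:1 + name_len].decode("ascii")
            key_block = e[0x11] | (e[0x12] << 8)
            head = first_data_block(image, storage_type, key_block)
            results.append((name, head[3:6] == MARKER, bool(e[0x1E] & ACCESS_WRITE)))
        blk = data[2] | (data[3] << 8)    # next directory block; 0 ends the chain
    return results


def build_sample_image() -> bytes:
    """Constructed 8-block image: a marked+unlocked SYS file, a clean+locked one,
    and a clean sapling (index-block) SYS file. Not a real disk."""
    def entry(storage_type: int, name: str, file_type: int, key_block: int, access: int) -> bytes:
        e = bytearray(ENTRY_LEN)
        e[0] = (storage_type << 4) | len(name)
        e[1:1 + len(name)] = name.encode("ascii")
        e[0x10] = file_type
        e[0x11], e[0x12] = key_block & 0xFF, key_block >> 8
        e[0x1E] = access
        return bytes(e)

    directory = bytearray(BLOCK)
    slots = [entry(0xF, "VIRUSTEST", 0, 0, 0xC3),                      # volume header (minimal)
             entry(SEEDLING, "ZLINK.SYSTEM", SYS_FILE_TYPE, 3, 0xC3),  # unlocked, marked
             entry(SEEDLING, "BASIC.SYSTEM", SYS_FILE_TYPE, 4, 0x01),  # locked, clean
             entry(SAPLING, "TEST.SYSTEM", SYS_FILE_TYPE, 5, 0xC3)]    # unlocked, clean
    for i, s in enumerate(slots):
        directory[4 + i * ENTRY_LEN:4 + (i + 1) * ENTRY_LEN] = s
    directory[BLOCK - 1] = 5                                           # constructed run counter

    marked = bytearray(BLOCK); marked[0:6] = b"\x4C\x00\x20" + MARKER  # JMP + ID bytes
    clean = bytearray(BLOCK);  clean[0:6] = b"\x4C\x00\x20\xEA\xEA\xEA"
    index = bytearray(BLOCK);  index[0], index[256] = 6, 0             # sapling -> data in block 6
    boot, bitmap = bytearray(2 * BLOCK), bytearray(BLOCK)
    return bytes(boot + directory + marked + clean + index + clean + bitmap)


if __name__ == "__main__":
    img = build_sample_image()
    print(f"directory counter byte: ${directory_counter(img):02X}")
    for name, marked, writable in scan_root_sys_files(img):
        state = "INFECTED" if marked else "ok"
        print(f"{name:16} {state:9} {'unlocked' if writable else 'locked'}")
```

To run it against a real image, replace build_sample_image() with open("disk.po", "rb").read(); a non-zero counter byte together with any marked file is the condition Tom's note describes, and every unlocked SYS file in the listing is one the note recommends locking.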