Path: utzoo!attcan!uunet!husc6!rutgers!ucsd!ucbvax!UIAMVS.BITNET!AWCTTYPA
From: AWCTTYPA@UIAMVS.BITNET ("David A. Lyons")
Newsgroups: comp.sys.apple
Subject: CyberAIDS warning--a real virus (Weishaar)
Message-ID: <8807201303.ab04563@SMOKE.BRL.ARPA>
Date: 24 Jul 88 18:12:40 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 64
X-Unparsable-Date: Wednesday 20 Jul 88 1:50 AM CT

59 (of 59) DAVE LYONS Jul. 20, 1988 at 1:47 CT (2745 characters)

The following note is from Tom Weishaar, the Open-Apple guy himself.

Summary recommendation: LOCK ALL THE SYS FILES IN THE MAIN DIRECTORY OF ALL YOUR DISKS to protect yourself against an honest-to-goodness Apple II ProDOS virus called CyberAIDS.

-------

UNCLE-DOS [ Tom W ] at 22:59 EDT

Sorry to have to reopen this topic gang, but we found one.

OK, we've got one. We've received and disassembled a copy of a SYS file infected with a virus that attacks ProDOS 8 system files. The virus calls itself CyberAIDS. It's a little buggy and far from "commercial quality," but is dangerous nonetheless.

We have no idea how widely distributed it is. It was sent to us by a user. We don't think any of the SYS files in our library are infected, although we haven't gone back and checked them all.

When a SYS file containing the CyberAIDS virus is executed, the disk drive will turn off and then back on again. While the drive spins the second time, CyberAIDS tries to replicate itself inside all of the online SYS files that are in root directories. It doesn't look in subdirectories, it doesn't (can't really) mess with write-protected disks, it doesn't attack locked SYS files, and it doesn't attack the PRODOS file.

CyberAIDS also updates a counter stored in the last byte of the first block of the disk directory. When this counter reaches 16, CyberAIDS writes $FFs through the root directory of all online volumes and puts a message describing what's happening on the screen.

If this happens to you, don't panic.
The program Bag of Tricks 2, by Quality Software, can recover your directory ($40, 21610 Lassen, #7, Chatsworth, CA 91311 818-709-1721). MR.FIXIT, which is one of the items in Glen Bredon's ProSEL package, also can recover all the subdirectories (and what's in them) from directories damaged by CyberAIDS. Unfortunately, MR.FIXIT cannot recover files other than subdirectories.

The following is a simple program that can identify SYS files that have been infected by CyberAIDS:

10 HOME : PRINT "CyberAIDS Detection Program"
20 PRINT
30 PRINT "Enter the name of the next SYS file to be checked."
40 INPUT F$ : IF LEN(F$)=0 THEN END
50 PRINT CHR$(4);"BLOAD";F$;",A$2000,L3,B3,TSYS"
60 DETECT=1
70 FOR ADR=8192 TO 8194
80 IF PEEK(ADR) <> 19 THEN DETECT=0
90 NEXT
100 IF DETECT THEN PRINT "This SYS file appears infected."
110 IF NOT DETECT THEN PRINT "This SYS file appears to be OK."
120 GOTO 20

If you find any SYS files that are infected, simply delete them and replace them with uninfected backups. You might also like to change the last byte of the first block of the root directory (block 2), which is normally unused, back to zero.

---------- (end of Tom W's note)
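An added example, not from Tom W's note or from Open-Apple: a Python script that applies the same "bytes 3 through 5 all equal $13" test as the BASIC program above, but to a whole ProDOS disk image, walking the root directory from block 2, resolving each SYS file's first data block, and reporting the counter byte at the end of block 2. The image is constructed inline for demonstration and is not a real disk; the ProDOS volume directory layout (39-byte entries, 13 per block, key pointer, seedling/sapling storage types) is the standard one, and the signature is the one the note gives.

```python
BLOCK = 512
SIGNATURE = bytes([0x13, 0x13, 0x13])   # the BASIC program's test: file bytes 3-5 all equal 19
SYS_TYPE = 0xFF                          # ProDOS file type of a SYS file

def is_infected(file_bytes):
    """Same check as the Applesoft program: bytes 3, 4 and 5 of the file are all $13."""
    return bytes(file_bytes[3:6]) == SIGNATURE

def read_block(img, n):
    return img[n * BLOCK:(n + 1) * BLOCK]

def first_data_block(img, storage_type, key):
    """Resolve a directory entry's key pointer to the block holding file bytes 0-511."""
    if storage_type == 1:                       # seedling: key is the only data block
        return key
    idx = read_block(img, key)                  # sapling: key is an index block
    return idx[0] | (idx[256] << 8)             # (low bytes at 0-255, high bytes at 256-511)

def scan_root(img):
    """Walk the volume directory from block 2; return (counter, [(name, infected), ...])."""
    counter = read_block(img, 2)[511]           # last byte of block 2: the counter the note describes
    results, blk = [], 2
    while blk:
        data = read_block(img, blk)
        for i in range(13):                     # 13 entries of 39 bytes per directory block
            e = data[4 + i * 39:4 + (i + 1) * 39]
            st, nlen = e[0] >> 4, e[0] & 0x0F
            if st not in (1, 2) or e[16] != SYS_TYPE:   # skip deleted, header, subdir, non-SYS entries
                continue
            name = e[1:1 + nlen].decode("ascii")
            db = first_data_block(img, st, e[17] | (e[18] << 8))
            results.append((name, is_infected(read_block(img, db))))
        blk = data[2] | (data[3] << 8)          # next directory block; 0 ends the chain
    return counter, results

def build_sample_image():
    """Constructed 6-block image for demonstration only: two root SYS files, one carrying the signature."""
    img, root = bytearray(BLOCK * 6), bytearray(BLOCK)
    root[4] = 0xF0 | 7; root[5:12] = b"TESTVOL"                 # volume header entry
    def entry(n, name, st, key):
        e = bytearray(39)
        e[0] = (st << 4) | len(name); e[1:1 + len(name)] = name
        e[16], e[17], e[18] = SYS_TYPE, key & 0xFF, key >> 8
        root[4 + n * 39:4 + (n + 1) * 39] = e
    entry(1, b"CLEAN.SYSTEM", 1, 3)             # seedling: block 3 holds the whole file
    entry(2, b"BAD.SYSTEM", 2, 4)               # sapling: block 4 is its index block
    root[511] = 5                               # counter byte, as the virus would leave it
    img[2 * BLOCK:3 * BLOCK] = root
    img[3 * BLOCK:3 * BLOCK + 6] = bytes([0x4C, 0x00, 0x21, 0xEE, 0xEE, 0xEE])  # constructed clean header
    img[4 * BLOCK] = 5                          # index entry 0 -> data block 5 (high byte stays 0)
    img[5 * BLOCK:5 * BLOCK + 6] = bytes([0x4C, 0x00, 0x21, 0x13, 0x13, 0x13])  # signature at bytes 3-5
    return bytes(img)
```

Run `scan_root` on a `.po`-ordered image read into a bytes object; a non-zero counter on a volume with no infected files is worth resetting to zero as the note suggests.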