FESTERING HATE Typed and Compiled by the BOWEN ARROW........ Reformatted to AWP by Doctor Dog Converted OUT of AWP by Jason Scott (textfiles.com) OK, here's what I've been able to dig up so far on the Apple II virus: It IS real. It appears to insert/attach itself to the file called BASIC.SYSTEM and increases its length by 7-8 Prodos blocks. I found it on one of my disks as a file called BLAST.START (filetype .SYS). This file was part of a download of a packed file called NUKE.BLAST. Unpacked you get the BLAST.START (29 Prodos blocks long) + BLAST (an 11-block Applesoft Basic file). If you copy Prodos 8, Basic.System, BLAST, and BLAST.START to any disk and then boot the disk, you'll be left at the Basic Prompt (]). If you type RUN BLAST or "-BLAST" then the program runs fine and asks a few questions about distance from the nuclear blast, height of the explosion, etc and tells you the resulting effect on human life. BLAST DOES NOT NEED BLAST.START TO RUN! If you type "-BLAST.START" then different things happen: It searches EVERY PRODOS volume that you have on-line including 3.5's, 5.25's, hard drives, and RAM drives. If it finds a file on any ONE of those volumes called BASIC.SYSTEM then it attaches itself to it. If you run it a second time then it will attach itself to another BASIC.SYSTEM if there is one. If there isn't one then it will attach to the BASIC.SYSTEM on its own disk (which, up to this point has remained unchanged). If it doesn't find a BASIC.SYSTEM then it will quite happily boot BLAST leaving you none the wiser. *** CRITERIA / METHOD of INFESTATION **** Before the VIRUS will do anything to your files the following files MUST be on the target volume: Prodos, and Basic.System. NOTE: This is for the initial infestation from running BLAST.START only. If, instead, the virus is to be spread from a volume with an infected BASIC.SYSTEM then the files required on the target volume are: Prodos, Basic.System, AND any Applesoft Basic program. If the above conditions are NOT present then the virus will access the volumes but change nothing. HOWEVER, if a file other than BASIC.SYSTEM has been infected (see below for how) then there is no apparent minimum requirement for the target volume. There doesn't seem to be any set rule here as the virus can infect more than one file on the same disk. One thing is for certain though...the virus only infects one file per boot access, although sometimes it may decide not to infect any files. I have never yet had it infect a file called PRODOS, even though PRODOS is a .SYS filetype. BUT, I have renamed PRODOS to something else and subsequently had it infected. Basically the virus checks the volume for the file called BASIC.SYSTEM...it can be any file that you've renamed BASIC.SYSTEM, it doesn't actually have to be THE Basic.System file...and then it attaches itself to THE FIRST .SYS ON THE VOLUME. This is an interesting 'feature' of the virus...if BASIC.SYSTEM is present on the disk BUT it is not the first .SYS in the directory then the virus will NOT infect BASIC.SYSTEM but will infect the first SYS filetype (excluding Prodos) in the directory regardless of what its called and how long it is. Thus the virus now increases its media for spreading. Apparently the virus does not alter the infected file as far as functionality goes...it just takes control for a few seconds after the program is loaded...does its dastardly deed, and then hands control back to the program...pretty sneaky. ***** HOW DO YOU KNOW IF YOUR FILES ARE INFECTED? ***** Unfortunately, there's no sure way of telling how many of your files have been infected. If you do a lot of downloading from BBS' OR if you get a lot of files from friends who do a lot of downloading then you're more susceptible. There are some tell-tale signs though: Check all volumes (disks, hard drives & RAM) for BASIC.SYSTEM. It should be 21 Prodos blocks in length and have a Modified Date of around JUNE 14, 1984. If so, its likely safe. If, however, it has a length of 29 Prodos blocks then its most likely been infected...delete that file! If your system has a clock in it (all IIgs' come with one) then an infected file will have a Modified Date of sometime in 1988, most likely within the last two weeks. CAUTION: Just because you don't have any BASIC.SYSTEM that's infected doesn't mean that you're free and clear because other .SYS files can be infected too. These are much harder to detect because most of the time you don't know how long an uninfected file is so you won't whether its infected or not. Those of you who have the clock can still check the Modified Date but those of you without one are without the means to determine for sure. **** SUGGESTIONS FOR WHAT TO DO **** If you know that a file is infected then delete it and re-copy it from a 'good' disk. If there are no other .SYS files on the disk then you are safe. If there are other .SYS files on a disk that may have been infected then you should format a blank disk, copy Prodos, a good Basic.System, and one of these SYS files onto the disk. Remove ALL other disks from drives, turn off hard drives and backup RAM drives...boot the new disk, wait for the Basic prompt (]), and run the .SYS file ("-"). The first clue that the .SYS file is infected is if it accesses all drives. The clincher is if, after booting (wkether it ran or not) and cataloging, you find that your good BASIC.SYSTEM has been modified to 29 blocks. *- CAUTION - when running all these 'tests' be careful to mark ALL temporary disks with a big "V" and then re-format them after your tests are over. Obviously if your BASIC.SYSTEM has been modified then you'll have to DELETE the suspect file and get another copy from a friend. If your hard drive has been infected then there's no telling how many files have been infected. My suggestion is, based on the fact that the virus only hits .SYS files, copy all DATA or .TXT or .DOC or .AWP or .ASP or .ADB files from your hard drive to backup disks. Try to keep these files on separate disks from program files. Next copy all BAS files to backups, then copy all BIN files to backups, etc, etc until your entire hard drive is backed up. Then you can re-format your hard drive and re-copy the uninfected files back to the drive. Meanwhile examine the .SYS files that you backed up and determine which ones you can replace from a new source (a friend, etc)...and DO it. The .SYS files that remain can be tested the same way as described above or you can elect to delete them...your choice. *** SAFETY *** It is advisable that, while this virus threat is still around, you pre-test any new downloads that yuo get. Turn off your hard drive(s) and printout a catalog of the program files first. Then boot the program and see if anything changes on the disk. It'd also be a good idea to have a 'dummy' diskette in another drive with just Prodos, a clean Basic.System and one Basic program on it. If this gets infected then you'll know the new program you downloaded is also infected. Please NOTE: I said that I discovered this virus in "NUKE.BLAST"...that doesn't mean that this is the only file OR that this is where the virus originated. OK, that's basically all I have discovered so far. I was lucky that I located my infected file early AND that I had saved it on a file disk that ad no .SYS files on it. I hope everyone else who reads this is as lucky!! One final note - I, as yet, have not found out exactly what happens to trigger the virus to trash the contents of a volume - I only know that several people have had their hard drives comletely trashed. It appears that the virus remains dormant and is triggered either by a count of boots or by a date or ??? It appears that when it does its thing then it gives you a message about it and who's responsible. I will not lower myself to comment on the quality of individual who would dream up a stunt like this. As soon as I get more info I will be passing it on. Meanwhile if anyone has anything to add OR if you discover other infected files then please share the info. To date, the files that I have heard of that are nfected are as follows: NUKE.BLAST, ZLINK, SQUIRT v1.5, and Mr. FIXIT v 3.7 LATEST UPDATE---- The VIRUS is called FESTERING HATE and when it goes of there is a Mpicture of a diskette being pricked by a needle. It says that it is written by the K/RAD ALLIANCE and, apparently it has been known, on very rare occassions, to infect a file more than once. This last part has not been substantiated. Oh, some guy who had his HD trashed managed to use his FINGERPRINT card to capture the title page of the virus: [WOP] -666- FESTERING HATE -666- [FOG] ======================================== W| The Good News: You now have a copy |F o| of one of the greatest programs |r r| that has ever been created! |i s| The Bad News: Its quite likely |e h| that its the only program you now |n i| have in your possession. |d p|====================================|s p| Hey Glen! We sincerely hope our | e| royalty checks are in the mail! |o r| Seeing how we're making you rich |f s| by providing a market for virus | | detection software! |G o|====================================|l f|Elect LORD DIGITAL as GOD committee!|e |====================================|n P| )/> The Kool/Rad Alliance! <\( | a| Rancid Grapefruit -- Cereal Killer |B t|====================================|r r| This program is made possible by a |e i| grant from Pig's Knuckle ELITE |d c| Research. Orderline: 313/534-1466 |o k======[(C) 1988 ELECTRONIC ARTS]======N ...more later.... Courtesy of Bowen Arrow >>>---Arrow--->