Starfighter II(c) Virus
By Richard Bennett
Copyright (c) 1992 Apple Users' Group, Sydney
Republished from Applecations, a publication of the Apple Users' Group, Sydney, Australia.


AUG Virus Watch #1

HISTORY
It was about a year ago that the "Load Runner" virus appeared on the scene in Australia, and disappeared about as quickly as it arrived. It seemed the most publicity was not given to the virus itself, as the number of infected users never left single digits, but the fact that finally the Apple II had a virus of its very own. While we kept hearing about the dangers of Macintosh viruses from the Steve Jobs half of the group, and the many thousands putting death to just deserving IBM and compatible machines, the Apple II community couldn't help but feel proud, with their "dying 10 year old architecture".
Then "Load Runner" appeared, and the joy turned not to fear, but interest! Who else but Apple II users would actually "want" to get a virus. They said it couldn't be done, so how do you infect the most open personal computer in history? The craze died down, with infected users bearing the envy of the rest of the community, and even then only if you were lucky enough to find someone who was actually infected with the damn thing!
So finally the Apple II grew up, matured into a machine that was capable of getting a virus. We all felt part of the real world again, and went back to complaining about Apple's corporate tunnel vision and why we don't have a portable IIgs with built-in hard disk and 20MHz 65832 processor. Such is life....
Well it's happened again, in the form of a "boot block" virus, commonly known as "Starfighter II" for reasons I will get to later. For those not with us during the hectic days of "Load Runner", or who, like most, never even knew the event took place, a "boot block" virus is a piece of machine code that sits on blocks 0 and 1 of a disk, and gets activated when you boot the disk. Obviously, by implication, "Load Runner" was also a "boot block" virus. But that was then, this is now....

THE INFECTION
"Starfighter" lives on block 1 of a 3.5" disk, and keeps the new style ProDOS/SOS boot block mainly intact. The code tags onto the end of Apple's code at $A6A during the boot, and is called by the normal ProDOS startup JMP instruction. Instead of going straight to ProDOS at $2000, it dives into $A00, which in turn JMPs up to $A6A. This is a copy routine which moves the entire $200 block from $00/0A00 to $E1/0A00. It then patches into one of the disk vectors in bank $E1, and JMPs back down to ProDOS at $00/2000.
Now whenever the IIgs calls this vector (excuse me for being vague, as I haven't discovered what this undocumented vector actually does yet, suffice to say it obviously gets called at boot time), "Starfighter" intercepts it and re-copies itself down to $00/0A00. This is where all the work is done. Block 0 is read from the currently inserted disk, and checked to see if "Starfighter" is installed. If not, the block is modified in memory, and written back to disk. The "Starfighter" code at $0A00 is then written straight over block 1. The disk is now infected.

THE TRIGGER
Every eight infections, an extra check is made. If the time is 7pm or over, or 1900hrs for those who simply "feel good" being able to talk in 24 hour time, the virus is triggered. The time, by the way, is extracted from your current system time, by using the _ReadTimeHex call in the Miscellaneous tool set.
Firstly, your battery RAM text screen colour, border colour, background colour, and system volume, are all set to zero. For the uninitiated, colour zero is black. This effectively blanks out your screen as if it was turned off, and because there is no sound, you are fooled into thinking that Control-Reset isn't working! Which reminds me, this virus is also known as the "Screen Blanker" virus. I know of at least one virus checker, Apple RX GS by Glen Bredon, that even prefers to call it "Screen Blanker".
Now if you turn the IIgs off, and then back on again, leaving 30 seconds or so in between of course, the screen will still remain blank, because the battery RAM has remembered! Likewise, because there is no sound, it seems like the IIgs hasn't even powered up! Although the drive light coming on would be a definite giveaway, it would, that is, if "Starfighter" hadn't already changed your startup slot to 8. Of course the IIgs doesn't have an 8th slot, so it simply hangs on "Check startup device".....
And if you start thinking about changing the battery RAM yourself, as it is kept in memory at $E1/02C0, and writing it back with the _WriteBRam call from the monitor (apart from trying not to make typos because the screen is blank), then you're in for another surprise, because "Starfighter" has patched the vector out so it has no effect.
One thing this virus doesn't do however, is destroy your data. It is completely safe in that respect.
One interesting thing to note is that if your date format in the Control Panel is set to YY/MM/DD, and your time is set to 24hr (OK, so I take back the comment regarding 24 hour time), then "Starfighter" will not infect. Why? Because the code checks it! I assume the author needed some sort of protection.....

VACCINATION
I've always wondered who the bright spark was that thought up the virus analogy, and typical of the computer industry, most neat new terms end up being followed by huge lists of associated words. And as usual the computer illiterate are even more confused about technology, and the gap widens.
Of the interesting ones, "virus" is a real beauty. Not only does the term have nothing to do with computers, or the "machine language routines written by programmers to do exactly what they want", but it also instills fear into the hearts and minds of not only the general public, but even more so the computer user community. The logical progression from "computer program" to "a real infectious disease" is still pretty astounding, and still amazes me each time I hear the analogy used.
But enough of this rambling, you'd probably rather be using your IIgs right? But you can't can you, because "Starfighter" got there first....
As mentioned previously, a program called "Apple RX GS", by Glen Bredon, will recognise and deactivate the virus. The program can be found on the June 1991 issue of A2-Central. Although a special password is required to use all of the features of this Shareware program, the option that checks for "boot block" viruses is already enabled. However, considering the program has saved you a lot of time and trouble, I'd recommend sending in the Shareware fee.
My ILTS program will also remove the "Starfighter" virus, but instead of delicately patching the thing to deactivate it, ILTS uses brute force and simply writes straight over the top of the thing. I've discussed ILTS before in articles and at meetings, so I won't go into it too much, suffice to say it is freeware, and available from me for anyone who wants it.
I assume there are other programs out there that also check for "Starfighter", but at this stage I don't have any of them, so the above two will suffice for now.
So your screen is blank, and you have your "virus busting" program on a disk somewhere. First we have to remove the thing from the machine. So turn the IIgs off, and leave it off for at least 30 seconds, giving the RAM enough time to completely discharge. If this sounds rather ludicrous, you may like to know that I can turn my IIgs off for at least 10-15 seconds, and when I turn it back on have the original text still on the screen from when I turned it off! Now does 30 seconds sound alright?
Now turn the IIgs back on, holding down the Option key. You will be presented with four options, numbered 1 to 4. If your screen is running at 50 Hertz (Australian), then hit "3" on the keyboard. If you're running 60 Hertz (U.S.), then press "2". Running at 60 Hertz is a neat trick with the monitor if you're sick of a border which is really thin at the top, and really thick down the bottom. By setting to 60 Hertz and adjusting the screen at the back, you can have the actual display area smack bang in the middle.
Anyway, by hitting either "2" or "3", the virus, and the changes to the battery RAM, have been fixed. You will now have to change all the Control Panel settings to how you like them, and of course your startup slot, depending on where your virus busting program is stored. Now run the program.
A number of things to note. First, don't insert any of the disks you were using from the time before the virus struck, up until when the machine locked up. Only insert these disks when the virus buster tells you to. Secondly, try to remember when the problems started, and what disks you were using around that time. The fastest way to stop a virus spreading is by tracking the disk down to the user who gave it to you. This way the message will get passed back to everyone who came into contact with the disk.

CONCLUDING
The "Starfighter" virus gets its name from an eyecatcher stored at the end of the virus code. The complete string is "Starfighter II(c)", and is stored backwards, that is ")c(II rethgifratS". It is also known as the "Screen Blanker" virus, by those who either haven't found the eyecatcher, or want to be more descriptive for users unfamiliar with the virus.
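The infection mechanism described under THE INFECTION (the code living on block 1, block 0 patched to call it) and the reversed eyecatcher noted above give a user a simple signature check to run over a disk image. The Python below is an added example, not code from this article, from Apple RX GS or from ILTS. It assumes a raw ProDOS-order disk image (the 512-byte-block ".po" layout, 1600 blocks for an 800K 3.5" disk), searches block 1 for the reversed string ")c(II rethgifratS", and offers a brute-force replacement of blocks 0 and 1 from a known-clean disk of the same kind, in the spirit of what the author says ILTS does. The sample image is constructed here; the filler bytes in it are placeholders, not real boot code.

```python
"""Signature scan for the "Starfighter II(c)" boot block virus.

Added example, not the article's, Apple RX GS's or ILTS's code.
Assumptions: raw ProDOS-order image of 512-byte blocks; the only
indicator used is the reversed eyecatcher the article reports at the
end of the virus code on block 1.
"""

BLOCK_SIZE = 512
BLOCKS_800K = 1600                      # 3.5" 800K ProDOS disk
EYECATCHER = b"Starfighter II(c)"
SIGNATURE = EYECATCHER[::-1]            # stored backwards: b")c(II rethgifratS"


def read_block(image: bytes, number: int) -> bytes:
    """Return block `number` of a raw block-ordered image."""
    start = number * BLOCK_SIZE
    if start + BLOCK_SIZE > len(image):
        raise ValueError(f"block {number} lies outside the image")
    return image[start:start + BLOCK_SIZE]


def scan_block1(image: bytes):
    """Offset of the reversed eyecatcher inside block 1, or None if absent."""
    offset = read_block(image, 1).find(SIGNATURE)
    return None if offset < 0 else offset


def scan_image(image: bytes) -> dict:
    """Report whether the image carries the Starfighter indicator."""
    offset = scan_block1(image)
    return {"infected": offset is not None, "block": 1, "offset": offset}


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a .po image on disk."""
    with open(path, "rb") as fh:
        return scan_image(fh.read())


def overwrite_boot_blocks(image: bytes, clean_boot: bytes) -> bytes:
    """ILTS-style brute force: replace blocks 0 and 1 with a known-clean pair.

    `clean_boot` must be exactly 1024 bytes (blocks 0 and 1) copied from a
    trusted, uninfected disk of the same kind. This is an assumption about
    how such an overwrite would be done, not the ILTS code itself.
    """
    if len(clean_boot) != 2 * BLOCK_SIZE:
        raise ValueError("clean_boot must be exactly two blocks (1024 bytes)")
    return bytes(clean_boot) + image[2 * BLOCK_SIZE:]


# --- constructed sample data (placeholders, not a real capture) -------------
def make_sample_image(infected: bool) -> bytes:
    """Build an 800K image; optionally plant the signature at the end of block 1."""
    blocks = bytearray(BLOCKS_800K * BLOCK_SIZE)
    # Block 0 / block 1 filler: constructed placeholder bytes, not ProDOS boot code.
    blocks[0:BLOCK_SIZE] = b"\xEA" * BLOCK_SIZE
    if infected:
        # Virus body as NOP filler, eyecatcher occupying the last 17 bytes.
        body = b"\xEA" * (BLOCK_SIZE - len(SIGNATURE)) + SIGNATURE
        blocks[BLOCK_SIZE:2 * BLOCK_SIZE] = body
    return bytes(blocks)


if __name__ == "__main__":
    dirty = make_sample_image(infected=True)
    print("constructed infected image:", scan_image(dirty))
    cleaned = overwrite_boot_blocks(dirty, make_sample_image(False)[:2 * BLOCK_SIZE])
    print("after boot block overwrite:", scan_image(cleaned))
```

Searching the whole of block 1 rather than a fixed offset keeps the check useful if the virus body is laid out slightly differently on a given disk; a hit reports the offset so it can be compared against another sample. The overwrite helper deliberately takes the clean blocks from a trusted disk rather than trying to patch the virus's changes out, which is the trade-off the author describes between ILTS and Apple RX GS.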
I'd like to thank Jim Fraser, the PD librarian for the Tasmanian Apple Users' Group (TAUG), for bringing this virus to my attention and for kindly sending me a sample of its handiwork. It was either that, or wait until the virus managed to jump Bass Strait all by itself!
Although I've described quite a bit about how the virus works, I feel this is not enough for the average user to suddenly go out and write one. Those who have the ability to write a "boot block" virus would have done so already, and anyone who can convert my description into a working virus would've already been able to do it without my help.

THIS CONTENT COPYRIGHT © 2007, APPLE MACINTOSH USERS' GROUP, SYDNEY
Permission has been obtained to make this material available on the Internet.

Permission is hereby granted for non-profit user groups to republish this content.
PLEASE CREDIT THE AUTHOR AND THE SOURCE: Applecations, publication of the Apple Users' Group, Sydney, Australia

THIS PAGE COPYRIGHT © 2007, ANDREW ROUGHAN