VIRUSES ON THE APPLE //
By Richard Bennett
Copyright (c) 1990 Apple Users' Group, Sydney
Republished from Applecations, a publication of the Apple Users' Group, Sydney, Australia.


Although it's better late than never, I'm going to discuss viruses on the Apple II. And since most viruses were set to go off in 1989, it's probably bad timing to now come out with an article on the subject. The various points I'm going to raise are collectively from personal experience, a virus warning note from Big Red Computer Club, and a talk/discussion I gave at a recent IIgs SIG meeting.
My main emphasis will be on a virus called 'Lode Runner', which went off in October 1989. Apart from the fact that it's already gone off, it's probably the best example of how a virus would infect an Apple II. Lode Runner sits (or sat) on the boot blocks of a ProDOS disk. When the disk is booted, it installs itself into memory and infects every other disk that is booted. [It does this by hooking into the _BootInit code in the ROM, through the Memory Manager Tool Pointer Table. Hence it is a IIgs-only virus.] The beauty of this is that it's undetectable while it's going about its business, and an open-apple-reset won't disturb it in the slightest. It takes about a quarter of a second to infect each disk, and it is done whilst the disk is actually booting. Before you know it, you could have infected disks all over the place. The only way to stop it is by turning the computer off, or by doing a self-test (option-open-apple-reset).

Another well-known virus, which came out well before Lode Runner, was called 'Festering Hate', and spread by attaching itself to .SYSTEM files while they were being run. This virus worked on all Apple IIs, but was easier to find, since the virus would copy itself to every disk it could find when it was activated. [Any program that boots up and accesses all your disk drives one at a time, and spends a couple of seconds on each, is surely suspect!] At this stage, I am yet to see this virus, and actually doubt that it made it into Australia. [These Americans!]

The final one I'm going to mention is one called FONT.BUILD. It sits in the SYSTEM.SETUP directory of a ProDOS disk, and hooks itself into the IIgs system loader. Whenever a program is loaded, the virus writes itself out to any disk it can find with another SYSTEM.SETUP directory. Once again, it's detectable because of all the drives being accessed, but considering GS/OS has a general practice of doing this (especially on the new CMS hard disk ROMs!), most people don't suspect a thing. After all, it could be Finder simply saving off those annoying Finder droppings!

When a virus "goes off", you'll know about it! The usual method is to erase your catalog for you, or some other destructive technique. But by being careful in the first place, you'll be lucky enough never to see one "go off". And one more thing, don't be dazzled by the pretty screens and neat displays that viruses generate, as these are all tricks to take your attention away from what they're really doing, and that's destroying your programs and data!

The Lode Runner virus was written in France, most probably by friends of the guys who wrote Nucleus and the various other French graphic demos (which I think are in the AUG library). It was originally distributed hidden inside a program called 'SpeedySmith'. SpeedySmith is a public domain FAST! disk copier that formats and writes on the fly. It seems a logical step to then hide a virus inside it. So what do you get when you give a copy of a super FAST! disk copier to a group of Apple enthusiasts? You get the Lode Runner virus spreading like wildfire!

So how do you know if you've been infected by a virus?

1 - It goes off! Not very helpful at all.
2 - You notice strange goings on with your disk drives. Like longer boot times, and various disk drives being accessed when completely unnecessary.
3 - You actually look for one, and find it!

The first is a sure-fire method of finding a virus. Unfortunately, it's not very helpful apart from letting you know that you're about to spend your weekend reconstructing all your disks again. The third method is the preferred one, and I'll talk about that a bit later.

The second method is the most important. Most people ignore the early warning signs of a virus, even when they're completely obvious. You should take note of (roughly) how long it takes to boot a program. This means that if you are infected, you'll know because of the extra time it takes to boot. Also take note of which disk drives are accessed and for how long, as the only way a virus can spread is by writing itself out to another disk. When a disk is read, depending on the size, ProDOS only has to read the beginning of the disk once or twice before the program is read in. When writing to a disk (such as a virus at work!), the drive arm will move to the beginning and middle/end of the disk quite a number of times whilst it updates the catalog.

A handy hint is to watch the GS/OS startup thermometer. When you add a new startup routine, or a desk accessory, the thermometer will usually not reach the end of the scale before loading Finder. Subsequent boots however will be ok, as the correct timing for the startup has by then been calculated. If a virus writes itself out to GS/OS in some way, the thermometer will obviously change its length the first time after the virus has infected the disk.

Actually looking for, and finding, a virus can be quite involved. If you know you've been infected, then you'll obviously know roughly where to look. If you don't know where, then you'll basically have to check your entire system. It seems logical that if a particular method of implementing a virus has been worked out, then there would either be a virus detector or an actual virus to take on the method. It therefore seems unlikely that virus detectors can predict how to detect and/or remove a particular virus until that virus actually exists. This is the main point in the virus's favour. The best we can really do is detect known viruses and attempt to detect very obvious viruses that are yet to be written. i.e. someone has to be the first to be infected by a virus. It might as well be you!

With the Lode Runner virus, there are several ways of detecting it. The first is by getting a block editor (Bag of Tricks II, ProSel Block Warden, Copy II Plus) and checking block 0 of your disk. If the block starts with the bytes 01 A9 50, then you have been infected by the virus. As you can see by the third byte, Lode Runner will only infect disks in slot 5. This rules out 5.25" drives and hard drives. Another way of checking for the virus is as follows. Thanks to the Big Red Computer Club for this method: get your original Space Quest I disk (that has probably ruled most people out), and write-protect it. Now boot each disk you suspect as being infected, and boot Space Quest after each of them. If Space Quest bombs with an error #206 instead of getting to the joystick centering routine, then the last disk you booted was infected. The other simple way of detecting Lode Runner (the method I use) is by using ILTS. From ILTS v1.12 upward, you can set it up to automatically install your control panel settings on bootup. Considering ILTS lives at the same place as Lode Runner, simply installing ILTS will destroy the virus completely. Now whenever the disk boots, ILTS displays a short message to say that it has installed your control panel settings correctly. If the disk ever gets infected again, the ILTS message won't appear anymore, and hey presto! ILTS is available from AUGABBS in the filing cabinet.
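The block-editor check above can be automated for anyone working with disk images today. The following Python script is an added example and is not from the original article or from any of the tools it names; it assumes ProDOS-order (.po) images, where block 0 is the first 512 bytes of the file (in a DOS-order .do image the first 256 bytes of the file are also the first half of block 0, so the three-byte test still applies). The two sample block 0 images are constructed here for illustration; only the 01 A9 50 signature itself comes from the article.

```python
"""Scan Apple II ProDOS disk images for the Lode Runner boot-block signature.

Added example (not part of the original article). The article states that an
infected disk's block 0 starts with the bytes 01 A9 50; a clean ProDOS boot
block starts differently. Everything else below is an assumption of this
example.
"""
from typing import Dict

BLOCK_SIZE = 512                                   # one ProDOS block
LODE_RUNNER_SIGNATURE = bytes.fromhex("01a950")    # signature quoted in the article


def read_block0(image: bytes) -> bytes:
    """Return block 0 of a ProDOS-order disk image (assumed to be the first 512 bytes)."""
    if len(image) < BLOCK_SIZE:
        raise ValueError("image shorter than one ProDOS block")
    return image[:BLOCK_SIZE]


def is_lode_runner_block(block0: bytes) -> bool:
    """True if block 0 starts with the three bytes the article associates with Lode Runner."""
    return block0[:3] == LODE_RUNNER_SIGNATURE


def scan_images(images: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each image name to whether its block 0 carries the signature."""
    return {name: is_lode_runner_block(read_block0(data)) for name, data in images.items()}


def scan_file(path: str) -> bool:
    """Check a disk image on disk; only block 0 is read."""
    with open(path, "rb") as fh:
        return is_lode_runner_block(read_block0(fh.read(BLOCK_SIZE)))


# Constructed sample block 0 contents (not real disk dumps), padded to one block.
# The clean sample mimics the start of a standard ProDOS boot block; the infected
# sample starts with the signature the article describes.
CLEAN_BLOCK0 = bytes.fromhex("0138b0034c1c09").ljust(BLOCK_SIZE, b"\x00")
INFECTED_BLOCK0 = LODE_RUNNER_SIGNATURE.ljust(BLOCK_SIZE, b"\x00")

SAMPLE_IMAGES = {
    "speedysmith21.po": CLEAN_BLOCK0 + bytes(BLOCK_SIZE * 3),   # constructed, clean
    "unknown.po": INFECTED_BLOCK0 + bytes(BLOCK_SIZE * 3),      # constructed, infected
}

if __name__ == "__main__":
    for name, infected in scan_images(SAMPLE_IMAGES).items():
        print(f"{name}: {'INFECTED (Lode Runner boot block)' if infected else 'clean'}")
```

The check is deliberately narrow: it matches only the boot-block signature the article gives, so a clean result says nothing about .SYSTEM-file or SYSTEM.SETUP infections like Festering Hate or FONT.BUILD, which would need their own indicators.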

Thanks to the way the Apple II was designed, we aren't seeing as many viruses as on the Mac and IBM machines. Last week, a so-called "virus expert" even flew in from the UK to give some lectures on viruses. We can probably therefore think ourselves lucky that we own Apples and not IBMs!

Although there are no laws yet governing computer viruses, there are several cases ready to stand trial in 1990. Most notably, the case of a Swinburne Institute student who tried to infect their PC network. Ignoring the legal and moral arguments involved, the facts remain the same: if you are sensible about using public domain and/or (dare I say it) pirated software, then chances are you won't have any problems. If you only use software that you've bought from a computer store (i.e. not public domain, shareware, freeware, or pirated), then you have no need to worry at all. Of course if you are infected, let someone in the club know about it. By simply being aware that it exists, a detector can then be written to destroy the virus. If you want to contact me, I am user #19 on AUGABBS.

Various virus detectors are available from AUGABBS as well as ILTS, and I think they're also in the AUG disk library. The SpeedySmith that I have (version 2.1) is clean, and I think this is the one that the club has in the library also, so that is ok to use. But be careful... Isn't a virus detector or copy program the best way to distribute a virus?!

Sub-Editor's note: Any virus can NOT be transmitted to a disk that is write-protected!

THIS CONTENT COPYRIGHT © 2007, APPLE MACINTOSH USERS' GROUP, SYDNEY
Permission has been obtained to make this material available on the Internet.

Permission is hereby granted for non-profit user groups to republish this content.
PLEASE CREDIT THE AUTHOR AND THE SOURCE: Applecations, publication of the Apple Users' Group, Sydney, Australia

THIS PAGE COPYRIGHT © 2007, ANDREW ROUGHAN