ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD? 3 Founded By: 3 : Network Information Access : 3 Founded By: 3 3 Guardian Of Time CD: 07APR90 :D4 Guardian Of Time 3 3 Judge Dredd 3 : Judge Dredd : 3 Judge Dredd 3 @DDDDDDDDBDDDDDDDDDY : File 14 : @DDDDDDDDDBDDDDDDDDY 3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3 3 IMMMMMMMMMMMMMMMMMMMMMMM; 3 @DDDDDDDDDDDDDDD:SPREADING THE DISEASE IGDDDDDDDDDDDDDDDY HMMMMMMMMMMMMMMMMMMMMMMM< This was an article in USENET posted by the man who created the first virus documentable. I will reprint it here for your general knowlegde and benefit. It deals with the virus, the author/creator, and his personal frame of mind. The article that follows is in first person told by the virus Author. You can contact me at Mother Earth (5p-7a 24hrs weekends) and all questions will be entertained. I am sorry about this inconvenience as I will have my NET Id soon. $_Article Sorry this article is rather long, but if you still have any old DOS 3.3 Apple ][ disks lying around please read it! (Feel free to read it for general entertainment value too, of course, even if you don't possess any such historical disks.) I have been asked by Gene Spafford to write an article detailing the life story of a Virus I wrote for Dos 3.3 on the Apple ][ in December, 1981 for one of his journals. Spafford wants me to write the story up because it's the earliest _documentable_ personal computer virus he's heard of. I'm trying to get more information that I plan to use to make that article more complete. 1) Why did I write a virus? Am I an evil scum? At the time (remember, this was 1981) I was an undergraduate at Texas A+M. There was an active community of Apple ][ users in my dorm (Shuhmacher), with an _incredible_ amount of copying of pirated game programs going on. I noted that most games were damaged in various sorts of ways, but they were almost always still playable despite the damage. (For example, there was one popular Star Trek game in BASIC that had occasional garbage control characters in non-critical REM and PRINT statements; space war games often had random junk replacing some pictures of ships, etc.) I decided that I could explain this by invoking a sort of "evolution". For evolution to occur, you need mutation and natural selection. Well, there was "mutation" caused by people hacking with the games; more importantly, many copies of games were also accidentally mangled by sick disks and computers. . (People would keep using game disks until they literally disintegrated. My early model Apple ][ was notoriously unreliable, and would crash about every 30 minutes in all sorts of interesting ways. A few well-placed bangs would usually get it working again.) "Natural Selection" entered the picture with the actions of users to either "reproduce" or "kill" copies of games. (For example, if your copy of a game was not playable, you would go get a fresh copy of it from your neighbor, reproducing his copy and killing yours. As there was only a finite amount of disk space for games, there was also competition between species of programs, too.) This idea of programs inhabiting a sort of computer biosphere led naturally to the idea of a "Computer Virus" as a likely accidental outcome of such evolution. My experiments started when I tried to find out what the minimum change to DOS was to make it viral. (I was thinking of something like a prion, a sort of proto-virus that can be created by repeated damage to plants. A prion can't jump from plant to plant by itself, but it will happily hitch a ride on your machete if you let it. Supposedly prions are actually becoming a serious agricultural problem with palm trees in some parts of the world.) As I remember the answer for DOS 3.3 was about 16 bytes, which was within the bounds of what could happen naturally if Apple computers with people randomly copying games between them were to exist for a few million years! The next logical step was trying to guess what an evolutionarily OPTIMAL program might look like. Certainly the program would be more successful if it didn't rely on the good will of humans to reproduce, but likewise it is a bad idea to damage your host (or give humans a reason to expend effort trying to kill you). So the ideal virus would spread by itself, but not cause harm or even any "symptoms" of any kind, if it could help it. I discussed these ideas with friends, many of whom also had Apple ]['s. None of them had ever heard of such a thing as a "computer virus" at the time. (Many Apple ][ users I knew scoffed at the idea that such a thing could possibly exist.) Well, by this time creating a virus sounded like a really interesting project, and it was a good excuse to learn 6502 machine language, so a group of us started working on my "evolutionarily optimal program" off and on in our (infrequent) spare time. Our first attempt, "Virus version 1" was finished in early 1982. Virus 1 was infectious, but still caused some symptoms on my computer despite our best efforts, so we kept it strictly quarantined and kept hacking. A couple months later Virus 2 was finished. It seemed to cause no ill effects at all, so I proceeded with the next step in my experiments and turned it loose in my own disks. The goal of this experiment was to see how quickly such a program would spread through my own disks if I continued using my computer normally. (So I had another good reason to want to make sure the virus was completely innocuous. In fact, in the end almost all of Virus 2's code was to check for various sorts of dangerous situations: non standard DOS, non standard disks, programs altering DOS, etc. In these cases the virus would either not attempt infection or immediately disconnect itself from DOS, committing suicide.) Interest in my "research" was high among the Apple community at A+M, so I also gave copies of Virus 2 to several friends who wanted to play with it. The idea of computer viruses spread rapidly; several other people started working on their own "less boring" (read damaging) ones. Fortunately (as far as I ever knew) they spent all of their time trying to dream up interesting pranks for the virus to pull, instead of determinedly trying to produce a working "evil" virus. 2) Did my virus ever escape? At first we carefully kept Virus 2 quarantined, but after a few months with no damaging symptoms we got a little lax, and the inevitable happened. I first found out Virus 2 had escaped when one of my A+M friends who had graduated and moved on to grad school at UIUC reported that everybody's copy of a (pirated) game called "Congo" had mysteriously stopped working there. Whenever people tried to get a fresh working copy, they would find that previously working copies would then also stop working. My friend realized what had happened and wrote me about it. We quickly wrote an "immunizer" program and distributed it at UIUC; the standard Apple utility "master create" sufficed as a disinfectant. We were never quite sure whether _all_ escaped copies of Virus 2 at UIUC were killed off, though. I was disappointed that Virus 2 was a failure, and started work on Virus 3. It turned out that Virus 2 caused problems because it made DOS 1 sector (256 bytes! a significant chunk of memory!) larger, to accomodate the extra code. A very few programs would blow up in strange ways because of this. (The solution was simply to boot from a noninfected disk, and THEN run the programs.) So the goal for Virus 3 was that it should take up no room in memory, and no room on disk. After some thought, we came up with a solution: Most of Virus 3's guts resided in unprotected memory where they could be freely written over. A small routine buried safely inside holes in DOS's Read-Write Translate Table triple-checked the unprotected code before jumping to it. (This code was a real nightmare; some bytes in the table served double duty as critical data values for DOS and executable op codes for the virus.) Virus 3 was a success; we never encountered any program whose behaviour was affected by the virus's presence. The worst part about writing a DOS virus was that whenever I made a mistake DOS would stop working, and I'd have to re-poke the bytes in by hand, which I kept written down on pieces of junk mail! Using an assembler was out of the question, as the whole thing was only about 300 bytes and scattered in tiny bits and pieces in several places in DOS. It had lots of JMPs all over the place, self-modifying code and other such nightmares, all to make it as small as possible. (The larger it was and the more exposed in memory, the more work it was to replicate itself and the more chance there was of something unexpected going wrong.) 3) What finally happened? Well, I don't really know. Since Virus 3 was effectively completely invisible, after a while we lost interest and pretty much forgot about the whole thing. We again intended to keep the virus quarantined, but a spot check in the fall of 1983 shortly after I graduated and moved to Stanford turned it up in several of my friends' collections on disks they thought were uninfected. By that point they didn't think it was worth the bother of removing it, though, so it spread unchecked. Interest in viruses at A+M had died down by this time, too. I only heard about my virus once more: around 1984 my friend at UIUC reported that an "evil" virus was attacking Apples there, and causing a lot of damage by randomly initializing disks. Some disks had a form of immunity to the evil virus, however: when infected by the evil virus, they would crash at boot time (which was better than appearing to boot normally and then causing damage later). It turned out the "immune" disks were ones that had previously been infected by Virus 3! >>>>>>>> Here's where I need your help: <<<<<<<<<< 4) Does it still exist? That's what I'd like to find out. The Virus wasn't particularly infectious; it only spread on "CATALOG" commands. It attached itself only to DOS, not programs, and was very careful only to attach itself to absolutely vanilla 48K slave DOS 3.3. Still, there are some old DOS 3.3 disks out there yet, aren't there? If you would like to look for it, here's where in memory to look: beginning at B6E8 regular DOS 3.3 has a bunch of 00's. Boot the disk you want to check to load that disk's copy of DOS into memory. Infected disks or non-infectious descendants of infected disks will have text of the form "(GEN 0000000 TAMU)" (in Hex this is "A8 C7 C5 CE A0 B0 B0 B0 B0 B0 B0 B0 A0 D4 C1 CD D5 A9") at B6E8. You can also see this text go by near the end of track 0, sector 0 if you use some utility to dump your disk as text. The number is a generation count, and so will be different in your copy. (13 generations saturated my own and my friends' collections, if you're interested.) If you should find the generation count, you might try also looking at 9CFE and 9CFF. If the virus is alive, this should contain the initials of the friend of mine who let your copy of the virus escape. (If it's JD, then I'm the guilty party.) Hopefully Virus 2 was wiped out, but perhaps it wasn't. If you want to check the version, the simplest way is to do a "CATALOG" of the disk you're checking, and then look at B3BF. Vanilla DOS 3.3 has a "00" at this location. Virus 2 instead has 02, and Virus 3 similarly has 03. (This "immunity" byte can spread when a new disk is initialized, thus providing a way for immunity to be created and passed on. For example, if a master disk is attacked it will be left marked immune but will be free of infection. Slave disks initialized off the master disk would then also be immune, even though they would otherwise be susceptible.) (If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find the bytes I've mentioned, then I don't know any more about it than you do, and there's not much point in getting excited and flaming me via e-mail.) If you DO find my virus on one of your old Apple ][ disks, please let me know! It will make the paper much more interesting! I'll acknowledge you at the end! (And please accept my apologies!) 5) Did the idea of Viruses I started spread or die out? Certainly everybody knows about viruses today. Did you hear rumors of some strange person at A+M working on one around 1982-1983? (And no, I was NOT the person who was expelled from A+M about that time for breaking into the mainframe and stealing Chemistry exams. I never kept my activities secret, nor did anything I thought I had to keep secret. For example, my virus is mentioned in a "Computer Recreations" column in 1986, but the author of that article mangled the information I sent him rather badly.) Do you know anything about the people who were breaking and distributing the copy-protected software turning up at A+M? The rumors at the time at A+M were that the software was coming "from Chicago". Many programs were "signed" by the breakers with such psuedonyms as "The Jerk", "The Beaver", and "Apple Pirated Program Library Exchange". Do you know anything about what happened at A+M after spring, 1983, after I graduated? I was told by one A+M graduate I met in 1989 that Virus 3 made it into the A+M Computer User's Group's disks after I left, but I don't really know that. 6) Any other early virus-writers have any interesting stories to confess? I'd be curious to hear if anybody else tried to write a virus before they became commonplace and criminal. Surely the idea must have occurred to many other people about that time! $_End Article $_EOF [OTHER WORLD BBS]