💾 Archived View for spam.works › mirrors › textfiles › virus › fester.vir captured on 2023-06-16 at 21:02:22.
FESTERING HATE
Typed and Compiled by the BOWEN ARROW........
Reformatted to AWP by Doctor Dog
Converted OUT of AWP by Jason Scott (textfiles.com)
OK, here's what I've been able to dig up so far on the Apple II virus:
It IS real. It appears to insert/attach itself to the file called
BASIC.SYSTEM and increases its length by 7-8 Prodos blocks.
I found it on one of my disks as a file called BLAST.START (filetype .SYS).
This file was part of a download of a packed file called NUKE.BLAST.
Unpacked you get the BLAST.START (29 Prodos blocks long) + BLAST (an
11-block Applesoft Basic file).
If you copy Prodos 8, Basic.System, BLAST, and BLAST.START to any disk and
then boot the disk, you'll be left at the Basic Prompt (]). If you type RUN
BLAST or "-BLAST" then the program runs fine and asks a few questions about
distance from the nuclear blast, height of the explosion, etc and tells you
the resulting effect on human life. BLAST DOES NOT NEED BLAST.START TO RUN!
If you type "-BLAST.START" then different things happen: It searches EVERY
PRODOS volume that you have on-line including 3.5's, 5.25's, hard drives, and
RAM drives. If it finds a file on any ONE of those volumes called
BASIC.SYSTEM then it attaches itself to it. If you run it a second time then
it will attach itself to another BASIC.SYSTEM if there is one. If there
isn't one then it will attach to the BASIC.SYSTEM on its own disk (which, up
to this point has remained unchanged). If it doesn't find a BASIC.SYSTEM
then it will quite happily boot BLAST leaving you none the wiser.

**** CRITERIA / METHOD of INFESTATION ****
Before the VIRUS will do anything to your files the following files MUST
be on the target volume: Prodos, and Basic.System. NOTE: This is for the
initial infestation from running BLAST.START only. If, instead, the virus is
to be spread from a volume with an infected BASIC.SYSTEM then the files
required on the target volume are: Prodos, Basic.System, AND any Applesoft
Basic program. If the above conditions are NOT present then the virus will
access the volumes but change nothing. HOWEVER, if a file other than
BASIC.SYSTEM has been infected (see below for how) then there is no apparent
minimum requirement for the target volume. There doesn't seem to be any set
rule here as the virus can infect more than one file on the same disk. One
thing is for certain though...the virus only infects one file per boot
access, although sometimes it may decide not to infect any files. I have
never yet had it infect a file called PRODOS, even though PRODOS is a .SYS
filetype. BUT, I have renamed PRODOS to something else and subsequently had
it infected.
Basically the virus checks the volume for the file called BASIC.SYSTEM...it
can be any file that you've renamed BASIC.SYSTEM, it doesn't actually have
to be THE Basic.System file...and then it attaches itself to THE FIRST
.SYS ON THE VOLUME. This is an interesting 'feature' of the virus...if
BASIC.SYSTEM is present on the disk BUT it is not the first .SYS in the
directory then the virus will NOT infect BASIC.SYSTEM but will infect
the first SYS filetype (excluding Prodos) in the directory regardless of
what it's called and how long it is. Thus the virus now increases its
media for spreading. Apparently the virus does not alter the infected file
as far as functionality goes...it just takes control for a few seconds after
the program is loaded...does its dastardly deed, and then hands control back
to the program...pretty sneaky.

**** HOW DO YOU KNOW IF YOUR FILES ARE INFECTED? ****
Unfortunately, there's no sure way of telling how many of your files
have been infected. If you do a lot of downloading from BBS' OR if you get a
lot of files from friends who do a lot of downloading then you're more
susceptible. There are some tell-tale signs though:
Check all volumes (disks, hard drives & RAM) for BASIC.SYSTEM. It should
be 21 Prodos blocks in length and have a Modified Date of around JUNE 14,
1984. If so, it's likely safe. If, however, it has a length of 29 Prodos
blocks then it's most likely been infected...delete that file! If your system
has a clock in it (all IIgs' come with one) then an infected file will have a
Modified Date of sometime in 1988, most likely within the last two weeks.
CAUTION: Just because you don't have any BASIC.SYSTEM that's infected doesn't
mean that you're free and clear because other .SYS files can be infected too.
These are much harder to detect because most of the time you don't know how
long an uninfected file is so you won't know whether it's infected or not. Those
of you who have the clock can still check the Modified Date but those of you
without one are without the means to determine for sure.
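
The checks described above (BASIC.SYSTEM length, Modified Date, and which .SYS file comes first in the directory) can be run against a ProDOS-order disk image without booting it. This is an added example, not part of the original text file: it reads only the volume directory starting at block 2, assumes the standard 39-byte entries at 13 per block, and the function names and sample image are constructed for illustration.

```python
import struct

SYS, CLEAN = 0xFF, 21   # SYS file type; clean BASIC.SYSTEM length in blocks (from this page)

def prodos_date(word):
    """Decode a ProDOS date word (yyyyyyym mmmddddd, 19xx assumed); 0 = never stamped."""
    return (1900 + (word >> 9), (word >> 5) & 15, word & 31) if word else None

def entries(image, block=2):
    """Yield (name, type, blocks_used, mod_date) for each file in the volume directory."""
    seen = set()                                         # guards against looped chains
    while block and block not in seen and len(image) >= (block + 1) * 512:
        seen.add(block)
        data = image[block * 512:(block + 1) * 512]
        for off in range(4, 4 + 13 * 39, 39):            # 13 entries of 39 bytes (assumed)
            e = data[off:off + 39]
            if (e[0] >> 4) in (0, 0xE, 0xF):             # empty slot or directory header
                continue
            name = e[1:1 + (e[0] & 15)].decode("ascii", "replace")
            yield (name, e[0x10], struct.unpack_from("<H", e, 0x13)[0],
                   prodos_date(struct.unpack_from("<H", e, 0x21)[0]))
        block = struct.unpack_from("<H", data, 2)[0]     # link to next directory block

def triage(image):
    """Return (name, reason) pairs using the tell-tale signs this write-up lists."""
    out, first_sys = [], True
    for name, ftype, blocks, mod in entries(image):
        if ftype != SYS or name == "PRODOS":
            continue
        if name == "BASIC.SYSTEM" and blocks != CLEAN:
            out.append((name, f"{blocks} blocks, expected {CLEAN}"))
        if mod and mod[0] == 1988:
            out.append((name, "modified in 1988"))
        if first_sys and name != "BASIC.SYSTEM":
            out.append((name, "first SYS entry: compare with a known-good copy"))
        first_sys = False
    return out

def make_entry(name, ftype, blocks, date, storage=2):
    """Build one 39-byte directory entry (constructed sample data)."""
    head = bytes([(storage << 4) | len(name)]) + name.encode().ljust(15, b"\0")
    return head + struct.pack("<BHH12xH4x", ftype, 0, blocks, date)

def sample_image(files):
    """Constructed image: blocks 0-1 blank, block 2 holds the volume directory."""
    slots = [make_entry("DEMO", 0, 0, 0, storage=0xF)] + [make_entry(*f) for f in files]
    return bytes(1024) + (bytes(4) + b"".join(slots)).ljust(512, b"\0")

if __name__ == "__main__":   # BASIC.SYSTEM at 29 blocks, stamped 20 July 1988
    print(triage(sample_image([("BASIC.SYSTEM", SYS, 29, 88 << 9 | 7 << 5 | 20)])))
```

Subdirectories are not walked, and a file with no date stamp (a machine without a clock) is judged on length and directory position only.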

**** SUGGESTIONS FOR WHAT TO DO ****
If you know that a file is infected then delete it and re-copy it from a
'good' disk. If there are no other .SYS files on the disk then you are safe.
If there are other .SYS files on a disk that may have been infected then you
should format a blank disk, copy Prodos, a good Basic.System, and one of
these SYS files onto the disk. Remove ALL other disks from drives, turn off
hard drives and backup RAM drives...boot the new disk, wait for the Basic
prompt (]), and run the .SYS file ("-<filename>"). The first clue that the
.SYS file is infected is if it accesses all drives. The clincher is if,
after booting (whether it ran or not) and cataloging, you find that your good
BASIC.SYSTEM has been modified to 29 blocks. *- CAUTION - when running all
these 'tests' be careful to mark ALL temporary disks with a big "V" and then
re-format them after your tests are over. Obviously if your BASIC.SYSTEM has
been modified then you'll have to DELETE the suspect file and get another
copy from a friend.
If your hard drive has been infected then there's no telling how many
files have been infected. My suggestion is, based on the fact that the virus
only hits .SYS files, copy all DATA or .TXT or .DOC or .AWP or .ASP or .ADB
files from your hard drive to backup disks. Try to keep these files on
separate disks from program files. Next copy all BAS files to backups, then
copy all BIN files to backups, etc, etc until your entire hard drive is
backed up. Then you can re-format your hard drive and re-copy the uninfected
files back to the drive. Meanwhile examine the .SYS files that you backed up
and determine which ones you can replace from a new source (a friend,
etc)...and DO it. The .SYS files that remain can be tested the same way as
described above or you can elect to delete them...your choice.
It is advisable that, while this virus threat is still around, you
pre-test any new downloads that you get. Turn off your hard drive(s) and
printout a catalog of the program files first. Then boot the program and see
if anything changes on the disk. It'd also be a good idea to have a 'dummy'
diskette in another drive with just Prodos, a clean Basic.System and one
Basic program on it. If this gets infected then you'll know the new program
you downloaded is also infected. Please NOTE: I said that I discovered this
virus in "NUKE.BLAST"...that doesn't mean that this is the only file OR that
this is where the virus originated.
OK, that's basically all I have discovered so far. I was lucky that I
located my infected file early AND that I had saved it on a file disk that
had no .SYS files on it. I hope everyone else who reads this is as lucky!!
One final note - I, as yet, have not found out exactly what happens
to trigger the virus to trash the contents of a volume - I only know that
several people have had their hard drives completely trashed. It appears that
the virus remains dormant and is triggered either by a count of boots or by a
date or ??? It appears that when it does its thing then it gives you a
message about it and who's responsible. I will not lower myself to comment
on the quality of individual who would dream up a stunt like this.
As soon as I get more info I will be passing it on. Meanwhile if
anyone has anything to add OR if you discover other infected files then
please share the info. To date, the files that I have heard of that are
infected are as follows: NUKE.BLAST, ZLINK, SQUIRT v1.5, and Mr. FIXIT v 3.7
LATEST UPDATE----
The VIRUS is called FESTERING HATE and when it goes off there is a
picture of a diskette being pricked by a needle. It says that it is written
by the K/RAD ALLIANCE and, apparently it has been known, on very rare
occasions, to infect a file more than once. This last part has not been
substantiated.
Oh, some guy who had his HD trashed managed to use his FINGERPRINT card to
capture the title page of the virus:
[WOP] -666- FESTERING HATE -666- [FOG]
========================================
W| The Good News: You now have a copy |F
o| of one of the greatest programs |r
r| that has ever been created! |i
s| The Bad News: Its quite likely |e
h| that its the only program you now |n
i| have in your possession. |d
p|====================================|s
p| Hey Glen! We sincerely hope our |
e| royalty checks are in the mail! |o
r| Seeing how we're making you rich |f
s| by providing a market for virus |
| detection software! |G
o|====================================|l
f|Elect LORD DIGITAL as GOD committee!|e
|====================================|n
P| )/> The Kool/Rad Alliance! <\( |
a| Rancid Grapefruit -- Cereal Killer |B
t|====================================|r
r| This program is made possible by a |e
i| grant from Pig's Knuckle ELITE |d
c| Research. Orderline: 313/534-1466 |o
k======[(C) 1988 ELECTRONIC ARTS]======N
...more later....
Courtesy of Bowen Arrow
>>>---Arrow--->