💾 Archived View for spam.works › mirrors › textfiles › virus › fester.vir captured on 2023-11-04 at 16:01:00.

View Raw

More Information

⬅️ Previous capture (2023-06-16)

-=-=-=-=-=-=-

           
FESTERING HATE
Typed and Compiled by the BOWEN ARROW........
Reformatted to AWP by Doctor Dog 
Converted OUT of AWP by Jason Scott (textfiles.com)

OK, here's what I've been able to dig up so far on the Apple II virus:

It IS real.  It appears to insert/attach itself to the file called   
BASIC.SYSTEM and increases its length by 7-8 Prodos blocks.

I found it on one of my disks as a file called BLAST.START (filetype .SYS). 
This file was part of a download of a packed file called NUKE.BLAST.  
Unpacked you get the BLAST.START (29 Prodos blocks long) + BLAST (an 
11-block Applesoft Basic file).

If you copy Prodos 8, Basic.System, BLAST, and BLAST.START to any disk and 
then boot the disk, you'll be left at the Basic Prompt (]).  If you type RUN 
BLAST or "-BLAST" then the program runs fine and asks a few questions about 
distance from the nuclear blast, height of the explosion, etc and tells you 
the resulting effect on human life.  BLAST DOES NOT NEED BLAST.START TO RUN!  

If you type "-BLAST.START" then different things happen: It searches EVERY
PRODOS volume that you have on-line including 3.5's, 5.25's, hard drives, and 
RAM drives.  If it finds a file on any ONE of those volumes called 
BASIC.SYSTEM then it attaches itself to it.  If you run it a second time then 
it will attach itself to another BASIC.SYSTEM if there is one.  If there 
isn't one then it will attach to the BASIC.SYSTEM on its own disk (which, up 
to this point has remained unchanged).  If it doesn't find a BASIC.SYSTEM 
then it will quite happily boot BLAST leaving you none the wiser.



Before the VIRUS will do anything to your files the following files MUST 
be on the target volume:  Prodos, and Basic.System.  NOTE: This is for the 
initial infestation from running BLAST.START only.  If, instead, the virus is 
to be spread from a volume with an infected BASIC.SYSTEM then the files 
required on the target volume are:  Prodos, Basic.System, AND any Applesoft 
Basic program.  If the above conditions are NOT present then the virus will 
access the volumes but change nothing.  HOWEVER, if a file other than 
BASIC.SYSTEM has been infected (see below for how) then there is no apparent 
minimum requirement for the target volume.  There doesn't seem to be any set 
rule here as the virus can infect more than one file on the same disk.  One 
thing is for certain though...the virus only infects one file per boot 
access, although sometimes it may decide not to infect any files.  I have 
never yet had it infect a file called PRODOS, even though PRODOS is a .SYS 
filetype.  BUT, I have renamed PRODOS to something else and subsequently had 
it infected.

Basically the virus checks the volume for the file called BASIC.SYSTEM...it 
can be any file that you've renamed BASIC.SYSTEM, it doesn't actually have 
to be THE Basic.System file...and then it attaches itself to THE FIRST 
.SYS ON THE VOLUME.  This is an interesting 'feature' of the virus...if 
BASIC.SYSTEM is present on the disk BUT it is not the first .SYS in the 
directory then the virus will NOT infect BASIC.SYSTEM but will infect 
the first SYS filetype (excluding Prodos) in the directory regardless of
what its called and how long it is.  Thus the virus now increases its 
media for spreading.  Apparently the virus does not alter the infected file 
as far as functionality goes...it just takes control for a few seconds after 
the program is loaded...does its dastardly deed, and then hands control back
to the program...pretty sneaky.



Unfortunately, there's no sure way of telling how many of your files 
have been infected.  If you do a lot of downloading from BBS' OR if you get a 
lot of files from friends who do a lot of downloading then you're more 
susceptible.  There are some tell-tale signs though:

Check all volumes (disks, hard drives & RAM) for BASIC.SYSTEM.  It should 
be 21 Prodos blocks in length and have a Modified Date of around JUNE 14, 
1984.  If so, its likely safe.  If, however, it has a length of 29 Prodos 
blocks then its most likely been infected...delete that file!  If your system 
has a clock in it (all IIgs' come with one) then an infected file will have a 
Modified Date of sometime in 1988, most likely within the last two weeks. 

CAUTION: Just because you don't have any BASIC.SYSTEM that's infected doesn't 
mean that you're free and clear because other .SYS files can be infected too. 
These are much harder to detect because most of the time you don't know how 
long an uninfected file is so you won't whether its infected or not.  Those 
of you who have the clock can still check the Modified Date but those of you
without one are without the means to determine for sure.



If you know that a file is infected then delete it and re-copy it from a 
'good' disk.  If there are no other .SYS files on the disk then you are safe.  
If there are other .SYS files on a disk that may have been infected then you 
should format a blank disk, copy Prodos, a good Basic.System, and one of 
these SYS files onto the disk.  Remove ALL other disks from drives, turn off 
hard drives and backup RAM drives...boot the new disk, wait for the Basic 
prompt (]), and run the .SYS file ("-<filename>").  The first clue that the 
.SYS file is infected is if it accesses all drives.  The clincher is if, 
after booting (wkether it ran or not) and cataloging, you find that your good 
BASIC.SYSTEM has been modified to 29 blocks.  *- CAUTION - when running all 
these 'tests' be careful to mark ALL temporary disks with a big "V" and then 
re-format them after your tests are over.  Obviously if your BASIC.SYSTEM has 
been modified then you'll have to DELETE the suspect file and get another 
copy from a friend.

If your hard drive has been infected then there's no telling how many 
files have been infected.  My suggestion is, based on the fact that the virus 
only hits .SYS files, copy all DATA or .TXT or .DOC or .AWP or .ASP or .ADB 
files from your hard drive to backup disks.  Try to keep these files on 
separate disks from program files.  Next copy all BAS files to backups, then 
copy all BIN files to backups, etc, etc until your entire hard drive is 
backed up.  Then you can re-format your hard drive and re-copy the uninfected 
files back to the drive.  Meanwhile examine the .SYS files that you backed up 
and determine which ones you can replace from a new source (a friend, 
etc)...and DO it.  The .SYS files that remain can be tested the same way as 
described above or you can elect to delete them...your choice.



It is advisable that, while this virus threat is still around, you 
pre-test any new downloads that yuo get.  Turn off your hard drive(s) and 
printout a catalog of the program files first.  Then boot the program and see 
if anything changes on the disk.  It'd also be a good idea to have a 'dummy' 
diskette in another drive with just Prodos, a clean Basic.System and one 
Basic program on it.  If this gets infected then you'll know the new program 
you downloaded is also infected.  Please NOTE:  I said that I discovered this 
virus in "NUKE.BLAST"...that doesn't mean that this is the only file OR that 
this is where the virus originated.

OK, that's basically all I have discovered so far.  I was lucky that I 
located my infected file early AND that I had saved it on a file disk that 
ad no .SYS files on it.  I hope everyone else who reads this is as lucky!!

One final note - I, as yet, have not found out exactly what happens 
to trigger the virus to trash the contents of a volume - I only know that 
several people have had their hard drives comletely trashed.  It appears that 
the virus remains dormant and is triggered either by a count of boots or by a 
date or ???  It appears that when it does its thing then it gives you a 
message about it and who's responsible.  I will not lower myself to comment 
on the quality of individual who would dream up a stunt like this.

        As soon as I get more info I will be passing it on.  Meanwhile if 
anyone has anything to add OR if you discover other infected files then 
please share the info.  To date, the files that I have heard of that are 
nfected are as follows:  NUKE.BLAST, ZLINK, SQUIRT v1.5, and Mr. FIXIT v 3.7
         
LATEST UPDATE----

The VIRUS is called FESTERING HATE and when it goes of there is a 
Mpicture of a diskette being pricked by a needle.  It says that it is written 
by the  K/RAD ALLIANCE and, apparently it has been known, on very rare 
occassions, to infect a file more than once.  This last part has not been 
substantiated.

Oh, some guy who had his HD trashed managed to use his FINGERPRINT card to 
capture the title page of the virus:

         [WOP] -666-  FESTERING HATE  -666- [FOG]
         ========================================
         W| The Good News: You now have a copy |F
         o| of one of the  greatest programs   |r
         r|    that has ever been created!     |i
         s| The Bad News:  Its quite likely    |e
         h| that its the only program you now  |n
         i|       have in your possession.     |d
         p|====================================|s
         p|  Hey Glen!  We sincerely hope our  |
         e|  royalty checks are in the mail!   |o
         r|  Seeing how we're making you rich  |f
         s|  by providing a market for virus   |
          |         detection software!        |G
         o|====================================|l
         f|Elect LORD DIGITAL as GOD committee!|e
          |====================================|n
         P| )/>   The Kool/Rad Alliance!   <\( |
         a| Rancid Grapefruit -- Cereal Killer |B
         t|====================================|r
         r| This program is made possible by a |e
         i| grant from  Pig's Knuckle  ELITE   |d
         c| Research.  Orderline: 313/534-1466 |o
         k======[(C) 1988 ELECTRONIC ARTS]======N

 ...more later....
    
Courtesy of Bowen Arrow

                    >>>---Arrow--->