Newsgroups: comp.risks
X-issue: 5.69
Date: Wed, 2 Dec 87 00:14:25 pst
From: Joe Dellinger <joe@hanauma.STANFORD.EDU>
To: risks@csl.sri.com
Subject: An ancient computer virus

	In 1982, while a student at Texas A+M University, I created a
Virus for Apple ][ Dos 3.3. I was curious to see how long it would take
for such a virus to spread through my own disk collection, so I was very
careful to make the virus completely harmless (and indeed even completely
undetectable). I was very careful to operate under strict quarantine.
Unfortunately, several friends let the virus escape, before I was through
perfecting it. The earlier versions of virus would cause the graphics
in a certain game to smear. Within a few weeks, everybody's (pirated) copy
of this game (called "Congo") stopped working. To correct this situation,
we launched another "perfected" virus to displace the first. As it turned
out, the "perfected" virus worked well, and so I never heard from it again.
	Are Apple ]['s running 64K Dos 3.3 still being used? If so, it might
make an interesting study to see how much this virus has spread in 5 years.
If the virus is in memory, there will be a short ASCII text string listing
the generation count starting at location $B6E8 in memory. Normal DOS has
zeroes there.

Newsgroups: comp.risks
X-issue: 5.72
Date: Wed, 9 Dec 87 02:22:36 pst
From: Joe Dellinger <joe@hanauma.STANFORD.EDU>
To: risks@csl.sri.com
Subject: Virus Protection Strategies

	From recent postings it sounds like Personal Computer viruses
are getting to be a problem. In 1982 when I wrote my Virus, nobody I knew
thought such things could even exist. When I explained what I had made to
fellow hacker types, the usual reaction was "What a wonderful idea! But an
innocuous virus is boring. I want to create an EVIL one...". Given this
reaction, and the increasing knowledge of how such things work, I would
expect the number of viruses to increase.

	What strategies can we use to protect ourselves? Best, of course,
is to make it impossible. Make the DOS area on the disk read only. Put DOS
in rom on the machine. Write protect as many disks in your collection as
feasible. Make sure write protection is done in hardware.

	Whenever a new disk is used for the first time, compare the DOS
on that disk with the DOS in memory. If they don't match, issue a warning.
Make a program that performs such a check a standard utility.

	The best solution, I think, is to simply make writing a Virus
difficult. Don't leave any convenient holes in DOS where a Virus can hide
out. Have many places in the boot process where parity checks on pieces of
DOS are done. Have unused bytes scattered here and there in DOS that are
different in every copy of DOS sold. Have code in ROM that performs
some sort of verification before booting a disk. Have several different
versions of this ROM in use, sensitive to different things, so that you
can't assume a virus that works on your machine will also work on all
machines. Use self-modifying code in the boot process. Have several different
ways that DOS can be layed out on the disk, and pick a random one at
initialization time.

While none of these schemes would make a Virus impossible, any of them
would make creating one very tedious. I think the only reason we aren't
experiencing a plague of viruses already is that it is a fair amount of
work to create one. It is also a lot more work to create a "careful" virus
than it is to create a "careless" one. Most of the viruses I have heard
of are not purposefully evil, they just don't bother to check that they
aren't accidentally damaging something.

Newsgroups: comp.risks
X-issue: 12.30
Date: Wed, 11 Sep 91 00:10:48 HST
From: joe@montebello.soest.hawaii.edu (Joe Dellinger)
Subject: RE:  Prize for Most Useful Computer Virus

	In 1981-1983 I wrote a virus for the Apple ][ while an undergrad at
Texas A+M, mostly as a demonstration to friends that such a thing really was
possible. The intended "target" was my own disk collection, which was to be
kept in strict quarantine so the virus wouldn't escape accidentally. The idea
was to see how quickly the virus would spread within my own disk collection if
I used my disks "normally". The virus itself was intended to be entirely
asymptomatic: it did nothing more than check for incompatibilities with
programs or DOS, check for damage to itself, copy itself, and increment a
generation counter each time it infected a new disk. It could easily be removed
from a disk by using the Apple ][ utility "Master Create".

	"Virus 1" DID unfortunately prove to have obvious (if inadvertent)
symptoms, so was considered a failure. I don't believe it ever escaped. A few
months later, using what little free time school work left us, we came up with
"Virus 2". This virus appeared to have no symptoms, so after a while several
friends interested in the project deliberately infected their own disks as part
of the test. The first hint we had something had gone wrong was when pirated
copies of the game "Congo" at UIUC (a friend of mine had finished at A+M and
gone off to grad school at UIUC by this time, taking copies of the virus with
him) started behaving strangely: the game would still run, but its graphics
would smear. (Apple ][ users there were quite perplexed: every time they
tracked down a working copy of the game to get a fresh pirate copy from, it too
would prove to have stopped working. Running "Master Create" or booting from a
write-protected disk was not an obvious cure back then for such a "mysterious"
problem.) We quickly wrote an "immunizer" utility and distributed it at UIUC as
a "cure for the smeared graphics problem with Congo".

	But what if Virus 2 spread faster and farther than copies of the
(nonviral) immunizer program? We analyzed what had gone wrong and created
"Virus 3" to displace the close-but-not-quite-right Virus 2. Amazingly (in
retrospect), this strategy appears to have actually worked. We never noted any
symptoms, and I guess nobody was looking for a "computer virus" back then in
the absence of a red flag demanding attention. And so we heard nothing more
about my virus "in the wild"...

	...until 1985 (or thereabouts). By this time the microcomputer lab at
UIUC was under siege from a vicious virus that would randomly erase infected
disks at boot time. Frantic investigators into the problem discovered some
disks had a form of partial immunity: instead of erasing themselves, they would
merely crash. They could then be fixed up with Master Create, and all would be
well. The cause of the baffling immunity? They were found to have been
previously infected with an undetected asymptomatic virus... Virus 3!  (And
that really is the last I heard of it.)

	I'm in the process of writing this story up for a journal; if you have
any old Apple ][ DOS 3.3 48K slave disks you'd like to look for my virus on,
send me e-mail and I'll tell you how. It would be very interesting to find out
what generation counts the virus got up to! (I only have copies of the virus
from my own collection.) PLEASE NOTE any candidate disk must be absolutely
unmodified standard "slave" DOS 3.3, or my extra-cautious virus would not have
attempted infection. Such disks became progressively rarer in the mid-80's as a
plethora of improved DOS's from various sources became available; it appears
quite likely my virus went extinct as a result. Also please let me know if you
remember hearing anything about Apple ][ viruses around 1981-1985. I have since
heard of at least one other very early Apple ][ virus, called "Elk Cloner".
(That virus did "call attention to itself".)  Thanks.

	-- joe@montebello.soest.hawaii.edu