From: akcs.joehorn@hpcvbbs.cv.hp.com (Joseph K. Horn)
Newsgroups: comp.sys.hp48
Subject: VIRUS ALERT
Keywords: virus vaccine
Message-ID: <294dc568:401comp.sys.hp48@hpcvbbs.cv.hp.com>
Date: 17 Dec 91 09:40:11 GMT
Lines: 141

         * * * * * * * * * * * * * * * * * * *
               V I R U S   A L E R T
         * * * * * * * * * * * * * * * * * * *

    "Next to a battle lost, the greatest misery is a battle gained."
                                                      -- Wellington

It was just a matter of time. Three viruses (all very similar) have
been written for the HP 48. As if this weren't bad enough, they are
being spread around on college campuses as a practical joke. Not funny
at all, when it's your 48 that gets sick, then goes psychotic, and
finally dies.

I must admit, however, a certain morbid respect for the author(s);
these little timebombs are well written. When stripped from their host
program, they look like this harmless little 3-object snippet:

    "*"
    External
    Code

where the * is the null character (displayed as a little square blob).
The "External" is not at all what it appears to be! It's really an
"external type 2" object, one of the four unused object types; and it
contains the real body of the virus, in System RPL. The subsequent
Code object merely jumps backwards into the External object, just past
its object header, thus executing its contents as an RPL program.

If you engage in promiscuous I/O with college students (who doesn't?),
be on the lookout for the following bogus "error messages":

    "System Malfunction"
    "Defective ROM"
    "Damaged ROM"
    "Invalid Addressing"

Also, the virus attaches itself to other program objects in the
current directory (thereby earning the name "virus"). Since it
modifies objects without your knowledge, it may wreak havoc that the
author(s) never intended, especially if you are into System RPL
programming. It may cause objects to be purged, entire directories to
be lost, memory corrupted, and even total Memory Clear.

And the null character at the beginning prevents you from removing the
virus by normal editing, because when you hit EDIT you'll get the
"Can't Edit Null Char." error message. This sucker not only propagates
itself, it even has self-preservation instincts! Geez.

Since the current "strains" of this virus all contain the same Code
object, it's easy to write a "vaccine" that checks a program for the
virus, and if found, "disinfects" it. If you'd like to do it yourself,
here's the recognizable 29.5-byte Code object:

In ASC-> format:

%%HP:T(1);
"CCD20630001741433450000EA1411C414334A0000CA14134E8F60DA808C4ECA"

Source code:

     HP                AG                   opcode
  --------          ------------            --------
  D1=D1+ 5          ADD.A   #5,D1           174
  A=DAT1 A          MOVE.A  @D1,A           143
  LC(5) 5           MOVE.P5 #5,C            3450000
  A=A-C A           SUB.A   C,A             EA
  DAT1=A A          MOVE.A  A,@D1           141
  D1=D1- 5          SUB.A   #5,D1           1C4
  A=DAT1 A          MOVE.A  @D1,A           143
  LC(5) 10          MOVE.P5 #A,C            34A0000
  A=A+C A           ADD.A   C,A             CA
  DAT1=A A          MOVE.A  A,@D1           141
  LC(5) #06F8E      MOVE.P5 #06F8E,C        34E8F60
  A=C A             MOVE.A  C,A             DA
  PC=(A)            JUMP.A  @A              808C

The "External" object immediately precedes this Code object. It
consists of its five-nibble prolog (02BCC), followed by a five-nibble
length field (nib distance to the following Code object). The length
field is immediately followed by an RPL program object (beginning
D9D20, of course), which is the nucleus of the virus, the part that
does all the dirty work; the "DNA" part, as it were. For obvious
reasons, I will not post the virus itself.

Brian Maguire considered this sordid situation to be a delightful
programming challenge, and whipped up the following two programs.
'VACCINE.1' disinfects program objects, and 'CLEAN' disinfects entire
directories.

INSTRUCTIONS: Place program on stack and press VACCINE.1 to disinfect
it, or run CLEAN to disinfect all the programs in the current
directory. Obviously it is best to keep these programs protected in a
card switched to the ROM position. They can be run from there, for
example via a CST key, or a user-mode key assignment.

%%HP:T(1);
@ VACCINE.1 and CLEAN, by Brian Maguire
"69A20E33A8000000005034C45414E450D9D20E1632C53A2FA1A1A59C19C2A2DB
BF10A132D6E20109678BF104B0284E20906514343494E454E213DBBF1DCC02C4
23293632B2130B7000906514343494E454E21390D9D20D2951D9F81F3040D9D2
02A170D9D2013236A9226DA9160CA308813030040C9B267E126DA916C0126132
3698226DA916C0126D0040C9B2679E60CCD20630001741433450000EA1411C41
4334A0000CA14134E8F60DA808C79B30B2130EE170980505E170B2130B213072
25"

-------< Begin VACCINE in UUencoded format >-------
begin 600 virus
M2%!(4#0X+466*N`SB@`````%0TQ%04X%G2W@82-<H_(:&EK)D2PJO?L!&B-M
M+A"0=K@?0`N"Y`()5D%#0TE.12XQO?O1S"!,,I)C(RLQL`<`"59!0T-)3D4N
M,0F=+="2%9V/\0,$G2T@&@>=+1`C8YHBUIIAP#J`&`,#0,"Y8N<AUIIA#"$6
M(V.)(M::80PAU@`$G"MVZ0;,+6`#`'$4-$,%`.`:%,$4-$,*`,`:%$..;]"*
3@'RY`RLQX!X'B5!0'@<K,;`2`R``
`
end
-------< End VACCINE >-------

Here's the source code for the curious and curiouser:

'VACCINE.1'   ( in System RPL )

::
  CK1NoBlame
  CK&DISPATCH0
  EIGHT
  ::
    BEGIN
      ::
        DUPLENCOMP #2= NOTcase FALSE
        DUP TWO NTHCOMPDROP DTYPECOL? NOTcase DROPFALSE
        DUPLENCOMP #3= NOTcase DROPFALSE
        THREE NTHCOMPDROP
        ' CODE 49 1741433450000EA1411C414334A0000CA14134E8F60DA808C
        EQUAL
      ;
    WHILE
      CARCOMP
    REPEAT
  ;
;

'CLEAN'   ( in User RPL )

\<< 8 TVARS LIST\-> 1 SWAP
    FOR i DUP RCL VACCINE.1 SWAP STO NEXT
\>>

Many thanx to Brian Maguire for making this potentially terrifying
situation so easy to cope with.

-jkh-  EQU  akcs.joehorn@hpcvbbs.cv.hp.com
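As an added illustration of the structure the post describes (this is not code from the post, and not Brian Maguire's VACCINE.1), the following Python scanner works on the nibble stream of an HP 48 object as dumped in ASC format. It locates the constant 29.5-byte Code object by its signature, follows the External object's length field to confirm it lands on that Code object, and disinfects a program the way VACCINE.1's test implies: a program of two elements whose second element is the three-object subprogram "\0" External Code is replaced by its first element, repeatedly. Assumptions not stated in the post: the ASC body is the hex text between the quotes after the "%%HP:T(1);" header, its last four nibbles are the transfer checksum rather than object data, and the sample objects (ORIGINAL, SNIPPET, INFECTED) are constructed here with a stub External body, since the real nucleus is not on the page.

```python
"""Scanner and disinfector for the HP 48 virus signature quoted in the post.

Added example, not part of the original post or of VACCINE.1. Multi-nibble
fields on the HP 48 are stored least-significant nibble first, which is why
the Code prolog #02DCC reads "CCD20" in an ASC dump.
"""
import re

# 59-nibble Code object shared by all strains, exactly as given in the post.
VIRUS_CODE = "CCD20630001741433450000EA1411C414334A0000CA14134E8F60DA808C"

PROGRAM_PROLOG = "D9D20"   # #02D9D  program object, closed by END_MARKER
END_MARKER = "B2130"       # #0312B  end of a program
STRING_PROLOG = "C2A20"    # #02A2C  string: prolog + length field + chars
EXTERNAL_PROLOG = "CCB20"  # #02BCC  "External type 2": prolog + length field + body
CODE_PROLOG = "CCD20"      # #02DCC  code: prolog + length field + machine code
SYSBIN_PROLOG = "11920"    # #02911  system binary: prolog + 5-nibble value
SIZED_PROLOGS = {STRING_PROLOG, EXTERNAL_PROLOG, CODE_PROLOG}


def nib_field(nibs, pos, width=5):
    """Decode a little-endian nibble field of `width` nibbles at `pos`."""
    return int(nibs[pos:pos + width][::-1], 16)


def asc_to_nibbles(asc):
    """Extract object nibbles from an ASC transfer string (checksum dropped)."""
    m = re.search(r'"([^"]*)"', asc)
    body = m.group(1) if m else re.sub(r"^\s*%%HP:[^;]*;", "", asc)
    body = re.sub(r"\s+", "", body).upper()
    if not re.fullmatch(r"[0-9A-F]*", body):
        raise ValueError("ASC body is not a hex nibble stream")
    return body[:-4]  # assumption: the trailing 4 nibbles are the transfer CRC


def object_end(nibs, pos):
    """Offset just past the object at `pos` (only the object types used here)."""
    prolog = nibs[pos:pos + 5]
    if prolog in SIZED_PROLOGS:
        return pos + 5 + nib_field(nibs, pos + 5)  # length field counts itself
    if prolog == SYSBIN_PROLOG:
        return pos + 10
    if prolog == PROGRAM_PROLOG:
        p = pos + 5
        while not nibs.startswith(END_MARKER, p):
            p = object_end(nibs, p)
        return p + 5
    raise ValueError(f"unsupported prolog {prolog!r} at nibble {pos}")


def program_elements(nibs, pos=0):
    """(start, end) spans of the elements of the program object at `pos`."""
    if not nibs.startswith(PROGRAM_PROLOG, pos):
        raise ValueError("not a program object")
    spans, p = [], pos + 5
    while not nibs.startswith(END_MARKER, p):
        e = object_end(nibs, p)
        spans.append((p, e))
        p = e
    return spans


def find_virus(nibs):
    """Signature scan: (external_offset, code_offset) for every External type 2
    object whose length field lands exactly on the known virus Code object."""
    hits, pos = [], nibs.find(EXTERNAL_PROLOG)
    while pos != -1:
        if pos + 10 <= len(nibs):
            code_at = pos + 5 + nib_field(nibs, pos + 5)
            if nibs.startswith(VIRUS_CODE, code_at):
                hits.append((pos, code_at))
        pos = nibs.find(EXTERNAL_PROLOG, pos + 1)
    return hits


def is_virus_snippet(nibs, start, end):
    """True if [start, end) is the subprogram :: "\\0" External Code ; from the post."""
    if not nibs.startswith(PROGRAM_PROLOG, start):
        return False
    elems = program_elements(nibs, start)
    if len(elems) != 3:
        return False
    (s0, _), (s1, _), (s2, e2) = elems
    return (nibs.startswith(STRING_PROLOG, s0) and nibs[s0 + 10:s0 + 12] == "00"
            and nibs.startswith(EXTERNAL_PROLOG, s1)
            and nibs[s2:e2] == VIRUS_CODE)


def disinfect(nibs):
    """Mirror VACCINE.1's loop: while the program is :: original <snippet> ;, keep original."""
    while nibs.startswith(PROGRAM_PROLOG):
        elems = program_elements(nibs)
        if len(elems) == 2 and is_virus_snippet(nibs, *elems[1]):
            s, e = elems[0]
            nibs = nibs[s:e]
        else:
            break
    return nibs


# Constructed samples (not real strains). ORIGINAL is a program holding one
# System Binary; INFECTED wraps it the way VACCINE.1's test expects.
ORIGINAL = PROGRAM_PROLOG + SYSBIN_PROLOG + "10000" + END_MARKER
STRING_NUL = STRING_PROLOG + "70000" + "00"                 # "\0"; length 7 = field + 2
EXTERNAL = EXTERNAL_PROLOG + "F0000" + "D9D20" + "B2130"    # length 15 = field + stub body
SNIPPET = PROGRAM_PROLOG + STRING_NUL + EXTERNAL + VIRUS_CODE + END_MARKER
INFECTED = PROGRAM_PROLOG + ORIGINAL + SNIPPET + END_MARKER

if __name__ == "__main__":
    print("virus Code object is %.1f bytes" % ((5 + nib_field(VIRUS_CODE, 5)) / 2))
    print("signature hits in sample:", find_virus(INFECTED))
    print("disinfected == original:", disinfect(INFECTED) == ORIGINAL)
```

Decoding the Code object's own length field ("63000" read backwards is #00036, 54 nibbles) plus its 5-nibble prolog gives the 59 nibbles, or 29.5 bytes, the post quotes; `find_virus` only reports an External whose length field points exactly at that Code object, so a stray "CCB20" inside unrelated data is not a hit.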
Last modified Saturday, 2012-02-25T17:30:44-06:00.