Tech news today frequently makes mention of the topic of computer viruses. Windows seems to get the lion’s share of these, and Mac OS X continues to have virtually no viruses or malware that affect it. But outside of these major operating systems, it is generally not remembered that viruses have been around as long as there have been computers. In fact, first record of a virus on a microcomputer was on the Apple II. If the other computers that were contemporaries of the Apple II (the Commodore PET 2001, the Radio Shack TRS-80, and the Atari 400 and 800) had problems with viruses, there is little written about them on the Internet. This chapter will examine the few documented viruses that were written to affect the Apple II or Apple IIGS. The majority of the material presented in this chapter is excerpted (with permission) from an article written by Doug Cuff in the Mar/Apr 1994 issue of II Alive magazine, published by Quality Computers, with additional research done to clarify information that was not available when his article was originally written.
David Ferbrache in his book, A Pathology Of Computer Viruses, wrote that the first virus for a microcomputer appeared in 1980 on an Apple II. This happened shortly after Apple released DOS 3.3. According to Ferbrache, this virus was written for research purposes and never publicly released. The virus intercepted every executed CATALOG command. It looked for a specific marker byte in the disk directory; if found, the virus then wrote the full DOS 3.3 code and the virus itself to the boot sectors of the disk. Also, the virus kept track of how many times it had been copied. A second version, written by a friend of the original author, made the code more efficient and smaller in size. Neither virus was ever released “into the wild”.
In mid-1981, the first named virus for an Apple II appeared. It was called Elk Cloner, and resided in the boot sectors of a DOS 3.3 floppy disk. This virus intercepted many DOS commands, including RUN, LOAD, BLOAD, and CATALOG. A counter byte was kept in the boot sectors, and depending on the count would execute various actions. It might infect a disk, reboot, print the version number of the virus, invert the screen, click the speaker, flash text, substitute letters on the text screen, crash to the Monitor, or print this message:
The Elk Cloner virus infected any disks that were not write protected. It was written by a ninth grade student named Richard Skrenta from Pittsburgh, Pennsylvania, who wanted to play pranks on his Apple II-using classmates. The poem on the screen-shot would appear after the fiftieth use of an infected disk, and would work only when the RESET key was presssed.
The next documented virus for the Apple II was written in December 1981 by Joe Dellinger, an undergraduate at Texas A&M University. He was experimenting with DOS 3.3 to find out what was the minimum change necessary to make it copy itself, specifically to make DOS 3.3 itself act like a virus. He found that only 16 bytes of code needed to be changed to make this happen. Unlike the Elk Cloner virus, Dellinger’s virus code was written to do nothing more than copy itself. He wrote the virus code to execute when the CATALOG command was issued, much like the earliest unnamed virus mentioned above.
Dellinger showed his work to some friends, and several of them began to work on improving the code. In early 1982, the group was done with “Virus version 1”. Although it did infect disks as it was designed to do, it had some side-effects. One of the unexpected side effects of the virus involved disks that had been modified in a way that was not directly supported by Apple. The DOS 3.3 INIT command put the full version of DOS onto the first three tracks of a 5.25-inch floppy disk; third-party utilities made it possible to remove DOS from a disk (which made it unbootable), and thus gain back that space. Since Dellinger’s virus specifically wrote DOS 3.3 and itself into that space on a disk, a disk modified to free those tracks would be unstable; files stored there would overwrite the image of DOS 3.3 (and the virus), and when the virus wrote DOS and itself to those tracks, files that happened to be stored there would be damaged.
When the group completed “Virus version 2” several months later, it specifically checked for a disk modified to remove DOS, and if that was found, the virus disconnected itself from DOS and “committed suicide”. This time no unwanted effects were found, and Dellinger tried it out on his own collection of DOS 3.3 disks (much like early medical researchers sometimes did their research on themselves). As he and his friends continued to experiment on it, their care at avoiding its spread to others became more lax, and Dellinger found that people at his graduate school were reporting that their pirated copies of the game Congo were not working properly; specifically, it caused a “smearing” look to the hi-res graphics screen. On investigating, he found the virus had made its way onto those disks. He had to write a program to remove the virus from those disks.
When Dellinger A closer look at the version 2 code found that it made DOS 3.3 one sector (256 bytes) larger than it should have been. Dillenger started working on version 3 of the virus, and planned that it should take up no extra space on a disk or in memory. Dellinger and his friends made use of small free space areas in DOS 3.3, and created a version that did what version 1 did, but didn’t have the problems caused by version 2. By the time Dellinger graduated from Texas A&M in the fall of 1983, he checked out some disks belonging to friends. Some of those disks had version 3 of the virus on them, but since it was benign he made no effort to remove the virus. He moved on to Stanford University.
Dellinger later heard that some Apple II disks at the University of Illinois at Urbana/Champaign seemed to have a virus that was randomly formatting disks. Further investigation into this problem found that some disks seemed to have a form of partial “immunity” to the effects of the disk formatting virus. Instead of being erased, these disks just crashed when booting, which prevented the disk initialization from happening. They found that these crashing disks had been previously infected with an undetected virus – Dellinger’s Virus 3.
It is possible to identify a disk infected with Virus 3 if a sector editor is used. Near the end of track 0, sector 0, there is the text “(GEN 0000000 TAMU)” in a place usually filled with $00 bytes. “GEN” refers to generation counter; “GEN 0000008” would mean that the counter had incremented 8 times. The “TAMU” referred to Texas A&M University. The virus can also be found by going to the Apple II Monitor with CALL -151, and typing “B6E8.B6F9” (which displays the bytes in memory at those locations. If all “00” bytes are displayed, DOS is not infected. If the bytes “A8 C7 C5 CE A0 B0 B0 B0 B0 B0 B0 B0 A0 D4 C1 CE D5 A9” are displayed, Virus 3 is in this DOS. If something different is found, one of the various DOS 3.3 enhancements such as Diversi-DOS or ProntoDOS may be in memory instead of DOS 3.3. (Obviously, if ProDOS was started, there would be different code at these memory locations.)
This virus has never been observed, but was only mentioned in the 1989 obituary of a Jim Hauser of San Luis Obispo, California. This obituary has been reprinted in multiple places on the Internet, and states that Hauser claimed to have created the first computer virus (on an Apple II) in 1982 with the help of a student. This virus was supposed to have given users a “guided tour” of the Apple II system. Other than this obituary notice, there is no record of such a virus having ever existed, and Hauser seems to have had no connection to Joe Dellinger and his Texas A&M group.
First appearing during 1984, Lee’s Diskitis changed the text “DISK VOLUME” on a DOS 3.3 to read “LEE’S DISK” when a CATALOG was displayed. Every disk command caused the virus to check for its ID byte; if not found, it would write the entire operating system to the disk. Unlike Virus 3, this virus was less careful about non-standard DOS installations. If a disk with Diversi-DOS was in the disk drive, Lee’s Diskitis damaged it so that it would crash when trying to boot that disk. Disks that had been modified to free up the first three tracks would also be damaged, as describe above.
The virus could be eliminated by powering off the Apple II, booting a disk that was clean, and then copy DOS from that disk to an infected disk. Nibble magazine once published a program that would copy DOS in this fashion.
Another virus that appeared in 1984 was reported by Guy T. Rice in 1988. Unlike the viruses that existed before, this one was intended to be destructive. After a certain number of times that a disk had been booted, the DOS 3.3 INIT command was executed, erasing the disk and all its contents. The Init Virus differed from normal DOS 3.3 by only forty to fifty bytes. (It is possibly this virus that was afflicting the computer lab at the University of Illinois at Urbana/Champaign at the time that Joe Dellinger found his Virus 3 was providing a type of immunity to the problem.)
With the proliferation of computer bulletin board systems across the country during the 1980s, a number of them were dedicated to talented hackers who were interested in cracking copy-protected software. This interest sometimes extended to breaking into secure computer systems, and sometimes it even involved theft from those systems. Unlike many BBSs, which wanted as wide an exposure as possible, to attract greater and greater numbers of members, these underground hacker systems were intended to be quiet, private, and invitation-only. This was done to avoid attention, especially from authorities trying to track those who were breaking into secure systems.
The culture of these underground hacker groups was not unlike that of street gangs; the status of a hacker group member was based on the daring and impact of his exploits. The more sophisticated the copy-protection system, the more skill was required to break that protection. The hacker who was successful in cracking a piece of software also wanted to call attention to his exploits. This was usually done by including a startup screen that said something like, “Hey! Look at me! Look at what I did!”, prominently featuring the codename of the hacker or hackers (such as “The Grand Vizier” or “Ma$ter Hackr$”), and possibly the name of their group or BBS. With time, some of these hackers turned their attention to ProDOS and looked at ways not to defeat copy protection (ProDOS was unprotected), but instead at how to create a virus for it. And just like the vanity splash screens put on cracked commercial software, the virus writers wanted to let the world know who had made this virus.
It took nearly five years after the introduction of ProDOS in 1983 for someone to write a virus that targeted it. The CyberAIDS virus, which appeared in 1988, reproduced by attaching itself randomly to SYS files in the root directory of all mounted disks. The virus was sophisticated enough to bypass locked files by unlocking them first. However, write-protecting the disk would keep the virus from being able to alter those SYS files.
A2-Central‘s editor Dennis Doms disassembled an early version of CyberAIDS, and wrote this about it:
CyberAIDS attaches itself to the system files by moving 6 bytes from the start of the file to the end of the file, replacing these  bytes with a JMP and three consecutive $13 bytes used as an ID.
These three $13 bytes near the beginning helped in identification of an infected file. The virus code was copied to the end of the file. When an infected file was executed, it jumped immediately to the CyberAIDS code, and then returned to normal execution of the SYS file.
Part of CyberAIDS worked at making copies of itself. Another part checked and updated a counter byte. When that byte reached 16, the virus deployed itself, and displayed the vanity screen. The first version of the virus, written by “The BOY!”, included a phone number with a New York State area code and displayed the date only as a year, 1988. The second version was more completely dated April 13, 1988, and displayed this screen:
Tom Weishaar posted this message on GEnie about the virus:
When a SYS file containing the CyberAIDS virus is executed, the disk drive will turn off and then back on again. While the drive spins the second time, CyberAids tries to replicate itself inside all of the online SYS files that are in root directories. It doesn’t look in subdirectories, it doesn’t (can’t really) mess with write-protected disks, it doesn’t attack locked SYS files, and it doesn’t attack the PRODOS file. CyberAIDS also updates a counter stored in the last byte of the first block of the disk directory. When this counter reaches 16, CyberAIDS writes $FFs through the root directory of all online volumes and puts a message describing what’s happening on the screen.
He went on to say that Quality Software’s Bag Of Tricks 2 could recover the damaged directory. MR.FIXIT, a part of Glen Bredon’s ProSel suite of utilities, could also recover subdirectories that were damaged. Weishaar’s post also included an Applesoft program that could look at a file and determine whether or not it contained the virus.
Peter J. Paul was one Apple II user who was hit by this virus, but who was also able to recover most of what he lost through the use of ProSel utilities. He found one of the infected SYS files and sent it to Glen Bredon, who analyzed the file and created a program called Apple.Rx which could detect and remove the virus. The authors of the virus reportedly called Bredon on the phone and harassed him about his virus detection program.
The same group who created CyberAIDS came back with a new version in June 1988. This one, called Festering Hate, worked in a similar fashion. It attached itself to SYS files on all available volumes. According to Glen Bredon, who disassembled the virus to see how it worked (and how to neutralize it), it only affected SYS files in the root directory. There was a random factor that determined whether the virus would replicate itself. Like CyberAIDS it could attack locked files, but still was unable to act on a disk that was write-protected. The virus spread from underground pirate BBSs through a telecommunication program called ZLink, which was a valid program but which had been infected with the virus.
Brian McCaig was a CompuServe Apple II user who first reported on this virus. In analyzing infected files, he found that the code for Festering Hate added about eight 512-byte blocks to the size of an infected SYS file. It would not attack the file PRODOS unless its name was changed to something else. The 4th through 6th bytes on a file with the virus were harder to identify than with CyberAIDS. Instead of three bytes that were easy to see (“13 13 13”) as had been the case with CyberAIDS, Festering Hate used different bytes that added up to $39.
The virus put a one-byte counter in block 0 of a disk that had infected files, and with each reboot of that disk it incremented the counter. When the count reached 25, the virus would start destroying the entire disk (not just the directory). As a result, an infected disk could not be recovered.
While the disk destruction process was going on, a picture was displayed in the hi-res screen. It displayed the words “Festering Hate”, a picture of a needle injecting a diskette, and the Electronic Arts logo and company name. The picture then scrolled off the screen, and was replaced by this text screen:
The phone number listed was for private investigator John Maxfield, who worked specifically on computer crime and hackers. It was placed there to irritate Maxfield. What is unknown is whether Electronic Arts was also mentioned by name was because the virus authors liked or disliked the company.
Just as a biological virus is more easily spread in conditions where people live crowded together, the increasing use of telecommunications in discovery and download of new software was making it easier to rapidly spread a computer virus. With humans it is necessary to immunize (if possible) and treat those infected with a disease, and updates in treatment are needed when the infections mutate. Similarly, it was necessary to make changes to Apple II virus detection and eradication software. Glen Bredon updated his Apple.Rx program, and Morgan Davis wrote a new program, VirusMD, to help the problem. The sysops for the Apple II communities on CompuServe, GEnie, America Online, and Delphi began to use these and other programs to scan files uploaded there, to be sure they were free of either virus before making them available for download.
Oddly enough, the CyberAIDS and Festering Hate source code was published in 2600 Magazine (a hacker publication) in the summer of 1988 by a writer who called himself “The Plague of MOD”. The article identified “Cereal Killer” as another name for Lord Digital (Patrick Karel Kroupa), who had a long history of involvement in underground hacking and phone phreaking groups, including The Apple Mafia, the Knights of Shadow, and the Legion of Doom. “Rancid Grapefruit” was also known as Dead Lord (Bruce Fancher), and was likewise a member of the Legion of Doom. With the publication of this article, the virus authors’ interest in writing further Apple II viruses appeared to have disappeared, and no further versions of these virus programs for the Apple II were released., 
In late 1989 a new virus for the Apple II appeared, though it seems to have not spread beyond the borders of Texas. Glen Bredon was notified of it, and added detection of this virus to his Apple.Rx program. BURP would attach itself to all SYS files it could find on any disk volume that was currently mounted (CyberAIDS and Festering Hate limited their activity to a single SYS file). Also, BURP would recursively go into subdirectories and attach itself to SYS files it found there.
When the BURP virus activated, it destroyed volume directories and then renamed the damaged disk to “BURP!”
Brian McCade described the Apple IIGS Load Runner virus in July 1989. It was named after the famous Brøderbund game Lode Runner, and was thought to have originated in France through a IIGS fast disk copy program called Speedy Smith. This program used its own disk operating system, which made it hard to examine. Since the text screens displayed by the virus were in French, as were Speedy Smith‘s screens, it was suspect.
Load Runner affected the boot block only on 3.5-inch disks; it did not affect 5.25-inch disks or hard drives. The virus activated when infected disk was booted on any odd-numbered day in October when the time in minutes was divisible by 8 (8, 16, 24, 32, 40, 48, and 56). It would change the screen color to red with white text, and printed the following message:
It took four seconds to count down from 9 to 0. The screen would then change to a green background, with the border color cycling through all colors, and the following text was displayed:
The computer would then become unresponsive. Rebooting from another disk resulted in that disk also becoming infected.
On the displayed screen, the number in the upper left corner represented the number of copies the virus made of itself before it was triggered. The name “Lyon” was thought to refer to the city of Lyon, France.
When an infected disk was booted, it copied itself to RAM on the IIGS, and then looked for 3.5-inch disks to which it could spread. It would then infect any 3.5-inch disks that were booted without turning off the power. When the virus deployed and displayed its red countdown screen and green result screen, it had also wiped out the boot block of the disk in the 3.5-inch drive. It was significantly less destructive than CyberAIDS or Festering Hate, but it did cause damage nonetheless.
To remove the virus, it was necessary to completely power off the computer and restart with a clean disk. A simple reboot (by pressing Ctrl-Open Apple-RESET) did not remove it from memory. An infected disk could be identified by examining the contents of block 0 on a boot disk. If the first three bytes were “01 A9 50”, the Load Runner virus was likely on that disk.
Besides Glen Bredon’s Apple.Rx and Morgan Davis’ Virus MD programs, Neil Parker wrote a freeware program, VIRUS.KILLER. This program would check memory for the virus, and then examine disks to look for the infection and remove it if found.
The virus known as Blackout also went by the names Apocalypse I and Apocalypse II. It was similar to Load Runner because the only type of disks affected were 3.5-inch disks.
When activated, Blackout made it look as if the IIGS was not working at all. There was no “beep” sound when starting, and the screen display was blank. The disk drives did not make any noise. What Blackout had done was to make changes to Control Panel settings, changing the background and text color to black (which was ordinarily not allowed by the Control Panel), moving the sound volume to zero, and changing the startup disk to “ROM Disk”, which usually had no bootable volume at all. Since these settings were stored in the Battery RAM, the changes lasted through a reboot, whether a cold boot (from power off) or a warm boot.
It was easy to return settings to normal, if a IIGS user realized that Blackout was the cause of the problem. To do this, it was necessary to power on while holding down the Option key. Though not visible, a screen was displayed at this point that would allow entry to the Control Panel, or to set the system standards to 60 hertz or 50 hertz, or to continue starting the system. Pressing the number “2” at this point would change all of the Control Panel settings to their defaults (for 60 hertz operation), which restored the proper screen colors, sound volume, and startup slot set for “Scan”.
When Wozniak designed the Apple-1, the Apple II, and the Disk II, there was no concept of any security issues for the computer platform. The computing world at that time was much like a small town, where everybody (for the most part) trusts each other, and nobody locks their doors. In fact, there was not much reason to lock the doors because there weren’t much of value to steal. But like a town that grows, security began to be something to think about as the number of Apple II owners increased, and viruses mentioned in this chapter appeared. However, it was not something that Apple addressed (the problem was not widespread enough to warrant such action), but rather it was dealt with by applying a fix after an act of vandalism (much like fixing damage caused by a burglar, but not thinking of putting a lock on the door to prevent future burglaries).
Even on the Apple IIGS and its more complex and sophisticated firmware and system software, security was still not a big enough problem to warrant security software beyond those programs created by Glen Bredon and Morgan Davis, and a program called Exorciser that was written by Joe Jaworski and sold by Vitesse. These programs could scan for possible known viruses, but were not sophisticated enough to detect suspicious activity by an unknown virus.
However, further virus detection turned out to be unnecessary. By the time CyberAIDS, Festering Hate, Load Runner, and Blackout had come and gone, the Apple II and IIGS platform appeared to have been abandoned as a target for authors of viruses and other malware, and nothing more of note ever appeared. Those interested in writing viruses had apparently moved on to the greener fields with larger numbers of potential victims (and greater glory for the hackers) found in the MS-DOS and Windows platforms, and to a lesser extent, the Macintosh. Interestingly, even the Amiga and Atari ST computers, which were released in 1985 (a year before the Apple IIGS) were a much greater target for viruses in their day, probably because they were viewed as more interesting computers to work with than the Apple II and IIGS, which were being slowly starved to death by neglect from Apple.