
viruses

From: akcs.joehorn@hpcvbbs.cv.hp.com (Joseph K. Horn)
Newsgroups: comp.sys.hp48
Subject: VIRUS ALERT
Keywords: virus vaccine
Message-ID: <294dc568:401comp.sys.hp48@hpcvbbs.cv.hp.com>
Date: 17 Dec 91 09:40:11 GMT
Lines: 141

                * * * * * * * * * * * * * * * *
                *                             *
                *    V I R U S   A L E R T    *
                *                             *
                * * * * * * * * * * * * * * * *

"Next to a battle lost, the greatest misery is a battle gained."
  --  Wellington

It was just a matter of time.  Three viruses (all very similar) have
been written for the HP 48.  As if this weren't bad enough, they are
being spread around on college campuses as a practical joke.  Not
funny at all, when it's your 48 that gets sick, then goes psychotic,
and finally dies.

I must admit, however, a certain morbid respect for the author(s);
these little timebombs are well written.  When stripped from their
host program, they look like this harmless little 3-object snippet:

                    "*" External Code

where the * is the null character (displayed as a little square blob).
The "External" is not at all what it appears to be!  It's really an
"external type 2" object, one of the four unused object types; and it
contains the real body of the virus, in System RPL.  The subsequent
Code object merely jumps backwards into the External object, just past
its object header, thus executing its contents as an RPL program.

If you engage in promiscuous I/O with college students (who doesn't?),
be on the lookout for the following bogus "error messages":

                    "System Malfunction"
                    "Defective ROM"
                    "Damaged ROM"
                    "Invalid Addressing"

Also, the virus attaches itself to other program objects in the
current directory (thereby earning the name "virus").
Since it modifies objects without your knowledge, it may wreak havoc
that the author(s) never intended, especially if you are into System
RPL programming.  It may cause objects to be purged, entire directories
to be lost, memory corrupted, and even total Memory Clear.  And the null
character at the beginning prevents you from removing the virus by
normal editing, because when you hit EDIT you'll get the "Can't Edit
Null Char." error message.  This sucker not only propagates itself, it
even has self-preservation instincts!  Geez.

Since the current "strains" of this virus all contain the same Code
object, it's easy to write a "vaccine" that checks a program for the
virus, and if found, "disinfects" it.  If you'd like to do it
yourself, here's the recognizable 29.5-byte Code object:

In ASC-> format:

%%HP:T(1);
"CCD20630001741433450000EA1411C414334A0000CA14134E8F60DA808C4ECA"

Source code:

       HP                AG             opcode
    --------        ------------        --------
    D1=D1+ 5        ADD.A #5,D1         174
    A=DAT1 A        MOVE.A @D1,A        143
    LC(5) 5         MOVE.P5 #5,C        3450000
    A=A-C A         SUB.A C,A           EA
    DAT1=A A        MOVE.A A,@D1        141
    D1=D1- 5        SUB.A #5,D1         1C4
    A=DAT1 A        MOVE.A @D1,A        143
    LC(5) 10        MOVE.P5 #A,C        34A0000
    A=A+C A         ADD.A C,A           CA
    DAT1=A A        MOVE.A A,@D1        141
    LC(5) #06F8E    MOVE.P5 #06F8E,C    34E8F60
    A=C A           MOVE.A C,A          DA
    PC=(A)          JUMP.A @A           808C

The "External" object immediately precedes this Code object.  It
consists of its five-nibble prolog (02BCC), followed by a five-nibble
length field (nib distance to the following Code object).
The length field is immediately followed by an RPL program object
(beginning D9D20, of course), which is the nucleus of the virus, the
part that does all the dirty work; the "DNA" part, as it were.

For obvious reasons, I will not post the virus itself.

Brian Maguire considered this sordid situation to be a delightful
programming challenge, and whipped up the following two programs.
'VACCINE.1' disinfects program objects, and 'CLEAN' disinfects entire
directories.

INSTRUCTIONS: Place program on stack and press VACCINE.1
to disinfect it, or run CLEAN to disinfect all the programs in
the current directory.  Obviously it is best to keep these
programs protected in a card switched to the ROM position.
They can be run from there, for example via a CST key, or a
user-mode key assignment.

Here's the source code for the curious and curiouser:

'VACCINE.1' ( in System RPL )

::
 CK1NoBlame CK&DISPATCH0 EIGHT
  :: BEGIN
    :: DUPLENCOMP #2= NOTcase FALSE DUP TWO NTHCOMPDROP
      DTYPECOL? NOTcase DROPFALSE DUPLENCOMP #3= NOTcase
      DROPFALSE THREE NTHCOMPDROP '
      CODE 49 1741433450000EA1411C414334A0000CA14134E8F60DA808C
      EQUAL
    ; WHILE CARCOMP REPEAT
  ;
;

'CLEAN' ( in User RPL )

\<< 8 TVARS LIST\-> 1 SWAP
  FOR i DUP RCL VACCINE.1 SWAP STO
  NEXT
\>>

Many thanx to Brian Maguire for making this potentially terrifying
situation so easy to cope with.

-jkh-   EQU   akcs.joehorn@hpcvbbs.cv.hp.com
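
Added example (not part of the original post, and not Brian Maguire's code): the signature check the post describes, written as a Python scanner over a nibble string that also confirms the External type 2 object's length field points at the Code object. The stored form CCB20 for the External prolog, the trailing 4-nibble checksum in ASC-> listings, and the sample data are assumptions made for this example.

```python
import re

# Code object from the post: prolog CCD20, length field 63000 (0x36 = 5 + 49),
# then the 49-nibble body.  59 nibbles = 29.5 bytes.
CODE_SIG = "CCD2063000" + "1741433450000EA1411C414334A0000CA14134E8F60DA808C"
EXT2_PROLOG = "CCB20"     # assumption: 02BCC stored low nibble first, like CCD20
PROGRAM_PROLOG = "D9D20"  # start of the RPL program object named in the post

def asc_to_nibbles(text):
    """Nibble string from an ASC-> listing (assumed: last 4 nibbles are a checksum)."""
    quoted = re.search(r'"([^"]*)"', text)
    body = re.sub(r"\s+", "", quoted.group(1) if quoted else text).upper()
    if not re.fullmatch(r"[0-9A-F]+", body):
        raise ValueError("not a hex nibble string")
    return body[:-4] if quoted else body

def read_len(nibbles, pos):
    """Decode a five-nibble length field stored low nibble first."""
    return int(nibbles[pos:pos + 5][::-1], 16)

def scan(nibbles):
    """Locate each signature Code object and the External preceding it, if any."""
    findings = []
    start = nibbles.find(CODE_SIG)
    while start != -1:
        external_at = None
        ext = nibbles.rfind(EXT2_PROLOG, 0, start)
        while ext != -1:
            # The length field counts nibbles from itself to the Code object.
            if (ext + 10 <= start
                    and ext + 5 + read_len(nibbles, ext + 5) == start
                    and nibbles.startswith(PROGRAM_PROLOG, ext + 10)):
                external_at = ext
                break
            ext = nibbles.rfind(EXT2_PROLOG, 0, ext)
        findings.append({"code_at": start, "external_at": external_at})
        start = nibbles.find(CODE_SIG, start + 1)
    return findings

def build_sample():
    """Constructed sample: a stand-in program body (not virus code) in an External."""
    payload = PROGRAM_PROLOG + "B2130"
    length = format(5 + len(payload), "05X")[::-1]
    return "D9D20" + EXT2_PROLOG + length + payload + CODE_SIG + "B2130"
```

A finding with external_at set matches the full layout described in the post; a finding with external_at of None means only the Code object was present, as in the post's own ASC-> listing.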


I am Craig A. Finseth.


Last modified Saturday, 2012-02-25T23:30:44-06:00.

