A couple of years ago, a friend of my teenage son showed up at our house with an old computer he'd found in his Grandma's attic .. a Commodore PC20-II, which was a very early PC clone, as in 8088 and MS-DOS ..
The story went that his grandparents had bought the thing brand new, used it for a couple of months, and then 'something went wrong with it', they stashed it in the attic and its been there ever since.
Would I take a look at it and see whats up?
Indeed I would! I have a bit of a thing for old computers.
We plug it in, boot it up, and there she is in all the amber glory, C:\>
I tell the kids "let her settle for a bit, lets just bathe in the glory a little more", a few seconds go by .. and sure enough .. that old clunky 20Meg hard drive gives a little tick.
Okay, I have a hunch.
C:\> echo > DEADBEEF.COM
C:\> dir DEADBEEF.COM
DEADBEEF.COM 0 bytes
(I'm paraphrasing)
Okay .. interesting, what happens if we:
C:\>DEADBEEF.COM
<blink blink>
C:\> dir DEADBEEF.COM
DEADBEEF.COM 76 bytes
Ah hah! Kids, we have a Virus. And probably one of the very, very early viruses. "And very well self-contained", I proclaim as I duct-tape the 5.4" floppy drive with great drama, because there's no way any of the highly valuable 5.4" floppy disks in my collection are ever going in there ..
We spend a few days delighting in all the things we can do with C:\DOS\DEBUG.COM and that little virus, which happily copies itself wherever we tell it to, and the kids get a boot camp introduction into interrupt service routines, BIOS calls and old-school hygiene techniques ..
After a week or so of this, the caps blow, and the virus returns to its slumber.
We'll replace the caps soon enough, and it'll become an exhibit .. its the perfect way to explain to interested young computer nerds what a virus is, how it works, and what you can do with it/for it/against it, in a controlled environment ..
I didn't want to write a wall of text here, but my single-line dismissive comment was probably worse. So here goes:
There are so many "little details" to nitpick, that in combination it becomes unbelievable. It has a similar feel to hallucinated GPT output. Or someone with a bit of half-remembered knowledge about old computers making things up for a movie script.
>a hunch (because the disk drive was ticking once?)
>creating empty file using echo
>a 0-byte program that returns to DOS instead of crashing
>5.4" floppy disks
>duct taping the drive shut
>the size of the virus (assuming the paraphrased 76 bytes is supposed to mean something close to it, like less than 100)
I spent some time trying to write the smallest possible virus that can actually infect files instead of overwriting them, just as an experiment in a VM. I managed to get the code down to 96 bytes.
It moves itself into a reserved area in low memory and hooks INT 21h. Whenever a file is written that starts with byte E9h (common for .COM programs), the virus then prepends itself to the program. So it only infects certain programs, does so when they are copied, and also may corrupt data files that start with this byte.
I consider myself a fairly good x86 asm programmer, but certainly someone out there might have managed to make a better & smaller virus. However, anything that tiny will be limited in what it can do, and likely make more assumptions about the environment it is run in (186+ instruction set available, initial register state matching a particular DOS version, etc).
It would be very bad at spreading "in the wild", and not be found on some grandma's computer.
You're really pushing the boundaries of paranoia. I'm just a good writer. Every single thing happened pretty much exactly as I described it.
Yes, back in the day, unexpected drive activity was a sign there was an active virus. (I have 40 years experience in systems software development and know where to look.)
Creating an empty file with echo: common, standard practice. Hey, maybe it was "copy con: deadbeef.com", so sue me (like I said, I was paraphrasing..) Its also common knowledge that a zero-byte .COM is perfectly executable on DOS ..
5.4" disks - I am a systems software developer who has kept every machine I've ever worked with since 1978, and with hundreds of 5.4" discs in my collection of works, over 40 years worth. This is why the kids brought the machine to me in the first place. Want me to bust out my tape drives and card decks?
76-byte viruses, or even less, were common in those days. Your 8088/MSDOS assembly fu is simply weak. Check the book "The Giant Black Book of Computer Viruses" for examples. I may have gotten the exact number incorrect, perhaps it was 67 bytes, but whatever .. the point is the 0-byte .COM got infected immediately.
Anyway, your doubt is entirely misguided. The machine exists, we played with the virus for weeks. In a few months it'll get its caps replaced and be installed in a retro computing museum for kids of the future to learn assembly techniques and generally get exposed to old-school computer viruses in a controlled setting.
Okay, you're most likely trolling. Hexdump of this alleged virus or it didn't happen.
Just to make sure, I tested this on MS-DOS 2.0 in an online emulator[1] for a machine of the vintage you described, and it did exactly what I expected:
A> echo>deadbeef.com
A> dir deadbeef.com
DEADBEEF.COM 12
A> type deadbeef.com
ECHO is on
A> deadbeef
(starts spewing gibberish)
COPY CON can't create an empty file either.
Running an empty program (or falling off the end of this one containing the message from ECHO) will execute whatever happens to already be in memory at the time. Might work if there was another program loaded before, but not from a freshly booted system.
The disk format is 5.25", not 5.4"
Unexpected disk activity when the machine is idle would mean the virus also hooks the timer interrupt and does stuff in the background, instead of (or in addition to) infecting programs you actively run. Implementing that on an OS not designed for multitasking is certainly possible, but would take quite a bit more than 100 bytes of code.
As for viruses of 76 bytes or less being common, AFAIK all of those are direct-action overwriting. Meaning that they don't stay active in the background, and any infected program will no longer work. Too simple and destructive to be viable.
There is apparently a memory resident 76-byte virus, however note that it simply overwrites programs when they are copied, is "Rare", and was discovered in 1994, quite late for the machine you described:
Oh p'schaw, you are the troll. Copy CON: can create an empty file, you just don't know how to do it.
An 'empty program' such as a zero-byte .COM file created with COPY CON: is loaded into memory by DOS, and thus attackable by any virus set up with the suitable vector to do so.
5.25" was supposed to be typed 5¼", duh.
Unexpected disk activity when the machine is idle would mean the virus also hooks the timer interrupt and does stuff in the background, instead of (or in addition to) infecting programs you actively run. Implementing that on an OS not designed for multitasking is certainly possible, but would take quite a bit more than 100 bytes of code.
False. Read more virus code.
I don't care for your conclusions, which are merely fallacious and ill-intentioned. The machine exists, as does the virus, and it'll be in a museum in a month or so, folks will play with it. That's all that matters to me. Your faith in your own knowledge doesn't impress me.
The BBC Micro / Econet network used in UK schools was a lot of fun, very open, and not at all secure. There was no internet so you had to work everything out by reading the docs (which were very good) and reverse engineering.
Each account started with a quota (8K!), but you could easily steal more if you could persuade someone to run a program under your control. That was because if they created a file in your directory, and you deleted that file, then the quota to write the file came from their account, but deleting the file credited the quota back to your account. Needless to say I had a lot of spare quota after a while, so much so that I had to "hide" the fact by creating lots of random-filled files, since the system only tracked quota for free space, possibly the root cause of the bug.
Another one was that writing to address 3362 allowed you to change your station number (think IP address if you only had 256 addresses) on the Econet network. So you could trivially impersonate any other logged in account by assuming their station number and sending requests to the file server. I worked out the address (3362) by printing every address that contained the same byte as the station number across a few machines and cross-referencing them by hand.
Another one was the *NOTIFY command which sent messages to other machines on the network. Except it worked by literally typing those strings as if they had been entered on the keyboard of the other machine, obviously allowing you to send arbitrary commands. The system admins at our school removed the program but couldn't remove the underlying "system call" [as we'd refer to it nowadays] in ROM, so I wrote a program that performed a broadcast notify letting you type commands to as many other machines in the room as you liked.
I was banned from the school computer room after a couple of years of this.
One great way to get banned from school computers is to have any talent at computing. It's a bit like banning the kids with music talent from music class.
Quite the opposite here. The IT person, a former mathematics teacher, had no idea about anything so she let us run the old Econet network. They'd send students around with boxes of EPROMs and a screwdriver while she'd sit in her office smoking.
> Each account started with a quota (8K!), but you could easily steal more if you could persuade someone to run a program under your control. That was because if they created a file in your directory, and you deleted that file, then the quota to write the file came from their account, but deleting the file credited the quota back to your account. Needless to say I had a lot of spare quota after a while, so much so that I had to "hide" the fact by creating lots of random-filled files, since the system only tracked quota for free space, possibly the root cause of the bug.
Memory unlocked! We had a messaging program that worked by passing files between accounts. I modded it to siphon a few bytes into my account every time a message was sent, and I added some extra features to make it more attractive than the original version (wish I could remember what I added).
I was banned from the school computer room within a few days of my first computer lesson.
Also using BBC Micro / Econet. While the teacher was typing in their admin password to the Econet file server, I quickly typed a one-liner on one of the BBC Micros in the class that all of us children could see.
It fetched the contents of the keyboard buffer from the file server repeatedly and displayed it on the BBC Micro screen. So we watched, fascinated, as the teacher's very secret admin password appeared one character at a time on our screen.
After logging in, teacher turned round to see what the class was so excited by, and then I was banned from that room for the next 5 years. Never saw it again, couldn't take computer studies as a class.
Even so, when the school held a programming competition to make a pretty demo, I won the competition with my animated story about a plant being rained on and growing to a big happy plant, complete with music and unfurling leaves. Programmed outside school of course.
It was also possible to jam the network by futzing with the MC68B54 registers on any beeb. Can’t remember exactly how though as it was so long ago. Also breaking into the clock boxes and setting the rate too high for the cable span.
When I was in my early teens I wrote a worm for HyperCard on the Mac (it did nothing but spread. No messages or anything). In my infinite wisdom, I thought the ideal way to put my mark on history was to post it to Usenet to spread it... Of course, nearly all news servers filtered out binaries from discussion groups, so I assumed nobody ever saw it.
Years and years later, I was poking through the virus definition files for a Mac antivirus to see how they worked, and lo and behold - there was the HyperTalk source code for my worm, verbatim in the antivirus definition file... I guess someone did end up seeing it in the end... sorry for wasting someone's time!
In the beginning of the 2010's I was at a train station with my laptop and a dude walks up to me holding a USB stick. (Or was it an SD card?) Asks me if he can send an email or something. I remember him opening his storage device on my computer and he had some sketchy looking files. Was there a trojan on his USB stick? If there was, had he put them there intentionally? Is this how he scammed people? By approaching them at train stations with some device and an excuse to plug it in? Or was he just an unknowing carrier of the malicious files, a victim to his own habit of plugging his device into random strangers computers?
Perhaps there was nothing there and I was mistaken?
I never found out. But I also haven’t noticed anything out of the ordinary with any of my accounts since then. So even if something was up, I think it was not successful.
Your story reminded me of this experience. And also of autorun.inf files on CD-ROMs that would make Windows 95 and later run things. I think at some point in WinXP they disabled auto run of CDs and you had to explicitly choose to run programs that autorun.inf wanted to run.
Only tangentially related to what those GoPro cameras you mention would do with memory cards of course. But a memory nonetheless.
Reminds me of the Bu£a virus for C64, that infected the 1541 disk drive, thus could survive power cycling of the main unit. Here’s a detailed analysis - https://youtu.be/4k9EKkCcWoc
I posted this the last time this topic surfaced - apparently I can’t figure out how to permalink a post, it’s probably just too late for my tired brain :)
Along the same lines, I wrote my first ever (and last) virus for the BBC micro... Some history:
Waaay back in the mists of time (1988) I was a 1st-year undergrad in Physics. Together with a couple of friends, I wrote a virus, just to see if we could (having read through the Advanced User Guide and the Econet System User Guide), then let it loose on just one of the networked BBC machines in the year-1 lab.
I guess I should say that the virus was completely harmless, it just prepended 'Copyright (c) 1988 The Virus' to the start of directory listings. It was written for the beebs (the lab hadn't got onto PC's by this time, and the Acorn range had loads of ports, which physics labs like :-)
It spread like wildfire. People would come in, log into the network, and become infected because the last person to use their current computer was infected. It would then infect their account, so wherever they logged on in future would also infect the computer they were using then. A couple of hours later, and most of the 50 or so computers in the yr1 lab was infected, and it had spread to the yr2 machines as well, we were told later.
You have to remember that viruses in those days weren't really networked. They came on floppy disks for Atari ST's and Amiga's. I witnessed people logging onto the same computer "to see if they were infected too" - at which point the act of logging in would infect them...
Of course "authority" was not amused. Actually they were seriously unamused, not that they caught us. They shut down the year-1,2,3 network and disinfected all the accounts on the network server by hand. Ouch.
There were basically 3 ways the virus could be activated:
- Typing any 'star' command (eg: "* .", which gave you a directory listing). Sneaky, I thought, since the virus announced itself when you did a '* .' When you thought you'd beaten it, you'd do a '* .' to see if it was still there :-)
- The events (keypress, network, disk etc.) all activated the virus if inactive, and also re-enabled the interrupts, if they had been disabled
- The interrupts (NMI,VBI,..) all activated the virus if inactive, and also re-enabled the events, if they had been deactivated.
On activation, the virus would replicate itself to the current mass-storage media if it wasn’t already present. This was to cause problems because we hadn't really counted on just how effective this would be. Within a few days of the virus being cleansed (and everyone settling back to normal), it suddenly made a re-appearance again, racing through the network once more within an hour or two. Someone, we decided, had put the virus onto their floppy disk (by typing *. on the floppy when saving their work, rather than the network) and had then brought the disk back into college and re-infected the network.
If we thought authority was unamused last time, this time they held a meeting for the entire department, and calmly said the culprit, when found, would be expelled - no ifs, no buts. Excrement and fans came to mind. Of course, they thought we'd just re-released it, but in fact it was just too successful for comfort...
Since we had "shot our bolt", owning up didn't seem like a good idea. The only solution we came up with was to write another (silent, this time :-) virus which would disable any copy of the old one, whilst hiding itself from the users. We built in a time-to-die of a couple of months, let it go, and prayed...
We had actually built in a kill-switch to the original virus, which would disable and remove it - we didn't want to be infected ourselves (at the start). Of course, it became a matter of self-preservation to be infected later on in the saga - 3 accounts unaccountably (pun intended :-) uninfected... It wasn't too hard to destroy the original by having the new virus "press" the key combination that deleted the old one.
So, everyone was happy. Infected with the counter-virus for a while, but happy. "Authority" thought they'd laid down the law, and been taken seriously (oh if they knew...) and we'd not been expelled. Everyone else lost their infections within a few months ...
It is vaguely possible that I still have the source code, on a degrading 5.25” floppy somewhere in the attic, but it’s not likely, and I don’t have any way to read that hypothetical floppy disk anyway…
In any event, I've never written anything remotely like a virus since [grin].
On a Prime in EE school I had 'infinite compute' due to some happy coincidence. Never mind that I only had a few seconds of compute time left when I figured out how the quota system worked. Computers were so much more fun than wiring diagrams. Fortunately whoever managed the computer there was completely clueless.
A somewhat interesting aspect is the assembly by hand and the POKEs from DATA statements (as you would do on most other micro computer systems). Notably, BBC BASIC featured a built-in assembler, so you could directly interleave 6502 assembler code with BASIC statements. – Was this some kind of obfuscation, or did the built-in capabilities of BBC BASIC fail to come to the notice of an otherwise well-versed kid? Or was this an intricacy of the Sideways RAM, which couldn't be reached this way?
The story went that his grandparents had bought the thing brand new, used it for a couple of months, and then 'something went wrong with it', they stashed it in the attic and its been there ever since.
Would I take a look at it and see whats up?
Indeed I would! I have a bit of a thing for old computers.
We plug it in, boot it up, and there she is in all the amber glory, C:\>
I tell the kids "let her settle for a bit, lets just bathe in the glory a little more", a few seconds go by .. and sure enough .. that old clunky 20Meg hard drive gives a little tick.
Okay, I have a hunch.
C:\> echo > DEADBEEF.COM
C:\> dir DEADBEEF.COM
DEADBEEF.COM 0 bytes
(I'm paraphrasing)
Okay .. interesting, what happens if we:
C:\>DEADBEEF.COM
<blink blink>
C:\> dir DEADBEEF.COM
DEADBEEF.COM 76 bytes
Ah hah! Kids, we have a Virus. And probably one of the very, very early viruses. "And very well self-contained", I proclaim as I duct-tape the 5.4" floppy drive with great drama, because there's no way any of the highly valuable 5.4" floppy disks in my collection are ever going in there ..
We spend a few days delighting in all the things we can do with C:\DOS\DEBUG.COM and that little virus, which happily copies itself wherever we tell it to, and the kids get a boot camp introduction into interrupt service routines, BIOS calls and old-school hygiene techniques ..
After a week or so of this, the caps blow, and the virus returns to its slumber.
We'll replace the caps soon enough, and it'll become an exhibit .. its the perfect way to explain to interested young computer nerds what a virus is, how it works, and what you can do with it/for it/against it, in a controlled environment ..