Rich Skrenta's home page

Subject: Re: A (long) story about an (old) Apple ][ virus Newsgroups: alt.hackers Distribution: alt References: <1990Apr2.054914.11842@eng.umd.edu> Approved: elk@cloner In article <1990Apr2.054914.11842@eng.umd.edu> russotto@eng.umd.edu (Matthew T. Russotto) writes: > So are you ELK CLONER???? That is the virus I thought was the first > microcomputer virus, and '81 or '82 is the right time frame. As I recall, > it would put up a message: No, he's not the Elk. Here's the message: "Elk Cloner: The program with a personality It will get on all your disks It will infiltrate your chips Yes it's Cloner! It will stick to you like glue It will modify ram too Send in the Cloner!" This message would appear when you hit reset after your 50th boot of an infected disk. Cloner counted boots; it played other subtle tricks about every five boots. It never tried to harm data, but it could cause problems if it tried to infect a non DOS 3.3 disk. I heard it trashed Diversi-Dos disks if it tried to infect them. Cloner was also mentioned in Computer Recreations (Scientific American, March, 1985 I think), and also made it into Time (November 4, 1985). The most complete description of its creation appeared in The Daily Northwestern, a college paper. Ask me for a copy if you're interested. Joe Dellinger's viruses sound similar to Cloner. Cloner occupied an unused hole in Dos (somewhere on track 2 around sector 8). It also stamped a version ID in the VTOC; manually putting Cloner's ID there yourself provided a way of immunizing your disk. In article <449@helens.Stanford.EDU> joe@hanauma (Joe Dellinger) writes: > The Virus wasn't particularly infectious; it only spread on > "CATALOG" commands. Cloner also spread through the "CATALOG" command. I found it quite infectious, though. Quarantined copies were a must; even so, it would break out from time to time and I'd have to start up The Inspector (a disk sector-editor) to get rid of it. jd> check the version, the simplest way is to do a "CATALOG" of the disk you're jd> checking, and then look at B3BF. jd> jd> (If you don't find zeros at B6E8, 9CFE, and B3BF, but also don't find jd> the bytes I've mentioned, then I don't know any more about it than you do, The similarity is incredible. I guess those unused spaces in the VTOC were popular. Cloner used B3BF for the boot count; its version number was stamped at B3C2. If I can read this old code right, however, there's an easier way to check for Cloner. Pop into the ROM monitor (CALL -151) and ... Hurm, I forget... there was something called the "user" command (was it '&' ?) and it must have taken an argument. $0B shows the Cloner version number, $0C shows the current boot count, $0D forces a clone, and $0A dumps the poem. mr> Lots of them-- I'll check mine, and spread the message to the person I got mr> Elk Cloner from (I have a copy of that, quarantined) Amazing. Really amazing. I don't even have my Apple II anymore, I gave it away. I wrote a lot of stuff for the Apple II--obscure adventure games, a small compiler, a toy multi-user operating system. The stupidest hack I ever coded generated the most interest, and lives on to this day.

Rich Skrenta (skrenta@pbm.com)