Computer viruses for OS CP/M

a thread on the English-language forum where a similar question was raised and discussed. I am posting a machine translation of the most interesting messages from this forum thread.


> Radovan Garabik February 22, 2019 at 8:46 am

Are there (known) viruses for CP/M? Chronologically, CP/M machines fit into the period of the first home computer viruses, starting with other 8-bit computers.

Given the hardware independence, CP/M viruses could spread quite successfully, and speculation about a possible mechanism – a virus that attaches to an executable, runs when the executable is run, infects a random file, and then jumps to the real code – is well within the technical capabilities. Even virus hiding could be well supported by the existing file system block padding.

OTOH, boot viruses are probably out of the question if we want to move beyond a single architecture.

Here I use the term “virus” quite broadly – Trojans and worms are included, and of course Trojans are quite possible under any OS.

The question is primarily about “classic” CP/M or MP/M, but CP/M-86 and other examples are also welcome (I suppose that technically a CP/M-86 virus would be feasible in much the same way as the MS-DOS ones were).

I tried an extensive search on the net but found nothing.

> dirkt 22 February 2019 at 11:23

Writing a proof of concept CP/M virus seems like a good project. However, I don't think distribution would work easily – the typical workflow was to have one “system” diskette, one “data diskette”, and the “system” disks were created by hand copying. So, although the virus would infect other executables on the system disk, it would only spread to other disks if that disk was copied. Also, accessing the “wrong” disk is quite noticeable.

> Ross Ridge 22 February 2019 21:47

Most early viruses (such as those for the Apple II, which had a similar floppy disk boot environment) interfered with the boot process in some way. As you say, this would have limited a CP/M virus to just one particular implementation of CP/M, since there was no common boot environment for CP/M. By the time people were creating viruses that could infect executables, CP/M was largely obsolete and uninteresting to hackers. So it wouldn't surprise me if there were few or no CP/M viruses.

> Martin Rosenau 22 February 2019 9:08

CP/M viruses could spread quite successfully

I doubt it:

The virus cannot infect all types of file formats, but only files that contain code:

  • Executable files

  • Other files containing any code (for example, macros in office documents)

  • File formats that can be manipulated in such a way that when the file is opened, an error occurs that causes the computer to execute some code – for example, by forcing a buffer overflow

In the 1970s and 1980s, file types that met criteria (2) and (3) were not used very often (if they existed at all), so the virus could only spread using executable files.

While home computer users very often exchanged executables (illegally copied games!), I doubt that professional users (using CP/M) exchanged executables.

Added.

After reading the comments, I would like to expand on my answer a little:

In the days when computers did not have access to the network/modem/Internet/…, viruses could only spread widely in the following scenario:

  • Some user runs an infected CP/M program.

  • The virus infects other CP/M programs on the user's computer.

  • The user transfers some of these CP/M programs to a second user.

  • The second user passes some infected CP/M programs to the third user.

  • The third user passes some infected CP/M programs to the fourth user.

And so on …

I doubt this scenario ever happened as often as a comparable scenario happened with C64 programs. (Note that a CP/M virus probably won't be able to infect non-CP/M programs on computers where CP/M is not the only OS, such as the Amstrad CPC, Commodore 128, or some MSX machines.)

You should also see that the actual process of infecting a file is much less likely in the case of a CP/M virus:

CP/M computers were not compatible with the hardware at all. A program or virus could not directly access the hardware, nor could it do anything else that was not officially supported by the operating system.

Thus, the only way a CP/M virus can infect another program is when the program is stored on a disk that was supposed to be on the disk when the infected program was running. (Most versions of CP/M do not support parts of a program remaining in RAM after the program has terminated.)

In contrast, an MS-DOS or C64 virus can do things that are not officially supported by the operating system. They can remain in RAM after the program has terminated (MS-DOS even officially supports this). When you insert the disk much later, it can infect the programs on the disk.

> Raffzahn 22 February 2019 11:38

On the one hand, there is no difference between those who seek to copy, and those who change the role from “private” to “business”. In fact, being more visible (shown on TV) as being done privately, “program sharing” in companies was much more common. That's why copy protection (dongles) were such a big business during the 80's – almost all for non-home machines. The second CP/M was not entirely professional. Where home machines running CP/M are quite popular – think Amstrad/Schneider CPC series.

> RichF 23 February 2019 19:45

Malware was a concern, but I don't remember viruses spreading from one computer to another being a big problem. Communication programs like XModem don't allow executable programs to be transferred by their names. For example, “newprog.exe” would have to be named something like “newprog.ex_” before it could be run. This put the onus entirely on the bootloader to run the malware, because it would have to rename it manually first.

> tofro 26 February 2019 12:31

CP/M executables would be particularly vulnerable because their size is determined not by the byte, but by the cluster. So if someone wrote a knapsack that filled the last cluster of a .COM file, no one would be able to notice without a debugger.

> john_e April 2 at 10:10

In this 1993 USENET thread, people claim to have written simple proof-of-concept viruses for CP/M. Since they claim they were programming exercises, it is unlikely that they ever left their authors' computers.

CP/M virus

> Paul Martin

Can I get more information about this “virus” – if it is not too much trouble? Some time ago I made a request on the Net about viruses in CPM systems. I only got a few answers saying that it is almost impossible (compared to MS-DOS) because you have to ENTER the file name of this virus – it will not be “activated” in any other way

All virus-infected programs must be executed before they can infect your system, regardless of whether they target MSDOS or CP/M.

The virus was very simple. It could only infect CP/M Plus systems (because they have the ability to disable BDOS error messages) that used Z80s (because I needed the Jump Relative instruction to keep the code as position-independent as possible). It also checked to see if there was enough free memory for its DMA sector buffer.

It copied the first eight bytes from the beginning of the COM file, placed them in the virus code at the end of the COM file and replaced them with a jump to the virus code and the identifier “GOON”. The virus infects the first COM file found in the same area of the disk/user and installs something so that the file is not touched again.

Every 10 uses of the infected program, it would print “I've been sponned” and return to the CCP prompt.

infection, the .COM file will increase by three sectors (3×128 bytes).

Before you ask, I don't want to give the full source to anyone. I'm not going to be responsible for people letting other idiots write programs to crash their computers or wipe their disks.
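The indicators in the description above (an entry jump, the “GOON” identifier in the first eight bytes, and three appended 128-byte records) can be turned into a defensive check. The following is an added example, not part of the thread and not Paul Martin's code. It assumes the jump is a Z80 `JP nn` (opcode C3h) at offset 0, that the identifier sits somewhere in the first eight bytes, and that .COM files load at 0100h; the sample images are constructed and contain only zero bytes.

```python
"""Added example: heuristic scan of a CP/M .COM image for the 'GOON' marker."""
import struct

TPA_BASE = 0x0100      # CP/M loads .COM files at 0100h
RECORD = 128           # CP/M record (sector) size
TAIL_RECORDS = 3       # growth reported in the post: 3 x 128 bytes
MARKER = b"GOON"       # identifier named in the post
JP_OPCODE = 0xC3       # assumption: absolute jump "JP nn" at offset 0


def scan_com(image: bytes) -> dict:
    """Return findings for one .COM image; 'suspicious' needs both indicators."""
    result = {"marker": False, "jump_target": None, "jump_into_tail": False,
              "record_aligned": len(image) % RECORD == 0, "suspicious": False}
    head = image[:8]
    if len(head) < 8:
        return result                        # too short to hold the 8-byte header
    result["marker"] = MARKER in head
    if head[0] == JP_OPCODE:
        (target,) = struct.unpack_from("<H", head, 1)   # little-endian address
        result["jump_target"] = target
        offset = target - TPA_BASE           # file offset the jump lands on
        tail_start = max(len(image) - TAIL_RECORDS * RECORD, 8)
        result["jump_into_tail"] = tail_start <= offset < len(image)
    result["suspicious"] = result["marker"] and result["jump_into_tail"]
    return result


def sample_image(marked: bool) -> bytes:
    """Constructed test images: zero-filled bodies, no real code."""
    body = bytes(4 * RECORD)                 # 512-byte placeholder program
    if not marked:
        # A clean program may also start with JP, but into its own body.
        return bytes([JP_OPCODE]) + struct.pack("<H", TPA_BASE + 0x10) + body[3:]
    tail = bytes(TAIL_RECORDS * RECORD)      # placeholder for appended records
    target = TPA_BASE + len(body)            # first byte of the appended tail
    head = bytes([JP_OPCODE]) + struct.pack("<H", target) + MARKER + b"\x00"
    return head + body[8:] + tail


if __name__ == "__main__":
    for name, img in (("clean.com", sample_image(False)),
                      ("marked.com", sample_image(True))):
        print(name, scan_com(img))
```

A leading jump alone is common in legitimate .COM files, which is why the check requires the identifier and a jump target inside the last three records before flagging a file.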

> Dr. Henry Brancik

I experienced a virus called [form]. I discovered a virus when I tried to copy some data files from my hard drive to a floppy disk. The error message said the disk was not formatted when the disk was taken from a new pack of 10, all of which were factory formatted. The disks were OK on other MS-DOS machines, but not OK here. After reformatting, I was able to copy the files to this disk. A similar thing happened when I tried to copy files to a floppy disk I had used the day before on this machine. The disk was “readable and writable” on the other machine, but not on this one. Running a virus scan found a virus called [form].

The virus was removed and the system files were restored from backups. The virus was not found after this. The virus was found on a reformatted floppy disk, as expected. By filling that floppy disk with data files, copying them from the hard drive, and then creating a temporary directory and copying all the files back there, the virus was transferred to the hard drive. A virus scan found it there. When I rebooted the computer, the virus was (apparently) activated and I was unable to copy the files to the floppies without reformatting them first. The “infected” file was a binary data file, not a .COM or .EXE. No one was using that file at all.

My argument: you CANNOT have this happen on a CP/M system. You would have to run a virus program – it would not be “activated” when the system was rebooted. I have no explanation for what happened on this MS-DOS system, but it seems to me that the system is definitely not bug-free and that someone is exploiting this fact. If the virus is just a piece of extra code tacked on to the end of a file (as all those virus articles claim), how does COPY know what to do with that extra code and where to put it to be activated on reboot? If that piece of code can be “simulated” somewhere in the data file (as just data), then why is that extra code not picked up by virus scans?

In a CP/M system, you have to type the name of the file you want to run, there is no other way to run a program without the user's knowledge. So any program written by someone to destroy your directory while displaying funny messages on the screen can be considered a “virus”. If you don't know what a program does, or if you are suspicious, you will create a scratch disk and try the program there. No harm will come. No program on a CP/M machine will activate itself without the user's knowledge or without someone interfering with the system. And that's all.

Is there anyone on the net to support my claim (there is no “virus” possible on CP/M), or is there anyone who has experienced a “virus” on CP/M?

> Peter Herweijer

Since I also wrote a toy CP/M virus after reading that “it was impossible” — let me assure you — it is eminently possible.

The argument that “a CP/M virus is impossible because you have to explicitly run the virus on CP/M and not on MSDOS” is invalid.

In brief:

    MSDOS                       CP/M
    mbr, boot sector            boot sector
    config.sys, autoexec.bat    profile.sub
    fat                         directory
    com, exe files              com files
    hdd, fdd                    fdd (sometimes hdd)

*all* popular MSDOS virus infection methods are available for CP/M. The main differences are: [1] more variations in boot sectors, so it is impossible to write a *generic* boot sector virus; [2] software setup (device drivers, etc.) is often simpler, offering fewer opportunities for downloading viruses; [3] Many CP/M systems do not have a hard disk, and viruses must be more discreet and spread more slowly on floppy disks. The virus must also be smaller so as not to attract attention. This makes writing a CP/M virus more difficult, but not impossible.

Imagine, for example, a virus embedded in a strategic program like PIP or NSWEEP. It would attempt to infect one .COM program each time a file was opened for writing (i.e. at a time when some additional disk activity would not be apparent), but ONLY if the file size in KB did not increase… 'Nuff said…

> Paul Martin

The argument that “a CP/M virus is impossible because you have to explicitly run the virus on CP/M, not MSDOS” is invalid. In short: MSDOS CP/M mbr, boot sector boot sector

immune to this: I boot CP/M Plus (lot) from ROM.

config.sys, autoexec.bat profile.sub

Only available with CP/M Plus.

An image of a virus embedded in a strategic program such as PIP or NSWEEP. It will attempt to infect a single .COM program.

You forgot to mention the CP/M equivalent of the MSDOS TSR program, RSX. RSXes can also be attached to any .COM file. The hard bit is that they must be inserted at the beginning. There are other ways…

Enough said? This is just an academic exercise – the first person to release such a beast will have a group of CP/Mers converging on him/her, ready to do something horrible and lasting to them.

> David Goodenough

I experienced a virus called [form]……

Running a virus scan has detected a virus called [form]. The virus was removed, system files restored from backups. The virus was not found after this. The virus was found on a reformatted floppy disk – as expected. By filling this floppy disk with data files, copying from the hard drive, and then creating a temporary directory and copying all the files back there, the virus was transferred to the hard drive. A virus scan found it there. When I rebooted the computer, the virus was (apparently) activated, and I was unable to copy files to the floppies without reformatting them first. The “infected” file was a binary data file, not a .COM or .EXE. No one was using this file at all.

This sounds very close to a boot sector virus. The first sector of any DOS disk is the boot loader, even in the case of an unbootable floppy disk. In this case, the boot loader tries to load the operating system, but when it doesn't find one, it prints a “non-system disk” message. However, the code still had a chance to run.

When you format a disk, the boot sector from your hard drive is copied to the floppy disk, this is how they are transferred, and can also “jump” back from an infected floppy disk when you boot from it.

Is there anyone on the net to support my claim (there is no “virus” possible on CP/M), or is there anyone who has experienced a “virus” on CP/M?

Well, in a futile attempt to keep this on topic, I'll make the comment that boot sector viruses are probably impossible under CP/M. The reason for this is that, due to different hardware, the boot sector of (for example) a Kaypro 4 will not work on a Televideo 803. Because of this boot sector viruses under CP/M will have a very hard time spreading: one written for Kaypros will only work on Kaypros, you'll have to write another version for Televideos, and so on.

*HOWEVER* there are other types of viruses: those that infect .EXE and/or .COM files and are activated when the program is run. *THIS* type of virus is possible under CP/M, although with the exception of the “unreleased” Mr. Martin [*], I have never heard of such a thing.

[*] Thanks to Paul for keeping me safe – it's nice to know there's a little purity left in the world.
