On February 7, 1988, users of Compuserve’s Hypercard Forum were greeted with an intriguing warning message. It told them that the NEWAPP.STK Hypercard stack file was no longer on the system. The notice suggested that if they had downloaded the file, they should not use it. If they had used it, they should isolate the system the file had run on.
The story, on Compuserve, had actually started a day earlier. A user had earlier downloaded the same Hypercard stack from the Genie system, and noticed, when he used it, that an INIT resource had been copied into his system folder. (In the Mac world, this generally means that a program is executed upon startup. Many of these programs are “background” utilities which remain active during the course of the session.) The user, noticing that this same file was posted on Compuserve, had put up a warning that this file was not to be trusted.
The moderator of the Forum initially downplayed the warning. He stated that there was no danger of any such activity, since Hypercard “stacks” are data files, rather than programs. Fortunately, the moderator did check out the warning, and found that everything happened as the user had said. Furthermore, the INIT resource was “viral”: it spread to other “systems” that it came in contact with. (At that time “system” disks were more common among Mac users, as “bootable” disks were among MS-DOS users.) The moderator apologized, posted the warning, and a number of people started looking into the structure of the virus.
The virus appeared to be benign. It attempted to reproduce until March 2, 1988. When an infected computer was booted on that date, the virus would activate a message that “RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world.” A laudable sentiment, perhaps, although the means of distribution was unlikely to promote a “peaceful, easy feeling” among the targeted community. Fortunately, on March 3 the message would appear once and then the virus would erase itself.
Authorship
Richard Brandow was the publisher and editor of the MacMag computer magazine. Based out of Montreal, it was reported at the time to have a circulation of about 40,000. An electronic bulletin board was also run in conjunction with the magazine.
Brandow at one point said that he had been thinking about the “message” for two years prior to releasing it. (Interesting, in view of the fact that the date selected as a “trigger”, March 2, 1988, was the first anniversary of the introduction of the Macintosh II line. It is also interesting that a “bug” in the virus which caused system crashes affected only the Mac II.) Confronted by users upset by the virus, Brandow never denied it. Indeed, he was proud to claim “authorship”, in spite of the fact that he did not, himself, write the virus. (Brandow had commissioned the programming of the virus, and the internal structure contains the name “Drew Davidson”.)
Brandow gave various reasons at various times for the writing of the virus. He once stated that he wanted to make a statement about piracy and copying of computer programs. (As stated before in association with the Brain virus, a viral program can have little to do with piracy per se, since the virus will spread on its own.) However, most often he simply stated that the virus was a “message”, and seemed to imply that somehow it would promote world peace. When challenged by those who had found and disassembled the virus that this was not an impressively friendly action, Brandow tended to fall back on rather irrational arguments concerning the excessive level of handgun ownership in the United States. (My apologies on behalf of my countrymen. While few of us like handguns, not many of us show this level of illogic.)
(It is interesting, in view of the “Dutch Crackers” group, the Chaos Computer Club and the Bulgarian “virus factory”, that Brandow apparently felt he had a lot of support from those who had seen the virus in Europe. The level of social acceptance of cracking and virus writing shows an intriguing cultural difference between the European states and the United States.)
My suspicion, once again, is that the MacMag virus was written primarily with advertising in mind. Although it backfired almost immediately, Richard Brandow seems to have milked it for all it was worth, in terms of notoriety. For a time, in fact, he was the “computer commentator” for the CBC’s national mid-morning radio show, “Morningside” (somewhat of an institution in Canada). While I never heard of MacMag before the virus, I’ve never seen a copy since, either. According to the recent news reports, Richard Brandow now writes for “Star Trek”.
Spread
Brandow claims to have infected two computers in MacMag’s offices in December of 1987 in order to “seed” the infection. It probably isn’t beyond the bounds of possibility that a few deliberately infected disks were distributed as well.
A resource (named DREW in the Hypercard stack and DR in its viral form) was copied into the System folder on Mac systems. The System folder, as the name implies, is the “residence” of the operating system files. With the resource-based structure of the Mac OS, the operating system can be configured and customized by “dropping” resources into the System folder. (MS-DOS users, tired of fiddling with entries in CONFIG.SYS, conflicting TSRs and the like, might be warned that this does not always work as easily as it sounds.)
“Bootable” Mac disks contained a System folder, in the same way that “bootable” MS-DOS disks contain the “hidden” system files and COMMAND.COM. In those days, “system” disks were much more common than they are now. In addition, Mac users would often create “system” disks that would have specialized configurations. (I well remember, at the time, a number of Macintosh programs which would work with one specific version of the Finder only. This would put the user in the position of having to “downgrade” the computer each time it was desired to run these programs.) The Mac OS “opens” each disk inserted into the machine. Therefore, on an infected machine, any diskette which was inserted into the drive would have the MacMag virus copied into its System folder.
The MacMag viral resource was placed into the folder as an “INIT”. This meant that it would be one of the “initial” programs automatically run on system startup. Many, if not most, INITs are background or resident programs which either monitor or support different functions on an ongoing basis. Therefore, this was a perfect position for a virus. On an ongoing basis it would be able to watch for opportunities to spread.
The MacMag virus was not a sophisticated piece of programming. As one of the earliest (one of the (rarely used) names for it was the “Macinvirus”) Mac viral programs, it didn’t have to be. (Some would say that Mac viri [viruses] don’t have to be sophisticated anyway. Although the Mac world has far fewer viral strains than does the MS-DOS world, infection rates of a given virus have tended to be far higher in Mac populations.) There is no particular secrecy to the MacMag virus. Anyone who looked could find it. Few, however, looked.
Robert M. Slade’s history is available here with permission of Robert M. Slade. Please do not further use the material without obtaining your own permission to use it.
Thank you Mr. Slade.