Security.com

Elk Cloner

By Rahul Awati

What is Elk Cloner?

Elk Cloner is the first personal computer virus or self-replicating program known to have spread in the wild on a large scale. In 1982, 15-year old Richard Skrenta wrote the virus for the Apple II operating system. Stored on floppy disks, the virus copied itself to any uninfected floppy disks when a user booted a computer from an infected floppy disk.

At the time, computers had dual floppy disk drives and diskettes were often shared among people. As a result, the virus was frequently copied, which is how it spread to millions of Apple II systems.

Every 50th time an infected computer booted up, the following poem that Skrenta wrote would be displayed:

     Elk Cloner:  The program with a personality

        It will get on all your disks
          It will infiltrate your chips
            Yes it's Cloner!

        It will stick to you like glue
          It will modify ram too
            Send in the Cloner!

Elk Cloner was not intended to cause damage, rather it was created as a practical joke. It also annoyed users because it also played other tricks every five boots that caused usability and user experience issues.

Understanding the Elk Cloner virus

Elk Cloner is a boot sector virus that invades a computer's hardware. It was written for Apple II systems in assembly language and infected floppy disks.

In addition to infecting its host computer, the virus could also automatically copy itself to other computers via an infected floppy disk. This happened when a clean floppy disk was inserted into the same computer, and the user keyed in the command catalog for a list of files. The virus triggered a network-like infection.

The Elk Cloner lifecycle

There are three primary phases involved in the Elk Cloner lifecycle:

  1. Boot loading
  2. Replication
  3. Manifestation

Boot loading

In the boot loading phase, the virus moved from the infected disk to the system's memory.

A diskette infected with Elk Cloner had the following characteristics:

The Apple II diskettes had 35 tracks. The first three tracks of Apple DOS diskettes were reserved for boot loaders and a copy of DOS. Generally, the last 12 sectors (5 to 16) of track 2 are unused. However, in an infected diskette, these sectors included the Elk Cloner executable.

When a diskette booted, the Apple II started executing a series of complex boot loaders. Boot 2 on Track 0 was responsible for loading DOS into memory. It also loaded the relocator. If a diskette was infected, first sector reserved for the relocator contained the Elk Cloner loader, so the virus could use Boot 2 to add its loader into the memory. Once the loader was in RAM, the next step forced the DOS to execute the virus.

Replication

In this phase, the virus infected new diskettes. Elk Cloner compromised commands including LOAD, BLOAD and CATALOG by overwriting the first instruction of the command's subroutine with the unconditional branch of one of the virus' command handlers. Thus, whenever any of these commands were invoked, the virus gained execution control. Each command handler performed three primary tasks

  1. Determined if the current diskette had already been infected.
  2. Invoked the replication subroutine, if necessary, to replicate the infection to the diskette.
  3. Prepared for re-entry into the DOS command subroutine and relinquished control of execution back to DOS.

Manifestation

In the manifestation phase, the virus exhibited user-observable behavior. The Elk Cloner virus manifested itself using 14 different behaviors, some of which were subtle and difficult to observe, or caused by a transient error.

These behaviors at different boot numbers were:

Boot # Behavior
10 Overwrote the reset vector. Pressing CONTROL-RESET entered the monitor program instead of DOS.
15 Modified the video mode, causing inverted screen text.
20 Wrote to the speaker, causing users to hear a brief click.
25 Modified the video mode so that the on-screen text flashed.
30 Rearranged the characters that represented the file type when executing the CATALOG command.
35 Modified the value that represented CONTROL-D, so that the DOS commands invoked from Applesoft BASIC were printed rather than executed.
40 Overwrote the reset vector so that pressing CONTROL-RESET forced the machine to enter an infinite loop.
45 Set the Applesoft program protection flag.
50 Modified the reset vector. Pressing CONTROL-RESET displayed the Elk Cloner poem.
55 Modified a constant in the diskette calibration code to change the sound the disk calibration process made during the boot process.
60 Wrote a different value to the constant in the disk calibration code, similar to 55th boot.
65 Overwrote the DOS command handler's first instruction to jump to the monitor routine, leading to the disk booting into the monitor.
70 Wrote a different value to the constant in the disk calibration code, similar to 55th boot.
75-78 Unconditionally branched to the first instruction executed when booting a disk, leading to four consecutive reboots.
79 Reset the boot counter.

Behavior types with an Elk Cloner infection

Starting with the 10th boot, Elk Cloner did something different on every 5th boot. The system then displayed different kinds of behaviors.

Obvious misbehaviors

On the 50th boot, Elk Cloner made its presence known by modifying the reset vector. It would reference a subroutine to display Skrenta's poem. Pressing RESET-CONTROL exited the program to a DOS prompt.

Error-like behaviors

Observed in the 10th, 15th, 25th, 40th, 65th and 75th boots, these behaviors led to errors such as entering the monitor program, displaying inverted or flashing text on the screen, or hanging the system. Because the machine returned to normal behavior with a system reboot, most users considered these behaviors a transient problem with the diskette or drive. They also had no reason to suspect tampering because this was the first virus in the wild.

Elusive behaviors

The remaining behaviors were difficult to detect, and occurred in the 20th, 30th, 55th, 60th and 70th boots. Since they were subtle, users often overlooked them.

Enduring impact of the Elk Cloner virus

Elk Cloner was the first virus to affect a system during boot-up. The virus targeted and affected Apple II's boot sector. Apart from display annoying messages, the virus did not have any drastic negative effects. However, it did spread rapidly, and at one point, infected a U.S. Navy member's computer.

When any machine used an infected floppy disk, the virus entered its memory. It also compromised clean floppy disks as soon as they came in contact with the computer carrying an infected floppy. Elk Cloner's capacity to copy itself -- which is a major characteristic of a virus -- annoyed many of Skrenta's friends and classmates.

The term virus was coined in 1984 to describe a self-replicating program that inconvenienced users. Elk Cloner, which predates the term by two years possibly played a role in this new nomenclature. Elk Cloner also predates by four years the world's first Microsoft OS virus, Brain, which came out in 1986.

08 Dec 2021

All Rights Reserved, Copyright 2000 - 2024, TechTarget | Read our Privacy Statement