[comp.sys.amiga] Happy birthday Mac-II

peter@nuchat.UUCP (Peter da Silva) (03/03/88)

Happy birthday, Mac-II. How many Mac users discovered they were infected with
the Hypercard virus today?
-- 
-- a clone of Peter (have you hugged your wolf today) da Silva  `-_-'
-- normally  ...!hoptoad!academ!uhnix1!sugar!peter                U
-- Disclaimer: These aren't mere opinions... these are *values*.

jwhitnel@csi.UUCP (Jerry Whitnell) (03/05/88)

In article <720@nuchat.UUCP> peter@nuchat.UUCP (Peter da Silva) writes:
>Happy birthday, Mac-II. How many Mac users discovered they were infected with
>the Hypercard virus today?

A lot less than the number of Amiga users whose Amiga was infected
by the Amiga virus from Europe, I'll bet.

>-- a clone of Peter (have you hugged your wolf today) da Silva  `-_-'


Jerry Whitnell				Been through Hell?
Communication Solutions, Inc.		What did you bring back for me?
						- A. Brilliant

klash@uvicctr.UUCP (Karl B. Klashinsky) (03/06/88)

In article <720@nuchat.UUCP> peter@nuchat.UUCP (Peter da Silva) writes:
>Happy birthday, Mac-II. How many Mac users discovered they were infected with
>the Hypercard virus today?

Me, for one, and several people here in our Comp. Sci. department.

What follows is a brief description of the virus.

As you probably heard, the virus was `benign', i.e., caused no ill effects,
but, at first, we didn't know that.  Myself and a professor here decided
to check it out and see.  Since the virus removes itself after displaying
its message, we first had to find a boot disk that was infected, but had not
been used to boot a machine that day (Mar. 2).  We got lucky, and found one.

The virus exists as an INIT resource in the system file itself.  It is
a named resource, the name being "RR".  Its id is 6.  You might want
to check any unused boot disks with ResEdit to see if you can find
it yourself.

Michael Levy (the prof mentioned above) has MacNosy, and, using it,
he was able to disassemble the INIT, and figure out what it was doing.
In a nutshell, it would check the date, and, if the date was Mar 2, it
would display its message, then quietly remove itself.  Nothing else.
If it was before Mar 2, it would lock itself into system memory, and
patch MountVol so that it would get called whenever a volume was mounted.

Whenever a valid boot volume (i.e., with a system folder) was mounted, it
would see if the system file was already infected.  If it wasn't, it
would copy itself into the system file, then pass on to the real MountVol.
The only potential problem here is that it doesn't seem to bother checking
for an already existing INIT#6, so the prior existing INIT would be clobbered
(I'm not sure of that fact, tho).

This virus is probably more widespread than we think.  Although it may
have originated in a stack, once in a boot disk, it can propagate WITHOUT
the help of HyperCard.  As a case in point, back in NOVEMBER, when I
first got my HD, I was trying to get it set up, but, at boot time, the
machine would lock as soon as the startup screen was displayed.  After
a little playing around, I determined that the culprit was (you guessed
it) INIT "RR" #6!  Where it came from, I'll never guess.

-- 
Karl Klashinsky                         "I shall endeavour to
University of Victoria                  function adequately."
British Columbia, Canada                	Lt. Data

e-mail:	{uw-beaver, ubc-vision}!uvicctr!klash
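
[Added example, not part of the original post or the posters' own code: the ResEdit check described above, automated as a parser for the classic Mac OS resource fork map that reports whether a System file carries INIT id 6 named "RR". It assumes the resource fork has already been extracted to a byte string; `build_fork`, `check_system_file` and the sample contents are constructed for illustration.]

```python
import struct

def list_resources(fork: bytes):
    """Return (type, id, name) for each resource in a classic Mac OS resource fork."""
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("truncated or malformed resource map")
    type_list, name_list = struct.unpack_from(">2H", fork, map_off + 24)  # map-relative
    tl = map_off + type_list
    ntypes = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF  # stored as count-1
    found = []
    for t in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4s2H", fork, tl + 2 + 8 * t)
        for r in range(last + 1):
            rid, name_off = struct.unpack_from(">hH", fork, tl + ref_off + 12 * r)
            name = None
            if name_off != 0xFFFF:  # 0xFFFF means the resource is unnamed
                p = map_off + name_list + name_off
                name = fork[p + 1:p + 1 + fork[p]].decode("mac_roman")  # Pascal string
            found.append((rtype.decode("mac_roman"), rid, name))
    return found

def check_system_file(fork: bytes) -> str:
    """Classify by the indicator given in the post: INIT id 6 named "RR"."""
    init6 = [n for t, i, n in list_resources(fork) if t == "INIT" and i == 6]
    if "RR" in init6:
        return "INIT 6 'RR' present"
    return "INIT 6 present, other name" if init6 else "no INIT 6"

def build_fork(resources):
    """Constructed sample input: pack [(type, id, name_or_None, payload)] into a fork."""
    types = sorted({r[0] for r in resources})
    data = names = refs = b""
    tlist = struct.pack(">H", len(types) - 1)
    for t in types:
        group = [r for r in resources if r[0] == t]
        tlist += struct.pack(">4s2H", t.encode(), len(group) - 1,
                             2 + 8 * len(types) + len(refs))
        for _, rid, name, payload in group:
            name_off = 0xFFFF if name is None else len(names)
            if name is not None:
                names += bytes([len(name)]) + name.encode("mac_roman")
            refs += struct.pack(">hHI4x", rid, name_off, len(data))  # attrs 0 + 24-bit offset
            data += struct.pack(">I", len(payload)) + payload
    rmap = bytes(24) + struct.pack(">2H", 28, 28 + len(tlist) + len(refs)) + tlist + refs + names
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header.ljust(256, b"\0") + data + rmap

SAMPLE = build_fork([("INIT", 6, "RR", b"placeholder"), ("STR ", 128, None, b"\x02hi")])
```

[An INIT 6 under a different name is reported separately, since the post notes that a pre-existing INIT 6 may share the id.]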

farren@gethen.UUCP (Michael J. Farren) (03/14/88)

In article <1438@csib.csi.UUCP> jwhitnel@csib.UUCP (Jerry Whitnell) writes:
>In article <720@nuchat.UUCP> peter@nuchat.UUCP (Peter da Silva) writes:
>>Happy birthday, Mac-II. How many Mac users discovered they were infected with
>>the Hypercard virus today?
>
>A lot less than the number of Amiga users whose Amiga was infected
>by the Amiga virus from Europe, I'll bet.

Hardly.  I know of only two local people that were bitten by the SCA
virus, but at least twenty who got it from the Mac virus.  

-- 
Michael J. Farren             | "INVESTIGATE your point of view, don't just 
{ucbvax, uunet, hoptoad}!     | dogmatize it!  Reflect on it and re-evaluate
        unisoft!gethen!farren | it.  You may want to change your mind someday."
gethen!farren@lll-winken.llnl.gov ----- Tom Reingold, from alt.flame