[comp.sys.mac] nVIR in the System file...

franco@bbn.com (Frank A. Lonigro) (03/15/89)

Some friends of mine were just hit with the nVIR virus and I jumped in
and helped them clean up their hard disk.  For the most part, I ran
VirusRx to find the infected files and then threw them in the trash.
But their System file was also infected.  Instead of throwing that away
and getting a new clean one from a backup, I ran ResEdit and just removed
the nVIR resource that was present in the System file.  After saving the
changes I ran VirusRx again and the disk was clean of viruses.

Is it safe to assume that the System file is now completely rid of nVIR
or is there something else that needs to be fixed or removed???

Inquiring minds want to know!!!!

Thanks,
-franco

===================================  ===   =========   =====================
=   Frank A. Lonigro              =  ===   =========   =====================
=   franco@bbn.com                =  ===         ===         ===         ===
=   franco%bbn.com@relay.cs.net   =  ===   ===   ===   ===   ===   ===   ===
=   ...!harvard!bbn!franco        =  ===   ===   ===   ===   ===   ===   ===
=   BBN Inc., Cambridge, Mass.    =  ===         ===         ===   ===   ===
===================================  =======================================

levin@bbn.com (Joel B Levin) (03/15/89)

In article <37259@bbn.COM> franco@bbn.com (Frank A. Lonigro) writes:
|But their System file was also infected.  Instead of throwing that away
|and getting a new clean one from a backup, I ran ResEdit and just removed
|the nVIR resource that was present in the System file.  After saving the
|changes I ran VirusRx again and the disk was clean of viruses.
|
|Is it safe to assume that the System file is now completely rid of nVIR
|or is there something else that needs to be fixed or removed???

You also need to remove INIT32, if I am not mistaken.  If you don't,
the next time the mac is rebooted >from that hard disk<, it will
become reinfected.

	/JBL


UUCP:     {backbone}!bbn!levin		POTS: (617) 873-3463
INTERNET: levin@bbn.com

trebor@biar.UUCP (Robert J Woodhead) (03/16/89)

In article <37259@bbn.COM> franco@bbn.com (Frank A. Lonigro) writes:
>Is it safe to assume that the System file is now completely rid of nVIR
>or is there something else that needs to be fixed or removed???

nVIR adds an INIT 32 resource to the System File.  Use ResEdit to remove
this INIT.  Note that if you have booted using this system file since you
did your cleanup, you have reinfected your disk.

There are several shareware products that scan for and clean up nVIR, of
which Pennicillin is probably the best.  There are also two commercial
products (of which I am the author of one) that find and _repair_ all
known viruses.  Your computer store can help you if you decide that one
of these products is what you need.

-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *

franco@bbn.com (Frank A. Lonigro) (03/16/89)

In article <383@biar.UUCP> trebor@biar.UUCP (Robert J Woodhead) writes:
>In article <37259@bbn.COM> franco@bbn.com (Frank A. Lonigro) writes:
>>Is it safe to assume that the System file is now completely rid of nVIR
>>or is there something else that needs to be fixed or removed???
>
>nVIR adds an INIT 32 resource to the System File.  Use Resedit to remove
>this INIT.  Note that if you have booted using this system file since you
>did your cleanup, you have reinfected your disk.
>
>There are several shareware products that scan for and clean up nVIR, of
>which Pennicillin is probably the best.  There are also two commercial
>products (of which I am the author of one) that find and _repair_ all
>known viruses.  Your computer store can help you if you decide that one
>of these products is what you need.
>
>-- 
>* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
>* uunet!biar!trebor * hidden somewhere in this signature...               *
>* Biar Games, Inc.  *                       ...no, go back and look again *

Thanks for your reply, I have since removed INIT 32 from my friends' System
file and everything seems fine.  But I have another question.  After I
removed the infected applications and then removed just the nVIR resource
from the System file (leaving behind and still installed the INIT 32),
VirusRx1.4a2 and Interferon3.1 both reported that the disk was free of known
viruses.  Shouldn't they have reported that the System file was still
infected with the INIT 32????  Also, is there some sort of delay in the
re-infection of the disk from the INIT 32??  With the INIT 32 still in place
in the System file, my friends rebooted their Mac at least 5 to 10 times
before I came over and removed INIT 32.  After removing the INIT 32, VirusRx
and Interferon claim that the disk is free of known viruses and ResEdit1.2d1
shows that the System file is cleaned of nVIR and INIT 32.

Is their disk really clean and safe now?  They have Vaccine and
nVIRWarningINITs!!!

Thanks,
-franco

===================================  ===   =========   =====================
=   Frank A. Lonigro              =  ===   =========   =====================
=   franco@bbn.com                =  ===         ===         ===         ===
=   franco%bbn.com@relay.cs.net   =  ===   ===   ===   ===   ===   ===   ===
=   ...!harvard!bbn!franco        =  ===   ===   ===   ===   ===   ===   ===
=   BBN Inc., Cambridge, Mass.    =  ===         ===         ===   ===   ===
===================================  =======================================

trebor@biar.UUCP (Robert J Woodhead) (03/17/89)

In article <37317@bbn.COM> franco@ferrari.bbn.com (Frank A. Lonigro) writes:
>file and everything seems fine.  But I have an other question.  After I
>removed the infected applications and then removed just the nVIR resource
>from the System file(leaving behind and still installed the INIT 32),
>VirusRx1.4a2 and Interferon3.1 both reported that the disk was free of known
>viruses.

Virus checking programs tend to be pretty specific in their checks.  They
do things like "if INIT 32 is there and it starts with bytes XYZ AND there
are nVIR resources, nVIR is present".  This is to avoid a "false positive".

In Interferon, there are problems with "anomalies" being interpreted as
viruses incorrectly.  And the one "general" virus check I did, the "sneak"
virus, generates a false positive on the latest version of "Tops".

-- 
* Robert J Woodhead * The true meaning of life is cunningly encrypted and *
* uunet!biar!trebor * hidden somewhere in this signature...               *
* Biar Games, Inc.  *                       ...no, go back and look again *
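The two points made in this thread (that nVIR lives in the System file as both 'nVIR' resources and an INIT 32, so removing only the 'nVIR' resources leaves the infection in place, and that scanners use a conjunctive signature which then fails to flag the half-cleaned file) can be seen in a small script. This is an added example written for this page; it is not code from any of the posters, from VirusRx, Interferon or Woodhead's products. It builds classic Macintosh resource forks in memory (16-byte header, data area, resource map with type list and reference lists), parses them back, and applies two rules over the result. The INIT 32 signature prefix (`FAKE_INIT32_PREFIX`) and every resource body are made up for the demo; the thread gives no real nVIR bytes and none are used here.

```python
"""Toy resource-fork scanner for the nVIR / INIT 32 discussion.

Two detection rules run over in-memory Mac resource forks:
  strict: INIT 32 present with a given prefix AND at least one 'nVIR' resource
          (the conjunctive check described in the thread)
  loose:  INIT 32 present with the given prefix, 'nVIR' resources or not
All byte values below are constructed for the demo, not real nVIR data.
"""
import struct

# Hypothetical stand-in for the "bytes XYZ" mentioned in the thread.
FAKE_INIT32_PREFIX = b"DEMO"


def build_resource_fork(resources):
    """resources: list of (type: 4-byte bytes, id: int, data: bytes).
    Returns bytes laid out like a classic Mac resource fork."""
    # Data area: each resource is a u32 length followed by its payload.
    data_area = bytearray()
    data_offsets = []
    for _, _, payload in resources:
        data_offsets.append(len(data_area))
        data_area += struct.pack(">I", len(payload)) + payload

    # Group reference-list entries by type, keeping first-seen type order.
    by_type = {}
    for (rtype, rid, _), off in zip(resources, data_offsets):
        by_type.setdefault(rtype, []).append((rid, off))

    # Type list: u16 (count-1) then 8-byte entries; reference lists follow it.
    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    ref_lists = bytearray()
    type_list_len = 2 + 8 * len(by_type)
    for rtype, refs in by_type.items():
        ref_off = type_list_len + len(ref_lists)  # relative to type list start
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1, ref_off)
        for rid, off in refs:
            # id, name offset (-1 = unnamed), attributes, u24 data offset, handle
            ref_lists += (struct.pack(">hhB", rid, -1, 0)
                          + off.to_bytes(3, "big") + b"\0\0\0\0")

    # Map: reserved header copy (16) + next-map handle (4) + refnum (2)
    # + fork attributes (2) + type list offset (2) + name list offset (2).
    map_body = type_list + ref_lists
    resource_map = (bytes(24)
                    + struct.pack(">HH", 28, 28 + len(map_body))
                    + map_body)
    data_off = 256                      # conventional start of the data area
    map_off = data_off + len(data_area)
    header = struct.pack(">IIII", data_off, map_off,
                         len(data_area), len(resource_map))
    return header + bytes(data_off - 16) + bytes(data_area) + resource_map


def parse_resource_fork(fork):
    """Walk header -> map -> type list -> reference lists; return {(type, id): data}."""
    data_off, map_off, _, _ = struct.unpack_from(">IIII", fork, 0)
    type_list_off, = struct.unpack_from(">H", fork, map_off + 24)
    type_list = map_off + type_list_off
    ntypes = struct.unpack_from(">H", fork, type_list)[0] + 1
    out = {}
    for i in range(ntypes):
        rtype, nrefs, ref_off = struct.unpack_from(">4sHH", fork,
                                                   type_list + 2 + 8 * i)
        for j in range(nrefs + 1):
            entry = type_list + ref_off + 12 * j
            rid, = struct.unpack_from(">h", fork, entry)
            rel = int.from_bytes(fork[entry + 5:entry + 8], "big")
            length, = struct.unpack_from(">I", fork, data_off + rel)
            start = data_off + rel + 4
            out[(rtype, rid)] = bytes(fork[start:start + length])
    return out


def scan(fork, strict=True):
    """strict=True mirrors the conjunctive check from the thread;
    strict=False flags the INIT 32 on its own."""
    res = parse_resource_fork(fork)
    init32 = res.get((b"INIT", 32))
    init_hit = init32 is not None and init32.startswith(FAKE_INIT32_PREFIX)
    has_nvir = any(rtype == b"nVIR" for rtype, _ in res)
    return bool(init_hit and (has_nvir or not strict))


# Three constructed System-file states matching the thread (contents made up).
INFECTED = build_resource_fork([
    (b"INIT", 32, FAKE_INIT32_PREFIX + b"\x4e\x75"),   # hypothetical INIT body
    (b"nVIR", 0, b"\x00\x01"),
    (b"nVIR", 1, b"\x00\x02"),
    (b"FOND", 2, b"\x00\x00"),
])
HALF_CLEANED = build_resource_fork([   # nVIR resources removed, INIT 32 left
    (b"INIT", 32, FAKE_INIT32_PREFIX + b"\x4e\x75"),
    (b"FOND", 2, b"\x00\x00"),
])
CLEAN = build_resource_fork([(b"FOND", 2, b"\x00\x00")])

if __name__ == "__main__":
    for name, fork in (("infected", INFECTED), ("half-cleaned", HALF_CLEANED),
                       ("clean", CLEAN)):
        print(f"{name:13} strict={scan(fork)}  loose={scan(fork, strict=False)}")
```

The strict rule reproduces exactly what Frank saw: with the 'nVIR' resources gone but INIT 32 still present, the file reports clean, although the INIT would still run at boot. The loose rule catches that state, but any legitimate INIT 32 whose first bytes happen to match the prefix would trigger it, which is the false-positive trade-off Woodhead describes. A cleanup should therefore be verified by listing the resources that remain, not only by re-running a signature scanner.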