[comp.sys.mac] nVIR A and B

jln@accuvax.nwu.edu (John Norstad) (03/17/89)

There has been some confusion over exactly what the nVIR A and nVIR B
viruses actually do.  In fact, I don't believe the details have ever 
been published.  I just finished spending a few days researching 
the two nVIR viruses.  This report presents my findings.

As with all viruses, nVIR A and B replicate.  When you run an infected
application on a clean system the infection spreads from the application
to the system file.  After rebooting the infection in turn spreads from
the system to other applications, as they are run.

At first nVIR A and B only replicate.  When the system file is first
infected a counter is initialized to 1000.  The counter is decremented
by 1 each time the system is booted, and it is decremented by 2 each
time an infected application is run.

When the counter reaches 0 nVIR A will sometimes either say "Don't 
Panic" (if MacinTalk is installed in the system folder) or beep (if
MacinTalk is not installed in the system folder).  This will happen
on a system boot with a probability of 1/16.  It will also happen when
an infected application is launched with a probability of 31/256.  In
addition, when an infected application is launched nVIR A may say
"Don't Panic" twice or beep twice, with a probability of 1/256.

When the counter reaches 0 nVIR B will sometimes beep.  nVIR B does not
call MacinTalk.  The beep will happen on a system boot with a
probability of 1/8.  A single beep will happen when an infected 
application is launched with a probability of 15/64.  A double beep will
happen when an infected application is launched with a probability of
1/64.

I've discovered that it is possible for nVIR A and nVIR B to mate and
sexually reproduce, resulting in new viruses combining parts of their
parents.

For example, if a system is infected with nVIR A, and if an application
infected with nVIR B is run on that system, part of the nVIR B 
infection in the application is replaced by part of the nVIR A 
infection from the system.  The resulting offspring contains parts from
each of its parents, and behaves like nVIR A.

Similarly, if a system is infected with nVIR B, and if an application
infected with nVIR A is run on that system, part of the nVIR A
infection in the application is replaced by part of the nVIR B
infection from the system.  The resulting offspring is very similar
to its sibling described in the previous paragraph, except that it has
the opposite "sex" - each part is from the opposite parent.  It behaves
like nVIR B.

These offspring are new viruses.  If they are taken to a clean system
they will infect that system, which will in turn infect other
applications.  The descendants are identical to the original offspring.

I've also investigated some of the possible incestual matings of these
two kinds of children with each other and with their parents.  Again,
the result is infections that contain various combinations of parts 
from their parents.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
Applelink: a0173
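
The counter and probabilities reported above can be turned into a small timing model showing how long an infection stays silent and how likely a symptom is once the counter runs out. This is an added example, not part of either post and not code from the author. The function names and usage rates are hypothetical, and it assumes that symptoms are possible once the counter is at or below 0, that events are independent, and that the single and double symptoms on a launch are mutually exclusive.

```python
from fractions import Fraction

# Figures taken from the report above.
COUNTER_START = 1000
BOOT_DECREMENT = 1      # per system boot
LAUNCH_DECREMENT = 2    # per launch of an infected application

# Per-event symptom probabilities once the counter has run out.
STRAINS = {
    "nVIR A": {"boot": Fraction(1, 16),
               "launch_single": Fraction(31, 256),
               "launch_double": Fraction(1, 256)},
    "nVIR B": {"boot": Fraction(1, 8),
               "launch_single": Fraction(15, 64),
               "launch_double": Fraction(1, 64)},
}


def dormant_days(boots_per_day, infected_launches_per_day):
    """Days of silent replication before the counter runs out.

    Assumption: the counter counts as expired at or below 0.
    """
    per_day = (boots_per_day * BOOT_DECREMENT
               + infected_launches_per_day * LAUNCH_DECREMENT)
    if per_day <= 0:
        raise ValueError("no boots or infected launches: counter never moves")
    return -(-COUNTER_START // per_day)  # ceiling division


def launch_symptom_probability(strain):
    """Chance that one infected launch produces any symptom.

    Assumption: single and double symptoms are mutually exclusive.
    """
    s = STRAINS[strain]
    return s["launch_single"] + s["launch_double"]


def chance_noticed(strain, boots, launches):
    """Chance of at least one symptom over the given boots and infected
    launches after the counter has run out (events assumed independent)."""
    s = STRAINS[strain]
    miss = ((1 - s["boot"]) ** boots
            * (1 - launch_symptom_probability(strain)) ** launches)
    return 1 - miss
```

Under these assumptions the per-launch totals come out to 1/8 for nVIR A and 1/4 for nVIR B, and a machine booted once a day with four infected launches a day stays silent for 112 days.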

kweeder@sunny3.che.clarkson.edu (Jim Kweeder) (03/17/89)

In article <10330150@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:

>I've discovered that it is possible for nVIR A and nVIR B to mate and
>sexually reproduce, resulting in new viruses combining parts of their
>parents.

We have enough trouble with people writing viruses and here's John running
a breeding program for new strains!

:-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-):-)

Anyway, thanks for the informative run-down.  

Remember to put in your yes vote for comp.virus.
(If you want to flame me on this, redirect to news.groups).

Jim Kweeder
kweeder@sun.soe.clarkson.edu