hammen@csd4.milw.wisc.edu (Robert J. Hammen) (02/07/89)
This is some info on a new Mac virus. This article was originally posted on CompuServe, and reposted on Delphi by Robert Wiggins:

Reposted message at the request of the author, Thierry DeLettre:

Until now, all known Macintosh viruses could be easily detected by the additional resources they created. Now, it's over... There is at least one virus that creates no additional resource.

This virus is called ANTI, and infects only applications (and other files with a CODE ID=1 resource). It inserts a JSR at the beginning of the resource and all the virus code at the end. It seems to be very recent, but we have already found infected Macintoshes in Paris and Marseilles, and it is probably making its way fast across all Europe.

This virus is _not_ detected by VirusDetective or other utilities. It installs itself even when Vaccine is on. Vaccine beeps only if the 'Always compile MPW Inits' option is _not_ checked. Virus Rx does not detect ANTI's presence in other files, but, when infected itself, changes its name to 'Throw me in the trash'.

It doesn't seem to infect all applications, but only some (the ones with a CODE 1 resource called 'Main'). We haven't found out how it works yet. It doesn't seem to change the System file, which doesn't contain a CODE resource. The contagion seems to be spread by the Finder.

To see if an application is infected, you have to open its CODE ID=1 resource with ResEdit and search for the ASCII string 'ANTI'. You can also use the advanced features (resource fork search) of GOfer. We haven't yet found a way to remove it, but only a way to deactivate it by changing the first words of the virus code to an RTS.

There is a strange story about this virus. Two years ago, Apple France's developer support manager, Alain Andrieux, wrote a utility for his own use called 'Stamp', with which he marked the programs he gave to developers. If a confidential program was given out, he could easily know where it came from. His program added a CODE resource to the marked files, but did _not_ change anything in the CODE 1 resource.

In January 89, a 'new' version of this program (Stamp 1.0b5) began to spread in the French Mac community. When run, this program installs the 'ANTI' virus into the marked or checked applications and/or into the Finder. These infected applications and Finders then become contagious themselves. It seems the virus author stole the source code of this program, changed it into a virus installer, then gave it away. Obviously, inserting a virus installer in an Apple program was done to damage Apple France's reputation...

Thierry D, Chief Mac Sysop, Calvacom

P.S. A copy of the virus has been sent to Jeffrey Shulman and Robert Woodhead, so that they can update their anti-virus programs accordingly.

P.P.S. I don't have access to other major American on-line services, so please upload the above information where you can. Thierry can be reached via CompuServe at 76670,2260.

///////////////////////////////////////////////////////////////////////////
/ Robert Hammen | hammen@csd4.milw.wisc.edu | uwmcsd1!uwmcsd4!hammen /
/ Delphi: HAMMEN | GEnie: R.Hammen | CI$: 70701,2104 | MacNet: HAMMEN /
/ Bulfin Printers | 1887 N. Water | Milwaukee WI 53202 | (414) 271-1887 /
/ 3839 N. Humboldt #204 | Milwaukee WI 53212 | (414) 961-0715 (h) /
///////////////////////////////////////////////////////////////////////////
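The ResEdit check the post describes (open the CODE ID=1 resource, search for the ASCII string 'ANTI'), automated as an added example that is not part of the original post: a minimal classic Mac OS resource-fork walker plus a scanner that reports whether a CODE 1 resource is present, its resource name, and whether the marker string appears in it. The resource forks are constructed in-script as test data, and the names `build_fork`, `parse_resources` and `scan_for_anti` are chosen here, not tools from the post.

```python
import struct

def parse_resources(fork: bytes):
    """Walk a classic Mac OS resource fork; yield (type, id, name, data)."""
    data_off, map_off, _, _ = struct.unpack_from(">IIII", fork, 0)
    tl_off, nl_off = struct.unpack_from(">HH", fork, map_off + 24)  # offsets from map start
    type_list, name_list = map_off + tl_off, map_off + nl_off
    (n_types,) = struct.unpack_from(">H", fork, type_list)          # field stores count - 1
    for i in range(n_types + 1):
        rtype, n_res, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(n_res + 1):
            entry = type_list + ref_off + 12 * j                     # 12-byte reference entry
            rid, name_off, attr_off = struct.unpack_from(">hhI", fork, entry)
            name = None
            if name_off != -1:                                       # Pascal string in name list
                n = fork[name_list + name_off]
                name = fork[name_list + name_off + 1 : name_list + name_off + 1 + n].decode("mac_roman")
            res = data_off + (attr_off & 0x00FFFFFF)                 # low 24 bits: offset in data area
            (length,) = struct.unpack_from(">I", fork, res)
            yield rtype, rid, name, fork[res + 4 : res + 4 + length]

def scan_for_anti(fork: bytes) -> dict:
    """The post's check: find CODE ID=1 and look for the ASCII string 'ANTI' in it."""
    report = {"code1_present": False, "code1_name": None, "anti_marker": False}
    for rtype, rid, name, body in parse_resources(fork):
        if rtype == b"CODE" and rid == 1:
            report.update(code1_present=True, code1_name=name, anti_marker=b"ANTI" in body)
    return report

def build_fork(resources):
    """Build a minimal resource fork from (type, id, name, data) tuples (constructed test data)."""
    data_area, refs, names = b"", {}, b""
    for rtype, rid, name, body in resources:
        name_off = -1
        if name is not None:
            name_off, names = len(names), names + bytes([len(name)]) + name.encode("mac_roman")
        refs.setdefault(rtype, []).append((rid, name_off, len(data_area)))
        data_area += struct.pack(">I", len(body)) + body
    type_list = struct.pack(">H", len(refs) - 1)
    ref_lists, ref_base = b"", 2 + 8 * len(refs)
    for rtype, entries in refs.items():
        type_list += struct.pack(">4sHH", rtype, len(entries) - 1, ref_base + len(ref_lists))
        for rid, name_off, off in entries:
            ref_lists += struct.pack(">hhII", rid, name_off, off, 0)   # attrs 0, reserved handle 0
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists)) + type_list + ref_lists + names
    return struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), len(rmap)) + bytes(240) + data_area + rmap

# Constructed samples: a clean CODE 1 named 'Main', and one carrying the marker string.
CLEAN = build_fork([(b"CODE", 0, None, b"\x00" * 8), (b"CODE", 1, "Main", b"\x00\x00\x00\x01\x4e\x75")])
MARKED = build_fork([(b"CODE", 0, None, b"\x00" * 8), (b"CODE", 1, "Main", b"\x00\x00\x00\x01" + b"\x00" * 8 + b"ANTI" + b"\x4e\x75")])
```

Run `scan_for_anti` over the resource fork of a file (on a real volume that is the file's resource fork, not its data fork); a true `anti_marker` is the same finding the post asks you to confirm in ResEdit or GOfer.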