levin@bbn.com (Joel B Levin) (01/31/89)
There have been a few misconceptions floating around about INIT29 and how it works. It is quite virulent, spreading at the drop of a hat, and I don't want to minimize it; but there is a slight bit of overstatement in what I have read and I want to try to correct it a bit.

1. If you have booted from a clean system (System file and INIT, cdev, and RDEV type files are all clean), then you are running clean. Nothing will happen if you put an infected disk in your drive, if you look at an infected file with ResEdit, or if you copy a file. The ONLY thing which does damage while you are running clean is to run an infected application. Doing so will infect your CURRENT System file. That's all it will do (not that it isn't enough); you will still be running clean afterward. Rebooting with an infected System file is necessary before the serious damage starts.

2. Booting from an infected system disk (one or more of your System file and the INIT, cdev, and RDEV type files IN YOUR SYSTEM FOLDER are infected) will cause your system to run dirty, i.e. with OpenResFile patched to infect anything it opens. Now you are in a state in which merely opening any file with a resource fork will infect it with either an INIT 29 resource (if there is no CODE 0 resource) or with a new CODE resource (if there is a CODE 0 resource). It is thus true that merely inserting a floppy disk (under the Finder, not necessarily in applications, which might not cause the Desktop file to be opened) causes a copy of INIT29 to "infect" the Desktop file on that disk. And any documents or other miscellaneous files which are opened for any reason are likely to have an INIT29 written into them. However, the only significant INIT29's are those written into the System file or into a type INIT, cdev, or RDEV file in the System Folder. In other files the INIT29 resource is less like an infection than like a benign tumor -- it takes up space, is neither useful nor harmful, and sometimes gets in the way of something and causes it to break.

[This doesn't mean that some future virus couldn't activate it somehow.]

3. The only sure way to deal with INIT29 at this moment is to have a completely clean system on a hardware LOCKED diskette, complete with a detection tool like VirusDetective. All copies of INIT29 may be safely removed. All infected applications should be deleted and restored from locked master disks (you did keep those around, of course, and locked :-)). At this moment I know of no available programs capable of properly removing the infection from an application-like file (i.e. one that has a CODE 0 resource), including Virex; but I guarantee you there will be one or more available before long.

/JBL

UUCP: {backbone}!bbn!levin
POTS: (617) 873-3463
INTERNET: levin@bbn.com
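The post's point 2 turns on two facts about a file's resource fork: whether it carries an INIT resource with ID 29, and whether it has a CODE 0 resource (which makes it "application-like", so the infection takes the form of an added CODE resource instead). The following is an added example, not code from the post, from the virus, or from VirusDetective or Virex: a minimal parser for the classic Mac OS resource-fork layout (16-byte header, resource data, resource map with type list and reference lists) that lists the resources in a fork image and applies the post's rule of thumb. The fork images it runs on are constructed inline by build_resource_fork, purely so the parser has input offline; the names build_resource_fork, list_resources and assess are this example's own. Note the caveat the code keeps from the post: an INIT 29 lookup says nothing about an application-like file, where the marker is a new CODE resource whose ID the post does not give.

```python
import struct

# Classic Mac OS resource-fork layout (Inside Macintosh, Resource Manager).
DATA_OFFSET = 256      # conventional start of resource data (header + reserved area)
MAP_HEADER_LEN = 28    # 16 reserved + 4 next-map + 2 refnum + 2 attrs + 2 typelist + 2 namelist


def build_resource_fork(resources):
    """Assemble a fork image from [(type: 4 bytes, id: int, payload: bytes), ...].
    This builder exists only to construct sample input for the parser below."""
    data = bytearray()
    by_type, order = {}, []
    for rtype, rid, payload in resources:
        if rtype not in by_type:
            by_type[rtype] = []
            order.append(rtype)
        by_type[rtype].append((rid, len(data)))        # offset relative to resource data start
        data += struct.pack(">I", len(payload)) + payload   # each resource: 4-byte length + bytes

    type_list = bytearray(struct.pack(">H", len(order) - 1))   # type count minus one
    ref_lists = bytearray()
    ref_base = 2 + 8 * len(order)                                # reference lists follow type entries
    for rtype in order:
        refs = by_type[rtype]
        # type(4) count-1(2) offset-to-ref-list(2), relative to the type list start
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1, ref_base + len(ref_lists))
        for rid, off in refs:
            # id(2) nameoff(2, 0xFFFF = unnamed) attrs(1) dataoff(3) reserved handle(4)
            ref_lists += struct.pack(">hH", rid, 0xFFFF) + b"\0" + off.to_bytes(3, "big") + b"\0" * 4

    name_list_off = MAP_HEADER_LEN + len(type_list) + len(ref_lists)   # empty name list
    rmap = b"\0" * 20 + struct.pack(">HHHH", 0, 0, MAP_HEADER_LEN, name_list_off)
    rmap += type_list + ref_lists
    map_off = DATA_OFFSET + len(data)
    header = struct.pack(">IIII", DATA_OFFSET, map_off, len(data), len(rmap))
    return header + b"\0" * (DATA_OFFSET - 16) + bytes(data) + bytes(rmap)


def list_resources(fork):
    """Walk the resource map and return [(type: str, id: int, length: int), ...]."""
    data_off, map_off, data_len, map_len = struct.unpack(">IIII", fork[:16])
    if map_off + map_len > len(fork) or data_off + data_len > len(fork):
        raise ValueError("truncated or malformed resource fork")
    type_list_off, _name_list_off = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    tl = map_off + type_list_off
    ntypes = struct.unpack(">H", fork[tl:tl + 2])[0] + 1
    if ntypes == 0x10000:          # count field 0xFFFF means "no resource types"
        return []
    out = []
    for i in range(ntypes):
        rtype, nrefs_m1, ref_off = struct.unpack(">4sHH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(nrefs_m1 + 1):
            e = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[e:e + 2])[0]
            doff = int.from_bytes(fork[e + 5:e + 8], "big")      # 3-byte data offset
            (length,) = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])
            out.append((rtype.decode("mac_roman"), rid, length))
    return out


def assess(fork):
    """Apply the post's rule: INIT 29 marks a carrier in a non-application file;
    a file with CODE 0 is application-like, where the infection is an added CODE
    resource that a plain INIT 29 lookup cannot identify."""
    res = list_resources(fork)
    kinds = {(t, i) for t, i, _ in res}
    application_like = ("CODE", 0) in kinds
    init29 = ("INIT", 29) in kinds
    if init29 and not application_like:
        verdict = ("INIT 29 resource present (inert unless this is the System file "
                   "or an INIT/cdev/RDEV file in the System Folder)")
    elif application_like:
        verdict = "application-like (CODE 0); an INIT 29 lookup cannot confirm or rule out infection"
    else:
        verdict = "no INIT 29 resource"
    return {"application_like": application_like, "init29": init29,
            "verdict": verdict, "resources": res}


if __name__ == "__main__":
    # Constructed samples: a document carrying an INIT 29, and an application with CODE 0.
    doc = build_resource_fork([(b"STR ", 0, b"\x05hello"), (b"INIT", 29, b"\x4e\x75" * 4)])
    app = build_resource_fork([(b"CODE", 0, b"\0" * 16), (b"CODE", 1, b"\x4e\x75")])
    for name, fork in (("document", doc), ("application", app)):
        r = assess(fork)
        print(name, r["resources"], "->", r["verdict"])
```

The parser reads offsets exactly as the Resource Manager lays them out (reference-list offsets relative to the type list, data offsets relative to the resource data area), so it can be pointed at a real fork image (for example one extracted as a separate file) as well as at the constructed samples; the bounds check at the top rejects a header whose map or data area runs past the end of the image.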