levin@bbn.com (Joel B Levin) (01/31/89)
There have been a few misconceptions floating around about INIT29 and
how it works. It is quite virulent, spreading at the drop of a hat,
and I don't want to minimize it; but there is a slight bit of
overstatement in what I have read and I want to try to correct it a bit.
1. If you have booted from a clean system (System file and INIT, cdev,
and RDEV type files are all clean), then you are running clean.
Nothing will happen if you put an infected disk in your drive, if you
look at an infected file with ResEdit or copy a file. The ONLY thing
which does damage while you are running clean is to run an infected
application. Doing so will infect your CURRENT System file. That's
all it will do (not that it isn't enough); you will still be running
clean afterward. Rebooting with an infected system file is necessary
before the serious damage starts.
2. Booting from an infected system disk (one or more of your System
file and the INIT, cdev, and RDEV type files IN YOUR SYSTEM FOLDER are
infected) will cause your system to run dirty, i.e. with OpenResFile
patched to infect anything it opens. Now you are in a state when
merely opening any file with a resource fork will infect it with
either an INIT 29 resource (if there is no CODE 0 resource) or with a
new CODE resource (if there is a CODE 0 resource). It is thus true
that merely inserting a floppy disk (under Finder, not necessarily in
applications, which might not cause the Desktop file to be opened) a
copy of INIT29 "infects" the Desktop file on that disk. And any
documents or other miscellaneous files which are opened for any reason
are likely to have an INIT29 written into them. However, the only
significant INIT29's are those written into the System file or into a
type INIT, cdev, or RDEV file in the system folder. In other files
the INIT29 resource is less like an infection than like a benign tumor
-- it takes up space, is neither useful nor harmful, and sometimes
gets in the way of something and causes it to break. [This doesn't
mean that some future virus couldn't activate it somehow.]
3. The only sure way to deal with INIT29 at this moment is to have a
completely clean system on a hardware LOCKED diskette, complete with a
detection tool like VirusDetective. All copies of INIT29 may be
safely removed. All infected applications should be deleted and
restored from locked master disks (you did keep those around, of
course, and locked :-)). At this moment I know of no available
programs capable of properly removing the infection from an
application-like file (i.e. has a CODE 0 resource), including Virex;
but I guarantee you there will be one or more available before long.
/JBL
UUCP: {backbone}!bbn!levin POTS: (617) 873-3463
INTERNET: levin@bbn.com