ll12+@andrew.cmu.edu (Laura Ann Lemay) (12/07/88)
It has been confirmed that there IS a new nVIR floating around on the west coast. Would someone who has come acroos this virus PLEASE send me a little application infected with it, so I can testit and put the information my virus guide? I've tried to contact everyone who's mentioned it, but I've had no reply from anyone. Please make sure that this is the NEW nVIR (the one that just appeared last week), and not the original. I have more copies of the original than I'll ever need :-) Help me out here so I can explain it all -- -Laura ll12+@andrew.cmu.edu
billkatt@caen.engin.umich.edu (Steve Bollinger) (12/07/88)
In article <4Xb0I9V28k-0A1zVwN@andrew.cmu.edu> ll12+@andrew.cmu.edu (Laura Ann Lemay) writes: > > >It has been confirmed that there IS a new nVIR floating around on the west >coast. > What distinguishes this one from the old one? And who confirmed it? +----------------------+----------------------------------------------------+ | Steve Bollinger | Internet: billkatt@caen.engin.umich.edu | | 4297 Sulgrave Dr. +------+---------------------------------------------+ | Swartz Creek, Mi. 48473 | "My employer doesn't take my opinion any | +-----------------------------+ more seriously than you do." | | "You remember the IIe, it +---------------------------------------------+ | was the machine Apple made before they decided people didn't need | | machines with big screens, color, or slots." | | - Harry Anderson (from NBC's Night Court) | +---------------------------------------------------------------------------+
wade@sdacs.ucsd.EDU (Wade Blomgren) (12/07/88)
In article <4Xb0I9V28k-0A1zVwN@andrew.cmu.edu>, ll12+@andrew.cmu.edu (Laura Ann Lemay) writes: > > > It has been confirmed that there IS a new nVIR floating around on the west > coast. > > Would someone who has come acroos this virus PLEASE send me a little > application infected with it, so I can testit and put the information my > virus guide? I've tried to contact everyone who's mentioned it, but I've had > no reply from anyone. > WHO exactly has confirmed this? I hope this statement is not based on rumours published in MacWeek. Please follow up with the basis for this confirmation. Wade Blomgren UC San Diego Academic Computing Services ("west coast" division) wade@sdacs.ucsd.edu
LaserMan@cup.portal.com (Bob LaserMan Murrow) (12/22/88)
I have a new virus that may be the NEW nVir. The virus I got uploaded to my BBS PhoenixII at 408-252-3926 is of the type Hpat. It infects your SYSTEM file the first time it sees it. It is caught by Vaccine on boot but may be able to get by Vaccine if it is in a program that runs from a floppy. I modified a copy of RWatcher to catch it. It builds the following resourses: In an application: Hpat 1 size 428 Hpat 2 size 8 Hpat 3 size 416 Hpat 6 size 66 Hpat 7 size 2106 INIT 32 size 416 CODE 255 size 422 In your SYSTEM: Hpat 0 size 0 Hpat 1 size 428 Hpat 4 size 442 Hpat 5 size 8 Hpat 6 size 66 Hpat 7 size 2106 I am in the process of dissassembling this thing to see if it is going to be nasty. At first glance it appears to be only replicating itself and not doing damage. Bob Murrow laserman@cup.portal.com
alexis@ccnysci.UUCP (Alexis Rosen) (01/04/89)
Bob Murrow recently wrote an article describing the new Hpat virus. While I have not seen it yet, from looking at the sizes of the various resources I would guess that the Hpat virus is nothing but nVIR type 'B' (as classified by John Norstad) with the appropriate resource types changed from 'nVIR' to 'Hpat'. To confirm this, Bob can send a copy of the virus to a trusted person who can test it. 1) Don't send a live virus!!! You can paste the viral resources into a separate file, they'll be dead there. 2) 'Trusted person' is a tricky term. If you choose to trust me, fine. Otherwise I suggest that John Norstad is sufficiently well-known to be safe and reliable. On the other hand I can't volunteer his time. So, John, if you're willing to compare the two, please say so. 3) Of course Bob could do the comparison himself if he has both viruses. Has anyone else been infected by Hpat, and noticed any damage? I suppose we all knew that it was only a matter of time before someone did another modification of nVIR. Hopefully the idiot responsible for this one wasn't clever or malicious enough to do anything besides changing its name. Still, if Hpat spreads over the next few months, that will just show how susceptible the entire user community is to a really nasty virus. If we can't even protect ourselves from the relatively well-understood nVIR variants, how will we deal with something much much worse? I'd like to remind everybody that for all of the havoc caused by Mac viruses, _NOT ONE_ of them has actually been generally malignant. If we suffer so much from benign viruses, what happens when a nasty one comes along? In a poor frame of mind to be writing coherent sentences, Alexis Rosen alexis@ccnysci.uucp
alexis@ccnysci.UUCP (Alexis Rosen) (01/04/89)
By the way, I believe Bob Murrow made a small mistake in his Hpat posting. He wrote that there is an INIT 32 in each infected application. I think he meant that the INIT 32 is in the System File. If I'm wrong, please correct me. Alexis Rosen alexis@ccnysci.uucp
jln@accuvax.nwu.edu (John Norstad) (01/05/89)
Thanks for volunteering my time, Alexis :-) Actually, I just got a copy of Hpat last week, and I've already compared it to what I call nVIR B. It is indeed a very simple clone of nVIR B. Bob Murrow's original posting was accurate, except for a few typos. As Alexis pointed out, the INIT 32 resource lives on an infected system file, not an infected application file. Also, the Hpat 0 resource has size 2, not size 0. So the only differences between Hpat and nVIR B are that Hpat uses the resource type Hpat instead of nVIR, and it uses CODE id 255 instead of 256. John Norstad Academic Computing and Network Services Northwestern University Bitnet: jln@nuacc Internet: jln@acns.nwu.edu