[comp.sys.mac] nVIR INFO

borton@uva.UUCP (Chris Borton) (09/23/88)

In article <3716@charon.unm.edu> cn4gr8ag@ariel.unm.edu.UUCP (Bob Knudson) writes:
>I'm also interested in knowing what damage the sneak and nVir viruses do
>to Macs...MacUser had an article about them recently stating their 
>existence, but they didn't go into detail about their possibly destructive
>nature...

Information about nVIR, what it does, and how to combat it is contained in
the lead article in MacTutor April 1988.  (hmm, 90% sure it's April but don't
have it handy.  +-1 month if not)  This article was also distributed over
comp.sys.mac and info-mac in January, along with a Vaccination program for
curing programs infected with nVIR and an INIT to warn when it was trying to
infect.

This article and the programs should be available via sumex; if there is need
I can mail them (they're not very big either).

BTW: Vaccination 1.0 put out over the net neglected to show the Finder and DA
Handler as applications to cure.  Fix: replace the two with original versions
or ask me for 1.1.

-cbb
-- 
Chris Borton	borton%uva@mcvax.{nl,bitnet,uucp} 
Rotary Scholar, University of Amsterdam CS
"MesS-DOS programmers did it yesterday.  Mac programmers do it today.
OS/2 programmers claim they will do it tomorrow. [I don't believe them :-)]"

ccasths@pyr.gatech.EDU (Scott Hinckley) (09/25/88)

How about this for Virus protection - 

First, you assume that you start with a clean system.
Then you take your back up program and back it up.
Now, you log (on paper) every file you change and when you change it.
Now, when you go to do your next back up you tell the backup program to only
back up files that have changed (requires some sort of checksum and date
modified disk from last backup?)
When it finds a changed file it tells you what was changed and when it was
last modified.
You check this against your list before allowing the backup.

Would it work?  Would it take way too much time?  Just some thoughts.


+=======================================================================+
|Scott Hinckley - OCS User Assistant    AKA - Galaxy's End              |
|Georgia Institute of Technology, Atlanta Georgia, 30332                |
|uucp: ...!gatech!pyr!ccasths            USnail: 345 Peachtree Pl NW    | 
|ARPA: ccasths@pyr.gatech.edu                    Atlanta, Ga.  30318    |
|                            I reply to ALL E-Mail                      |
+=======================================================================+

werner@utastro.UUCP (Werner Uhrig) (09/25/88)

	[ I'm not sure if I posted a follow-up to this discussion-thread
	  before.  I'd hope to be forgiven though ....			]

If someone gets hit by a virus and has FTP-powers, you should remember my
archives on RASCAL.ICS.UTEXAS.EDU as source for quick enlightenment.

In an emergency, I will mail out files to non-FTP-capable netters near-
instantly.... :-)

if anyone notices anything missing in my collection, please let me know
(or, better, send me what you have);  thanks.

here's a quick index of what's currently available on RASCAL:
(NOTE that files ending in .Z indicate compression which requires binary
FTP-transfer!)

werner on rascal <147> cd ~ftp
/usr2/ftp
werner on rascal <148> ls
bin/            explore-me@     mac@            pub/
etc/            funny@          misc/           unix@
werner on rascal <149> ls mac
0.about.compressed-files        DIR.with-comments*
0.remote.mac-archives.info      INFO-MAC.at.SUMEX@
0.remote.mac-archives.info~     MAC.at.SALLY@
00.README-for-this-directory*   MACINTOSH.at.SIMTEL20@
BRAND-NEW/                      NEW-in-8805/
DIR.LOG-of-NEW*                 NEW-in-8807/
DIR.NEW-in-8804*                NEW-in-8808/
DIR.NEW-in-8805*                dataframe-support/
DIR.NEW-in-8806*                mac-utilities/
DIR.NEW-in-8807                 sounds-archives.pointer
DIR.NEW-in-8808                 stuffit/
DIR.unix-utilities*             unix-utilities/
DIR.virus-tools*                virus-tools/
werner on rascal <150> ls mac/virus-tools
Ferret-1pt0_APPL.sit_hqx.Z      Vaccine_CDEV.Hqx.Z
Guard_Dog_CDEV.sit_hqx.Z        VirusDetective-DA_1pt2.Hqx.Z
Interferon-2pt0_APPL.pit_hqx.Z  VirusRx.Hqx.Z*
KillScores_1pt0_APPL.hqx.Z      VirusWarningINIT.hqx.Z
KillVirus_INIT.Urlichs.Z        virus.SCORES.news.Z
Vaccination_APPL.pit_hqx.Z      virus.news.Z


-- 
--------------------> PREFERRED-RETURN-ADDRESS-FOLLOWS <--------------------
(ARPA)	    werner@rascal.ics.utexas.edu   (Internet: 128.83.144.1)
(INTERNET)     werner%rascal.ics.utexas.edu@cs.utexas.edu
(UUCP)	..!utastro!werner   or  ..!uunet!rascal.ics.utexas.edu!werner

Mark_Peter_Cookson@cup.portal.com (09/27/88)

About checking each file and/or program.  When you run a program, most of the
time it gets its "changed" bit changed.  This is why some backup programs offer
not to back up applications since you can waste a lot of disk space backing up
something that looks like it has changed, but really hasn't.  I don't think
that your method would work with applications or system files (they also get
changed when run, sometimes....).  Since the virus can't change anything until
it is run, and it will probably only change the program that is running (it
would get obvious if it started doing all the files on the HD).  All in all, I
don't think that the plan would work too well since too many are changed just
by normal use and might be hard to tell from virus changed....

Mark Cookson

md32+@andrew.cmu.edu (Michael Joseph Darweesh) (12/12/88)

Here's some nVIR info
Collected by:
       -Mike Darweesh md32
       -Chuck Silvers cs4n
        @andrew.cmu.edu
        Carnegie Mellon University

From borton@net1.UUCP Tue Mar  8 02:04:12 1988
From: borton@net1.ucsd.edu (Chris Borton)
To: werner
Subject: nVIR: I've got a virus and I don't like it
Date: 8 Mar 88 02:04:12 GMT
Organization: UCSD Network Operations Group
Newsgroups: comp.sys.mac

This is a warning and plea for more information, if anyone has any. We
just discovered a virus in some of our systems (not all) at work today,
and it has permeated my system at home as well.  The symptoms are simple:

INIT 32 in System File

nVIR resources in various applications and the System File.

This sucker is tricky -- it is getting itself loaded before any INITs do
(we believe the INIT 32 is just a teaser), like PTCHs do, but it isn't
in PTCH.  Our two best programmers spent today tracing through it and
still haven't found a real solution other than offloading and
re-initializing.

To our knowledge it is non-malicious (yet).  The nVIR resources are
usually small, sometimes 8 bytes, sometimes ~360.  If you remove them
from both System and ResEdit, the virus won't let you run ResEdit because
it is looking for those resources and can't find them.  It occasionally
beeps when running a program.

We have no idea what installed this.  We are fairly certain it originated
from one of the many small programs that come over the net.  Many of these
would be perfect 'carriers' -- little demo program that's an "aww, that's
cute, now let's trash it."  I'm not putting down these programs, just
pointing out what I feel is obvious.

I don't believe this is any cause for panic -- it hasn't done any known
harm yet.  I would, however, like to get to the bottom of this!  If it's
a joke, I don't find it very funny.  (unless it de-installs itself
completely after April Fool's Day :-)). If it is someone's graduate
thesis, you get an A-.  But enough is enough!

-cbb
Chris "Johann" Borton, UC San Diego     ...!sdcsvax!borton

From spector@vx2.GBA.NYU.EDU Tue Mar  8 09:34:00 1988
Path: ut-emx!ut-sally!tut.cis.ohio-state.edu!mailrus!nrl-cmf!cmcl2!vx2!spector
From: spector@vx2.GBA.NYU.EDU (David HM Spector)
To: werner
Newsgroups: comp.sys.mac
Subject: Re: nVIR: I've got a virus and I don't like it
Message-ID: <650007@vx2.GBA.NYU.EDU>
Date: 8 Mar 88 15:34:00 GMT
Article-I.D.: vx2.650007
Posted: Tue Mar  8 09:34:00 1988
References: <4731@sdcsvax.UCSD.EDU>
Organization: New York University
Lines: 39




It seems you have been bitten by a virus whose sources were uploaded to
CompuServe several months ago...  The author, a fellow in West Germany, thought it
would be educational to distribute these example viruses in source form to
encourage people to write defenses against them.  His stated intent in writing
a virus in the first place was to keep people from running possibly virus
ridden program on their production Macintoshes which had been previously hit
by viruses....  its signature, in the original sources, was a resource type of
nVir... it's a simple yet potent virus and very easily modified to do bad
things.

        ... unfortunately the only way around most of these viruses is to
replace your system folder. (Make sure you do this from a WRITE-LOCKED
copy of the Apple System installer... or else you'll end up back where you
started, with an infected system.... there is another problem, that being
that the virus  that was on CompuServe knows how to infect APPLICATIONS, as
well as the system itself.  Pretty depressing....

For more info on this virus, take a look at Risks Digest volume 6, Nos. 7,
22,23,24, 27 (a few of the articles are ones I wrote regarding this and other
Macintosh viruses...)


                  Good Luck....
                      David

PS: If anyone else out there has seen Macintosh viruses, besides the "DR" (
Richard Brandow/MacMag virus), I would appreciate hearing about it.. I am
trying to work up some stats on the spread and possible strategies for
combating these things...
-------------------------------------------------------------------------------
David HM Spector                             New York University            ---

and was derived from the existing "nVir" virus we are all
experiencing. It cost me considerable time to dissect the beast and I thought
it a good idea to post a watered-down version of it so that someone
might find some means of defeating future examples of this behavior.

I fully agree that viruses (even non-malignant ones) are far from funny. I did
not think that anyone would recompile the beast since to derive the
missing pieces is about as hard as starting from scratch; I assume the
original has travelled to the US.
I will delete the "example" if there is a consensus that it will do more
bad than good.

The "nVir" virus installs itself in the System file using an INIT 32,
and into any program you start by patching itself into the "CODE 0"
resource. This is accomplished by patching the TEInit trap.

The programmer built a defeat mechanism into the virus: it will do nothing
if there is a resource "nVIR", ID 10, present in your System file.

To deinstall the virus from your System, simply delete all "nVIR" resources and
the infamous INIT 32, and create a (empty) "nVIR" 10 resource to prevent
further problems.
Getting it out of programs is more difficult. The old entry from the CODE 0
is stored in nVIR ID 2. Open that resource, copy the eight bytes,
open CODE 0, select the third line, and paste. Then delete all nVIRs, and CODE
256 (this does belong to the virus).  You might have to use ResEdit 1.2
for some programs which have a CODE 0 too large for ResEdit 1.1 to handle.

The original of this virus came in three flavors. The first simply beeps
when you start a program (not always). The second opened MacinTalk and tried
to say "Don't Panic" instead. The third selected a random file in your System
folder and killed it. Fortunately the former two are more aggressive and
do overwrite the third one if they see it.
All three variants sometimes crash programs when you try to start them.
This does not seem to cause any further problems.

I hope this information helps. Please do not mail to me if possible because
I have to pay $1 per kByte if it gets too much.

--
Matthias Urlichs              CompuServe: 72437,1357  Delphi: URLICHS
Rainwiesenweg 9
8501 Schwaig 2                "Violence is the last refuge
West Germany                            of the incompetent." -- Salvor Hardin

From borton@net1.UUCP Tue Mar 15 12:40:01 1988
Path: ut-emx!ut-sally!tut.cis.ohio-state.edu!mailrus!nrl-cmf!ames!ucsd!sdcsvax!net1!borton
From: borton@net1.ucsd.edu (Chris Borton)
To: werner
Newsgroups: comp.sys.mac
Subject: Vaccination for nVIR virus (MacTutor article)
Keywords: virus
Message-ID: <4761@sdcsvax.UCSD.EDU>
Date: 15 Mar 88 18:40:01 GMT
Article-I.D.: sdcsvax.4761
Posted: Tue Mar 15 12:40:01 1988
Sender: nobody@sdcsvax.UCSD.EDU
Reply-To: borton@net1.UUCP (Chris Borton)
Organization: UCSD Network Operations Group
Lines: 192

Here is the article Mike Scanlin wrote for MacTutor describing the effects and
inner workings of the nVIR virus lately discussed.  This is reprinted by
special permission of David Smith of

Mactutor
P.O. Box 400
Placentia, CA  92670
(714) 630-3730

Many thanks to David for encouraging the rapid spread of information on this
subject.  The program and INIT to combat this virus described in the article
have been posted to comp.binaries.mac.

-cbb
----


                            Vaccination
                          by Mike Scanlin
        Reprinted by special permission of David Smith from

                             MacTutor
                            P.O. Box 400
                        Placentia, CA  92670
                           (714) 630-3730

Unless you are going to Africa or Indochina, viruses and vaccinations are
not something that most of us need to worry about. However, even if you're
not planning on travelling, there is one virus you need to be aware of. It
is a computer virus that is infecting Macintoshes everywhere.

Are you infected?

Use ResEdit to open your system file and look for 'nVIR' resources. If you
have them, then your system has been infected and chances are that at least
some (if not most or all) of your applications are infected. Don't panic.
This particular virus is relatively harmless. There is an application at
the end of this article that will allow you to remove the virus from your
infected applications. There is also an 'INIT' resource you can put in your
System Folder that will warn you if this virus ever shows up on your
system.

How I found it

Until last week, I had had no experience with computer viruses. I had heard
rumors about the existence of Mac viruses, but didn't really believe them.
I do not know when this virus first got into my system. It must have come
from some program I downloaded off of a network, but I do not know which
one. By the time I figured out what was going on, the virus had modified
seventeen of the applications on my hard disk and my System file.
Sometime near the beginning of last week, I started hearing a beep when
launching programs. It didn't happen every time, only once in a while and
with no discernible pattern. Using TMON, I trapped SysBeep() and discovered
that something was modifying 'CODE' 0 and installing several 'nVIR'
resources into every application I launched. I looked in my System file
and, in addition to several 'nVIR' resources, found an 'INIT' 32 resource
that I didn't put there. I compared the standard 'INIT's from an original
system disk and none of them matched the 'INIT' 32 I had found. What really
clued me in to the idea of a virus was that if I took the 'INIT' 32
resource out of my System file, quit ResEdit, and then relaunched ResEdit,
the 'INIT' 32 resource would be back in there. After disassembling 'INIT'
32, I learned how it worked and how to make my system immune to it. I am
sharing this information so that other Mac users can protect themselves as
well.

How to make your System file immune

Use ResEdit to open your System file. Create an 'INIT' 32 resource that
consists of these 2 hex bytes: 4E 75 (which is an RTS instruction). If
'INIT' 32 already exists and has a size of 366 bytes, then you can be
pretty sure it is the virus' 'INIT'. Replace the existing 'INIT' 32 with
the 2 byte version (4E 75). Now create 8 resources of the type 'nVIR'; the
case of the resource type is important -- do not use 'NVIR' or 'nvir'. Their
IDs should be 0 through 7, with size zero bytes. If they already exist,
then delete them and create 8 new empty ones (with IDs 0-7).
That's it. Your system is now immune to this particular virus (but not all
possible viruses). If you now run an infected application, the virus will
think that it is already installed in your system file, since it sees the
'INIT' and 'nVIR' resources it expects, and will leave it alone.
If your System file was infected before you immunized it, you should reboot
the system before using the procedure below to remove the virus from your
applications. This guarantees that the effects of 'INIT' 32 are removed
from memory.

Removing the virus from infected applications

If an application has been infected, it will have several 'nVIR' resources,
a 'CODE' 256 resource, and a possibly modified 'CODE' 0 resource. Here are
instructions on how to restore an infected application (note: this is only
useful if you are certain that your System file is not infected. Otherwise,
the applications will become infected again. Also, you should practice on a
copy of an infected application):

1) Open the application with ResEdit. If 'CODE' 256 exists, use GetInfo on
it to check its size. If it is 372 bytes, then remove it. The reason we
check for the size is because some applications, such as ReadySetGo,
already have a 'CODE' 256 resource of their own and we don't want to remove
part of the application's code.

2) Open 'CODE' 0 and look at the 3rd line of 8 hex bytes (bytes 16-23). If
it is "0000 3F3C 0100 A9F0" then you need to replace that line of hex
numbers with the 8 bytes contained in the 'nVIR' 2 resource. If the third
line does not look like the above 8 bytes, then the 'CODE' resource is
probably protected and did not get modified -- see below for an explanation.
In this case leave it alone.

3) Remove all 'nVIR' resources. Make sure you have completed step 2 before
removing 'nVIR' 2. You cannot restore the application without it.

Because this procedure is so automatic, I have written a program that does
it for you. The application Vaccination displays the SFGetFile dialog and
allows you to choose an application to vaccinate. A message is displayed
that tells you the result of the vaccination and the SFGetFile dialog is
displayed again. If your system has been infected, you should vaccinate
every application on your hard drive. You will only see files of type
'APPL' in the SFGetFile dialog so you might want to do a manual tree walk
of your hard drive to be sure you vaccinate all of your applications. There
is no harm in vaccinating an uninfected application or in vaccinating the
same application more than once. This program does not make applications
immune to this virus, it only removes this virus from them. But if your
System file is immune, then there is no way this particular virus can
spread to your applications. Note: you cannot use the Vaccination program
to make your System file immune. You will have to do that manually using
the procedure above.

How this virus works

This particular virus modifies the 'CODE' 0 resource of an application in
such a way that when you launch that application the first thing to execute
is a piece of virus installation code. That installation code looks for the
virus' presence in the System file you are launching from. If it does not
find evidence of the virus, it then installs itself (as 'INIT' 32 and
several 'nVIR' resources) into your System file and then executes the
application you had originally launched. Once your System file is infected,
every application launched from that system will become infected. The whole
infection process only takes a second or two, so there is little chance you
will notice it. If the virus detects that it is already in the System file
and in the application you are launching (meaning that no installation of
itself is necessary on this launch), then there is about a 6% chance (1 in
16) that you will hear a short beep. This is the beep that first got my
attention. According to a friend of mine, Chris Borton, whose computer was
also infected, if you have MacinTalk in your System Folder, then the virus
speaks the words "Don't Panic" instead of beeping.

This virus does not check if the 'CODE' 0 resource of the application it is
trying to infect is protected or not. Consequently, applications that have
'CODE' 0 resources with the resProtected bit set are still infected, but
are not contagious, i.e. they have the 'CODE' 256 resource and the 'nVIR'
resources added to them, but they can not pass the virus on to a clean
System file. I learned this by noticing that QUED/M and PageMaker were
infected, but were not contagious. I couldn't figure out why some programs
had protected 'CODE' resources and others didn't. Then one of the people I
work with, Victor Romano, put it together. He told me that Lightspeed C
(which QUED/M and PageMaker were written in) automatically sets the
resProtected bit of the 'CODE' resources it generates. MPW does not. So,
protecting the 'CODE' resources (which can be done with ResEdit) is another
simple way of preventing this virus from affecting an application.

To be forewarned

I don't know how far this virus has already spread, or how far it will
spread. As a partial defense, however, I have written a piece of code that
can be installed as an 'INIT' file in your System Folder that will warn you
if it detects something that looks like this particular virus.
VirusWarnINIT is a patch on 2 routines that this virus relies on:
GetResource() and ChangedResource(). The patch to GetResource() makes a
beep if theType == 'nVIR'. The patch to ChangedResource() makes a beep if
theResource is a handle to a 'CODE' 0 resource. I wouldn't suggest
installing this 'INIT' in a system known to be infected -- the number of
beeps is sure to annoy you. I would have used something like an alert
window instead of a beep as a warning, but I can't be sure that the Window
Manager has been initialized at the time the virus is detected. If you
install this 'INIT' in a clean system and then launch a contagious
application, you will hear about 5 or 6 beeps in a row as the virus tries
to install itself in your System file.

Note that this 'INIT' is only a warning, not a vaccination. The virus will
still install itself. The advantage is that you will know about it right
away and can stop it before it spreads very far.

Now that my Mac has been vaccinated, it's my turn. After Typhoid, Yellow
Fever, Cholera and Meningococcal vaccinations, I'm off to Africa and
Indochina. I wonder if I can get David Smith to send MacTutor to Serengeti
National Park? Or do they already get it there? I'll let you know...
Chris "Johann" Borton, UC San Diego     ...!sdcsvax!borton
                                    borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, one more year here, and then on to Amsterdam!
"H = F cubed.  Happiness = Food, Fun, & Friends."  --Steve Wozniak



From borton@net1.ucsd.edu Wed Mar 16 09:30:14 1988
From: borton@net1.ucsd.edu (Chris Borton)
Newsgroups: comp.binaries.mac
Subject: nVIR virus vaccination INIT & program
Message-ID: <5948@dhw68k.cts.com>
Date: 16 Mar 88 15:30:14 GMT
Organization: UCSD Network Operations Group

[nVIR virus vaccination INIT & program]

This is the INIT and program to combat the nVIR virus discovered here
in San Diego.  See comp.sys.mac for an extensive article describing how
it works et al.

Reprinted by special permission of David Smith of
Mactutor
P.O. Box 400
Placentia, CA  92670
(714) 630-3730

Many thanks to David for encouraging the rapid spread of information on
this subject!

Any questions or replies to Mike Scanlin, author of these programs and
the article, may be directed to me: Chris Borton, borton@ucsd.edu.
Mike will be 'reachable' until mid-April.
--
Chris "Johann" Borton, UC San Diego     ...!sdcsvax!borton
                                    borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, one more year here, and then on to Amsterdam!
"H = F cubed.  Happiness = Food, Fun, & Friends."  --Steve Wozniak
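As an added illustration (not code from the thread, the MacTutor article, or the Vaccination program itself), the following Python models the System-file immunization and the three-step application clean-up that Mike Scanlin describes above. The {(type, id): bytes} resource map is an assumed toy model rather than the real Macintosh resource-fork format, and the 8 "original" CODE 0 bytes in the sample are a constructed placeholder.

```python
"""Toy model of the nVIR immunity and vaccination checks from the article.
A resource fork is assumed to be {(type, id): bytes}; this is not a parser
for the real Macintosh resource-fork format."""
from typing import Dict, Tuple

Resources = Dict[Tuple[str, int], bytes]

# Constants taken from the article
NVIR_INIT32_SIZE = 366          # size of the virus' INIT 32 in the System file
NVIR_CODE256_SIZE = 372         # size of the virus' CODE 256 in an application
NVIR_CODE0_HOOK = bytes.fromhex("00003F3C0100A9F0")  # bytes 16-23 of CODE 0
RTS = bytes.fromhex("4E75")     # 2-byte INIT 32 that immunizes the System
ORIG_LINE3 = bytes.fromhex("0011223344556677")  # constructed placeholder


def system_looks_infected(res: Resources) -> bool:
    """True if the System carries the 366-byte INIT 32 or non-empty nVIRs."""
    init = res.get(("INIT", 32))
    if init is not None and len(init) == NVIR_INIT32_SIZE:
        return True
    return any(t == "nVIR" and len(data) > 0 for (t, _), data in res.items())


def is_system_immune(res: Resources) -> bool:
    """Article's immune state: INIT 32 == RTS and empty nVIR 0..7 present."""
    return res.get(("INIT", 32)) == RTS and all(
        res.get(("nVIR", i)) == b"" for i in range(8))


def immunize_system(res: Resources) -> Resources:
    """Replace INIT 32 with RTS, drop old nVIRs, create empty nVIR 0..7."""
    out = {k: v for k, v in res.items() if k[0] != "nVIR"}
    out[("INIT", 32)] = RTS
    for i in range(8):
        out[("nVIR", i)] = b""
    return out


def vaccinate_application(res: Resources) -> Tuple[Resources, str]:
    """Steps 1-3 of the article; returns (cleaned copy, result message)."""
    out = dict(res)
    nvir_ids = [i for (t, i) in out if t == "nVIR"]
    if not nvir_ids:
        return out, "not infected"
    # Step 1: remove CODE 256 only if it is the virus' 372-byte resource
    # (some applications legitimately ship a CODE 256 of their own).
    code256 = out.get(("CODE", 256))
    if code256 is not None and len(code256) == NVIR_CODE256_SIZE:
        del out[("CODE", 256)]
    # Step 2: if the third line of CODE 0 is the virus hook, put back the
    # original 8 bytes saved in nVIR 2. Without nVIR 2 nothing can be restored.
    code0 = out.get(("CODE", 0), b"")
    if code0[16:24] == NVIR_CODE0_HOOK:
        saved = out.get(("nVIR", 2))
        if saved is None or len(saved) != 8:
            return dict(res), "cannot restore CODE 0: nVIR 2 missing"
        out[("CODE", 0)] = code0[:16] + saved + code0[24:]
        result = "contagious copy cleaned: CODE 0 restored"
    else:
        result = "CODE 0 untouched (probably resProtected); nVIRs removed"
    # Step 3: remove every nVIR resource
    for i in nvir_ids:
        del out[("nVIR", i)]
    return out, result


def sample_infected_app() -> Resources:
    """Constructed sample: a 32-byte CODE 0 whose third line was hooked."""
    clean_code0 = bytes(16) + ORIG_LINE3 + bytes(8)
    return {("CODE", 0): clean_code0[:16] + NVIR_CODE0_HOOK + clean_code0[24:],
            ("CODE", 256): bytes(NVIR_CODE256_SIZE),
            ("nVIR", 0): b"", ("nVIR", 1): bytes(360), ("nVIR", 2): ORIG_LINE3}


if __name__ == "__main__":
    app, msg = vaccinate_application(sample_infected_app())
    print(msg, app[("CODE", 0)][16:24].hex())
    system = immunize_system({("INIT", 32): bytes(NVIR_INIT32_SIZE)})
    print("immune:", is_system_immune(system))
```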