borton@uva.UUCP (Chris Borton) (09/23/88)
In article <3716@charon.unm.edu> cn4gr8ag@ariel.unm.edu.UUCP (Bob Knudson) writes:
>I'm also interested in knowing what damage the sneak and nVir viruses do
>to Macs...MacUser had an article about them recently stating their
>existence, but they didn't go into detail about their possibly destructive
>nature...

Information about nVIR, what it does, and how to combat it is contained in the lead article in MacTutor April 1988. (hmm, 90% sure it's April but don't have it handy. +-1 month if not) This article was also distributed over comp.sys.mac and info-mac in January, along with a Vaccination program for curing programs infected with nVIR and an INIT to warn when it was trying to infect. This article and the programs should be available via sumex; if there is need I can mail them (they're not very big either).

BTW: Vaccination 1.0 put out over the net neglected to show the Finder and DA Handler as applications to cure. Fix: replace the two with original versions or ask me for 1.1.

-cbb
--
Chris Borton                 borton%uva@mcvax.{nl,bitnet,uucp}
Rotary Scholar, University of Amsterdam CS
"MesS-DOS programmers did it yesterday. Mac programmers do it today. OS/2 programmers claim they will do it tomorrow. [I don't believe them :-)]"
ccasths@pyr.gatech.EDU (Scott Hinckley) (09/25/88)
How about this for Virus protection - First, you assume that you start with a clean system. Then you take your back up program and back it up. Now, you log (on paper) every file you change and when you change it. Now, when you go to do your next back up you tell the backup program to only back up files that have changed (requires some sort of checksum and date modified disk from last backup?) When it finds a changed file it tells you what was changed and when it was last modified. You check this against your list before allowing the backup.

Would it work? Would it take way too much time? Just some thoughts.

+=======================================================================+
|Scott Hinckley - OCS User Assistant          AKA - Galaxy's End        |
|Georgia Institute of Technology, Atlanta Georgia, 30332                |
|uucp: ...!gatech!pyr!ccasths          USnail: 345 Peachtree Pl NW      |
|ARPA: ccasths@pyr.gatech.edu                  Atlanta, Ga. 30318       |
|                         I reply to ALL E-Mail                         |
+=======================================================================+
werner@utastro.UUCP (Werner Uhrig) (09/25/88)
[ I'm not sure if I posted a follow-up to this discussion-thread before. I'd hope to be forgiven though .... ]

If someone gets hit by a virus and has FTP-powers, you should remember my archives on RASCAL.ICS.UTEXAS.EDU as source for quick enlightenment. In an emergency, I will mail out files to non-FTP-capable netters near-instantly.... :-)

if anyone notices anything missing in my collection, please let me know (or, better, send me what you have); thanks.

here's a quick index of what's currently available on RASCAL: (NOTE that files ending in .Z indicate compression which requires binary FTP-transfer!)

werner on rascal <147> cd ~ftp
/usr2/ftp
werner on rascal <148> ls
bin/          explore-me@   mac@          pub/
etc/          funny@        misc/         unix@
werner on rascal <149> ls mac
0.about.compressed-files          DIR.with-comments*
0.remote.mac-archives.info        INFO-MAC.at.SUMEX@
0.remote.mac-archives.info~       MAC.at.SALLY@
00.README-for-this-directory*     MACINTOSH.at.SIMTEL20@
BRAND-NEW/                        NEW-in-8805/
DIR.LOG-of-NEW*                   NEW-in-8807/
DIR.NEW-in-8804*                  NEW-in-8808/
DIR.NEW-in-8805*                  dataframe-support/
DIR.NEW-in-8806*                  mac-utilities/
DIR.NEW-in-8807                   sounds-archives.pointer
DIR.NEW-in-8808                   stuffit/
DIR.unix-utilities*               unix-utilities/
DIR.virus-tools*                  virus-tools/
werner on rascal <150> ls mac/virus-tools
Ferret-1pt0_APPL.sit_hqx.Z        Vaccine_CDEV.Hqx.Z
Guard_Dog_CDEV.sit_hqx.Z          VirusDetective-DA_1pt2.Hqx.Z
Interferon-2pt0_APPL.pit_hqx.Z    VirusRx.Hqx.Z*
KillScores_1pt0_APPL.hqx.Z        VirusWarningINIT.hqx.Z
KillVirus_INIT.Urlichs.Z          virus.SCORES.news.Z
Vaccination_APPL.pit_hqx.Z        virus.news.Z
--
--------------------> PREFERRED-RETURN-ADDRESS-FOLLOWS <---------------------
(ARPA)     werner@rascal.ics.utexas.edu        (Internet: 128.83.144.1)
(INTERNET) werner%rascal.ics.utexas.edu@cs.utexas.edu
(UUCP)     ..!utastro!werner  or  ..!uunet!rascal.ics.utexas.edu!werner
Mark_Peter_Cookson@cup.portal.com (09/27/88)
About checking each file and/or program. When you run a program, most of the time it gets its "changed" bit changed. This is why some backup programs offer not to back up applications since you can waste a lot of disk space backing up something that looks like it has changed, but really hasn't. I don't think that your method would work with applications or system files (they also get changed when run, sometimes....). Since the virus can't change anything until it is run, and it will probably only change the program that is running (it would get obvious if it started doing all the files on the HD).

All in all, I don't think that the plan would work too well since too many are changed just by normal use and might be hard to tell from virus changed....

Mark Cookson
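The change-audit idea Scott proposes and the objection Mark raises can both be seen in a small content-hash manifest. The following is an added example written for this thread, not code from any of the posters: a baseline manifest records size, modification time and a SHA-256 digest per file, and a later pass classifies each file as unchanged, merely re-dated ("touched": date changed, bytes identical), modified (bytes differ), new or missing. Hashing is what separates a re-dated file from a real change; it still cannot tell a legitimate self-modification from a viral one, which is Mark's point. The file names and contents in `demo()` are constructed sample data.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to (size, mtime_ns, sha256 hex)."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (st.st_size, st.st_mtime_ns, digest)
    return manifest


def diff_manifest(baseline, current):
    """Classify every path seen in either manifest.

    'touched'  : date moved but content hash identical (what a mere run/backup flag flip looks like)
    'modified' : content hash differs, regardless of size or date
    """
    report = {}
    for path in set(baseline) | set(current):
        if path not in baseline:
            report[path] = "new"
        elif path not in current:
            report[path] = "missing"
        else:
            (_, old_mtime, old_hash), (_, new_mtime, new_hash) = baseline[path], current[path]
            if old_hash != new_hash:
                report[path] = "modified"
            elif old_mtime != new_mtime:
                report[path] = "touched"
            else:
                report[path] = "unchanged"
    return report


def demo():
    """Constructed scenario in a temp dir: one file edited in place (same size),
    one only re-dated, one added, one left alone. Returns the classification."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("editor.app", b"A" * 64), ("notes.txt", b"hello"), ("game.app", b"B" * 32)):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_manifest(root)

        # Same length, different bytes: size and date alone would not flag this reliably.
        with open(os.path.join(root, "editor.app"), "wb") as fh:
            fh.write(b"A" * 60 + b"XXXX")
        # Date bumped by two seconds, bytes untouched: the "changed bit" case Mark describes.
        touched = os.path.join(root, "game.app")
        st = os.stat(touched)
        os.utime(touched, ns=(st.st_atime_ns, st.st_mtime_ns + 2 * 10**9))
        # A file that was not in the baseline at all.
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(b"new")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    for path, status in sorted(demo().items()):
        print(f"{status:10s} {path}")
```

In practice the baseline would be written to write-locked media before the system is ever exposed, and only "modified" entries that are not on the hand-kept change list would need a closer look.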
md32+@andrew.cmu.edu (Michael Joseph Darweesh) (12/12/88)
Here's some nVIR info

Collected by:
-Mike Darweesh   md32
-Chuck Silvers   cs4n
@andrew.cmu.edu
Carnegie Mellon University

From borton@net1.UUCP Tue Mar 8 02:04:12 1988
From: borton@net1.ucsd.edu (Chris Borton)
To: werner
Subject: nVIR: I've got a virus and I don't like it
Date: 8 Mar 88 02:04:12 GMT
Organization: UCSD Network Operations Group
Newsgroups: comp.sys.mac

This is a warning and plea for more information, if anyone has any. We just discovered a virus in some of our systems (not all) at work today, and it has permeated my system at home as well. The symptoms are simple:

INIT 32 in System File
nVIR resources in various applications and the System File.

This sucker is tricky -- it is getting itself loaded before any INITs do (we believe the INIT 32 is just a teaser), like PTCHs do, but it isn't in PTCH. Our two best programmers spent today tracing through it and still haven't found a real solution other than offloading and re-initializing. To our knowledge it is non-malicious (yet). The nVIR resources are usually small, sometimes 8 bytes, sometimes ~360. If you remove them from both System and ResEdit, the virus won't let you run ResEdit because it is looking for those resources and can't find them. It occasionally beeps when running a program.

We have no idea what installed this. We are fairly certain it originated from one of the many small programs that come over the net. Many of these would be perfect 'carriers' -- little demo program that's an "aww, that cute, now let's trash it." I'm not putting down these programs, just pointing out what I feel is obvious.

I don't believe this is any cause for panic -- it hasn't done any known harm yet. I would, however, like to get to the bottom of this! If it's a joke, I don't find it very funny. (unless it de-installs itself completely after April Fool's Day :-)). If it is someone's graduate thesis, you get an A-. But enough is enough!
-cbb
Chris "Johann" Borton, UC San Diego ...!sdcsvax!borton

From spector@vx2.GBA.NYU.EDU Tue Mar 8 09:34:00 1988
Path: ut-emx!ut-sally!tut.cis.ohio-state.edu!mailrus!nrl-cmf!cmcl2!vx2!spector
From: spector@vx2.GBA.NYU.EDU (David HM Spector)
To: werner
Newsgroups: comp.sys.mac
Subject: Re: nVIR: I've got a virus and I don't like it
Message-ID: <650007@vx2.GBA.NYU.EDU>
Date: 8 Mar 88 15:34:00 GMT
Article-I.D.: vx2.650007
Posted: Tue Mar 8 09:34:00 1988
References: <4731@sdcsvax.UCSD.EDU>
Organization: New York University
Lines: 39

It seems you have been bitten by a virus whose sources were uploaded to Compuserve several months ago... The author, a fellow in West Germany, thought it would be educational to distribute these example viruses in source form to encourage people to write defenses against them. His stated intent in writing a virus in the first place was to keep people from running possibly virus ridden program on their production Macintoshes which had been previously hit by viruses.... its signature, in the original sources, was a resource type of nVir... its a simple yet potent virus and very easily modified to do bad things.

... unfortunately the only way around most of these viruses is to replace your system folder. (Make sure you do this from a WRITE-LOCKED copy of the Apple System installer... or else you'll end up back where you started, with an infected system.... there is another problem, that being that the virus that was on CompuServe knows how to infect APPLICATIONS, as well as the system itself. Pretty depressing....

For more info on this virus, take a look at Risks Digest volume 6, Nos. 7, 22,23,24, 27 (a few of the articles are ones I wrote regarding this and other Macintosh viruses...)

Good Luck....
David

PS: If anyone else out there has seen Macintosh viruses, besides the "DR" ( Richard Brandow/MacMag virus), I would appreciate hearing about it..
I am trying to work up some stats on the spread and possible strategies for combating these things...
-------------------------------------------------------------------------------
David HM Spector                                        New York University

--- and was derived from the existing "nVir" virus we are all experiencing. It cost me considerable time to dissect the beast and I thought it a good idea to post a watered-down version of it so that someone might find some means of defeating future examples of this behavior. I fully agree that viruses (even non-malignant ones) are far from funny. I did not think that anyone would recompile the beast since to derive the missing pieces is about as hard as starting from scratch; I assume the original has travelled to the US. I will delete the "example" if there is a consensus that it will do more bad than good.

The "nVir" virus installs itself in the System file using an INIT 32, and into any program you start by patching itself into the "CODE 0" resource. This is accomplished by patching the TEInit trap. The programmer built a defeat mechanism into the virus: it will do nothing if there is a resource "nVIR", ID 10, present in your System file.

To deinstall the virus from your System, simply delete all "nVIR" resources and the infamous INIT 32, and create a (empty) "nVIR" 10 resource to prevent further problems.

Getting it out of programs is more difficult. The old entry from the CODE 0 is stored in nVIR ID 2. Open that resource, copy the eight bytes, open CODE 0, select the third line, and paste. Then delete all nVIRs, and CODE 256 (this does belong to the virus). You might have to use ResEdit 1.2 for some programs which have a CODE 0 too large for ResEdit 1.1 to handle.

The original of this virus came in three flavors. The first simply beeps when you start a program (not always). The second opened MacinTalk and tried to say "Don't Panic" instead. The third selected a random file in your System folder and killed it.
Fortunately the former two are more aggressive and do overwrite the third one if they see it. All three variants sometimes crash programs when you try to start them. This does not seem to cause any further problems.

I hope this information helps. Please do not mail to me if possible because I have to pay $1 per kByte if it gets too much.
--
Matthias Urlichs          CompuServe: 72437,1357   Delphi: URLICHS
Rainwiesenweg 9
8501 Schwaig 2            "Violence is the last refuge
West Germany               of the incompetent."  -- Salvor Hardin

From borton@net1.UUCP Tue Mar 15 12:40:01 1988
Path: ut-emx!ut-sally!tut.cis.ohio-state.edu!mailrus!nrl-cmf!ames!ucsd!sdcsvax!net1!borton
From: borton@net1.ucsd.edu (Chris Borton)
To: werner
Newsgroups: comp.sys.mac
Subject: Vaccination for nVIR virus (MacTutor article)
Keywords: virus
Message-ID: <4761@sdcsvax.UCSD.EDU>
Date: 15 Mar 88 18:40:01 GMT
Article-I.D.: sdcsvax.4761
Posted: Tue Mar 15 12:40:01 1988
Sender: nobody@sdcsvax.UCSD.EDU
Reply-To: borton@net1.UUCP (Chris Borton)
Organization: UCSD Network Operations Group
Lines: 192

Here is the article Mike Scanlin wrote for MacTutor describing the effects and inner workings of the nVIR virus lately discussed. This is reprinted by special permission of David Smith of Mactutor
P.O. Box 400
Placentia, CA 92670
(714) 630-3730

Many thanks to David for encouraging the rapid spread of information on this subject. The program and INIT to combat this virus described in the article have been posted to comp.binaries.mac.

-cbb

----

Vaccination
by Mike Scanlin

Reprinted by special permission of David Smith from MacTutor
P.O. Box 400
Placentia, CA 92670
(714) 630-3730

Unless you are going to Africa or Indochina, viruses and vaccinations are not something that most of us need to worry about. However, even if you're not planning on travelling, there is one virus you need to be aware of. It is a computer virus that is infecting Macintoshes everywhere.

Are you infected?
Use ResEdit to open your system file and look for 'nVIR' resources. If you have them, then your system has been infected and chances are that at least some (if not most or all) of your applications are infected. Don't panic. This particular virus is relatively harmless. There is an application at the end of this article that will allow you to remove the virus from your infected applications. There is also an 'INIT' resource you can put in your System Folder that will warn you if this virus ever shows up on your system.

How I found it

Until last week, I had had no experience with computer viruses. I had heard rumors about the existence of Mac viruses, but didn't really believe them. I do not know when this virus first got into my system. It must have come from some program I downloaded off of a network, but I do not know which one. By the time I figured out what was going on, the virus had modified seventeen of the applications on my hard disk and my System file.

Sometime near the beginning of last week, I started hearing a beep when launching programs. It didn't happen every time, only once in a while and with no discernible pattern. Using TMON, I trapped SysBeep() and discovered that something was modifying 'CODE' 0 and installing several 'nVIR' resources into every application I launched. I looked in my System file and, in addition to several 'nVIR' resources, found an 'INIT' 32 resource that I didn't put there. I compared the standard 'INIT's from an original system disk and none of them matched the 'INIT' 32 I had found. What really clued me in to the idea of a virus was that if I took the 'INIT' 32 resource out of my System file, quit ResEdit, and then relaunched ResEdit, the 'INIT' 32 resource would be back in there.

After disassembling 'INIT' 32, I learned how it worked and how to make my system immune to it. I am sharing this information so that other Mac users can protect themselves as well.
How to make your System file immune

Use ResEdit to open your System file. Create an 'INIT' 32 resource that consists of these 2 hex bytes: 4E 75 (which is an RTS instruction). If 'INIT' 32 already exists and has a size of 366 bytes, then you can be pretty sure it is the virus' 'INIT'. Replace the existing 'INIT' 32 with the 2 byte version (4E 75). Now create 8 resources of the type 'nVIR'; the case of the resource type is important: do not use 'NVIR' or 'nvir'. Their IDs should be 0 through 7, with size zero bytes. If they already exist, then delete them and create 8 new empty ones (with IDs 0-7). That's it. Your system is now immune to this particular virus (but not all possible viruses). If you now run an infected application, the virus will think that it is already installed in your system file, since it sees the 'INIT' and 'nVIR' resources it expects, and will leave it alone.

If your System file was infected before you immunized it, you should reboot the system before using the procedure below to remove the virus from your applications. This guarantees that the effects of 'INIT' 32 are removed from memory.

Removing the virus from infected applications

If an application has been infected, it will have several 'nVIR' resources, a 'CODE' 256 resource, and a possibly modified 'CODE' 0 resource. Here are instructions on how to restore an infected application (note: this is only useful if you are certain that your System file is not infected. Otherwise, the applications will become infected again. Also, you should practice on a copy of an infected application):

1) Open the application with ResEdit. If 'CODE' 256 exists, use GetInfo on it to check its size. If it is 372 bytes, then remove it. The reason we check for the size is because some applications, such as ReadySetGo, already have a 'CODE' 256 resource of their own and we don't want to remove part of the application's code.

2) Open 'CODE' 0 and look at the 3rd line of 8 hex bytes (bytes 16-23).
If it is "0000 3F3C 0100 A9F0" then you need to replace that line of hex numbers with the 8 bytes contained in the 'nVIR' 2 resource. If the third line does not look like the above 8 bytes, then the 'CODE' resource is probably protected and did not get modified; see below for an explanation. In this case leave it alone.

3) Remove all 'nVIR' resources. Make sure you have completed step 2 before removing 'nVIR' 2. You cannot restore the application without it.

Because this procedure is so automatic, I have written a program that does it for you. The application Vaccination displays the SFGetFile dialog and allows you to choose an application to vaccinate. A message is displayed that tells you the result of the vaccination and the SFGetFile dialog is displayed again. If your system has been infected, you should vaccinate every application on your hard drive. You will only see files of type 'APPL' in the SFGetFile dialog so you might want to do a manual tree walk of your hard drive to be sure you vaccinate all of your applications. There is no harm in vaccinating an uninfected application or in vaccinating the same application more than once. This program does not make applications immune to this virus, it only removes this virus from them. But if your System file is immune, then there is no way this particular virus can spread to your applications.

Note: you cannot use the Vaccination program to make your System file immune. You will have to do that manually using the procedure above.

How this virus works

This particular virus modifies the 'CODE' 0 resource of an application in such a way that when you launch that application the first thing to execute is a piece of virus installation code. That installation code looks for the virus' presence in the System file you are launching from.
If it does not find evidence of the virus, it then installs itself (as 'INIT' 32 and several 'nVIR' resources) into your System file and then executes the application you had originally launched. Once your System file is infected, every application launched from that system will become infected. The whole infection process only takes a second or two, so there is little chance you will notice it. If the virus detects that it is already in the System file and in the application you are launching (meaning that no installation of itself is necessary on this launch), then there is about a 6% chance (1 in 16) that you will hear a short beep. This is the beep that first got my attention. According to a friend of mine, Chris Borton, whose computer was also infected, if you have MacinTalk in your System Folder, then the virus speaks the words "Don't Panic" instead of beeping.

This virus does not check if the 'CODE' 0 resource of the application it is trying to infect is protected or not. Consequently, applications that have 'CODE' 0 resources with the resProtected bit set are still infected, but are not contagious, i.e. they have the 'CODE' 256 resource and the 'nVIR' resources added to them, but they can not pass the virus on to a clean System file. I learned this by noticing that QUED/M and PageMaker were infected, but were not contagious. I couldn't figure out why some programs had protected 'CODE' resources and others didn't. Then one of the people I work with, Victor Romano, put it together. He told me that Lightspeed C (which QUED/M and PageMaker were written in) automatically sets the resProtected bit of the 'CODE' resources it generates. MPW does not. So, protecting the 'CODE' resources (which can be done with ResEdit) is another simple way of preventing this virus from affecting an application.

To be forewarned

I don't know how far this virus has already spread, or how far it will spread.
As a partial defense, however, I have written a piece of code that can be installed as an 'INIT' file in your System Folder that will warn you if it detects something that looks like this particular virus.

VirusWarnINIT is a patch on 2 routines that this virus relies on: GetResource() and ChangedResource(). The patch to GetResource() makes a beep if theType == 'nVIR'. The patch to ChangedResource() makes a beep if theResource is a handle to a 'CODE' 0 resource. I wouldn't suggest installing this 'INIT' in a system known to be infected; the number of beeps is sure to annoy you. I would have used something like an alert window instead of a beep as a warning, but I can't be sure that the Window Manager has been initialized at the time the virus is detected. If you install this 'INIT' in a clean system and then launch a contagious application, you will hear about 5 or 6 beeps in a row as the virus tries to install itself in your System file. Note that this 'INIT' is only a warning, not a vaccination. The virus will still install itself. The advantage is that you will know about it right away and can stop it before it spreads very far.

Now that my Mac has been vaccinated, it's my turn. After Typhoid, Yellow Fever, Cholera and Meningococcal vaccinations, I'm off to Africa and Indochina. I wonder if I can get David Smith to send MacTutor to Serengeti National Park? Or do they already get it there? I'll let you know...

Chris "Johann" Borton, UC San Diego ...!sdcsvax!borton
borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, one more year here, and then on to Amsterdam!
"H = F cubed. Happiness = Food, Fun, & Friends."
--Steve Wozniak

From borton@net1.ucsd.edu Wed Mar 16 09:30:14 1988
From: borton@net1.ucsd.edu (Chris Borton)
Newsgroups: comp.binaries.mac
Subject: nVIR virus vaccination INIT & program
Message-ID: <5948@dhw68k.cts.com>
Date: 16 Mar 88 15:30:14 GMT
Organization: UCSD Network Operations Group

[nVIR virus vaccination INIT & program]

This is the INIT and program to combat the nVIR virus discovered here in San Diego. See comp.sys.mac for an extensive article describing how it works et al.

Reprinted by special permission of David Smith of Mactutor
P.O. Box 400
Placentia, CA 92670
(714) 630-3730

Many thanks to David for encouraging the rapid spread of information on this subject!

Any questions or replies to Mike Scanlin, author of these programs and the article, may be directed to me: Chris Borton, borton@ucsd.edu. Mike will be 'reachable' until mid-April.

--
Chris "Johann" Borton, UC San Diego ...!sdcsvax!borton
borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, one more year here, and then on to Amsterdam!
"H = F cubed. Happiness = Food, Fun, & Friends."
--Steve Wozniak
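The indicators the MacTutor article gives (nVIR resources, a 366-byte INIT 32, a 372-byte CODE 256, the patched third line of CODE 0, the resProtected exception) and its three removal steps can be checked mechanically against a resource fork. The following is an added example written for this thread; it is not Mike Scanlin's Vaccination program nor code from any poster. The resource-fork byte layout is assumed from the published Inside Macintosh description (header, data area of length-prefixed blobs, map with type list and reference lists); the sample fork, the "original" jump-table bytes and the 0xAA filler are constructed test data. The bytes the article quotes, 3F3C 0100 A9F0, encode MOVE.W #256,-(SP) followed by the _LoadSeg trap, which is how launch gets redirected into the viral CODE 256.

```python
import struct

# Classic Mac resource-fork layout (assumed from Inside Macintosh; the thread
# does not describe it):
#   header : data_off(4) map_off(4) data_len(4) map_len(4)
#   data   : per resource, length(4) + bytes
#   map    : 16-byte header copy, 4 handle, 2 file ref, 2 attrs,
#            2 type-list offset, 2 name-list offset (both from map start)
#   types  : count-1(2), then per type: type(4) count-1(2) ref-list offset(2)
#   refs   : id(2) name_off(2) attrs(1) data_off(3) handle(4)

RES_PROTECTED = 0x08                                 # resProtected attribute bit
# Third 8-byte line of CODE 0 as the article says the virus leaves it:
# MOVE.W #256,-(SP) ; _LoadSeg  -> execution enters the viral CODE 256.
NVIR_CODE0_PATCH = bytes.fromhex("00003F3C0100A9F0")


def build_resource_fork(resources):
    """Serialise [(type, id, attrs, data)] into a resource fork (constructed test data)."""
    data_area, entries = b"", []
    for rtype, rid, attrs, data in resources:
        entries.append((rtype, rid, attrs, len(data_area)))
        data_area += struct.pack(">I", len(data)) + data
    types = list(dict.fromkeys(e[0] for e in entries))
    type_list = struct.pack(">H", len(types) - 1)
    type_list_len, ref_lists = 2 + 8 * len(types), b""
    for rtype in types:
        refs = [e for e in entries if e[0] == rtype]
        type_list += rtype + struct.pack(">HH", len(refs) - 1, type_list_len + len(ref_lists))
        for _, rid, attrs, off in refs:
            ref_lists += struct.pack(">hh", rid, -1) + bytes([attrs]) + off.to_bytes(3, "big") + b"\0" * 4
    res_map = b"\0" * 24 + struct.pack(">HH", 28, 28 + type_list_len + len(ref_lists)) + type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), len(res_map))
    return header + b"\0" * 240 + data_area + res_map


def parse_resource_fork(fork):
    """Return [(type, id, attrs, data)] for every resource in the fork."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    out = []
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):
        e = tl + 2 + 8 * i
        rtype, (nrefs, ref_off) = fork[e:e + 4], struct.unpack(">HH", fork[e + 4:e + 8])
        for j in range(nrefs + 1):
            r = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[r:r + 2])[0]
            start = data_off + int.from_bytes(fork[r + 5:r + 8], "big")
            length = struct.unpack(">I", fork[start:start + 4])[0]
            out.append((rtype, rid, fork[r + 4], fork[start + 4:start + 4 + length]))
    return out


def scan_for_nvir(fork):
    """Report the indicators the article lists; an empty list means none matched."""
    res = parse_resource_fork(fork)
    index = {(t, i): (a, d) for t, i, a, d in res}
    nvir_ids = sorted(i for t, i, _, _ in res if t == b"nVIR")
    findings = []
    if nvir_ids:
        findings.append("nVIR resources present, ids %s" % nvir_ids)
    if (b"INIT", 32) in index and len(index[b"INIT", 32][1]) == 366:
        findings.append("INIT 32 is 366 bytes (the size given for the viral INIT)")
    if (b"CODE", 256) in index and len(index[b"CODE", 256][1]) == 372:
        findings.append("CODE 256 is 372 bytes (the size given for the viral segment)")
    if (b"CODE", 0) in index:
        attrs, data = index[b"CODE", 0]
        if data[16:24] == NVIR_CODE0_PATCH:
            findings.append("CODE 0 bytes 16-23 jump into CODE 256 (contagious)")
        elif nvir_ids and attrs & RES_PROTECTED:
            findings.append("CODE 0 is resProtected: infected but not contagious")
    return findings


def vaccinate(resources):
    """Apply the article's three removal steps to a parsed list; return the cleaned list."""
    saved = {(t, i): d for t, i, _, d in resources}
    cleaned = []
    for rtype, rid, attrs, data in resources:
        if rtype == b"nVIR":                                       # step 3: drop every nVIR
            continue
        if (rtype, rid) == (b"CODE", 256) and len(data) == 372:    # step 1: only the 372-byte one
            continue
        if (rtype, rid) == (b"CODE", 0) and data[16:24] == NVIR_CODE0_PATCH and (b"nVIR", 2) in saved:
            data = data[:16] + saved[b"nVIR", 2] + data[24:]       # step 2: restore saved 8 bytes
        cleaned.append((rtype, rid, attrs, data))
    return cleaned


# Constructed sample: the first jump-table entry originally loaded segment 1;
# the virus redirected it to segment 256 and saved the original line in nVIR 2.
ORIGINAL_JUMP = bytes.fromhex("00003F3C0001A9F0")
INFECTED_APP = build_resource_fork([
    (b"CODE", 0, 0, b"\0" * 16 + NVIR_CODE0_PATCH + b"\0" * 8),
    (b"CODE", 1, 0, b"\x4e\x75"),
    (b"CODE", 256, 0, b"\xaa" * 372),
    (b"nVIR", 0, 0, b"\x01" * 8),
    (b"nVIR", 2, 0, ORIGINAL_JUMP),
])

if __name__ == "__main__":
    for line in scan_for_nvir(INFECTED_APP):
        print("found:", line)
    clean = build_resource_fork(vaccinate(parse_resource_fork(INFECTED_APP)))
    print("after vaccination:", scan_for_nvir(clean) or "clean")
```

The size checks on INIT 32 and CODE 256 are kept exactly as the article states them, so a legitimate CODE 256 (the ReadySetGo case) survives vaccination, and the resProtected branch reproduces the "infected but not contagious" distinction the article draws for Lightspeed C builds.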