[comp.sys.mac] nVIR VIRUS- possible new strain

alexis@dasys1.UUCP (Alexis Rosen) (09/24/88)

[It appears that this didn't make it out the first time, thus the repost.
Hopefully you'll only see this once...]

I discovered the cause of much of my Mac's weirdness yesterday (as bitched about
in a previous article in comp.sys.mac.programmer). It was the nVIR virus! This
is bad enough under any circumstances, but I am particularly concerned because
it appears I have been the victim of a *NEW STRAIN* of this virus.

[ As far as the MultiFinder stuff goes, that was just me forgetting that
  MultiFinder is marked as the Startup app in the boot blocks. Anyway...]

I base this conclusion on three facts:

1) When I tried to boot up, all my INITs would load up fine, but the second the
last one was done the machine would crash. After I removed Vaccine, everything
worked fine. This type of behavior should lead people to believe that Vaccine
is at fault, when in fact nVIR is causing the crash. I verified this by killing
nVIR and then restoring the same exact copy of Vaccine that caused the crash
originally. Vaccine then behaved normally. Thus it appears to me that this nVIR
targets Vaccine and attempts to circumvent it. Since I have not read of this
previously, I am guessing that this nVIR is new.

2) The article by Chris Borton describing nVIR in detail specifically stated
that the CODE 256 resources it created in APPL files was 370-or-thereabouts
bytes long. It was always that same size. However, my nVIR creates resources
442 bytes long. This would indicate that about 70 bytes of code have been added
to the virus (and perhaps more was changed). 70 bytes is quite enough room to
do considerable damage with (it takes a lot less than that to call the disk
init package!).

3) As far as I can tell, this nVIR never beeps or gives other notice of its
existence. This may just be the result of coincidence, though, or even lack of
observation on my part.

All this adds up to big trouble. I am particularly perturbed by the
Vaccine-specific targeting (no other INIT, out of over a dozen, caused the
crash-on-boot). Since this nVIR is an Israeli import, I may be one of the first
to be afflicted, but I'm probably not going to be the last.

I was very lucky to discover this virus only 36 hours after it first gained a
foothold on my hard disk. I was hacking a bit in LS Pascal, when it started
bitching about a memory blockage. Maybe Symantec has a blockbuster
virus-detecting program on their hands and they don't even know it?  :-)

If there is someone on the Net who can disassemble this beast and verify or
disprove my guesses, please step forward. HOWEVER- I am not crazy enough to
start passing out a live (or even dead) virus to anyone who asks. I can't
endanger everyone for the sake of satisfying my curiosity. So, if someone who
has already proved themselves in this regard volunteers, that's okay. That
means John Norstad, Chris Borton, Mattias Urlichs, etc. etc.

I wish I had the time to do this myself, but I am more than a little rusty in
68000 and I don't have all the appropriate tools either. Nor, for that matter,
the specific expertise, and it's not something I look forward to acquiring...

If anyone has seen anything like this strain of nVIR, please tell all. The last
thing I need is to find out that it leaves behind time bombs or something
similar.

Good luck & stay healthy...

----
Alexis Rosen                       {allegra,philabs,cmcl2}!phri\
Writing from                                {harpo,cmcl2}!cucard!dasys1!alexis
The Big Electric Cat                  {portal,well,sun}!hoptoad/
Public UNIX                         Best path: uunet!dasys1!alexis
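The size indicator in point 2 (a CODE 256 resource of 442 bytes instead of the roughly 370 bytes Chris Borton described) is something a defender can check for without disassembling anything. The following is an added example, not code from the post or from any of the people named in it: a small Python parser for the classic Macintosh resource fork layout (16-byte header, length-prefixed data blobs, then the resource map with its type list and 12-byte reference entries) and a check that reports any CODE resource with ID 256 and classifies it by the two sizes the post mentions. The two sample forks are constructed in the script and contain only zero-filled padding of the right lengths, not any real virus body; the builder, the function names and the "within 10 bytes of 370" tolerance are my own assumptions.

```python
import struct

# Sizes quoted in the post: "370-or-thereabouts" for the original nVIR
# (per Chris Borton's article) and 442 bytes for the strain seen here.
NVIR_CODE_ID = 256
ORIGINAL_NVIR_SIZE = 370
NEW_STRAIN_SIZE = 442
MAP_HEADER_LEN = 28          # 16-byte header copy + 4 + 2 + 2 + 2 + 2


def build_resource_fork(resources):
    """Build a resource fork image from (type, id, data) triples (no names).
    Constructed for this example; layout follows Inside Macintosh."""
    order, by_type = [], {}
    for rtype, rid, data in resources:
        if rtype not in by_type:
            by_type[rtype] = []
            order.append(rtype)
        by_type[rtype].append((rid, data))

    # Data section: each resource is a 4-byte big-endian length plus bytes.
    data_section, data_offsets = bytearray(), {}
    for rtype in order:
        for rid, data in by_type[rtype]:
            data_offsets[(rtype, rid)] = len(data_section)
            data_section += struct.pack(">I", len(data)) + data

    # Type list: count-1, then per type: 4-char type, count-1, offset of its
    # reference list measured from the start of the type list.
    type_list_len = 2 + 8 * len(order)
    type_list = bytearray(struct.pack(">h", len(order) - 1))
    ref_lists = bytearray()
    for rtype in order:
        entries = by_type[rtype]
        type_list += rtype + struct.pack(">hH", len(entries) - 1,
                                         type_list_len + len(ref_lists))
        for rid, _ in entries:
            ref_lists += struct.pack(">hh", rid, -1)            # ID, no name
            ref_lists += b"\x00"                                 # attributes
            ref_lists += data_offsets[(rtype, rid)].to_bytes(3, "big")
            ref_lists += b"\x00" * 4                             # reserved handle

    map_len = MAP_HEADER_LEN + len(type_list) + len(ref_lists)
    data_offset = 256                                            # system-reserved area
    map_offset = data_offset + len(data_section)
    header = struct.pack(">IIII", data_offset, map_offset, len(data_section), map_len)
    rmap = (header + b"\x00" * 8                                 # handle, refnum, attrs
            + struct.pack(">HH", MAP_HEADER_LEN, map_len)        # type list, name list
            + type_list + ref_lists)
    return bytes(header + b"\x00" * (data_offset - 16) + data_section + rmap)


def list_resources(fork):
    """Yield (type, id, size) for every resource in a resource fork image."""
    data_offset, map_offset, _, _ = struct.unpack_from(">IIII", fork, 0)
    type_list_off = struct.unpack_from(">H", fork, map_offset + 24)[0]
    tl = map_offset + type_list_off
    ntypes = struct.unpack_from(">h", fork, tl)[0] + 1
    for i in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4shH", fork, tl + 2 + 8 * i)
        for j in range(last + 1):
            entry = tl + ref_off + 12 * j
            rid = struct.unpack_from(">h", fork, entry)[0]
            data_off = int.from_bytes(fork[entry + 5:entry + 8], "big")
            size = struct.unpack_from(">I", fork, data_offset + data_off)[0]
            yield rtype.decode("mac_roman"), rid, size


def check_for_nvir(fork):
    """Report CODE resources carrying nVIR's ID 256. Applications normally
    number CODE segments from 0 upward, so ID 256 is itself worth a look;
    the size separates the two strains the post talks about."""
    findings = []
    for rtype, rid, size in list_resources(fork):
        if rtype != "CODE" or rid != NVIR_CODE_ID:
            continue
        if size == NEW_STRAIN_SIZE:
            verdict = "matches the 442-byte strain reported in this post"
        elif abs(size - ORIGINAL_NVIR_SIZE) <= 10:      # assumed tolerance
            verdict = "matches the ~370-byte nVIR described by Chris Borton"
        else:
            verdict = "CODE 256 of unexpected size, investigate"
        findings.append({"id": rid, "size": size, "verdict": verdict})
    return findings


def sample_forks():
    """Constructed clean and 'infected' forks (zero padding, no real code)."""
    app = [(b"CODE", 0, b"\x00" * 64), (b"CODE", 1, b"\x00" * 2048),
           (b"MENU", 128, b"\x00" * 40)]
    clean = build_resource_fork(app)
    infected = build_resource_fork(app[:2] + [(b"CODE", 256, b"\x00" * NEW_STRAIN_SIZE)] + app[2:])
    return clean, infected


if __name__ == "__main__":
    clean, infected = sample_forks()
    print("clean:", check_for_nvir(clean))          # []
    print("infected:", check_for_nvir(infected))    # one 442-byte CODE 256
```

On a real disk this would be run over the resource fork of each application (on old Mac filesystems that is the second fork of the file, not its data fork); the sample forks here exist only so the parser can be exercised offline.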