alexis@dasys1.UUCP (Alexis Rosen) (09/24/88)
[It appears that this didn't make it out the first time, thus the repost. Hopefully you'll only see this on...]

I discovered the cause of much of my Mac's weirdness yesterday (as bitched about in a previous article in comp.sys.mac.programmer). It was the nVIR virus! This is bad enough under any circumstances, but I am particularly concerned because it appears I have been the victim of a *NEW STRAIN* of this virus.

[As far as the MultiFinder stuff goes, that was just me forgetting that MultiFinder is marked as the Startup app in the boot blocks. Anyway...]

I base this conclusion on three facts:

1) When I tried to boot up, all my INITs would load up fine, but the second the last one was done the machine would crash. After I removed Vaccine, everything worked fine. This type of behavior should lead people to believe that Vaccine is at fault, when in fact nVIR is causing the crash. I verified this by killing nVIR and then restoring the same exact copy of Vaccine that caused the crash originally. Vaccine then behaved normally. Thus it appears to me that this nVIR targets Vaccine and attempts to circumvent it. Since I have not read of this previously, I am guessing that this nVIR is new.

2) The article by Chris Borton describing nVIR in detail specifically stated that the CODE 256 resources it created in APPL files was 370-or-thereabouts bytes long. It was always that same size. However, my nVIR creates resources 442 bytes long. This would indicate that about 70 bytes of code have been added to the virus (and perhaps more was changed). 70 bytes is quite enough room to do considerable damage with (it takes a lot less than that to call the disk init package!).

3) As far as I can tell, this nVIR never beeps or gives other notice of its existence. This may just be the result of coincidence, though, or even lack of observation on my part.

All this adds up to big trouble.
I am particularly perturbed by the Vaccine-specific targeting (no other INIT, out of over a dozen, caused the crash-on-boot). Since this nVIR is an Israeli import, I may be one of the first to be afflicted, but I'm probably not going to be the last.

I was very lucky to discover this virus only 36 hours after it first gained a foothold on my hard disk. I was hacking a bit in LS Pascal, when it started bitching about a memory blockage. Maybe Symantec has a blockbuster virus-detecting program on their hands and they don't even know it? :-)

If there is someone on the Net who can disassemble this beast and verify or disprove my guesses, please step forward. HOWEVER- I am not crazy enough to start passing out a live (or even dead) virus to anyone who asks. I can't endanger everyone for the sake of satisfying my curiosity. So, if someone who has already proved themselves in this regard volunteers, that's okay. That means John Norstad, Chris Borton, Mattias Urlichs, etc. etc. I wish I had the time to do this myself, but I am more than a little rusty in 68000 and I don't have all the appropriate tools either. Nor, for that matter, the specific expertise, and it's not something I look forward to acquiring...

If anyone has seen anything like this strain of nVIR, please tell all. The last thing I need is to find out that it leaves behind time bombs or something similar.

Good luck & stay healthy...

----
Alexis Rosen              {allegra,philabs,cmcl2}!phri\
Writing from              {harpo,cmcl2}!cucard!dasys1!alexis
The Big Electric Cat      {portal,well,sun}!hoptoad/
Public UNIX               Best path: uunet!dasys1!alexis