[comp.sys.mac] "SCORES" virus

macak@lakesys.UUCP (Jim Macak) (04/13/88)

Another rather ugly virus has reared its head in the Macintosh world.  This
one has come to be known as the "SCORES" virus, for a file that it leaves in
the System Folder.

I am taking the liberty of uploading two rather lengthy messages that I found
in the User Group area of AppleLink regarding this virus.  Although I realize
that these files are quite long, I thought the subject important enough to
share over the net.  Feel free to flame away if you feel differently and I
will refrain from posting this sort of info in the future.

Following, then, is the first file from AppleLink, titled "Virus Info #1" on
that system.


This originally appeared on the Washington Apple Pi TCS:


All information is from Dave Lavery.
If you encounter this virus please contact him at:
     (202) 453-2720 (work) [the area code might be 703 or 301]
     
 
We have discovered a new virus that is circulating through the Macintosh
community.  This is not the now-infamous MacMag virus, but is a completely new
and, as far as I can tell, unreported version.  As of this date, we have not
determined exactly what the virus does other than replicate itself.  Because
we do not know exactly what this thing does yet, we are very concerned about
the possibility of any invisible operations and "time bombs" that it may
contain.  The presence of the virus in the Macintosh memory does cause
several symptoms, which have caused losses of data.  These symptoms include
difficulty running MacDraw, difficulty printing from any applications
(especially MacDraw), difficulty using the "Set Startup" option, difficulty
running Excel, corruption of Excel files, and frequent crashes when starting
applications.  This virus has existed since at least February, 1988, and may
have been around as early as September, 1987. 


Identification of infection:

It is possible to determine if this virus has infected your Macintosh with the
following procedure:  1) Open the System Folder of the Macintosh and locate
the "Note Pad File" and "Scrapbook File."  2) Examine the icons used on these
files and check that they resemble the small Macintoshes seen on the "System"
and "Finder" icons.  If they do not, and instead resemble the standard
Macintosh document icon (an upright piece of paper with the upper right corner
folded forward), you are probably infected.  3) To verify infection, execute
ResEdit or some other utility which can see "invisible" files.  Examine the
System Folder.  4) If the System Folder contains two invisible files named
"Desktop" and "Scores," you are definitely infected. 
 
 
The infection process: 
 
The virus transmits itself from Macintosh to Macintosh by invading a standard
executable application file on a contaminated Macintosh.  When this
contaminated application is copied to a "sterile" Macintosh, the virus attacks
the new system by making these changes to the System Folder:  three INIT
resources are added to the "System" file.  If the files "Note Pad File" and
"Scrapbook File" do not exist in the System Folder, they are created.  The
type and creator fields of the "Note Pad File" are changed from "ZSYS" and
"MACS" to "INIT" and "ZSYS," respectively, and an INIT resource is added to
the file.  The type and creator fields of the "Scrapbook File" are changed
from "ZSYS" and "MACS" to "RDEV" and "ZSYS," respectively, and an INIT
resource is added to the file.  Two new, invisible files are added to the
system folder, named "Desktop" and "Scores," each with an atpl, DATA and INIT
resource.  These changes are summarized below: 


 FILE            TYPE  CREATOR  NEW  INVIS  RESOURCES        SIZE

 System          ZSYS  MACS     No   No     INIT ID=6        772 bytes
                                            INIT ID=10       1020 bytes
                                            INIT ID=17       480 bytes

 Desktop         INIT  FNDR     Yes  Yes    atpl ID=128      2410 bytes
                                            DATA ID=-4001    7026 bytes
                                            INIT ID=10       1020 bytes

 Note Pad File   INIT  ZSYS     No   No     INIT ID=6        772 bytes

 Scores          RDEV  ZSYS     Yes  Yes    atpl ID=128      2410 bytes
                                            DATA ID=-4001    7026 bytes
                                            INIT ID=10       1020 bytes

 Scrapbook File  RDEV  ZSYS     No   No     INIT ID=17       480 bytes
                                            INIT ID=6        772 bytes

Note that, unlike the MacMag virus, no "nVIR" resources are used anywhere.  The
modified files, "Note Pad" and "Scrapbook," still appear to function normally
with the Note Pad and Scrapbook Desk Accessories, and any existing contents of
the file's Data Fork are not disturbed. 
 
Once the system files on the target Macintosh have been infected, the virus
will then begin to attack applications.  Not every application is attacked by
the virus - the determination of whether or not to infect an application is
apparently a random decision (at this point, no discernible pattern has been
found, except that "Finder" and "MultiFinder" are usually attacked).
Applications that are attacked on one Macintosh may remain "sterile" on
another Mac, and vice versa.   
 
As each application is attacked, the virus installs a new CODE resource into
the application.  The identification of this new resource is variable,
depending upon the existing resources within the application.  The virus looks
for the first available CODE resource slot, then places the new resource one
position above that.  For example, HyperCard contains CODE resources 0 through
20, leaving an ID of 21 as the first available resource ID.  The virus placed
the new CODE resource in the application as CODE ID=22. 
 
The second step of the infection of the application is the modification of the
CODE ID=0 resource of the application.  The virus modifies the eleventh word
of this resource, which is the start of the application's jump table.  Where
the application would normally jump to the CODE ID=1 segment, the virus
modifies this pointer to refer to the new CODE resource that has just been
installed.  The example below shows the first sixteen words of a "sterile" and
infected version of HyperCard: 
 
          Sterile                              Infected 
    0000 1EF0 0000 559C    0000 1EF0 0000 559C 
    0000 1ED0 0000 0020    0000 1ED0 0000 0020 
    0008 3F3C 0001 A9F0    0008 3F3C 0016 A9F0 
    0000 3F3C 0001 A9F0    0000 3F3C 0001 A9F0 
                 ...                                     ... 
 
Note that the eleventh word has been changed from "0001" to "0016," which
points to the new CODE ID=22 resource (hex 16 = decimal 22).  Also note that
during our examination of suspected applications, we found that at least one
compiler - LightSpeed C, I think -  normally places non-"0001" values in the
eleventh word of the CODE ID=0 resource.  To verify infection if the eleventh
word is not "0001," check to see that the tenth word is NOT "4EED" and that
the eleventh word points to another CODE resource.  If both of these are true,
then the application is infected. 
 
The new CODE resource is a copy of the virus code, is of size 7026, and is
executed when the infected application is invoked.  When the virus completes
execution, it returns to the invoked application, which appears to proceed
normally.  The first sixteen words of the virus are: 
 
    0000 0001 xxxx 3F3C  
    0001 A9F0 4EBA 002E 
    204D D0FC 0020 43FA  
    FFEC 20D9 2091 204D  
                         ... 
 
The third word of the virus code is variable, and appears to be based on the
return address used when the execution of the virus is completed.  The virus
further modifies the code of the application in a manner which has not been
fully deciphered.  This was determined by attempting to recover the HyperCard
application by removing the new CODE ID=22 resource and patching the eleventh
word of the CODE ID=0 resource.  Any attempt to run the rebuilt application
resulted in a system bomb, intimating that the virus has modified other
sections of the application which prevented its complete exorcism. 
 
Vaccinating your Macintosh: 
 
If your Macintosh is infected, the contaminated system files and applications
must be completely removed from the Macintosh, and new ORIGINAL copies should
be installed.  When removing the virus from the Macintosh system files, you
cannot just go in with ResEdit and delete the offensive INIT resources - this
virus is apparently intelligent enough to recognize this attempt, and modifies
its resource identification and memory location when probed by resource
utilities.  ResEdit "thinks" that the virus resources have been deleted, but
they have been renamed and will return when the Macintosh is restarted.  The
system must be sterilized by: 
 
1) Examine EVERY application (including any in the System Folder, and on EVERY
diskette you may have) you have with ResEdit, and check if a new CODE resource
has been added and if the CODE ID=0 resource has been modified to refer to the
new CODE.  This is the most tedious part of the process, and will probably
take quite a bit of time.  I have about 160MB of stuff on two 100MB drives,
and this step took about three hours.  If the application has been infected,
list it. 
 
2) Using ResEdit, open the infected System Folder and locate the "Desktop"
file.  Select the file and use the "Get Info" option on the  "File" menu.
When the file information window opens, turn off the "Invisible" bit, then
close the window and save the file information.  Do the same for the "Scores"
file. 

3) Locate a sterile system diskette (preferably one of the "System Tools"
diskettes from Apple), LOCK IT, and boot from it. 

4) Throw away the following files from the infected System Folder:  "System,"
"Finder," "MultiFinder," "Desktop," "Scores," "Scrapbook File," and "Note Pad
File."  Once these files are in the Trash Can, EMPTY THE TRASH IMMEDIATELY!
Note:  this is the minimum required to remove the System portion of the virus
- my personal preference is to delete the ENTIRE System Folder, not just the
suspect files in it. 
 
5) Locate all of the applications which you listed in Step 1.  Throw them
away, and empty the Trash Can. 
 
6) Shut down the Macintosh, and turn the power off.  Wait at least 30 seconds
for memory to clear before rebooting again from the sterile diskette (this may
not really be necessary, but better safe than sorry). 

7) Reinstall the Macintosh operating system from the System Tools diskette to
your Macintosh. 
 
8) Locate your original copies of the deleted applications software.  Before
reinstalling the applications, examine each one with ResEdit to be sure that
it is sterile.  If there is no problem, reinstall the application.   
 
A word of warning: 
 
The "Vaccine" CDEV which is currently appearing on bulletin boards is only
marginally useful in fighting this virus - if your system is already infected
when you install Vaccine, you will not get any warning from Vaccine that the
virus exists.  If you have Vaccine installed on a sterile system, and this
virus is introduced at a later time, Vaccine will only warn you of the virus
attack, but will not prevent infection. 
 
I do not know how far this virus has spread, or where it came from (although
we are working on that).  The information contained above reflects only what
we know so far about this virus - I do not know if it has any maliciously
destructive functions which have not yet activated, or if it does anything
other than replicate.  I do know that it is extremely virulent - it has
defensive mechanisms built in to protect itself from deletion, most of its
resources are protected, and it places multiple copies of its components
throughout the system to avoid single point of failure destruction.  This
thing is an order of magnitude more sophisticated than the MacMag virus, and
is considerably tougher to kill. 
 
So far, the virus appears to only affect system files and application files.
Data files (documents, spreadsheet data, HyperCard stacks, etc.) do not appear
to be affected, and do not seem to transmit the virus. 
 
While not apparently maliciously destructive, I have established that the mere
presence of this virus in the system is sufficient to cause the printing and
application instability problems (like the ones we have been experiencing).
Once the virus has been removed, all of our reported Macintosh problems have
gone away.  I believe that whoever wrote this could not foresee enough of the
potential system configurations to prevent an occasional collision between the
virus and other active applications and printer drivers.

Apple in Cupertino has become intimately aware of this virus in the last two
days.  They are going to be working on a more complete disassembly of the
virus, and will hopefully be able to determine exactly what this thing does.


(Please see a following article for the second file regarding this virus.)


-- 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Jim -->  macak@lakesys.UUCP (Jim Macak)  {Standard disclaimer, nothin' fancy!}
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

macak@lakesys.UUCP (Jim Macak) (04/13/88)

Here is the second file (Virus Info #2) from AppleLink regarding the "SCORES" 
virus:


 The word from Dallas:

The information provided in the Virus Info # 1 Document is substantially
correct, although I will disagree with certain aspects according to my own
experiences with this plague.

Detection:

Check the System Folder for Scrapbook File and Note Pad File.  If they have
BOTH and they are generic document icons, i.e., a blank, dog-eared page,
assume you are infected.  If the icons are small Macs, like the System and
Finder icons, you are most likely safe.  But please read and try to understand
this document because failure to take precautions may cause you to be infected
tomorrow.

The viral files contain several distinct and possibly unique strings.  Use
Fedit to search for VULT and/or ERIC. If you do not find either of these
strings on your disk, it is NOT infected. If you find them, proceed as though
you are infected and make further tests.

When Vaccine has been installed on your disk and is running, opening an
infected application will produce either an alert message from Vaccine, a
bomb, or the Mac will hang up. In any case, the application should be examined
more closely: Use ResEd to open the CODE resource of the application. If the
top one is two numbers higher than the next highest number, do a Get Info on
it. If the size of this code resource is 7026, you have confirmed it as an
infected application. Throw it in the trash as it is unusable and will cause
you problems if you run it with Vaccine off.  If it is an application for
which you do not have a clean backup, save it to a floppy.  I'm sure that
before too long, someone will write an application that will repair
applications and you can recover it then.

If you have installed Vaccine and it periodically gives you a warning, even
when you are doing nothing to change anything on the Mac, Vaccine is NOT
defective. It is telling you that you are contaminated and that the virus has
tried and failed to attack a previously clean application. If you do not have
Vaccine installed and have noticed your disk drive (hard or floppy) run for a
few seconds when there is no cause, it is quite likely the same thing, except
in this case you just lost the application.

Check ALL of your applications. It is easy to overlook some of the smaller and
common ones like Font/DA Mover and backup programs. Be sure to check Finder,
MultiFinder, and ResEd itself. Remember, you do NOT have to have run an
application for it to be contaminated.  Thus far I have not seen a
contaminated document.  The virus seems to attack only those files which have
CODE resources, and virtually all documents do not contain these.  If there is
a type of document that does, please let me know and I will edit this notice.

Removal:

The virus CAN be removed from your System by less stringent means than
described in document # 1. 

Open your System folder with ResEd.

Select and Clear Scrapbook File, Note Pad File, Desktop, and Scores.

Open the System and clear these resources: atpl ID 128, DATA ID -4001, and
INITs 10, 17, & 6. 

Close ResEd and save changes. 

Note that the System file atpl and DATA resources are not mentioned in the
Virus Info # 1 document. However, they are in the System and should be
removed. A virgin System (4.1, at least) from Apple does not contain either
resource type, but some programs - LaserSpeed, for one - legitimately place
them in the System. Remove only the ID numbers listed.

My experiences with this virus over the past three months have shown this to
be an effective and relatively simple way to clean the System. I did this
three months ago and have seen no more Scores, etc. files until a week ago,
when a friend gave me an infected application.  Even then I had to turn
Vaccine off to get it to do its dirty work.  I have seen several infected
Finders.  If Vaccine is running and the Finder is contaminated, the Mac will
NOT boot.  In this case, boot with a CLEAN floppy and replace the Finder on
the hard drive.

This rather simple method of decontaminating the System is suggested because it
allows you to keep any special fonts, DAs, or other System modifications you
may have made.  If you want to go the full route and re-initialize the hard
disk, you should be thoroughly de-contaminated, but I feel that may be
overkill.  Just be sure to check all of the files you are re-installing.  A
friend went to an Apple dealer to get a new System and Finder, only to
discover that the dealer's Mac II was infected!

After you feel that all infected applications have been removed and replaced,
run Disk Express, if you have it, with the Erase Free Space option turned on.
This will cluster your good data to the start of the disk and zero out all
remaining space. Then use Fedit to search for the VULT and ERIC strings. If
they are gone, you are cured. If they are still there, do what you can to find
out which file they are in and remove it from the disk.  (Since the version of
Fedit I bought (1.1) had not yet implemented the "Sector Info" feature, it
would not show me the name of the file(s) which contained these strings.  I
had to search sectors before and after them to make a guess as to which files
I was looking at.)  Repeat this until there is no ERIC or VULT. (By the way,
if anyone knows where I might find a jerk named Eric Vult who wrote this
virus, I have a few things I'd like to say - and do - to him.)

Speculation:

In addition to ERIC and VULT, several of the viral resources contain another
possibly important string: HD20.  Pure supposition on my part, but this could
be a two-step virus.  First the spread.  You get a bad application. It infects
your System.  Once active, it spreads to applications. You give one of these
to a friend or put it on a BBS.  It infects other Systems, which infect more
applications...  In a finite and rather short time it is all over the country.
I know for a fact that as of April 5, 1988, it is in Hawaii, Dallas,
Washington, and a prominent computer in Cupertino!  Then on some predetermined
date, or following some specific action on your part, it performs some heinous
act, and possibly on HD20s.

If you own an HD20, I recommend the following: Choose a disk name other than
HD20.  The name may or may not have anything to do with the possible purpose
of this virus, but don't take a chance.  The bad news is that the name HD20 is
found in multiple places on your disk.  To simplify the name changing
procedure, choose a name comprised of four letters like Mine, Disk, or Bomb.
Use Fedit to search the disk for HD20, and change EVERY occurrence to the new
name.  You will also find your disk name in the next to the last sector on the
disk.  Don't overlook this one.  Changing to a name of other than four letters
is much more complex and I can't explain how to do it here, but merely
changing the name of the hard disk from the Finder is NOT enough.  Just a
friendly suggestion.

Prevention:

Contrary to the advice in the Info # 1 document, I have so far found Vaccine
to be very effective in controlling this virus.  Make sure you have the real
Vaccine and not a phony. It is 11,875 bytes in size, created March 19, 1988 at
11:49 PM. (I guess CE Software worked long hours on this one. Have you thought
of paying them, even though the program is free?)  Notice that the file name
" Vaccine" starts with a space.  Leave it this way, as programs like this are
loaded alphabetically, and the space makes sure Vaccine is loaded first for
maximum protection.  Keep Vaccine running at all times. For those who do not
know how to use it, place Vaccine in your System Folder and then open the
Control Panel under the Apple menu. Vaccine will appear in the left window.
Select it with the mouse and read the instructions. I suggest putting an X in
the top box, the second one, and the fourth one.

Research:

We know that an infected application grows in size by 7042 bytes. CODE 0
resource is altered, but with no change in size, and a new CODE of 7026 bytes
is created. Where is the additional 16 byte increase?  Apparently not in the
CODE resources. Help here would be appreciated. Vaccine will beep three times
when an attempt is made to infect an application. My guess is one for adding
the 7026, one for the CODE 0 change, and one for the 16 bytes. Finding the
last may provide the means for rescuing a sick application.

Does the atpl resource have any reference to AppleTalk? Can this virus be
spread over a network? I am not a programmer, just a hacker, and do not know.

Me:

One hates to publish a phone number in a document designed for public
distribution, but without it you could not relay any important information.
Please call only from 8 AM to 8 PM Central time, and only if you have found
something not in either of the two documents in this package. Long distance
callers, please leave a complete message on the answering machine if it
answers, as I cannot afford to return many long distance calls. And thanks for
any help.

                       Howard Upchurch
                       3409 O'Henry Drive
                       Garland, TX  75042

                       (214) 272-7826

Notices:

I have reported information as I have found it. If there are any errors in the
above, I apologize but ask not to be held responsible. Some statements may
prove false or incomplete as more information comes to light.

Although most references in this document concern hard disks, floppies can be
infected in the same way.  Even if you do not use a hard disk, check
everything you own.


-- 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Jim -->  macak@lakesys.UUCP (Jim Macak)  {Standard disclaimer, nothin' fancy!}
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
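The two detection rules above (Virus Info #1's eleventh-word check on CODE ID=0, with its LightSpeed C caveat, and Virus Info #2's "top CODE ID two higher, 7026 bytes" check) as a small Python checker. This is an added example, not code from either AppleLink document or from Vaccine; the HyperCard words are copied from the hex dump in Virus Info #1, and the LightSpeed-style sample is constructed here to exercise the 4EED caveat.

```python
import struct

# Constructed samples: the first sixteen words of HyperCard's CODE 0 resource,
# "sterile" and infected, copied from the hex dump in Virus Info #1.
STERILE_CODE0 = bytes.fromhex(
    "0000 1EF0 0000 559C 0000 1ED0 0000 0020 0008 3F3C 0001 A9F0 0000 3F3C 0001 A9F0")
INFECTED_CODE0 = bytes.fromhex(
    "0000 1EF0 0000 559C 0000 1ED0 0000 0020 0008 3F3C 0016 A9F0 0000 3F3C 0001 A9F0")
# Hypothetical CODE 0 in the style the document attributes to LightSpeed C: a
# non-0001 eleventh word but a 4EED (JMP) tenth word, so it must NOT be flagged.
LIGHTSPEED_STYLE_CODE0 = bytes.fromhex(
    "0000 1EF0 0000 559C 0000 1ED0 0000 0020 0008 4EED 0010 0000 0000 3F3C 0001 A9F0")

# CODE resource IDs present in HyperCard per the document: 0..20 when sterile,
# plus the virus's CODE ID=22 when infected.
HYPERCARD_STERILE_IDS = set(range(0, 21))
HYPERCARD_INFECTED_IDS = HYPERCARD_STERILE_IDS | {22}
VIRUS_CODE_SIZE = 7026  # size of the virus CODE resource, per both documents


def code0_words(code0):
    """Split the first 32 bytes of a CODE 0 resource into sixteen big-endian words.
    Words 1-8 are the CODE 0 header (above/below A5 sizes, jump table size and
    offset); words 9-12 are the first jump table entry."""
    if len(code0) < 32:
        raise ValueError("CODE 0 resource shorter than sixteen words")
    return struct.unpack(">16H", code0[:32])


def check_code0(code0, code_ids):
    """Virus Info #1 rule. The eleventh word of CODE 0 normally holds 0001, the
    segment number in the first jump table entry (jump to CODE ID=1). When it
    does not, the application counts as infected only if the tenth word is not
    4EED and the eleventh word names another CODE resource actually present."""
    words = code0_words(code0)
    tenth, eleventh = words[9], words[10]   # the document numbers words from 1
    if eleventh == 1:
        return False
    return tenth != 0x4EED and eleventh in code_ids


def suspicious_code_resource(code_ids, code_sizes):
    """Virus Info #2 rule: the top CODE ID is two numbers higher than the next
    highest ID, and that resource is exactly 7026 bytes. Returns the ID or None."""
    ids = sorted(code_ids)
    if len(ids) < 2:
        return None
    top, runner_up = ids[-1], ids[-2]
    if top - runner_up == 2 and code_sizes.get(top) == VIRUS_CODE_SIZE:
        return top
    return None


def assess(code0, code_ids, code_sizes):
    """Run both rules and return the names of those that fired (empty = clean)."""
    findings = set()
    if check_code0(code0, code_ids):
        findings.add("code0-jump-table-redirected")
    if suspicious_code_resource(code_ids, code_sizes) is not None:
        findings.add("extra-7026-byte-code-resource")
    return findings


if __name__ == "__main__":
    print("sterile HyperCard :", assess(STERILE_CODE0, HYPERCARD_STERILE_IDS, {}) or "clean")
    print("infected HyperCard:", assess(INFECTED_CODE0, HYPERCARD_INFECTED_IDS,
                                        {22: VIRUS_CODE_SIZE}))
    print("LightSpeed-style  :", assess(LIGHTSPEED_STYLE_CODE0, set(range(0, 17)), {}) or "clean")
```

In practice the CODE 0 bytes and the ID/size map would come from a resource fork reader; both rules are heuristics from the documents, so a hit should be confirmed by the other checks described above (invisible "Scores"/"Desktop" files, the VULT and ERIC strings).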

alibaba@ucscb.UCSC.EDU (Alexander M. Rosenberg) (04/14/88)

To clear up this whole virus thing:

Beside the Scores/Desktop/VULT virus a few others exist.

Robert Woodhead (Wizardry I-IV, a reversi game, etc.) is writing and has
almost completed "Interferon". Interferon is an application that will
check all connected volumes and delete files that appear infected. The
info I have lists several known viruses including the VULT one mentioned
here. It is known to detect these viruses.

I assume that one uses Vaccine normally, then periodically uses Interferon
to do an in-depth check. 

Other things about the VULT virus:

If I am correct, the virus has several bugs. It tries to modify the Desktop
file, but incorrectly creates one in the System Folder. The atpl resource
is supposed to make it infect things connected via AppleTalk, but doesn't
appear to work correctly.

-------------------------------------------------------------------------------
-  Alexander M. Rosenberg  - INTERNET: alibaba@ucscb.ucsc.edu   - Yoyodyne    -
-  Crown College, UCSC     - UUCP:...!ucbvax!ucscc!ucscb!alibaba- Propulsion  -
-  Santa Cruz, CA 95064    - BITNET:alibaba%ucscb@ucscc.BITNET  - Systems     -
-  (408) 426-8869          - Disclaimer: Nobody is my employer  - :-)         -
-                          - so nobody cares what I say.        -             -

dudek@csri.toronto.edu (Gregory Dudek) (04/15/88)

In article <576@lakesys.UUCP> macak@lakesys.UUCP (Jim Macak) writes:
>
>
> The word from Dallas:
>
>The viral files contain several distinct and possibly unique strings.  Use
>Fedit to search for VULT and/or ERIC. If you do not find either of these
>strings on your disk, it is NOT infected. If you find them, proceed as though
>you are infected and make further tests.


    For whatever it's worth, there used to be a very notorious
bozo using Apple II's who called himself "The Vulture".  A large number
of commercial programs with copy-protection removed sported
complex logos ``advertising'' the fact that the "vulture" had
done it.
    It sounds like the same kind of mentality & the same kind of
skills at work.

    I don't know where the vulture-cracked programs came from, but I
saw a number of them here in Toronto Canada.
-- 
Dept. of Computer Science (vision group)    University of Toronto
Reasonable mailers:  dudek@ai.toronto.edu
Other UUCP: {uunet,ihnp4,decvax,linus,pyramid,
             dalcs,watmath,garfield,ubc-vision,calgary}!utai!dudek
ARPA: user%ai.toronto.edu@relay.cs.net