msurlich@faui44.UUCP (Matthias Urlichs ) (03/15/88)
Place this short INIT into your active System folder and reboot. From now on, the virus will be removed automatically from every program you start. Your System will also be virus-free. The INIT installs a "nVIR" 10 resource in the System to prevent the virus from doing anything. (This is a feature the virus author has thoughtfully put in - didn't want to get problems with his own Mac, I suppose.) I've decided to post it here because it's (a) faster and (b) needed by about everyone. Take it as sort of vaccination... (Convert with BinHex or StuffIt)
-- Matthias Urlichs CompuServe: 72437,1357 Delphi: URLICHS Rainwiesenweg 9 8501 Schwaig 2 "Violence is the last refuge West Germany of the incompetent." -- Salvor Hardin
dkovar@bbn.com (David C. Kovar) (03/16/88)
Not to be overly paranoid, but has anyone checked this program to make sure *it* is not another virus? If someone has done so, please let the rest of us know. (Then again, you could be in league with the poster and ... :-) ) -David Kovar DKovar@BBN.COM
spector@vx2.GBA.NYU.EDU (David HM Spector) (03/17/88)
I just disassembled it, and it appears to be what it says it is... David ------------------------------------------------------------------------------- David HM Spector New York University Senior Systems Programmer Graduate School of Business Arpa: SPECTOR@GBA.NYU.EDU Academic Computing Center UUCP:...!{allegra,rocky,harvard}!cmcl2!spector 90 Trinity Place, Rm C-4 MCIMail: DSpector New York, New York 10006 AppleLink: D1161 CompuServe: 71260,1410 (212) 285-6080 "SJM 25, 'real nice guy' seeks SJF... What? This ISN'T The Voice personals?!"
borton@net1.ucsd.edu (Chris Borton) (03/17/88)
In article <238@faui10.UUCP> msurlich@faui10.UUCP (Matthias Urlichs) writes:
>Place this short INIT into your active System folder and reboot.
>From now on, the virus will be removed automatically from every program
>you start.
>Your System will also be virus-free. The INIT installs a "nVIR" 10 resource
>in the System to prevent the virus from doing anything.
>(This is a feature the virus author has thoughtfully put in - didn't want to
>get problems with his own Mac, I suppose.)

I'm glad David Spector checked out this INIT and verified it. What I find funny, though, is that the nVIR we have has NO call to GetResource() or ChangedResource() for nVIR with ID 10. I told Mike about the nVIR 10 and he told me later that he couldn't find any such call in there (luckily he has time to follow these things, being a real person now, versus me studying for finals :-)). More curiosities...

-cbb
Chris "Johann" Borton, UC San Diego ...!sdcsvax!borton borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, another year here, and then to Amsterdam!
"H = F cubed. Happiness = Food, Fun, & Friends." --Steve Wozniak
spector@vx2.GBA.NYU.EDU (David HM Spector) (03/17/88)
I assume Mr. Urlichs meant that his new INIT will install a resource ("nVIR", ID=10) that will watch for the original virus (via an OS trap) and remove it.. ...this _appears_ to be what the main part of the INIT does... I haven't tried it though, as I don't really want to (re)infect my system [I just finished with the lysol after March 2nd :-(] to try it out. But it certainly doesn't look like it's generating viruses.. [if all this sounds vague..it is.. 'cause 1) I am reading assembly output from MPW's dumpcode tool and 2) I'm too spaced from programming all night to analyze every byte of it.. :-) ] But it looks kool to me... cheers, David ------------------------------------------------------------------------------- David HM Spector New York University Senior Systems Programmer Graduate School of Business Arpa: SPECTOR@GBA.NYU.EDU Academic Computing Center UUCP:...!{allegra,rocky,harvard}!cmcl2!spector 90 Trinity Place, Rm C-4 MCIMail: DSpector New York, New York 10006 AppleLink: D1161 CompuServe: 71260,1410 (212) 285-6080 "SJM 25, 'real nice guy' seeks SJF... What? This ISN'T The Voice personals?!"
woody@tybalt.caltech.edu (William Edward Woody) (03/17/88)
I took the anti-virus init apart with Nosy. The lil' bugger is very kosher. It (1) wipes out any nVIR resources from 0 through 9 in the system folder, (2) sets nVIR resource 10 to a very empty handle, (3) installs a bit of code in the system heap which gets called every time TEInit() gets called. The bit of code in TEInit() then calls the real TEInit(), and then searches the current resource file (assumed to be the application's resource file) and fries all nVIR resources from 0 to 10. It's a rather cute little critter, and it's entirely kosher. And if you (briefly) look at the resources in it, you'll notice a nVIR resource of its own; this is where the application cleanup code is placed. - William Edward Woody woody@tybalt.caltech.edu (Mac>][n&&/|\)&&(MacII>AT) Disclaimer: I haven't the foggiest idea what I'm talking about...
sarrel@tut.cis.ohio-state.edu (Marc Sarrel) (03/18/88)
If anyone is interested, I took the virus killer init and added an icon that looks like a syringe. I also put in the ShowInit resource, so that it shows up at boot time. If you want a copy, then send me mail. If there is enough response, maybe I could send it to comp.binaries.mac. Don't expect an answer until after the 28th, though. I'm about to leave for spring break. (My flight leaves in 2:50.) --Marc -- Marc Sarrel The Ohio State University 611 Harely Dr #1 Department of Computer and Information Science Columbus, OH 43202-1835 sarrel@tut.cis.ohio-state.edu Disclaimer: Hey, what do I know? I'm only a grad student.
pablo@polygen.uucp (Pablo Halpern) (03/20/88)
From article <238@faui10.UUCP>, by msurlich@faui44.UUCP (Matthias Urlichs ):
> Place this short INIT into your active System folder and reboot.
> From now on, the virus will be removed automatically from every program
> you start.
> Your System will also be virus-free. The INIT installs a "nVIR" 10 resource
> in the System to prevent the virus from doing anything.
> (This is a feature the virus author has thoughtfully put in - didn't want to
> get problems with his own Mac, I suppose.)

[ BinHex code follows ]

Has anybody tried this and confirmed that it works? The last thing I want to do is install a virus when I'm actually trying to vaccinate against them. I don't want to insult Matthias but, never having met him, I have no way of knowing where he's been :-).

Since I don't have a hard disk, I will try this vaccine on an isolated disk. In fact, I recommend all public domain software be tried with your hard disk powered down (if you have an internal hard disk, let a friend try it first). Check sizes and mod dates on all files before and after installing and running a program you got from the net, including the size and mod date of the program itself. In fact, if there are any Mac programmers out there that would be willing to write this, we all could use a program that:

1. Produces a database of the mod dates, sizes, and several different types of checksum (straight add, CRC, etc.) for all files on a disk.
2. Checks the disk against the database to see what's changed.

With a program like that you could check to see if anything has changed that shouldn't have changed. For example, if the program doesn't install things into your system, the system file shouldn't change. Very few programs have a legitimate need to change an application's file. If something strange happens, a virus might be the cause. If you did this operation entirely on backup floppies, congratulations, you may have just prevented the spread of a virus. If you did this on a hard disk..., well early diagnosis gives you the best likelihood of a cure :-).

All this need for protection really bugs me. My car has a $300 security system just because people steal cars! Now I need to screen public domain software just because people write viruses! Yuk!

One more thing. There are clubs that distribute public domain software. They usually charge just enough to cover costs. Maybe some of them will start doing virus checks on the software they distribute. It would be nice to have a "clean" source of PD programs.

Pablo Halpern     | mit-eddie \
Polygen Corp.     | princeton  \ !polygen!pablo (UUCP)
200 Fifth Ave.    | bu-cs      /
Waltham, MA 02254 | stellar   /
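The two-step program requested in the post above (build a database, then check the disk against it), sketched here as an added example that is not part of the original thread. The SHA-256 column stands in for the post's "etc." and is an assumption, as are the file names and contents, which are constructed; the sample change reorders bytes and restores the mod date, so size, date and the straight-add sum all stay the same while the CRC and hash differ.

```python
import hashlib, os, tempfile, zlib
from pathlib import Path

def fingerprint(path):
    """Size, mod date and three checksums for one file."""
    add = crc = 0
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            add = (add + sum(chunk)) & 0xFFFFFFFF   # "straight add"
            crc = zlib.crc32(chunk, crc)            # CRC-32, running value
            sha.update(chunk)
    st = os.stat(path)
    return {"size": st.st_size, "mtime": st.st_mtime_ns,
            "add": add, "crc32": crc, "sha256": sha.hexdigest()}

def snapshot(root):
    """Step 1: database of every regular file under root, keyed by relative path."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                db[os.path.relpath(full, root)] = fingerprint(full)
    return db

def compare(old, new):
    """Step 2: added, removed and changed files, with the fields that differ."""
    changed = {p: sorted(k for k in old[p] if old[p][k] != new[p][k])
               for p in old.keys() & new.keys() if old[p] != new[p]}
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}

def demo():
    """Constructed sample 'disk': one application is altered, one file appears."""
    with tempfile.TemporaryDirectory() as disk:
        app = Path(disk, "SampleApp")
        app.write_bytes(b"CODE\x01\x02 application body")
        before = snapshot(disk)
        st = app.stat()
        # Same bytes with two swapped, then the original mod date put back.
        app.write_bytes(b"CODE\x02\x01 application body")
        os.utime(app, ns=(st.st_atime_ns, st.st_mtime_ns))
        Path(disk, "Dropped INIT").write_bytes(b"new file")
        return compare(before, snapshot(disk))

if __name__ == "__main__":
    print(demo())
```

The database is only useful if it is stored somewhere the checked software cannot write to, such as the locked backup floppy the post mentions.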
sys_ms@bmc1.uu.se (03/23/88)
In article <238@faui10.UUCP>, msurlich@faui44.UUCP (Matthias Urlichs ) writes:
> Place this short INIT into your active System folder and reboot.
> From now on, the virus will be removed automatically from every program
> you start.
> Your System will also be virus-free. The INIT installs a "nVIR" 10 resource
> in the System to prevent the virus from doing anything.
> (This is a feature the virus author has thoughtfully put in - didn't want to
> get problems with his own Mac, I suppose.)
>
> I've decided to post it here because it's (a) faster and (b) needed by about
> everyone. Take it as sort of vaccination...

Is this one safe...?

> --
> Matthias Urlichs CompuServe: 72437,1357 Delphi: URLICHS
> Rainwiesenweg 9
> 8501 Schwaig 2 "Violence is the last refuge
> West Germany of the incompetent." -- Salvor Hardin

Mats Sundvall
Biomedical Center
University of Uppsala
Sweden
mats@bmc1.uu.se
sysop@stech.UUCP (Jan Harrington) (03/27/88)
in article <131@polygen.UUCP>, pablo@polygen.uucp (Pablo Halpern) says:
>
> One more thing. There are clubs that distribute public domain software.
> They usually charge just enough to cover costs. Maybe some of them will
> start doing virus checks on the software they distribute. It would be
> nice to have a "clean" source of PD programs.
>

This issue raised itself at our meeting yesterday. Since we are about to start on a big campaign to get our PD/share collection out to educators, we are concerned that the collection be as virus-free as we can make it. For anyone who is considering ordering stuff from us, we will assure you that it has been tested to the best of our ability. However, hopefully no one distributing PD/shareware software will be foolish enough to "warranty" that the software is free from viruses. The lawsuits could be horrendous ...

Jan Harrington, sysop
Scholastech Telecommunications
UUCP: ihnp4!husc6!amcad!stech!sysop or allegra!stech!sysop
BITNET: JHARRY@BENTLEY
********************************************************************************
Miscellaneous profundity: "No matter where you go, there you are." Buckaroo Banzai
********************************************************************************