[comp.sys.mac] I've got a virus -- fix to halt spread

borton@net1.ucsd.edu (Chris Borton) (03/09/88)

Well, Mike came through today at work and figured that virus out completely.
This is a very quick description of what it does and how to stop the spread; a
comprehensive report describing all of its workings will follow in a day or
two.  If anyone has strong feelings about publishing this information
(anti-virus could be doubly reverse-engineered) please mail me ASAP.

For ResEdit hackers:
Quick-fix to halt spread: open INIT 32 in your System File with ResEdit.
Select all hex code and delete.  Enter in two bytes -- 4E 75 -- which merely
puts an RTS there.  Then go into each nVIR resource and delete all information
in them.  Don't delete those resources!  The virus checks for their existence
(only); if they are there, then it assumes they're OK.  With the changes above,
they are harmless and won't spread the virus further.

The virus depends upon INIT 32 and nVIR 0-7 resources in the System file.  What
it does to each application is modify the CODE #0 resource, altering 8 bytes in
the jump table to execute the code in CODE #256, which it also installs.  The
nVIR resources hold copies of important info -- #2 has the 8 original bytes
from the application's CODE 0 resource.  #6 is a copy of INIT 32, and so on...
The 8 bytes are the first 8 on the third line in ResEdit.

There is a 1 in 16 chance upon running an infected application that it will say
"Don't panic" if you have MacinTalk installed, SysBeep elsewise.

An interesting side note to all this: applications done with Lightspeed C are
NOT affected.  They will have nVIR resources and CODE 256, but no patch.  Why?
LS C automatically sets the ResProtect bit on CODE 0, so the patch is never
written out.  MPW code is NOT protected.  Anyone care to comment on the
significance of this all?

Mike is writing two things tonight that should help the situation: one is a
patch for GetResource that, if nVIR is detected, warns the user that the
current application is infected.  The other is a vaccination program that
reverse-patches infected programs.  Hopefully these will be ready and posted
soon.

Again, this is a touchy issue in some places.  Please contribute any knowledge
you have; I agree in principle with the German fellow on getting this out in
the open, but am deeply chagrined that someone would actually implement this
and spread it.

-cbb
Chris "Johann" Borton, UC San Diego	...!sdcsvax!borton
					borton@ucsd.edu or BORTON@UCSD.BITNET
Letztes Jahr in Deutschland, nog een jaar hier, en dan naar Amsterdam!
"H = F cubed.  Happiness = Food, Fun, & Friends."  --Steve Wozniak
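The indicators Chris lists (INIT 32 and nVIR 0-7 in the System file, nVIR plus CODE 256 in an application, and the ResProtect bit on CODE 0 that explains the Lightspeed C case) can be checked mechanically from a resource fork image. The script below is an added example written for this thread; it is not Mike's GetResource patch or vaccination program. It assumes the Resource Manager on-disk layout (header, resource data, resource map with type and reference lists) and the resProtected attribute bit value 0x08; the sample forks are constructed in-memory stand-ins, and the INIT 32 body is filler bytes, not the virus.

```python
"""Scan a classic Mac OS resource fork image for the nVIR indicators named in the post,
and apply the post's ResEdit quick fix in memory.  Added example; not Mike's tools."""
import struct

RES_PROTECTED = 0x08  # resProtected attribute bit (assumed Resource Manager value)


def build_resource_fork(resources):
    """Assemble a resource fork image from (type, id, attrs, data) tuples.
    Layout: 256-byte header block, resource data (4-byte length + bytes),
    then the resource map holding the type list and per-type reference lists."""
    data_area, offsets = bytearray(), []
    for _t, _rid, _attrs, data in resources:
        offsets.append(len(data_area))
        data_area += struct.pack(">I", len(data)) + data
    types = []
    for entry in resources:  # group by type, keeping first-seen order
        if entry[0] not in types:
            types.append(entry[0])
    type_list = bytearray(struct.pack(">H", len(types) - 1))
    type_list_len, ref_lists = 2 + 8 * len(types), bytearray()
    for t in types:
        refs = [(i, r) for i, r in enumerate(resources) if r[0] == t]
        type_list += struct.pack(">4sHH", t, len(refs) - 1, type_list_len + len(ref_lists))
        for i, (_t, rid, attrs, _d) in refs:  # 12-byte reference entries
            ref_lists += (struct.pack(">hhB", rid, -1, attrs)
                          + offsets[i].to_bytes(3, "big") + b"\0\0\0\0")
    map_len = 28 + len(type_list) + len(ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), map_len)
    resource_map = header + b"\0" * 8 + struct.pack(">HH", 28, map_len) + type_list + ref_lists
    return header + b"\0" * 240 + bytes(data_area) + resource_map


def parse_resource_fork(blob):
    """Return a list of (type, id, attrs, data) read back from a fork image."""
    data_off, map_off, _dlen, _mlen = struct.unpack_from(">IIII", blob, 0)
    (type_list_off,) = struct.unpack_from(">H", blob, map_off + 24)
    type_list = map_off + type_list_off
    (ntypes_m1,) = struct.unpack_from(">H", blob, type_list)
    if ntypes_m1 == 0xFFFF:  # count is stored minus one; -1 means no types
        return []
    out = []
    for i in range(ntypes_m1 + 1):
        rtype, nres_m1, ref_off = struct.unpack_from(">4sHH", blob, type_list + 2 + 8 * i)
        for j in range(nres_m1 + 1):
            pos = type_list + ref_off + 12 * j
            rid, _name_off, attrs = struct.unpack_from(">hhB", blob, pos)
            rel = int.from_bytes(blob[pos + 5:pos + 8], "big")  # 3-byte data offset
            (length,) = struct.unpack_from(">I", blob, data_off + rel)
            start = data_off + rel + 4
            out.append((rtype, rid, attrs, bytes(blob[start:start + length])))
    return out


def scan_for_nvir(blob):
    """Report the indicators from the post.  Any nVIR resource is treated as infection,
    the rule Mike's warning patch is described as using; the rest corroborates."""
    res = parse_resource_fork(blob)
    by_key = {(t, rid): attrs for t, rid, attrs, _d in res}
    report = {
        "nvir_ids": sorted(rid for t, rid, _a, _d in res if t == b"nVIR"),
        "init_32": (b"INIT", 32) in by_key,
        "code_256": (b"CODE", 256) in by_key,
        "code0_protected": None,
    }
    if (b"CODE", 0) in by_key:  # Lightspeed C sets this, so the patch never lands
        report["code0_protected"] = bool(by_key[(b"CODE", 0)] & RES_PROTECTED)
    report["infected"] = bool(report["nvir_ids"])
    return report


def neutralize_quick_fix(resources):
    """The post's ResEdit fix in memory: INIT 32 becomes a bare RTS (4E 75) and each
    nVIR resource is emptied but kept, since the virus only checks that they exist."""
    fixed = []
    for t, rid, attrs, data in resources:
        if t == b"INIT" and rid == 32:
            data = b"\x4e\x75"
        elif t == b"nVIR":
            data = b""
        fixed.append((t, rid, attrs, data))
    return fixed


# Constructed samples: a System-file-like fork and a Lightspeed-C-style application.
SAMPLE_SYSTEM = build_resource_fork([
    (b"INIT", 32, 0, b"\x4e\x56\x00\x00" + b"\x00" * 20),  # filler, not the virus body
    (b"nVIR", 0, 0, b"\x00\x01"),
    (b"nVIR", 2, 0, b"\x00" * 8),  # stands in for the 8 saved jump-table bytes
    (b"nVIR", 6, 0, b"\x4e\x56\x00\x00"),
    (b"FOND", 3, 0, b"font"),
])
SAMPLE_LSC_APP = build_resource_fork([
    (b"CODE", 0, RES_PROTECTED, b"\x00" * 24),  # ResProtect set, as LS C does
    (b"CODE", 1, 0, b"\x4e\x75"),
    (b"CODE", 256, 0, b"\x4e\x75"),
    (b"nVIR", 0, 0, b"\x00\x01"),
])

if __name__ == "__main__":
    for name, blob in (("System", SAMPLE_SYSTEM), ("LS C app", SAMPLE_LSC_APP)):
        print(name, scan_for_nvir(blob))
```

Running the script prints one report per sample: the System-like fork shows INIT 32 with nVIR 0, 2 and 6, and the application shows CODE 256 with a protected CODE 0, which is the "carrier but unpatched" state the post attributes to Lightspeed C builds. Rebuilding the System fork from `neutralize_quick_fix(parse_resource_fork(SAMPLE_SYSTEM))` keeps every resource ID in place, exactly as the post insists, while leaving INIT 32 as a lone RTS.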

hallett@hamlet.steinmetz (Jeff A. Hallett) (03/10/88)

There was mention in MacWeek about someone at CE Software producing an
INIT called Vaccine that protected Systems from infestation by such
beasties.  Does anyone know of its whereabouts?  It was supposed to be
released on Compuserve and Genie at the end of last week.

If someone runs across it, run, don't walk and post it.  I don't think
anyone would object to it even being posted here to get it to people
as fast as possible.

Jeffrey A. Hallett                     | ARPA: hallett@ge-crd.arpa   
Software Technology Program    	       | UUCP: desdemona!hallett@steinmetz.uucp
GE Corporate Research and Development  | (518) 387-5654
+--------------------------------------+--------------------------------------+
|                            Credo Quia Absurdum Est                          |
+-----------------------------------------------------------------------------+

spector@vx2.GBA.NYU.EDU (David HM Spector) (03/10/88)

Vaccine is written by Don Brown of CE Software and is not yet out of beta test.

In an E-Mail chat with Don over the last few days, I learned that he has been
working on other CE software products and has not had a chance to work much
on Vaccine.


Don't think that Vaccine will be the end of viruses... Vaccine will be a
solution for a certain limited number of viruses... but there will be more.
We need to have a few heads on pikes to show people that violation of other
people's computers and data is a bad thing....


			David


-------------------------------------------------------------------------------
David HM Spector				New York University
Senior Systems Programmer			Graduate School of Business
Arpa: SPECTOR@GBA.NYU.EDU			Academic Computing Center
UUCP:...!{allegra,rocky,harvard}!cmcl2!spector	90 Trinity Place, Rm C-4
MCIMail: DSpector				New York, New York 10006
AppleLink: D1161     CompuServe: 71260,1410     (212) 285-6080

macak@lakesys.UUCP (Jim Macak) (03/12/88)

In article <650008@vx2.GBA.NYU.EDU> spector@vx2.GBA.NYU.EDU (David HM Spector) writes:
>
>Vaccine is written by Don Brown of CE Software and is not yet out of beta test.
>
> (More on this deleted...)
>
>Don't think that Vaccine will be the end of viruses... Vaccine will be a
>solution for a certain limited number of viruses... but there will be more.
>We need to have a few heads on pikes to show people that violation of other
>people's computers and data is a bad thing....
>
>
>			David
>
>-------------------------------------------------------------------------------
>David HM Spector				New York University
>

I read an interesting message just today on my local FidoNet node in the 
EchoMac section.  It went like this:


db From:    David Beecher
db 
db To:      Chuck Maddox                   Msg #470, 09-Mar-88 12:03pm
db Subject: Re: Mac Mag's Peace Message Virus
db 
db It would be easier to contact the territory's authorities and notify
db them of illegal modification of your computer equipment.  The FBI in
db our country looks at "viruses" or "bombs" as illegal entry (breaking &
db entering) with attempt to destroy.  They like to nail these people and
db make examples of them.  Surely there are similar authorities in
db Canada.  This is one way to get even.  Just a thought, -Dave
db 
db ---  * Origin: BMM - Boulder Mac Maniacs (303)-530-9544 (Opus
db 1:104/49)


Personally, I think this is a pretty darn good idea.  I'd like to see our
MacMag friend hanged from the rafters.  An example or two of rough treatment
of these jerks that produce and propagate viruses just might do the job to rub
them out.  I'd much prefer to see a virus attacked at its source rather than
when it is already trying to corrupt my System file!


-- 

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
Jim -->  macak@lakesys.UUCP (Jim Macak)  {Standard disclaimer, nothin' fancy!}
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

icm@eleazar.Dartmouth.EDU (Ioannis C. Mangos) (03/23/88)

Can someone post a list of programs that produce those viruses?
Are the viruses some new kind of copy protection, a very nasty one?