[comp.sys.mac] I've got a virus and I don't like it

borton@net1.ucsd.edu (Chris Borton) (03/08/88)

This is a warning and plea for more information, if anyone has any. We just
discovered a virus in some of our systems (not all) at work today, and it has
permeated my system at home as well.  The symptoms are simple:

INIT 32 in System File

nVIR resources in various applications and the System File.

This sucker is tricky -- it is getting itself loaded before any INITs do (we
believe the INIT 32 is just a teaser), like PTCHs do, but it isn't in PTCH.
Our two best programmers spent today tracing through it and still haven't found
a real solution other than offloading and re-initializing.

To our knowledge it is non-malicious (yet).  The nVIR resources are usually
small, sometimes 8 bytes, sometimes ~360.  If you remove them from both 
System and ResEdit, the virus won't let you run ResEdit because it is looking
for those resources and can't find them.  It occasionally beeps when running a
program.

We have no idea what installed this.  We are fairly certain it originated from
one of the many small programs that come over the net.  Many of these would be
perfect 'carriers' -- little demo program that's an "aww, that's cute, now let's 
trash it."  I'm not putting down these programs, just pointing out what I feel
is obvious.

I don't believe this is any cause for panic -- it hasn't done any known harm
yet.  I would, however, like to get to the bottom of this!  If it's a joke, I
don't find it very funny.  (unless it de-installs itself completely after April
Fool's Day :-)). If it is someone's graduate thesis, you get an A-.  But enough
is enough!

-cbb
Chris "Johann" Borton, UC San Diego	...!sdcsvax!borton
					borton@ucsd.edu or BORTON@UCSD.BITNET
Letztes Jahr in Deutschland, nog een jaar hier, en dan naar Amsterdam!
"H = F cubed.  Happiness = Food, Fun, & Friends."  --Steve Wozniak

spector@vx2.GBA.NYU.EDU (David HM Spector) (03/08/88)


It seems you have been bitten by a virus whose sources were uploaded to CompuServe
several months ago...  The author, a fellow in West Germany, thought it
would be educational to distribute these example viruses in source form to 
encourage people to write defenses against them.  His stated intent in writing
a virus in the first place was to keep people from running possibly virus-ridden
programs on their production Macintoshes which had been previously hit by
viruses....  its signature, in the original sources, was a resource type of
nVir... it's a simple yet potent virus and very easily modified to do bad 
things.

	... unfortunately the only way around most of these viruses is to
replace your system folder. (Make sure you do this from a WRITE-LOCKED 
copy of the Apple System installer... or else you'll end up back where you
started, with an infected system.)... there is another problem, that being
that the virus that was on CompuServe knows how to infect APPLICATIONS, as
well as the system itself.  Pretty depressing....

For more info on this virus, take a look at Risks Digest volume 6, Nos. 7,
22,23,24, 27 (a few of the articles are ones I wrote regarding this and other 
Macintosh viruses...)


		   Good Luck....
			David

PS: If anyone else out there has seen Macintosh viruses, besides the "DR" (
Richard Brandow/MacMag virus), I would appreciate hearing about it.. I am 
trying to work up some stats on the spread and possible strategies for 
combating these things...
-------------------------------------------------------------------------------
David HM Spector				New York University
Senior Systems Programmer			Graduate School of Business
Arpa: SPECTOR@GBA.NYU.EDU			Academic Computing Center
UUCP:...!{allegra,rocky,harvard}!cmcl2!spector	90 Trinity Place, Rm C-4
MCIMail: DSpector				New York, New York 10006
AppleLink: D1161     CompuServe: 71260,1410     (212) 285-6080

geb@cadre.dsl.PITTSBURGH.EDU (Gordon E. Banks) (03/09/88)

I think we should make a concerted effort to find the perpetrators
of these viruses and punish them using all possible (legal) means.

msurlich@faui44.UUCP (Matthias Urlichs ) (03/14/88)

In article <4731@sdcsvax.UCSD.EDU> borton@net1.UUCP (Chris Borton) writes:
>   The symptoms are simple:
> 
> INIT 32 in System File
> 
> nVIR resources in various applications and the System File.
> 

I have written a small INIT called "KillVirus" that deinstalls this
particular virus from the startup System file and any program you are booting.
Anyone who needs it may get it from CompuServe (MacDev) or from me
(send a disk and $5); feel free to post it elsewhere.

I am the poster of the virus "example" on CompuServe. This example is
incomplete and was derived from the existing "nVir" virus we are all
experiencing. It cost me considerable time to dissect the beast and I thought
it a good idea to post a watered-down version of it so that someone
might find some means of defeating future examples of this behavior.

I fully agree that viruses (even non-malignant ones) are far from funny. I did
not think that anyone would recompile the beast since to derive the
missing pieces is about as hard as starting from scratch; I assume the
original has travelled to the US.
I will delete the "example" if there is a consensus that it will do more
bad than good.

The "nVir" virus installs itself in the System file using an INIT 32,
and into any program you start by patching itself into the "CODE 0"
resource. This is accomplished by patching the TEInit trap.

The programmer built a defeat mechanism into the virus: it will do nothing
if there is a resource "nVIR", ID 10, present in your System file.

To deinstall the virus from your System, simply delete all "nVIR" resources and
the infamous INIT 32, and create a (empty) "nVIR" 10 resource to prevent
further problems.
Getting it out of programs is more difficult. The old entry from the CODE 0
is stored in nVIR ID 2. Open that resource, copy the eight bytes,
open CODE 0, select the third line, and paste. Then delete all nVIRs, and CODE
256 (this does belong to the virus).  You might have to use ResEdit 1.2
for some programs which have a CODE 0 too large for ResEdit 1.1 to handle.

The original of this virus came in three flavors. The first simply beeps
when you start a program (not always). The second opened MacinTalk and tried
to say "Don't Panic" instead. The third selected a random file in your System
folder and killed it. Fortunately the former two are more aggressive and
do overwrite the third one if they see it.
All three variants sometimes crash programs when you try to start them.
This does not seem to cause any further problems.

I hope this information helps. Please do not mail to me if possible because
I have to pay $1 per kByte if it gets too much.

-- 
Matthias Urlichs              CompuServe: 72437,1357  Delphi: URLICHS
Rainwiesenweg 9
8501 Schwaig 2                "Violence is the last refuge
West Germany                            of the incompetent." -- Salvor Hardin

edwards@bgsuvax.UUCP (Bruce Edwards) (03/16/88)

In article <1058@cadre.dsl.PITTSBURGH.EDU>, geb@cadre.dsl.PITTSBURGH.EDU (Gordon E. Banks) writes:
> I think we should make a concerted effort to find the perpetrators
> of these viruses and punish them using all possible (legal) means.


Good luck....the US intelligence agencies can seem to find out who bombed
the Marines barracks in Lebanon with the sophistication at their disposal
.....come to think of it maybe it's the same guys! Where are you Prof.
Moriarty?!!!