[comp.sys.mac] munged mandelbrot parts -- I need to read.., and viruses

sdy@ssc-vax.UUCP (Sea Lance) (03/10/88)

Whoops -- guess if I read the afternoon news before posting I'd see that
Mandelbrot doesn't run on a Plus or SE.

On that nVIR virus I don't quite understand how it manages to subvert ResEdit
-- if you can't run ResEdit, what do you do then? -- especially when it (as
claimed) installs itself in applications as well as in system folders. Maybe
you could get a clean system by using a locked installer, but how do you then
clean your applications?

Now, being supremely paranoid, I'm going to have to go home and look at my
files.

steve.
-- 
Steven D. Yee                 >>> my employer does not share my opinions  <<<
uw-beaver!ssc-vax!sdy         >>> (that's because I'm always right! ;-)   <<<

(chant) We want more!  We want more!  We want more lines than four!!!!!!!

spector@vx2.GBA.NYU.EDU (David HM Spector) (03/11/88)

Regarding nVir virus resources...

Well, any resources that are in use by the system, such as viruses that
are installed as "replacements" for system traps, will not be editable
with ResEdit; they're locked. Under MultiFinder, resources currently in use
by the system or some program will not even show up in (current versions of)
ResEdit.

	_David


-------------------------------------------------------------------------------
David HM Spector				New York University
Senior Systems Programmer			Graduate School of Business
Arpa: SPECTOR@GBA.NYU.EDU			Academic Computing Center
UUCP:...!{allegra,rocky,harvard}!cmcl2!spector	90 Trinity Place, Rm C-4
MCIMail: DSpector				New York, New York 10006
AppleLink: D1161     CompuServe: 71260,1410     (212) 285-6080
"SJM 25, 'real nice guy' seeks SJF...  What? This ISN'T The Voice personals?!"

borton@net1.ucsd.edu (Chris Borton) (03/11/88)

In article <650009@vx2.GBA.NYU.EDU> spector@vx2.GBA.NYU.EDU (David HM Spector) writes:
>
>Regarding nVir virus resources...
>
>Well, any resources that are in use by the system, such as viruses that
>are installed as "replacements" for system traps, will not be editable
>with ResEdit; they're locked. Under MultiFinder, resources currently in use
>by the system or some program will not even show up in (current versions of)
>ResEdit.

This isn't what is going on here.  The nVIR virus patches CODE 0 of an
application to execute CODE 256, which checks the System file for the existence
of INIT 32 and nVIR 0-7.  If it does not find them there, it attempts to
install them using nVIR 0-7 from the application; nVIR 3 (I think) is a copy of
INIT 32.  In this way it spreads from application-->System.

It also works the opposite way: a System with INIT 32 checks each program on
launch to see if nVIR and CODE 256 are there.  If not, then it installs them
and patches CODE 0 to jump to CODE 256; the original jump is stored in nVIR 2.

If INIT 32 was run and it tries to infect an application, but fails to find
nVIR in the System, it fails and returns.  This is the refusal to run the
application.  It tries both directions, too.  However, it only checks for the
*existence* of INIT 32 and nVIR, not the sizes, so it can easily be halted by
making the nVIR resources 0 length and the INIT 32 just a '4E75' (RTS).

Inoculation is a real pain!  Solving just the System file won't do -- you have
to fix every application that has been infected.  It does alter the
modification date, so this is one method of checking.  What my friend Mike is
working up is an INIT for the system folder, specific for this virus, that
checks if it is trying to infect further.  When it detects this, the user is
informed and offered the choice of automatically patching and vaccinating the
infected program.  If the system is infected, it is fixed and the user is
requested to reboot first.

:-) the terminology here often amuses me, but unfortunately the parallels are
all too real :-(.

I agree with David: we must make a concerted effort to locate the perpetrator
of this and take action as we can in order to avoid as much as possible repeats
of possibly much more malicious types.

-cbb
Chris "Johann" Borton, UC San Diego	...!sdcsvax!borton
					borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, one more year here, and then to Amsterdam!
"H = F cubed.  Happiness = Food, Fun, & Friends."  --Steve Wozniak
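The resource-level check Chris's post describes (look for INIT 32, nVIR 0-7 and CODE 256, and treat zero-length nVIR resources plus an RTS-only INIT 32 as the inoculated state rather than a live infection), as an added example that is not code from this thread or its authors. The fork builder and the sample forks are constructed test data, and the parser assumes the standard resource map layout with unnamed resources.

```python
import struct

# Resources the post ties to nVIR: INIT 32 and nVIR 0-7 in the System, CODE 256 in an app.
NVIR_MARKERS = {(b"INIT", 32), (b"CODE", 256)} | {(b"nVIR", i) for i in range(8)}
RTS = b"\x4e\x75"  # 68000 RTS, the inoculated INIT 32 body from the post

def build_fork(resources):
    """Build a minimal resource fork (constructed test data) from [(type, id, bytes)]."""
    data, refs = b"", {}
    for rtype, rid, payload in resources:
        refs.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    types = sorted(refs)
    type_list, ref_lists = struct.pack(">h", len(types) - 1), b""
    ref_base = 2 + 8 * len(types)          # reference lists follow the type list
    for rtype in types:
        type_list += rtype + struct.pack(">hH", len(refs[rtype]) - 1, ref_base + len(ref_lists))
        for rid, off in refs[rtype]:       # id, no name, attrs=0 + 24-bit data offset, handle
            ref_lists += struct.pack(">hhI", rid, -1, off & 0xFFFFFF) + b"\0" * 4
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))
    rmap += type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + b"\0" * 240 + data + rmap

def parse_fork(fork):
    """Walk the resource map and return {(type, id): data}."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    ntypes = struct.unpack(">h", fork[tl:tl + 2])[0] + 1
    out = {}
    for i in range(ntypes):
        rtype, nres, roff = struct.unpack(">4shH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(nres + 1):
            p = tl + roff + 12 * j
            rid, _, attr_off = struct.unpack(">hhI", fork[p:p + 8])
            start = data_off + (attr_off & 0xFFFFFF)
            length = struct.unpack(">I", fork[start:start + 4])[0]
            out[(rtype, rid)] = fork[start + 4:start + 4 + length]
    return out

def scan_for_nvir(fork):
    """Report nVIR marker resources and whether they look live or inoculated."""
    res = parse_fork(fork)
    found = sorted(k for k in res if k in NVIR_MARKERS)
    # The virus only checks for existence, so zero-length nVIR resources and an
    # RTS-only INIT 32 are the inoculated state, not an active infection.
    live_nvir = any(len(res[k]) for k in found if k[0] == b"nVIR")
    live_init = res.get((b"INIT", 32), RTS) != RTS
    return {"markers": found, "live": live_nvir or live_init}
```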