florman@randvax.UUCP (Bruce Florman) (01/28/89)
I just got a phone call from my Dad, complaining about his Mac II misbehaving. He described some symptoms, and I talked him through some diagnostics, and we finally traced the problems to the new INIT 29 virus (for a good description of INIT 29, see Joel Levin's article of 1/18).

The chain of events was roughly this: Three days ago, my step brother came home from the computer store where he works with a disk full of new PD software. He installed it on the Mac II's 80 meg disk and then shut it down for the evening. The next day, it wouldn't boot from the hard disk. They booted from a floppy, and replaced the system file on the hard disk, and that seemed to fix it, except that it would no longer issue any sound for a SysBeep. They then trashed an INIT file called BeepInit, and everything seemed to be okay. Then it started rejecting some floppy disks, saying that they needed "minor repair." That's when Dad called me.

It turned out that there was an ominous pattern in the floppies that it wanted to repair. It was only complaining about floppies whose write protect tab was open. A quick check with ResEdit turned up a 712 byte INIT resource with id number 29 and a garbage name in the system file.

INIT 29 tail patches the OpenResFile trap to copy itself into any resource fork that gets opened. When the Finder tries to mount a locked floppy, it opens the resource fork of that floppy's Desktop file by calling OpenResFile. The ROM code successfully opens the resource fork, but then the virus tries unsuccessfully to write itself to the locked disk, which leaves an error code in a low memory global. Control then returns to the Finder, which thinks that the last attempted operation was OpenResFile, and upon finding the error code it assumes that the Desktop file has some problem. The Finder cheerfully offers to rebuild the Desktop file, and if you accept the offer, it will spit out the disk and tell you to unlock it. Unlock the disk, put it back in, and *PRESTO* it's infected.

Naturally, much of Dad's 80 meg disk is not backed up anywhere. It looks as if he'll just have to reformat the disk, restore as much as he can from floppies that he's sure haven't been in the machine for the last few days, and just do without those applications which haven't been backed up. I believe that we can sanitize the important documents by removing the INIT 29 resources in them, but applications are more difficult, since the virus munges the jump table in their CODE 0 resource.

If anybody knows of a program which will repair the CODE 0 damage caused by INIT 29, I'd really like to hear about it. Also recommendations for, and experiences with, anti-viral software (Vaccine, Gatekeeper, etc.) would be appreciated. And let's all be careful out there.

-Bruce Florman
max@claris.com (Max Rochlin) (01/31/89)
From article <1869@randvax.UUCP>, by florman@randvax.UUCP (Bruce Florman):
> If anybody knows of a program which will repair the CODE 0 damage
> caused by INIT 29, I'd really like to hear about it. Also recommenda-
> tions for, and experiences with anti-viral software (Vaccine, Gatekeeper,
> etc.) would be appreciated. And let's all be careful out there.

There is a program called Virex (current version 1.2) by:

HJC Software
PO BOX 51816
Durham, NC 27717

It will remove infections from applications. I was recently infected by a disk with nVIR on it and Virex seemed to disinfect it just fine.

Good Luck!

UUCP: sun!saxony!madmax!max | {ames,apple,portal,sun}!claris!madmax!max
Applelink: Rochlin1 | CI$: 70436,345 | MacNet: MaxRochlin
florman@randvax.UUCP (Bruce Florman) (01/31/89)
In article <1869@randvax.UUCP> florman@randvax.UUCP I write:
> I just got a phone call from my Dad, complaining about his Mac II
> misbehaving. He described some symptoms, and I talked him through
> some diagnostics, and we finally traced the problems the new INIT 29
> virus (For a good description of INIT 29, see Joel Levin's article
> of 1/18).
[blah, blah, blah]
> If anybody knows of a program which will repair the CODE 0 damage
> caused by INIT 29, I'd really like to hear about it.

Over the weekend I disassembled the INIT29 virus, and figured out that repairing applications is relatively easy with ResEdit. I'll pass along the fix in case anybody else out there needs to do it (and doesn't feel like spending a half day mucking about with MacNosy and interpreting assembly code).

1) Using ResEdit, open CODE resource 0 of the infected application. This contains the application's jump table.

2) Sixteen bytes from the start of the resource (i.e. the third line) you will see something that looks like:

   005C 3F3C nnnn A9F0

   The nnnn is the id number of the virus' CODE resource. Make note of it. This number will be greater than one. If it isn't, then the application is not infected with INIT29 (at least not the same strain that I looked at).

3) Select the virus' CODE resource (the one with id = nnnn) and choose "Get Info" from the File menu. The size of this resource should be 712 bytes. If it isn't, the application is not infected with INIT29.

4) Close the "Get Info" box and open the resource itself.

5) Thirty bytes from the start of it, you will see something like:

   xxxx 3F3C yyyy A9F0

   This is the original jump table entry for the application. Note the values of xxxx and yyyy.

6) Close the CODE nnnn window and go back to the CODE 0 window.

7) Replace "005C 3F3C nnnn A9F0" with "xxxx 3F3C yyyy A9F0" and then close the CODE 0 window.

8) Select the virus' CODE resource again and choose "Clear" from the Edit menu.

9) Close the application's window and click OK when ResEdit asks you if you want to save the changes.

The application is now sanitary again. Be more careful next time. :-)

For non-applications that have become infected (e.g. the System file or the Desktop file) the cure is even easier. Simply remove the INIT 29 resource with ResEdit.

*** DISCLAIMER !!! ***
These procedures have worked for me, but I make ABSOLUTELY NO GUARANTEES about them to you. If you follow these procedures and your Mac bursts into flame, or has any other problem at all, it's YOUR problem, not mine, and not my employers'.

Have a nice day,
Bruce Florman
iron@imag.imag.fr (Francois Menneteau) (02/06/89)
In article <1871@randvax.UUCP>, florman@randvax.UUCP (Bruce Florman) writes:
>
> Over the weekend I disassembled the INIT29 virus, and figured out that
> repairing applications is relatively easy with ResEdit....
>
> 005C 3F3C nnnn A9F0
>
> The nnnn is the id number of the virus' CODE resource. Make note
> of it. This number will be greater than one. If it isn't, then
> the application is not infected with INIT29 (at least not the same
> strain that I looked at).
>

BE CAREFUL: some applications have the first entry of their JUMP TABLE with a CODE segment id different from one (protection against hackers, for example), and it doesn't necessarily mean they are infected...

And I think checking only for code size to say you are infected by INIT29 is very dangerous (perhaps a sequence of code [OpenResFile patch?] will be more efficient).

It's only my impressions...

--
"... I had their lives in my hands / their fate their fortune in my visions / No one believed in my true prophecy / And now it's too late."
iron@imag.imag.fr
uunet.uu.net!imag!iron
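As an added example (not code from any of the posters), the following Python script automates the ResEdit procedure in Florman's nine steps and builds in Menneteau's caveat: a first jump-table entry that does not point at CODE 1 is treated only as a hint, and the repair is refused unless every other observation from the thread also holds (the 005C offset word, a 712-byte CODE resource with the noted id, and a real MOVE.W/_LoadSeg stub at offset 30 of that resource). It operates on resource data already pulled out of the resource fork, so `code0` is the bytes of CODE 0 and `codes` maps CODE ids to bytes; the 16-byte CODE 0 header and the 8-byte jump-table entry layout are the standard 68k Macintosh ones, and the sample application data is constructed filler, not a real program or virus.

```python
"""Added example: check for and undo the CODE 0 jump-table change that
INIT 29 makes, following Florman's ResEdit steps. Not the posters' code."""
import struct

INIT29_CODE_SIZE = 712          # size Florman reports for the virus' CODE resource
JT_HEADER_LEN = 16              # CODE 0 header precedes the first jump-table entry
SAVED_ENTRY_OFFSET = 30         # where the virus keeps the original entry (per Florman)
ENTRY_LEN = 8                   # one jump-table entry: offset, MOVE.W #seg,-(SP), _LoadSeg
MOVE_W_IMM = 0x3F3C             # MOVE.W #imm,-(SP)
LOADSEG = 0xA9F0                # _LoadSeg trap word
INFECTED_FIRST_OFFSET = 0x005C  # offset word Florman saw in the patched first entry


class NotInfected(Exception):
    """Raised with the reason a file fails one of the INIT 29 checks."""


def parse_entry(data, off):
    """Decode the 8-byte jump-table stub at `off` into (offset, segment id)."""
    if off + ENTRY_LEN > len(data):
        raise ValueError("resource too short for an entry at %d" % off)
    offset, movew, seg, trap = struct.unpack(">HHHH", data[off:off + ENTRY_LEN])
    if movew != MOVE_W_IMM or trap != LOADSEG:
        raise ValueError("bytes at %d are not a MOVE.W/_LoadSeg stub" % off)
    return offset, seg


def diagnose(code0, codes):
    """Return the id of the virus' CODE resource, or raise NotInfected.
    `codes` maps CODE resource id -> bytes (CODE 0 itself is passed separately)."""
    first_off, seg = parse_entry(code0, JT_HEADER_LEN)
    # Menneteau's caveat: a first entry that is not CODE 1 is only a hint,
    # so every further check must pass before anything is touched.
    if seg <= 1:
        raise NotInfected("first jump-table entry targets CODE %d" % seg)
    if first_off != INFECTED_FIRST_OFFSET:
        raise NotInfected("first entry offset is %04X, not %04X"
                          % (first_off, INFECTED_FIRST_OFFSET))
    virus = codes.get(seg)
    if virus is None:
        raise NotInfected("no CODE %d resource present" % seg)
    if len(virus) != INIT29_CODE_SIZE:
        raise NotInfected("CODE %d is %d bytes, not %d"
                          % (seg, len(virus), INIT29_CODE_SIZE))
    try:
        parse_entry(virus, SAVED_ENTRY_OFFSET)   # saved entry must be a real stub
    except ValueError as exc:
        raise NotInfected("CODE %d offset 30: %s" % (seg, exc))
    return seg


def disinfect(code0, codes):
    """Florman's steps 5-8: copy the saved entry back into CODE 0 and drop the
    virus' CODE resource. Returns (new_code0, new_codes); inputs are untouched."""
    seg = diagnose(code0, codes)
    saved = codes[seg][SAVED_ENTRY_OFFSET:SAVED_ENTRY_OFFSET + ENTRY_LEN]
    new_code0 = code0[:JT_HEADER_LEN] + saved + code0[JT_HEADER_LEN + ENTRY_LEN:]
    new_codes = {rid: data for rid, data in codes.items() if rid != seg}
    return new_code0, new_codes


def make_sample(infected, first_seg=1):
    """Constructed test data, not a real application: a CODE 0 with a two-entry
    jump table plus a filler CODE 1. With `infected`, the first entry is rewritten
    the way the post describes and a 712-byte zero-filled resource (no virus code)
    is added as CODE 5 holding the original entry at offset 30."""
    header = struct.pack(">IIII", 0, 0x100, 2 * ENTRY_LEN, 32)   # above/below A5, JT size, JT offset
    entry1 = struct.pack(">HHHH", 0x0000, MOVE_W_IMM, first_seg, LOADSEG)
    entry2 = struct.pack(">HHHH", 0x0010, MOVE_W_IMM, 1, LOADSEG)
    codes = {1: b"\x4E\x75" * 64}                                 # CODE 1: 128 bytes of RTS
    if not infected:
        return header + entry1 + entry2, codes
    patched = struct.pack(">HHHH", INFECTED_FIRST_OFFSET, MOVE_W_IMM, 5, LOADSEG)
    filler = bytearray(INIT29_CODE_SIZE)
    filler[SAVED_ENTRY_OFFSET:SAVED_ENTRY_OFFSET + ENTRY_LEN] = entry1
    codes[5] = bytes(filler)
    return header + patched + entry2, codes


if __name__ == "__main__":
    code0, codes = make_sample(infected=True)
    print("virus CODE id:", diagnose(code0, codes))
    fixed0, fixed = disinfect(code0, codes)
    print("repaired CODE 0 matches clean sample:", (fixed0, fixed) == make_sample(False))
    try:
        diagnose(*make_sample(False, first_seg=2))
    except NotInfected as exc:
        print("unusual but clean jump table left alone:", exc)
```

The last case in the `__main__` block is Menneteau's scenario: an application whose first entry legitimately targets a segment other than 1 trips the id check but fails the remaining checks, so `disinfect` refuses to edit it rather than clearing a resource the application needs.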