florman@randvax.UUCP (Bruce Florman) (01/28/89)
I just got a phone call from my Dad, complaining about his Mac II
misbehaving. He described some symptoms, and I talked him through
some diagnostics, and we finally traced the problems to the new INIT 29
virus (for a good description of INIT 29, see Joel Levin's article
of 1/18).
The chain of events was roughly this: Three days ago, my stepbrother
came home from the computer store where he works with a disk
full of new PD software. He installed it on the Mac II's 80 meg disk
and then shut it down for the evening. The next day, it wouldn't boot
from the hard disk. They booted from a floppy, and replaced the system
file on the hard disk, and that seemed to fix it, except that it would
no longer issue any sound for a SysBeep. They then trashed an INIT
file called BeepInit, and everything seemed to be okay. Then it started
rejecting some floppy disks, saying that they needed "minor repair."
That's when Dad called me.
It turned out that there was an ominous pattern in the floppies that
it wanted to repair. It was only complaining about floppies whose write
protect tab was open. A quick check with ResEdit turned up a 712 byte
INIT resource with id number 29 and a garbage name in the system file.
INIT 29 tail patches the OpenResFile trap to copy itself into any
resource fork that gets opened. When the finder tries to mount a locked
floppy, it opens the resource fork of that floppy's Desktop file by
calling OpenResFile. The ROM code successfully opens the resource fork,
but then the virus tries unsuccessfully to write itself to the locked
disk, which leaves an error code in a low-memory global. Control then
returns to the Finder, which thinks that the last attempted operation
was OpenResFile, and upon finding the error code it assumes that the
Desktop file has some problem. The Finder cheerfully offers to rebuild
the Desktop file, and if you accept the offer, it will spit out the
disk and tell you to unlock it. Unlock the disk, put it back in, and
*PRESTO* it's infected.
Naturally, much of Dad's 80 meg disk is not backed up anywhere. It
looks as if he'll just have to reformat the disk, restore as much as he
can from floppies that he's sure haven't been in the machine for the last
few days, and just do without those applications which haven't been
backed up. I believe that we can sanitize the important documents by
removing the INIT 29 resources in them, but applications are more
difficult, since the virus munges the jump table in their CODE 0 resource.
If anybody knows of a program which will repair the CODE 0 damage
caused by INIT 29, I'd really like to hear about it. Also recommendations
for, and experiences with, anti-viral software (Vaccine, Gatekeeper,
etc.) would be appreciated. And let's all be careful out there.
-Bruce Florman

max@claris.com (Max Rochlin) (01/31/89)
From article <1869@randvax.UUCP>, by florman@randvax.UUCP (Bruce Florman):
> If anybody knows of a program which will repair the CODE 0 damage
> caused by INIT 29, I'd really like to hear about it. Also recommendations
> for, and experiences with anti-viral software (Vaccine, Gatekeeper,
> etc.) would be appreciated. And let's all be careful out there.
There is a program called Virex (current version 1.2) by:
HJC Software
PO BOX 51816
Durham, NC 27717
It will remove infections from applications. I was recently infected by a disk with nVIR on it and Virex seemed to disinfect it just fine. Good Luck!
UUCP: sun!saxony!madmax!max  |  Applelink: Rochlin1
      {ames,apple,portal,sun}!claris!madmax!max
CI$: 70436,345  |  MacNet: MaxRochlin
florman@randvax.UUCP (Bruce Florman) (01/31/89)
In article <1869@randvax.UUCP> florman@randvax.UUCP I write:
> I just got a phone call from my Dad, complaining about his Mac II
> misbehaving. He described some symptoms, and I talked him through
> some diagnostics, and we finally traced the problems to the new INIT 29
> virus (For a good description of INIT 29, see Joel Levin's article
> of 1/18).
[blah, blah, blah]
> If anybody knows of a program which will repair the CODE 0 damage
> caused by INIT 29, I'd really like to hear about it.
Over the weekend I disassembled the INIT29 virus, and figured out that repairing applications is relatively easy with ResEdit. I'll pass along the fix in case anybody else out there needs to do it (and doesn't feel like spending a half day mucking about with MacNosy and interpreting assembly code).
1) Using ResEdit, open CODE resource 0 of the infected application. This contains the application's jump table.
2) Sixteen bytes from the start of the resource (i.e. the third line) you will see something that looks like:
   005C 3F3C nnnn A9F0
   The nnnn is the id number of the virus' CODE resource. Make note of it. This number will be greater than one. If it isn't, then the application is not infected with INIT29 (at least not the same strain that I looked at).
3) Select the virus' CODE resource (the one with id = nnnn) and choose "Get Info" from the file menu. The size of this resource should be 712 bytes. If it isn't, the application is not infected with INIT29.
4) Close the "Get Info" box and open the resource itself.
5) Thirty bytes from the start of it, you will see something like:
   xxxx 3F3C yyyy A9F0
   This is the original jump table entry for the application. Note the values of xxxx and yyyy.
6) Close the CODE nnnn window and go back to the CODE 0 window.
7) Replace "005C 3F3C nnnn A9F0" with "xxxx 3F3C yyyy A9F0" and then close the CODE 0 window.
8) Select the virus' CODE resource again and choose "Clear" from the edit menu.
9) Close the application's window and click OK when ResEdit asks you if you want to save the changes.
The application is now sanitary again. Be more careful next time. :-)
For non-applications that have become infected (e.g. the System file or the Desktop file) the cure is even easier. Simply remove the INIT 29 resource with ResEdit.
*** DISCLAIMER !!! ***
These procedures have worked for me, but I make ABSOLUTELY NO GUARANTEES about them to you. If you follow these procedures and your Mac bursts into flame, or has any other problem at all, it's YOUR problem, not mine, and not my employers'.
Have a nice day,
Bruce Florman
iron@imag.imag.fr (Francois Menneteau) (02/06/89)
In article <1871@randvax.UUCP>, florman@randvax.UUCP (Bruce Florman) writes:
>
> Over the weekend I disassembled the INIT29 virus, and figured out that
> repairing applications is relatively easy with ResEdit....
>
> 005C 3F3C nnnn A9F0
>
> The nnnn is the id number of the virus' CODE resource. Make note
> of it. This number will be greater than one. If it isn't, then
> the application is not infected with INIT29 (at least not the same
> strain that I looked at).
>
BE CAREFUL: some applications have the first entry of their JUMP TABLE with a CODE segment id different from one (protection against hackers, for example), and it doesn't necessarily mean they are infected... And I think checking only for code size to say you are infected by INIT29 is very dangerous (perhaps a sequence of code [OpenResFile patch?] will be more efficient). It's only my impressions...
--
iron@imag.imag.fr        "... I had their lives in my hands
uunet.uu.net!imag!iron    their fate their fortune in my visions
                          No one believed in my true prophecy
                          And now it's too late."
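Bruce's ResEdit procedure (steps 2, 3, 5, 7 and 8) and Francois's caveat, encoded as a small checker and repair routine. This is an added example, not code from the thread; it assumes the application's CODE resources have already been pulled out of the resource fork into a dict keyed by resource id (the fork parser is not shown), and it requires the size and the saved original entry to match before it flags anything, so a clean program whose first entry merely targets a segment other than 1 is not reported.

```python
import struct
# Offsets and constants as given in the thread's repair procedure.
JT_FIRST_ENTRY = 16        # first jump-table entry, after CODE 0's 16-byte header
SAVED_ENTRY_OFFSET = 30    # where the viral CODE resource keeps the original entry
VIRAL_CODE_SIZE = 712      # size of the INIT 29 CODE resource reported in the thread
MOVE_W_IMM = 0x3F3C        # MOVE.W #imm,-(SP): pushes the segment number
LOADSEG = 0xA9F0           # _LoadSeg trap word that ends every jump-table entry

def parse_entry(blob, offset):
    """(routine_offset, segment_id) for the 8-byte entry at offset, else None."""
    if len(blob) < offset + 8:
        return None
    off, move, seg, trap = struct.unpack(">HHHH", blob[offset:offset + 8])
    if move != MOVE_W_IMM or trap != LOADSEG:
        return None
    return off, seg

def find_init29(code_resources):
    """Return the viral CODE id or None. A first entry aimed at a segment other than 1
    is only a hint (clean programs do that too), so size and saved entry must match."""
    code0 = code_resources.get(0)
    entry = parse_entry(code0, JT_FIRST_ENTRY) if code0 else None
    if entry is None or entry[0] != 0x005C or entry[1] <= 1:
        return None                      # not the 005C 3F3C nnnn A9F0 pattern
    suspect = code_resources.get(entry[1])
    if suspect is None or len(suspect) != VIRAL_CODE_SIZE:
        return None                      # wrong size: not (this strain of) INIT 29
    if parse_entry(suspect, SAVED_ENTRY_OFFSET) is None:
        return None                      # no xxxx 3F3C yyyy A9F0 at offset 30
    return entry[1]

def repair(code_resources):
    """Restore the original first entry in CODE 0 and drop the viral CODE resource."""
    viral_id = find_init29(code_resources)
    if viral_id is None:
        return dict(code_resources)          # nothing to do; return a copy
    saved = code_resources[viral_id][SAVED_ENTRY_OFFSET:SAVED_ENTRY_OFFSET + 8]
    code0 = bytearray(code_resources[0])
    code0[JT_FIRST_ENTRY:JT_FIRST_ENTRY + 8] = saved
    fixed = {rid: data for rid, data in code_resources.items() if rid != viral_id}
    fixed[0] = bytes(code0)
    return fixed

# Constructed sample (not real virus bytes): CODE 0 with its first entry redirected
# to CODE 3, and a 712-byte CODE 3 holding the original entry at offset 30.
ORIGINAL_ENTRY = bytes.fromhex("0000 3F3C 0001 A9F0")
INFECTED_CODE0 = bytes(16) + bytes.fromhex("005C 3F3C 0003 A9F0") + bytes(8)
VIRAL_CODE3 = bytes(30) + ORIGINAL_ENTRY + bytes(VIRAL_CODE_SIZE - 38)
SAMPLE = {0: INFECTED_CODE0, 1: b"clean segment", 3: VIRAL_CODE3}
```

Running `repair(SAMPLE)` returns a dict without CODE 3 and with the first jump-table entry of CODE 0 restored to `0000 3F3C 0001 A9F0`, which `find_init29` then reports as clean.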