LBA002%PRIME-A.TEES-POLY.AC.UK@IBM1.CC.Lehigh.Edu (08/30/89)
I spotted this in the August issue of Apple2000 (a UK Mac user group magazine.) It first appeared on the Infomac network and the author is John Norstad of Academic Computing & Network Services, Northwestern University (hope it's OK with you to reproduce this John?) It may be old-hast to all the virus experts but I found it interesting & informative. nVIR A & B There has been some confusion over exactly what the nVIR A & nVIR B viruses actually do. In fact, I don't believe the details have ever been published. I just finished spending a few days researching the two nVIR viruses. This report presents my findings. As with all viruses, nVIR A & B replicate. When you run an infected application on a clean system the infection spreads from the application to the system file. After rebooting the infection in turn spreads from the system to other applications, as they are run. At first nVIR A & B only replicate. When the system file is first infected a counter is initialized to 1000. The counter is decremented by 1 each time the system is booted, and it is decremented by 2 each time an infected application is run. When the counter reaches 0 nVIR A will sometimes either say "Don't Panic" (if MacinTalk is installed in the system folder) or beep (if MacinTalk is not installed in the system folder.) This will happen on a system boot with a probability of 1/16. It will also happen when an infected application is launched with a probability of 31/256. In addition when an infected application is launched nVIR A may say "Don't Panic" twice or beep twice with a probability of 1/256. When the counter reaches 0 nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system boot with a probability of 1/8. A single beep will happen when an infected application is launched with a probability of 15/64. A double beep will happen when an application is launched with a probability of 1/64. I've discovered that it is possible for nVIRA and nVIRB to mate and sexually reproduce, resulting in new viruses combining parts of their parents. For example if a system is infected with nVIRA and if an application infected with nVIRB is tun on that system, part of the nVIRB infection is replaced by part of the nVIRA infection from the system. The resulting offspring contains parts from each of its parents, and behaves like nVIRA. Similarly if a system is infected with nVIRB and if an application infected with nVIRA is run on that system, part of the nVIRA infection in the application is replaced by part of the nVIRB infection from the system. The resulting offspring is very similar to its sibling described in the previous paragraph except that it has the opposite "sex" - each part is from the opposite parent. it behaves like nVIRB. These offspring are new viruses. if they are taken to a clean system they will infect that system, which will in turn infect other applications. The descendents are identical to the original offspring. I've also investigated some of the possibly incestual matings of these two kinds of children with each other and with their parents. Again the result is infections that contain various combinations of parts from their parents. (Hot stuff!) Rgds, Iain Noble