Date: Wed, 16 Mar 88 01:02:40 CST From: kraut@emx.utexas.edu (Werner Uhrig) Subject: Virus articles Forwarded messages: -------------------- Date: 15 Mar 88 17:57:58 GMT From: dplatt@coherent.com (Dave Platt) Newsgroups: comp.sys.mac Subject: MacMag virus infects commercial software According to an article in this morning's San Jose Mercury News, the "DREW" INIT-virus has been found to have infected a commercial software product. The virus, which was a "benign" time-bomb designed to display a message of world peace on March 2nd, is present on disks containing Aldus FreeHand. The virus was inadvertently passed to Aldus by Marc Canter, president of MacroMind Inc., which makes training disks for Aldus. Canter visited Canada some time ago, and was given a disk containing a program called "Mr. Potato Head", which lets users play with a computerized version of the toy character. Canter ran the program only once, and his machine was apparently infected by the virus at this time. Subsequently, the virus infected a disk of training software that Canter then delivered to Aldus; at Aldus, the virus infected disks that were then sold to customers. Although this virus was believed to be harmless, Canter reports that it forced his Macintosh II computer to shut down and caused him to lose some computer information. "My system crashed," Canter said, "I was really angry." (( Not all that surprising... quite a few popular but nonstandard programming tricks used on the classic Mac don't work on the Mac II due to its different video card/monitor architecture... many games, etc. don't run on the II for this reason and can cause some very impressive system crashes... dcp )) Canter fears that more of his customers may have been infected by the virus. MacroMind's clients include Microsoft Corp., Lotus Development Corp., Apple Computer Inc. and Ashton-Tate. Microsoft has determined that none of its software has been infected, a company spokeswoman said. Apple and Lotus could not be reached for comment. Ashton-Tate declined to comment. Aldus would not comment on how many copies of FreeHand are infected, but admits that a disk-duplicating machine copied the infected disk for three days. Half of the infected disks have been distributed to retail outlets; the other half are in Aldus' warehouse. Aldus will replace the infected disks with new, uninfected copies to any FreeHand buyer who requests it, according to Aldus spokeswoman Laury Bryant. The company will also replace the infected disks in its warehouse. (( As I recall, the DREW virus infects the System file on affected disks, but doesn't affect applications directly. I suppose that Aldus could salvage the damaged disks by replacing the System folders with copies from a locked, uninfected disk... but it'll probably be faster for them to simply erase and reduplicate. I have no idea what Canadian liability laws are like these days... but I rather suspect that if MacMag were a United States company rather than a Canadian one, its publisher would now be extremely vulnerable to a liability-and-damages suit of some sort. This escapade will probably cost Aldus a pretty piece of change in damage-control expenses and perhaps loss-of-sales or injury-to- reputation. Kids, don't try this sort of thing at home! --- dcp )) -- Dave Platt UUCP: ...!{ames,sun,uunet}!coherent!dplatt DOMAIN: dplatt@coherent.com INTERNET: coherent!dplatt@ames.arpa, ...@sun.com, ...@uunet.uu.net Date: 15 Mar 88 18:40:01 GMT From: borton@net1.ucsd.edu (Chris Borton) Newsgroups: comp.sys.mac Subject: Vaccination for nVIR virus (long) Here is the article Mike Scanlin wrote for MacTutor describing the effects and inner workings of the nVIR virus lately discussed. This is reprinted by special permission of David Smith of Mactutor P.O. Box 400 Placentia, CA 92670 (714) 630-3730 Many thanks to David for encouraging the rapid spread of information on this subject. The program and INIT to combat this virus described in the article have been posted to comp.binaries.mac. -cbb ---- Vaccination by Mike Scanlin Reprinted by special permission of David Smith from MacTutor P.O. Box 400 Placentia, CA 92670 (714) 630-3730 Unless you are going to Africa or Indochina, viruses and vaccinations are not something that most of us need to worry about. However, even if you're not planning on travelling, there is one virus you need to be aware of. It is a computer virus that is infecting Macintoshes everywhere. Are you infected? Use ResEdit to open your system file and look for 'nVIR' resources. If you have them, then your system has been infected and chances are that at least some (if not most or all) of your applications are infected. Don't panic. This particular virus is relatively harmless. There is an application at the end of this article that will allow you to remove the virus from your infected applications. There is also an 'INIT' resource you can put in your System Folder that will warn you if this virus ever shows up on your system. How I found it Until last week, I had had no experience with computer viruses. I had heard rumors about the existence of Mac viruses, but didn't really believe them. I do not know when this virus first got into my system. It must have come from some program I downloaded off of a network, but I do not know which one. By the time I figured out what was going on, the virus had modified seventeen of the applications on my hard disk and my System file. Sometime near the beginning of last week, I started hearing a beep when launching programs. It didn't happen every time, only once in a while and with no discernable pattern. Using TMON, I trapped SysBeep() and discovered that something was modifying 'CODE' 0 and installing several 'nVIR' resources into every application I launched. I looked in my System file and, in addition to several 'nVIR' resources, found an 'INIT' 32 resource that I didn't put there. I compared the standard 'INIT's from an original system disk and none of them matched the 'INIT' 32 I had found. What really clued me in to the idea of a virus was that if I took the 'INIT' 32 resource out of my System file, quit ResEdit, and then relaunched ResEdit, the 'INIT' 32 resource would be back in there. After disassembling 'INIT' 32, I learned how it worked and how to make my system immune to it. I am sharing this information so that other Mac users can protect themselves as well. How to make your System file immune Use ResEdit to open your System file. Create an 'INIT' 32 resource that consists of these 2 hex bytes: 4E 75 (which is an RTS instruction). If 'INIT' 32 already exists and has a size of 366 bytes, then you can be pretty sure it is the virus' 'INIT'. Replace the existing 'INIT' 32 with the 2 byte version (4E 75). Now create 8 resources of the type 'nVIR'; the case of the resource type is important Q do not use 'NVIR' or 'nvir'. Their IDs should be 0 through 7, with size zero bytes. If they already exist, then delete them and create 8 new empty ones (with IDs 0-7). That's it. Your system is now immune to this particular virus (but not all possible viruses). If you now run an infected application, the virus will think that it is already installed in your system file, since it sees the 'INIT' and 'nVIR' resources it expects, and will leave it alone. If your System file was infected before you immunized it, you should reboot the system before using the procedure below to remove the virus from your applications. This guarantees that the effects of 'INIT' 32 are removed from memory. Removing the virus from infected applications If an application has been infected, it will have several 'nVIR' resources, a 'CODE' 256 resource, and a possibly modified 'CODE' 0 resource. Here are instructions on how to restore an infected application (note: this is only useful if you are certain that your System file is not infected. Otherwise, the applications will become infected again. Also, you should practice on a copy of an infected application): 1) Open the application with ResEdit. If 'CODE' 256 exists, use GetInfo on it to check its size. If it is 372 bytes, then remove it. The reason we check for the size is because some applications, such as ReadySetGo, already have a 'CODE' 256 resource of their own and we don't want to remove part of the application's code. 2) Open 'CODE' 0 and look at the 3rd line of 8 hex bytes (bytes 16-23). If it is "0000 3F3C 0100 A9F0" then you need to replace that line of hex numbers with the 8 bytes contained in the 'nVIR' 2 resource. If the third line does not look like the above 8 bytes, then the 'CODE' resource is probably protected and did not get modified Q see below for an explanation. In this case leave it alone. 3) Remove all 'nVIR' resources. Make sure you have completed step 2 before removing 'nVIR' 2. You cannot restore the application without it. Because this procedure is so automatic, I have written a program that does it for you. The application Vaccination displays the SFGetFile dialog and allows you to choose an application to vaccinate. A message is displayed that tells you the result of the vaccination and the SFGetFile dialog is displayed again. If your system has been infected, you should vaccinate every application on your hard drive. You will only see files of type 'APPL' in the SFGetFile dialog so you might want to do a manual tree walk of your hard drive to be sure you vaccinate all of your applications. There is no harm in vaccinating an uninfected application or in vaccinating the same application more than once. This program does not make applications immune to this virus, it only removes this virus from them. But if your System file is immune, then there is no way this particular virus can spread to your applications. Note: you cannot use the Vaccination program to make your System file immune. You will have to do that manually using the procedure above. How this virus works This particular virus modifies the 'CODE' 0 resource of an application in such a way that when you launch that application the first thing to execute is a piece of virus installation code. That installation code looks for the virus' presence in the System file you are launching from. If it does not find evidence of the virus, it then installs itself (as 'INIT' 32 and several 'nVIR' resources) into your System file and then executes the application you had originally launched. Once your System file is infected, every application launched from that system will become infected. The whole infection process only takes a second or two, so there is little chance you will notice it. If the virus detects that it is already in the System file and in the application you are launching (meaning that no installation of itself is necessary on this launch), then there is about a 6% chance (1 in 16) that you will hear a short beep. This is the beep that first got my attention. According to a friend of mine, Chris Borton, whose computer was also infected, if you have MacinTalk in your System Folder, then the virus speaks the words "Don't Panic" instead of beeping. This virus does not check if the 'CODE' 0 resource of the application it is trying to infect is protected or not. Consequently, applications that have 'CODE' 0 resources with the resProtected bit set are still infected, but are not contagious, i.e. they have the 'CODE' 256 resource and the 'nVIR' resources added to them, but they can not pass the virus on to a clean System file. I learned this by noticing that QUED/M and PageMaker were infected, but were not contagious. I couldn't figure out why some programs had protected 'CODE' resources and others didn't. Then one of the people I work with, Victor Romano, put it together. He told me that Lightspeed C (which QUED/M and PageMaker were written in) automatically sets the resProtected bit of the 'CODE' resources it generates. MPW does not. So, protecting the 'CODE' resources (which can be done with ResEdit) is another simple way of preventing this virus from affecting an application. To be forewarned I don't know how far this virus has already spread, or how far it will spread. As a partial defense, however, I have written a piece of code that can be installed as an 'INIT' file in your System Folder that will warn you if it detects something that looks like this particular virus. VirusWarnINIT is a patch on 2 routines that this virus relies on: GetResource() and ChangedResource(). The patch to GetResource() makes a beep if theType == 'nVIR'. The patch to ChangedResource() makes a beep if theResource is a handle to a 'CODE' 0 resource. I wouldn't suggest installing this 'INIT' in a system known to be infected Q the number of beeps is sure to annoy you. I would have used something like an alert window instead of a beep as a warning, but I can't be sure that the Window Manager has been initialized at the time the virus is detected. If you install this 'INIT' in a clean system and then launch a contagious application, you will hear about 5 or 6 beeps in a row as the virus tries to install itself in your System file. Note that this 'INIT' is only a warning, not a vaccination. The virus will still install itself. The advantage is that you will know about it right away and can stop it before it spreads very far. Now that my Mac has been vaccinated, it's my turn. After Typhoid, Yellow Fever, Cholera and Meningococcal vaccinations, I'm off to Africa and Indochina. I wonder if I can get David Smith to send MacTutor to Serengeti National Park? Or do they already get it there? I'll let you know... Chris "Johann" Borton, UC San Diego ...!sdcsvax!borton borton@ucsd.edu or BORTON@UCSD.BITNET Letztes Jahr in Deutschland, nog een jaar hier, en dan naar Amsterdam! "H = F cubed. Happiness = Food, Fun, & Friends." --Steve Wozniak Date: 14 Mar 88 15:32:22 GMT From: msurlich@faui44.UUCP (Matthias Urlichs ) Newsgroups: comp.sys.mac Subject: Re: I've got a virus and I don't like it In article <4731@sdcsvax.UCSD.EDU> borton@net1.UUCP (Chris Borton) writes: > The symptoms are simple: > > INIT 32 in System File > > nVIR resources in various applications and the System File. > I have written a small INIT called "KillVirus" that deinstalls this particular virus from the startup System file and any program you are booting. Anyone who needs it may get it from CompuServe (MacDev) or from me (send a disk and $5); feel free to post it elsewhere. I am the poster of the virus "example" on CompuServe. This example is incomplete and was derived from the existing "nVir" virus we are all experiencing. It cost me considerable time to dissect the beast and I thought it a good idea to post a watered-down version of it so that someone might find some means of defeating future examples of this behavior. I fully agree that viruses (even non-malignant ones) are far from funny. I did not think that anyone would recompile the beast since to derive the missing pieces is about as hard as starting from scratch; I assume the original has travelled to the US. I will delete the "example" if there is a consensus that it will do more bad than good. The "nVir" virus installs itself in the System file using an INIT 32, and into any program you start by patching itself into the "CODE 0" resource. This is accomplished by patching the TEInit trap. The programmer built a defeat mechanism into the virus: it will do nothing if there is a resource "nVIR", ID 10, present in your System file. To deinstall the virus from your System, simply delete all "nVIR" resources and the infamous INIT 32, and create a (empty) "nVIR" 10 resource to prevent further problems. Getting it out of programs is more difficult. The old entry from the CODE 0 is stored in nVIR ID 2. Open that resource, copy the eight bytes, open CODE 0, select the third line, and paste. Then delete all nVIRs, and CODE 256 (this does belong to the virus). You might have to use ResEdit 1.2 for some programs which have a CODE 0 too large for ResEdit 1.1 to handle. The original of this virus came in three flavors. The first simply beeps when you start a program (not always). The second opened MacinTalk and tried to say "Don't Panic" instead. The third selected a random file in your System folder and killed it. Fortunately the former two are more agressive and do overwrite the third one if they see it. All three variants sometimes crash programs when you try to start them. This does not seem to cause any further problems. I hope this information helps. Please do not mail to me if possible because I have to pay $1 per kByte if it gets too much. -- Matthias Urlichs CompuServe: 72437,1357 Delphi: URLICHS Rainwiesenweg 9 8501 Schwaig 2 "Violence is the last refuge West Germany of the incompetent." -- Salvor Hardin 17-Mar-89 2:28:00-GMT,3504;000000000001 Return-Path: Received: from accuvax.nwu.edu by sumex-aim.stanford.edu (4.0/inc-1.0) id AA20404; Thu, 16 Mar 89 18:28:00 PST Date: Thu, 16 Mar 89 18:28:00 PST Received: from [129.105.49.142] by accuvax.nwu.edu id ac12267; 16 Mar 89 20:25 CST From: jln@accuvax.nwu.edu To: info-mac@sumex-aim.stanford.edu Cc: jln@accuvax.nwu.edu Subject: nVIR A and B Message-Id: <8903162025.ac12267@accuvax.nwu.edu> There has been some confusion over exactly what the nVIR A and nVIR B viruses actually do. In fact, I don't believe the details have ever been published. I just finished spending a few days researching the two nVIR viruses. This report presents my findings. As with all viruses, nVIR A and B replicate. When you run an infected application on a clean system the infection spreads from the application to the system file. After rebooting the infection in turn spreads from the system to other applications, as they are run. At first nVIR A and B only replicate. When the system file is first infected a counter is initialized to 1000. The counter is decremented by 1 each time the system is booted, and it is decremented by 2 each time an infected application is run. When the counter reaches 0 nVIR A will sometimes either say "Don't Panic" (if MacinTalk is installed in the system folder) or beep (if MacinTalk is not installed in the system folder). This will happen on a system boot with a probablity of 1/16. It will also happen when an infected application is launched with a probability of 31/256. In addition, when an infected application is launched nVIR A may say "Don't Panic" twice or beep twice, with a probability of 1/256. When the counter reaches 0 nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system boot with a probability of 1/8. A single beep will happen when an infected application is launched with a probability of 15/64. A double beep will happen when an infected application is launched with a probability of 1/64. I've discovered that it is possible for nVIR A and nVIR B to mate and sexually reproduce, resulting in new viruses combining parts of their parents. For example, if a system is infected with nVIR A, and if an application infected with nVIR B is run on that system, part of the nVIR B infection in the application is replaced by part of the nVIR A infection from the system. The resulting offspring contains parts from each of its parents, and behaves like nVIR A. Similarly, if a system is infected with nVIR B, and if an application infected with nVIR A is run on that system, part of the nVIR A infection in the application is replaced by part of the nVIR B infection from the system. The resulting offspring is very similar to its sibling described in the previous paragraph, except that it has the opposite "sex" - each part is from the opposite parent. It behaves like nVIR B. These offspring are new viruses. If they are taken to a clean system they will infect that system, which will in turn infect other applications. The descendents are identical to the original offspring. I've also investigated some of the possible incestual matings of these two kinds of children with each other and with their parents. Again, the result is infections that contain various combinations of parts from their parents. John Norstad Academic Computing and Network Services Northwestern University Bitnet: jln@nuacc Internet: jln@acns.nwu.edu Applelink: a0173