Path: utzoo!utgpu!watmath!att!chinet!henry
From: henry@chinet.chi.il.us (Henry C. Schmitt)
Newsgroups: comp.sys.mac
Subject: Re: Questions about nVIR
Summary: A few answers
Keywords: nVIR B Mac Interferon Disinfectant
Message-ID: <9759@chinet.chi.il.us>
Date: 6 Oct 89 19:18:06 GMT
References: <3797@deimos.cis.ksu.edu> <827@tuminfo1.lan.informatik.tu-muenchen.dbp.de>
Reply-To: henry@chinet.chi.il.us (Henry C. Schmitt)
Organization: Chinet - Public Access Unix
Lines: 60

In article <827@tuminfo1.lan.informatik.tu-muenchen.dbp.de> zimmerma@lan.informatik.tu-muenchen.dbp.de (Kai Zimmermann) writes:
>Hello,
>Interferon detected the following resources in one program on my
>harddisk one day after I copied some files from a floppy onto the harddisk:
>Type	ID	Size
>CODE	256	422
>nVIR	1 	428
>nVIR	2	8
>nVir	3	416
>nVIR	6	66
>nVIR	7	2106

These numbers indicate you have nVIR strain B.

>I then removed these resources instantly. What surprises me is
>the fact that the infected application was used after it was
>infected. But it seems that the virus didn't spread because 
>neither Interferon nor I can find any nVir-resources on the disk.

Look for the following in your System file:
Type   ID   Size B
----  ----  ------
INIT   32     416
nVIR    0       2
nVIR    1     428
nVIR    4     422
nVIR    5       8
nVIR    6      66
nVIR    7    2106

>My questions are:
>1. Is this behavior common (e.g. is there a threshold (time, nr. of
>program starts) that prevented the virus from spreading)?
>2. Did the virus really not spread or did it just hide itself (maybe
>in the normal code resources of other programs)?
>
Good questions, to the best of my knowledge nVIR spreads to the
System as soon as the first infected application is run, then after
reboot spreads to any application run.  Were you using any sort of
virus blocking INIT (eg. Vaccine, GateKeeper)?

>Any help would be appreciated, Kai
>
>=========================================================================
>|   Kai Zimmermann      zimmerma@lan.informatik.tu-muenchen.dbp.de	|
>|                       ...!uunet!unido!tumult!zimmerma                 |
>=========================================================================

My best advice is to pick up a copy of Disinfectant (available many
places) which is a free virus detector/remover written by John
Norstad of Northwestern University here in Chicago.

				Henry C. Schmitt
				Author of Virus Encyclopedia
				Latest Version dated 6/9/89
				Watch for an update, coming soon!
-- 
  H3nry C. Schmitt     | CompuServe: 72275,1456  (Rarely)
                       | GEnie: H.Schmitt  (Occasionally)
 Royal Inn of Yoruba   | UUCP: Henry@chinet.chi.il.us  (Best Bet)