Path: utzoo!mnetor!uunet!lll-winken!lll-tis!ames!ucsd!sdcsvax!net1!borton
From: borton@net1.ucsd.edu (Chris Borton)
Newsgroups: comp.sys.mac
Subject: Re: I've got a virus -- fix to halt spread
Message-ID: <4735@sdcsvax.UCSD.EDU>
Date: 9 Mar 88 05:28:17 GMT
References: <4731@sdcsvax.UCSD.EDU> <650007@vx2.GBA.NYU.EDU>
Sender: nobody@sdcsvax.UCSD.EDU
Reply-To: borton@net1.UUCP (Chris Borton)
Organization: UCSD Network Operations Group
Lines: 45

Well, Mike came through today at work and figured that virus out completely. This is a very quick description of what it does and how to stop the spread; a comprehensive report describing all of its workings will follow in a day or two. If anyone has strong feelings about publishing this information (anti-virus could be doubly reverse-engineered) please mail me ASAP.

For ResEdit hackers:

Quick-fix to halt spread: open INIT 32 in your System File with ResEdit. Select all hex code and delete. Enter in two bytes -- 4E 75 -- which merely puts an RTS there. Then go into each nVIR resource and delete all information in them. Don't delete those resources! The virus checks for their existence (only); if they are there, then it assumes they're OK. With the changes above, they are harmless and won't spread the virus further.

The virus depends upon INIT 32 and nVIR 0-7 resources in the System file. What it does to each application is modify the CODE #0 resource, altering 8 bytes in the jump table to execute the code in CODE #256, which it also installs. The nVIR resources hold copies of important info -- #2 has the 8 original bytes from the application's CODE 0 resource. #6 is a copy of INIT 32, and so on... The 8 bytes are the first 8 on the third line in ResEdit.

There is a 1 in 16 chance upon running an infected application that it will say "Don't panic" if you have MacinTalk installed, SysBeep elsewise.

An interesting side note to all this: applications done with Lightspeed C are NOT affected. They will have nVIR resources and CODE 256, but no patch. Why? LS C automatically sets the ResProtect bit on CODE 0, so the patch is never written out. MPW code is NOT protected. Anyone care to comment on the significance of this all?

Mike is writing two things tonight that should help the situation: one is a patch for GetResource that, if nVIR is detected, warns the user that the current application is infected. The other is a vaccination program that reverse-patches infected programs. Hopefully these will be ready and posted soon.

Again, this is a touchy issue in some places. Please contribute any knowledge you have; I agree in principle with the German fellow on getting this out in the open, but am deeply chagrined that someone would actually implement this and spread it.

-cbb

Chris "Johann" Borton, UC San Diego ...!sdcsvax!borton
borton@ucsd.edu or BORTON@UCSD.BITNET
Letztes Jahr in Deutschland, nog een jaar hier, en dan naar Amsterdam!
"H = F cubed. Happiness = Food, Fun, & Friends." --Steve Wozniak
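The detection and cleanup logic the post describes, written out as an added example; this is not Chris Borton's or Mike's code, nor the GetResource patch or vaccination program the post mentions. A resource fork is modelled as a plain dict keyed by (type, id) -> bytes; the real on-disk Macintosh resource-fork format is not parsed. The patch offset 32 is an assumption derived from "the first 8 bytes on the third line in ResEdit" with 16 bytes per line, and every byte value in the constructed sample forks is made up. The three cases it distinguishes are the ones the post names: a clean file, an infected one (CODE 0 patched), and a Lightspeed C style carrier that has nVIR and CODE 256 but whose CODE 0 was never written.

```python
"""Model of the nVIR quick fix and reverse-patch from the post.

Added example, not code from the original post.  Resource fork model:
dict {(type, id): bytes}.  PATCH_OFF is an assumption (third ResEdit
hex line, 16 bytes per line); sample byte values below are invented.
"""

RTS = b"\x4e\x75"        # 68000 RTS opcode: turns INIT 32 into a no-op
PATCH_OFF = 32           # assumed offset of the 8 patched jump-table bytes
PATCH_LEN = 8
NVIR_IDS = range(8)      # the nVIR 0-7 resources the virus depends on


def infection_state(fork):
    """Classify a fork: 'clean', 'carrier' (nVIR/CODE 256 present but
    CODE 0 never patched, the Lightspeed C case) or 'infected'."""
    has_nvir = any(("nVIR", i) in fork for i in NVIR_IDS)
    has_code256 = ("CODE", 256) in fork
    if not (has_nvir or has_code256):
        return "clean"
    # nVIR 2 holds the 8 original bytes; if CODE 0 still matches them,
    # the patch was never written out (ResProtect set on CODE 0).
    orig = fork.get(("nVIR", 2), b"")
    code0 = fork.get(("CODE", 0), b"")
    patched = (len(orig) == PATCH_LEN
               and code0[PATCH_OFF:PATCH_OFF + PATCH_LEN] != orig)
    return "infected" if patched else "carrier"


def neutralize_system(fork):
    """The post's quick fix for the System file: INIT 32 becomes a bare
    RTS and every nVIR resource is emptied but NOT removed, because the
    virus only checks that the resources exist."""
    out = dict(fork)
    if ("INIT", 32) in out:
        out[("INIT", 32)] = RTS
    for i in NVIR_IDS:
        if ("nVIR", i) in out:
            out[("nVIR", i)] = b""
    return out


def vaccinate_application(fork):
    """Reverse-patch an application: write the 8 original bytes saved in
    nVIR 2 back into CODE 0, then drop CODE 256 and the nVIR resources."""
    out = dict(fork)
    orig = out.get(("nVIR", 2), b"")
    code0 = bytearray(out.get(("CODE", 0), b""))
    if len(orig) == PATCH_LEN and len(code0) >= PATCH_OFF + PATCH_LEN:
        code0[PATCH_OFF:PATCH_OFF + PATCH_LEN] = orig
    out[("CODE", 0)] = bytes(code0)
    out.pop(("CODE", 256), None)
    for i in NVIR_IDS:
        out.pop(("nVIR", i), None)
    return out


# --- constructed sample forks (invented bytes, for demonstration only) ---
ORIG_JUMP = b"\x00\x00\x00\x00\x3f\x3c\x00\x00"   # made-up original entry
VIRAL_JUMP = b"\xff" * PATCH_LEN                    # made-up patched entry
CLEAN_CODE0 = bytes(PATCH_OFF) + ORIG_JUMP + bytes(24)


def sample_infected_app():
    code0 = bytearray(CLEAN_CODE0)
    code0[PATCH_OFF:PATCH_OFF + PATCH_LEN] = VIRAL_JUMP
    fork = {("CODE", 0): bytes(code0), ("CODE", 256): b"\x60\x00" * 8}
    for i in NVIR_IDS:
        fork[("nVIR", i)] = b"\x00"
    fork[("nVIR", 2)] = ORIG_JUMP        # virus's saved copy of the originals
    return fork


def sample_carrier_app():
    """Lightspeed C case: everything installed except the CODE 0 patch."""
    fork = sample_infected_app()
    fork[("CODE", 0)] = CLEAN_CODE0
    return fork


def sample_system():
    fork = {("INIT", 32): b"\x4e\x56\x00\x00" + bytes(20)}  # made-up body
    for i in NVIR_IDS:
        fork[("nVIR", i)] = b"\x00"
    fork[("nVIR", 6)] = fork[("INIT", 32)]   # nVIR 6 is a copy of INIT 32
    return fork


if __name__ == "__main__":
    for name, f in (("infected", sample_infected_app()),
                    ("carrier", sample_carrier_app())):
        print(name, infection_state(f), "->",
              infection_state(vaccinate_application(f)))
    print("system INIT 32 after fix:",
          neutralize_system(sample_system())[("INIT", 32)].hex())
```

Note that a System file treated with neutralize_system still reports as a "carrier" here, which is the intended end state of the quick fix: the emptied nVIR resources stay in place so the virus keeps believing the System is already infected and does not reinstall itself.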