Path: utzoo!mnetor!uunet!husc6!cmcl2!nrl-cmf!ames!ucsd!sdcsvax!net1!borton
From: borton@net1.ucsd.edu (Chris Borton)
Newsgroups: comp.sys.mac
Subject: Re: munged mandelbrot parts -- I need to read.., and viruses
Message-ID: <4748@sdcsvax.UCSD.EDU>
Date: 11 Mar 88 07:58:52 GMT
References: <1018@ssc-bee.ssc-vax.UUCP> <650009@vx2.GBA.NYU.EDU>
Sender: nobody@sdcsvax.UCSD.EDU
Reply-To: borton@net1.UUCP (Chris Borton)
Organization: UCSD Network Operations Group
Lines: 47

In article <650009@vx2.GBA.NYU.EDU> spector@vx2.GBA.NYU.EDU (David HM Spector) writes:
>
>Regarding nVir virus resources...
>
>Well, any resources that are in use by the system, such as viruses that
>are installed as "replacements" for system traps, will not be editable
>with ResEdit, they're locked. Under MultiFinder resources currently in use
>by the system or some program will not even show up in (current versions) of
>ResEdit.

This isn't what is going on here. The nVIR virus patches CODE 0 of an
application to execute CODE 256, which checks the System file for the
existence of INIT 32 and nVIR 0-7. If it does not find them there, it
attempts to install them using nVIR 0-7 from the application; nVIR 3 (I
think) is a copy of INIT 32. In this way it spreads from
application-->System.

It also works the opposite way: a System with INIT 32 checks each program
on launch to see if nVIR and CODE 256 are there. If not, then it installs
them and patches CODE 0 to jump to CODE 256; the original jump is stored
in nVIR 2.

If INIT 32 was run and it tries to infect an application, but fails to
find nVIR in the System, it fails and returns. This is the refusal to run
the application. It tries both directions, too.

However, it only checks for the *existence* of INIT 32 and nVIR, not the
sizes, so it can easily be halted by making the nVIR resources 0 length
and the INIT 32 just a '4E75' (RTS).

Inoculation is a real pain! Solving just the System file won't do -- you
have to fix every application that has been infected. It does alter the
modification date, so this is one method of checking.

What my friend Mike is working up is an INIT for the system folder,
specific for this virus, that checks if it is trying to infect further.
When it detects this, the user is informed and offered the choice of
automatically patching and vaccinating the infected program. If the
system is infected, it is fixed and the user is requested to reboot
first.

:-) the terminology here often amuses me, but unfortunately the parallels
are all too real :-(.

I agree with David: we must make a concerted effort to locate the
perpetrator of this and take action as we can in order to avoid as much
as possible repeats of possibly much more malicious types.

-cbb

Chris "Johann" Borton, UC San Diego
...!sdcsvax!borton    borton@ucsd.edu or BORTON@UCSD.BITNET
Last year in Germany, one more year here, and then to Amsterdam!
"H = F cubed. Happiness = Food, Fun, & Friends." --Steve Wozniak
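Added example, not part of Chris Borton's post and not his friend Mike's INIT: a small Python scanner that parses a classic Mac resource fork and reports the footprint the post names (INIT 32 plus nVIR 0-7 in a System, CODE 256 plus nVIR in an application), and whether those resources are already the inert form the post describes (zero-length nVIR, INIT 32 reduced to a bare RTS). The `build_fork` helper and the sample forks are constructed test data; the layout offsets are the standard Inside Macintosh resource map, and the classification is a heuristic on resource names only, not a signature for the virus code.

```python
import struct
from collections import defaultdict

# Resource names the post gives for nVIR's footprint (constructed example, not the poster's INIT).
NVIR_KEYS = [(b"nVIR", i) for i in range(8)]
INIT32, CODE256, RTS = (b"INIT", 32), (b"CODE", 256), b"\x4e\x75"

def build_fork(resources):
    """Build a minimal classic Mac resource fork from (type, id, data) triples (test data only)."""
    data, offs, by_type = b"", {}, defaultdict(list)
    for t, rid, d in resources:
        offs[(t, rid)] = len(data)
        data += struct.pack(">I", len(d)) + d
        by_type[t].append(rid)
    tl_len, tl, refs = 2 + 8 * len(by_type), struct.pack(">H", len(by_type) - 1), b""
    for t, ids in by_type.items():
        tl += struct.pack(">4sHH", t, len(ids) - 1, tl_len + len(refs))
        for rid in ids:  # ref entry: id, no name (0xFFFF), attrs, 3-byte data offset, handle
            refs += struct.pack(">hHB", rid, 0xFFFF, 0) + offs[(t, rid)].to_bytes(3, "big") + bytes(4)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tl) + len(refs)) + tl + refs
    return struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap)) + bytes(240) + data + rmap

def read_fork(fork):
    """Parse a resource fork into {(type, id): data}; offsets follow the Inside Macintosh layout."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]  # type list offset
    res = {}
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):
        t, n, ref_off = struct.unpack(">4sHH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(n + 1):
            e = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[e:e + 2])[0]
            d = data_off + int.from_bytes(fork[e + 5:e + 8], "big")
            res[(t, rid)] = fork[d + 4:d + 4 + struct.unpack(">I", fork[d:d + 4])[0]]
    return res

def assess(res):
    """Classify by the indicators the post names: System = INIT 32 + nVIR 0-7, app = CODE 256 + nVIR."""
    nvir = [k for k in NVIR_KEYS if k in res]
    infected_system = INIT32 in res and bool(nvir)
    infected_app = CODE256 in res and bool(nvir)
    # The post's inoculation leaves the resources present but empty, with INIT 32 a bare RTS (0x4E75).
    inert = all(len(res[k]) == 0 for k in nvir) and (INIT32 not in res or res[INIT32] == RTS)
    return {"nvir_ids": [k[1] for k in nvir], "system": infected_system, "app": infected_app, "inert": inert}

# Constructed samples: a "live" infected System, and the same file after the post's neutralization.
LIVE = build_fork([(b"INIT", 32, b"\x4e\x56\x00\x00"), *[(b"nVIR", i, b"\x01\x02") for i in range(8)]])
NEUTERED = build_fork([(b"INIT", 32, RTS), *[(b"nVIR", i, b"") for i in range(8)]])
```

Because the post says the virus tests only for the existence of the resources, the neutralized file still reports `system: True` but `inert: True`, which is exactly the state the inoculation aims for.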