Path: utzoo!mnetor!uunet!mcvax!unido!fauern!faui44!msurlich
From: msurlich@faui44.UUCP (Matthias Urlichs)
Newsgroups: comp.sys.mac
Subject: Re: I've got a virus and I don't like it
Message-ID: <235@faui10.UUCP>
Date: 14 Mar 88 15:32:22 GMT
References: <4731@sdcsvax.UCSD.EDU>
Reply-To: msurlich@faui10.UUCP (Matthias Urlichs)
Organization: CSD., University of Erlangen, W - Germany
Lines: 58
Keywords: virus
Summary: How to kill this virus

In article <4731@sdcsvax.UCSD.EDU> borton@net1.UUCP (Chris Borton) writes:
> The symptoms are simple:
>
> INIT 32 in System File
>
> nVIR resources in various applications and the System File.
>

I have written a small INIT called "KillVirus" that deinstalls this particular virus from the startup System file and any program you are booting. Anyone who needs it may get it from CompuServe (MacDev) or from me (send a disk and $5); feel free to post it elsewhere.

I am the poster of the virus "example" on CompuServe. This example is incomplete and was derived from the existing "nVir" virus we are all experiencing. It cost me considerable time to dissect the beast and I thought it a good idea to post a watered-down version of it so that someone might find some means of defeating future examples of this behavior. I fully agree that viruses (even non-malignant ones) are far from funny. I did not think that anyone would recompile the beast since to derive the missing pieces is about as hard as starting from scratch; I assume the original has travelled to the US. I will delete the "example" if there is a consensus that it will do more bad than good.

The "nVir" virus installs itself in the System file using an INIT 32, and into any program you start by patching itself into the "CODE 0" resource. This is accomplished by patching the TEInit trap. The programmer built a defeat mechanism into the virus: it will do nothing if there is a resource "nVIR", ID 10, present in your System file.

To deinstall the virus from your System, simply delete all "nVIR" resources and the infamous INIT 32, and create an (empty) "nVIR" 10 resource to prevent further problems.

Getting it out of programs is more difficult. The old entry from the CODE 0 is stored in nVIR ID 2. Open that resource, copy the eight bytes, open CODE 0, select the third line, and paste. Then delete all nVIRs, and CODE 256 (this does belong to the virus). You might have to use ResEdit 1.2 for some programs which have a CODE 0 too large for ResEdit 1.1 to handle.

The original of this virus came in three flavors. The first simply beeps when you start a program (not always). The second opened MacinTalk and tried to say "Don't Panic" instead. The third selected a random file in your System folder and killed it. Fortunately the former two are more aggressive and do overwrite the third one if they see it.

All three variants sometimes crash programs when you try to start them. This does not seem to cause any further problems.

I hope this information helps. Please do not mail to me if possible because I have to pay $1 per kByte if it gets too much.

-- 
Matthias Urlichs        CompuServe: 72437,1357   Delphi: URLICHS
Rainwiesenweg 9         "Violence is the last refuge
8501 Schwaig 2           of the incompetent." -- Salvor Hardin
West Germany
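The System-file check and clean-up described in the post, written out as an added Python example (this is not KillVirus or any other code from the thread). It builds a small classic-Mac resource fork from constructed (type, id, data) tuples, walks the resource map, flags the indicators the post names (INIT 32, nVIR resources other than ID 10, CODE 256), and produces the inoculated resource set with an empty nVIR 10; the CODE 0 repair for applications is not modelled, and the resource bytes in the fixture are placeholders.

```python
import struct

def build_fork(resources):
    """Serialize (type, id, data) tuples into a classic Mac resource fork (fixture builder)."""
    data, by_type = b"", {}
    for t, rid, d in resources:
        by_type.setdefault(t, []).append((rid, len(data)))   # offset into the data area
        data += struct.pack(">I", len(d)) + d                 # 4-byte length, then the bytes
    entries, refs = b"", b""
    ref_base = 2 + 8 * len(by_type)                           # reference lists follow the type entries
    for t, items in by_type.items():
        entries += t.encode("mac_roman") + struct.pack(">HH", len(items) - 1, ref_base + len(refs))
        for rid, off in items:   # 12-byte entry: id, no name (-1), attrs, 3-byte data offset, handle
            refs += struct.pack(">hh", rid, -1) + b"\x00" + off.to_bytes(3, "big") + bytes(4)
    type_list = struct.pack(">H", len(by_type) - 1) + entries + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list   # empty name list
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + data + rmap
def list_resources(fork):
    """Walk the resource map and return every resource as (type, id, data)."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    ntypes = struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1
    out = []
    for i in range(ntypes):
        p = type_list + 2 + 8 * i
        rtype = fork[p:p + 4].decode("mac_roman")
        count, ref_off = struct.unpack(">HH", fork[p + 4:p + 8])
        for j in range(count + 1):
            r = type_list + ref_off + 12 * j
            rid = struct.unpack(">h", fork[r:r + 2])[0]
            d = data_off + int.from_bytes(fork[r + 5:r + 8], "big")
            dlen = struct.unpack(">I", fork[d:d + 4])[0]
            out.append((rtype, rid, fork[d + 4:d + 4 + dlen]))
    return out
def scan_nvir(fork):
    """Report the indicators the post names; an nVIR 10 on its own is the inoculation, not an infection."""
    keys = {(t, i) for t, i, _ in list_resources(fork)}
    findings = ["%s %d" % k for k in (("INIT", 32), ("CODE", 256)) if k in keys]
    findings += ["nVIR %d" % i for t, i in sorted(keys) if t == "nVIR" and i != 10]
    return {"infected": bool(findings), "immunized": ("nVIR", 10) in keys, "findings": findings}
def inoculate(resources):
    """Drop the virus resources and add the empty nVIR 10 that keeps it from reinstalling (System file case)."""
    clean = [r for r in resources if r[0] != "nVIR" and r[:2] not in (("INIT", 32), ("CODE", 256))]
    return clean + [("nVIR", 10, b"")]

# Constructed stand-in for an infected System file; the bytes are placeholders, not virus code.
INFECTED = [("INIT", 32, b"\x4e\x75"), ("nVIR", 0, bytes(8)), ("nVIR", 2, bytes(8)), ("CODE", 256, b"\x4e\x75")]
```

On a real System file the fork would be read from the file's resource fork rather than built from tuples; the map walk and the checks are the same.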