Path: utzoo!mnetor!uunet!husc6!bloom-beacon!oberon!cit-vax!tybalt.caltech.edu!woody
From: woody@tybalt.caltech.edu (William Edward Woody)
Newsgroups: comp.sys.mac
Subject: Re: Virus killer
Message-ID: <5824@cit-vax.Caltech.Edu>
Date: 17 Mar 88 08:01:58 GMT
References: <238@faui10.UUCP> <650013@vx2.GBA.NYU.EDU>
Sender: news@cit-vax.Caltech.Edu
Reply-To: woody@tybalt.caltech.edu.UUCP (William Edward Woody)
Organization: California Institute of Technology
Lines: 15


I took the anti-virus init apart with Nosy.  The lil' bugger is very kosher.
It (1) wipes out any nVIR resources from 0 through 9 in the system folder,
(2) sets nVIR resource 10 to a very empty handle, (3) installs a bit of code
in the system heap which gets called every time TEInit() gets called.
The bit of code in TEInit() then calls the real TEInit(), and then searches
the current resource file (assumed to be the application's resource file) and
fries all nVIR resources from 0 to 10.

It's a rather cute little critter, and it's entirely kosher.  And if you
(briefly) look at the resources in it, you'll notice a nVIR resource of it's
own; this is where the application cleanup code is placed.
  -  William Edward Woody
     woody@tybalt.caltech.edu                   (Mac>][n&&/|\)&&(MacII>AT)
Disclamer:  I haven't the foggiest idea what I'm talking about...