Path: utzoo!mnetor!uunet!mcvax!unido!fauern!faui44!msurlich
From: msurlich@faui44.UUCP (Matthias Urlichs )
Newsgroups: comp.sys.mac
Subject: Re: Vaccination for nVIR virus (long)
Message-ID: <241@faui10.UUCP>
Date: 28 Mar 88 09:49:57 GMT
References: <4761@sdcsvax.UCSD.EDU>
Reply-To: msurlich@faui10.UUCP (Matthias Urlichs)
Organization: CSD., University of Erlangen, W - Germany
Lines: 49
Keywords: virus
Summary: Don't do it!

In article <4761@sdcsvax.UCSD.EDU> borton@net1.UUCP (Chris Borton) writes:
> Here is the article Mike Scanlin wrote for MacTutor describing the effects and
> inner workings of the nVIR virus lately discussed.  This is reprinted by
> special permission of David Smith of
> 
> Mactutor
> 
> 			      Vaccination
> 			    by Mike Scanlin
> 
> Use ResEdit to open your system file and look for 'nVIR' resources. If you

Do not try this under MultiFinder unless you have version 1.2.

> How to make your System file immune
> 
> Use ResEdit to open your System file. Create an 'INIT' 32 resource that
> consists of these 2 hex bytes: 4E 75 (which is an RTS instruction). If
> 'INIT' 32 already exists and has a size of 366 bytes, then you can be
> pretty sure it is the virus' 'INIT'. Replace the existing 'INIT' 32 with
> the 2 byte version (4E 75). Now create 8 resources of the type 'nVIR'; the
> case of the resource type is important Q do not use 'NVIR' or 'nvir'. Their
> IDs should be 0 through 7, with size zero bytes. If they already exist,
> then delete them and create 8 new empty ones (with IDs 0-7).

This will not always work because there's a version of the virus around which
replaces the one in your System file if the sizes of one of the
resources are different.

The correct way is simply to delete all of these resources and create
an empty "nVIR" resource, ID 10. This will render the virus completely
inactive. The above procedure will not stop it from beeping
(or possibly crashing) applications.
This is a method the "author" of the virus has thoughtfully put in,
likely to prevent his own Mac from getting infected.

My "KillVirus" INIT (which I posted a while ago) will do everything
mentioned in the above article, including taking the virus out of the
System file you start up with.

Please pass this information (as well as KillVirus) to anybody at all
(possibly including MacTutor) so that the "nVIR" thing can be stopped
before it creeps onto the next Apple System disk. (?)

-- 
Matthias Urlichs              CompuServe: 72437,1357  Delphi: URLICHS
Rainwiesenweg 9
8501 Schwaig 2                "Violence is the last refuge
West Germany                            of the incompetent." -- Salvor Hardin