Path: utzoo!attcan!uunet!mcvax!unido!fauern!faui44!msurlich
From: msurlich@faui44.informatik.uni-erlangen.de ( scheme)
Newsgroups: comp.sys.mac
Subject: Re: Virii at the U of I
Message-ID: <648@faui10.informatik.uni-erlangen.de>
Date: 3 Oct 88 14:47:26 GMT
References: <20200005@uxh.cso.uiuc.edu> <6725@dasys1.UUCP>
Reply-To: m_urlichs@msn.rmi.de (Matthias Urlichs)
Organization: CSD., University of Erlangen, W - Germany
Lines: 30

In article <6725@dasys1.UUCP> alexis@dasys1.UUCP (Alexis Rosen) writes:
>
>As far as nVIR goes, there may or may not be a new version of it going
>around. One of the things that nVIR does is patch itself into your apps.
>One side effect of this is the creation of a CODE 256 resource in each
>infected resource file. The "harmless" nVIR creates CODE 256s which are
>372 bytes long. I was recently infected by an nVIR of unknown malignance
>which created CODE 256s which were 422 bytes long. I strongly suggest
>reporting on the net if you discover any CODE 256s other than 372 bytes
>long.
>

There actually are three versions of nVIR. One beeps, one says "Don't
Panic" instead, and one kills an arbitrary file in the System folder.
This last probably never made it out of Europe because the "Don't Panic"
version is more aggressive and able to install itself over existing
versions. This is the reason why the oft-mentioned procedure of "install
INIT32 and nVIR 0..7 in your System" is dangerous.

All three versions, however, check for a nVIR 10 resource and do nothing
when it is present.

As far as I know, nVIR is currently the only virus for which an automatic
removal program is available (my "KillVirus" INIT).

--
-- Matthias Urlichs -- Rainwiesenweg 9 -- 8501 Schwaig 2 -- West Germany
CI$: 72437,1357 -- Delphi: URLICHS -- Phone: ++49+911+574180
NetMail: m_urlichs@msn.rmi.de -- or: (reply and (h)ope
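
The check suggested in the quoted text, as an added example that is not part of the original post and is not the KillVirus INIT: it walks a raw classic Mac OS resource fork (standard resource map layout assumed) and reports the length of CODE 256 and any nVIR resource IDs, including whether nVIR 10 is present. The function names and the sample fork produced by build_fork are constructed for illustration.

```python
import struct

KNOWN_CODE256_LEN = 372  # size the post gives for the "harmless" nVIR

def list_resources(fork: bytes):
    """Yield (type, id, data_length) for each resource in a raw resource fork."""
    data_off, map_off = struct.unpack_from(">2I", fork, 0)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    # The type count is stored minus one; 0xFFFF means an empty map.
    n_types = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF
    for t in range(n_types):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
        for r in range(last + 1):
            rid, _name, attr_off = struct.unpack_from(">hhI", fork, type_list + ref_off + 12 * r)
            # Top byte holds attributes, low 24 bits the offset into the data area.
            (length,) = struct.unpack_from(">I", fork, data_off + (attr_off & 0xFFFFFF))
            yield rtype.decode("mac_roman"), rid, length

def nvir_report(fork: bytes) -> dict:
    """Report the two indicators named in the post: CODE 256 size and nVIR ids."""
    res = list(list_resources(fork))
    code256 = [n for t, i, n in res if t == "CODE" and i == 256]
    nvir_ids = sorted(i for t, i, _ in res if t == "nVIR")
    return {
        "code256_len": code256[0] if code256 else None,
        "unusual_len": bool(code256) and code256[0] != KNOWN_CODE256_LEN,
        "nvir_ids": nvir_ids,
        "has_nvir_10": 10 in nvir_ids,
    }

def build_fork(resources) -> bytes:
    """Constructed test input: pack [(type, id, payload)] into a minimal fork."""
    data, types, off = b"", {}, 0
    for rtype, rid, payload in resources:
        types.setdefault(rtype, []).append((rid, off))
        data += struct.pack(">I", len(payload)) + payload
        off += 4 + len(payload)
    tlist, refs = struct.pack(">H", len(types) - 1), b""
    for rtype, items in types.items():
        tlist += struct.pack(">4sHH", rtype.encode(), len(items) - 1,
                             2 + 8 * len(types) + len(refs))
        refs += b"".join(struct.pack(">hhII", i, -1, o, 0) for i, o in items)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist) + len(refs)) + tlist + refs
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + data + rmap

if __name__ == "__main__":
    sample = build_fork([("CODE", 0, bytes(16)), ("CODE", 256, bytes(422)), ("nVIR", 1, bytes(2))])
    print(nvir_report(sample))
```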