Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!pasteur!ucbvax!hplabs!sm.unisys.com!randvax!florman
From: florman@randvax.UUCP (Bruce Florman)
Newsgroups: comp.sys.mac.programmer
Subject: INIT 29
Keywords: damage control
Message-ID: <1869@randvax.UUCP>
Date: 28 Jan 89 01:42:07 GMT
Organization: Rand Corp., Santa Monica, Ca.
Lines: 47

I just got a phone call from my Dad, complaining about his Mac II misbehaving. He described some symptoms, I talked him through some diagnostics, and we finally traced the problems to the new INIT 29 virus (for a good description of INIT 29, see Joel Levin's article of 1/18).

The chain of events was roughly this: Three days ago, my stepbrother came home from the computer store where he works with a disk full of new PD software. He installed it on the Mac II's 80 meg disk and then shut it down for the evening. The next day, it wouldn't boot from the hard disk. They booted from a floppy and replaced the system file on the hard disk, and that seemed to fix it, except that it would no longer issue any sound for a SysBeep. They then trashed an INIT file called BeepInit, and everything seemed to be okay. Then it started rejecting some floppy disks, saying that they needed "minor repair." That's when Dad called me.

It turned out that there was an ominous pattern in the floppies that it wanted to repair. It was only complaining about floppies whose write protect tab was open. A quick check with ResEdit turned up a 712 byte INIT resource with id number 29 and a garbage name in the system file.

INIT 29 tail patches the OpenResFile trap to copy itself into any resource fork that gets opened. When the Finder tries to mount a locked floppy, it opens the resource fork of that floppy's Desktop file by calling OpenResFile. The ROM code successfully opens the resource fork, but then the virus tries unsuccessfully to write itself to the locked disk, which leaves an error code in a low memory global. Control then returns to the Finder, which thinks that the last attempted operation was OpenResFile, and upon finding the error code it assumes that the Desktop file has some problem. The Finder cheerfully offers to rebuild the Desktop file, and if you accept the offer, it will spit out the disk and tell you to unlock it. Unlock the disk, put it back in, and *PRESTO* it's infected.

Naturally, much of Dad's 80 meg disk is not backed up anywhere. It looks as if he'll just have to reformat the disk, restore as much as he can from floppies that he's sure haven't been in the machine for the last few days, and just do without those applications which haven't been backed up. I believe that we can sanitize the important documents by removing the INIT 29 resources in them, but applications are more difficult, since the virus munges the jump table in their CODE 0 resource.

If anybody knows of a program which will repair the CODE 0 damage caused by INIT 29, I'd really like to hear about it. Also, recommendations for, and experiences with, anti-viral software (Vaccine, Gatekeeper, etc.) would be appreciated.

And let's all be careful out there.

-Bruce Florman
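An added example, not part of Bruce's post or any of the tools he mentions: a small Python parser of the classic resource-fork layout that lists a fork's resources and flags an INIT with id 29, reporting whether its 712-byte size and unprintable name match the ResEdit finding above. The two sample forks are constructed inline; reading a real System file's resource fork (from a disk image or MacBinary extraction) is assumed to be done separately.

```python
import struct

# Classic Mac OS resource fork, big-endian: 16-byte header -> resource data
# (u32 length + bytes per item) -> map (type list, reference lists, name list).

def build_resource_fork(resources):
    """Construct a minimal fork from [(type, id, name_or_None, data)]; sample input only."""
    data, names, by_type = b"", b"", {}
    for rtype, rid, name, payload in resources:
        name_off = 0xFFFF                       # 0xFFFF marks an unnamed resource
        if name is not None:
            name_off, names = len(names), names + bytes([len(name)]) + name
        by_type.setdefault(rtype, []).append((rid, name_off, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    types, refs = struct.pack(">H", len(by_type) - 1), b""
    ref_base = 2 + 8 * len(by_type)             # reference lists follow the type entries
    for rtype, entries in by_type.items():
        types += rtype + struct.pack(">HH", len(entries) - 1, ref_base + len(refs))
        for rid, name_off, doff in entries:
            refs += struct.pack(">hHB", rid, name_off, 0) + doff.to_bytes(3, "big") + b"\0" * 4
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(types) + len(refs)) + types + refs + names
    return struct.pack(">IIII", 16, 16 + len(data), len(data), len(rmap)) + data + rmap

def list_resources(fork):
    """Walk the map and yield (type, id, name, data length) for every resource."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl_off, nl_off = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    tl, nl = map_off + tl_off, map_off + nl_off
    ntypes = struct.unpack(">H", fork[tl:tl + 2])[0] + 1
    for i in range(ntypes):
        rtype, count, ref_off = struct.unpack(">4sHH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(count + 1):
            ref = tl + ref_off + 12 * j
            rid, name_off, _attrs = struct.unpack(">hHB", fork[ref:ref + 5])
            doff = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            length = struct.unpack(">I", fork[doff:doff + 4])[0]
            name = None if name_off == 0xFFFF else fork[nl + name_off + 1:nl + name_off + 1 + fork[nl + name_off]]
            yield rtype, rid, name, length

def find_init29(fork):
    """Report INIT id 29 resources and whether they match the traits seen in the post."""
    hits = []
    for rtype, rid, name, length in list_resources(fork):
        if rtype == b"INIT" and rid == 29:
            garbage = name is None or not all(32 <= b < 127 for b in name)
            hits.append({"id": rid, "bytes": length, "garbage_name": garbage,
                         "matches_report": length == 712 and garbage})
    return hits

# Constructed sample System-file forks: one clean, one carrying the reported resource.
CLEAN = build_resource_fork([(b"INIT", 31, b"BeepInit", b"\x4e\x75" * 20), (b"CODE", 0, None, b"\0" * 32)])
INFECTED = build_resource_fork([(b"INIT", 31, b"BeepInit", b"\x4e\x75" * 20), (b"CODE", 0, None, b"\0" * 32),
                                (b"INIT", 29, b"\x07\xf3\x1a", b"\x4e\x71" * 356)])
```

The check is a signature for this one reported resource, not a general scanner; any INIT 29 it finds in a System file deserves a look with ResEdit, whatever its size.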