Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!bloom-beacon!oberon!sm.unisys.com!randvax!florman
From: florman@randvax.UUCP (Bruce Florman)
Newsgroups: comp.sys.mac.programmer
Subject: Re: INIT 29
Keywords: damage control
Message-ID: <1871@randvax.UUCP>
Date: 31 Jan 89 01:40:21 GMT
References: <1869@randvax.UUCP>
Reply-To: florman@rand-unix.UUCP (Bruce Florman)
Organization: Rand Corp., Santa Monica, Ca.
Lines: 71

In article <1869@randvax.UUCP> florman@randvax.UUCP I write:

> I just got a phone call from my Dad, complaining about his Mac II
> misbehaving. He described some symptoms, and I talked him through
> some diagnostics, and we finally traced the problems to the new INIT 29
> virus (For a good description of INIT 29, see Joel Levin's article
> of 1/18).

[blah, blah, blah]

> If anybody knows of a program which will repair the CODE 0 damage
> caused by INIT 29, I'd really like to hear about it.

Over the weekend I disassembled the INIT29 virus, and figured out that
repairing applications is relatively easy with ResEdit. I'll pass along
the fix in case anybody else out there needs to do it (and doesn't feel
like spending a half day mucking about with MacNosy and interpreting
assembly code).

1) Using ResEdit, open CODE resource 0 of the infected application.
   This contains the application's jump table.

2) Sixteen bytes from the start of the resource (i.e. the third line of
   ResEdit's hex display) you will see something that looks like:

       005C 3F3C nnnn A9F0

   The nnnn is the id number of the virus' CODE resource. Make note of
   it. This number will be greater than one. If it isn't, then the
   application is not infected with INIT29 (at least not the same
   strain that I looked at).

3) Select the virus' CODE resource (the one with id = nnnn) and choose
   "Get Info" from the File menu. The size of this resource should be
   712 bytes. If it isn't, the application is not infected with INIT29.

4) Close the "Get Info" box and open the resource itself.

5) Thirty bytes from the start of it, you will see something like:

       xxxx 3F3C yyyy A9F0

   This is the original jump table entry for the application. Note the
   values of xxxx and yyyy.

6) Close the CODE nnnn window and go back to the CODE 0 window.

7) Replace "005C 3F3C nnnn A9F0" with "xxxx 3F3C yyyy A9F0" and then
   close the CODE 0 window.

8) Select the virus' CODE resource again and choose "Clear" from the
   Edit menu.

9) Close the application's window and click OK when ResEdit asks you if
   you want to save the changes.

The application is now sanitary again. Be more careful next time. :-)

For non-applications that have become infected (e.g. the System file or
the Desktop file) the cure is even easier. Simply remove the INIT 29
resource with ResEdit.

*** DISCLAIMER !!! ***

These procedures have worked for me, but I make ABSOLUTELY NO GUARANTEES
about them to you. If you follow these procedures and your Mac bursts
into flame, or has any other problem at all, it's YOUR problem, not
mine, and not my employer's.

Have a nice day,
Bruce Florman
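The same nine ResEdit steps, carried out on raw resource bytes, as an added example that is not part of the original post. It models an application's CODE resources as a dictionary of id -> bytes, applies the checks the post gives (first jump-table entry at offset 16 reads 005C 3F3C nnnn A9F0, nnnn > 1, the virus' CODE resource is exactly 712 bytes, the saved entry sits 30 bytes into it), then copies the saved entry back into CODE 0 and drops the virus resource. The infected sample is constructed here, not taken from a real binary; the function names, the extra sanity check on the 3F3C / A9F0 bytes of the saved entry, and the resource-dictionary layout are this example's own assumptions, not anything ResEdit or the post provides.

```python
import struct

# Layout described in the post. A Mac jump-table entry is:
#   2-byte offset, MOVE.W #seg,-(SP) (3F3C seg), _LoadSeg trap (A9F0).
ENTRY_OFFSET_CODE0 = 16   # first jump-table entry follows the 16-byte CODE 0 header
ENTRY_OFFSET_VIRUS = 30   # where INIT 29 keeps the original entry (step 5)
VIRUS_CODE_SIZE = 712     # size of the virus' CODE resource (step 3)
HIJACKED_OFFSET = b"\x00\x5c"
PUSH_SEG = b"\x3f\x3c"    # MOVE.W #imm,-(SP)
LOAD_SEG = b"\xa9\xf0"    # _LoadSeg


def find_init29(code_resources):
    """Return the id of the INIT 29 CODE resource, or None if the checks fail.

    code_resources maps CODE resource id -> bytes (hypothetical layout).
    """
    code0 = code_resources.get(0)
    if code0 is None or len(code0) < ENTRY_OFFSET_CODE0 + 8:
        return None
    entry = code0[ENTRY_OFFSET_CODE0:ENTRY_OFFSET_CODE0 + 8]
    # Step 2: entry must read 005C 3F3C nnnn A9F0
    if entry[:2] != HIJACKED_OFFSET or entry[2:4] != PUSH_SEG or entry[6:8] != LOAD_SEG:
        return None
    seg = struct.unpack(">H", entry[4:6])[0]
    if seg <= 1:
        return None
    # Step 3: the referenced CODE resource must be exactly 712 bytes
    virus = code_resources.get(seg)
    if virus is None or len(virus) != VIRUS_CODE_SIZE:
        return None
    # Step 5 (extra check, my assumption): the saved entry should itself
    # look like a jump-table entry
    saved = virus[ENTRY_OFFSET_VIRUS:ENTRY_OFFSET_VIRUS + 8]
    if saved[2:4] != PUSH_SEG or saved[6:8] != LOAD_SEG:
        return None
    return seg


def disinfect(code_resources):
    """Steps 5-8 on bytes: return (cleaned_resources, virus_id or None)."""
    seg = find_init29(code_resources)
    if seg is None:
        return dict(code_resources), None
    saved = code_resources[seg][ENTRY_OFFSET_VIRUS:ENTRY_OFFSET_VIRUS + 8]
    code0 = bytearray(code_resources[0])
    # Step 7: restore the original entry over the hijacked one
    code0[ENTRY_OFFSET_CODE0:ENTRY_OFFSET_CODE0 + 8] = saved
    # Step 8: clear the virus' CODE resource
    cleaned = {rid: data for rid, data in code_resources.items() if rid != seg}
    cleaned[0] = bytes(code0)
    return cleaned, seg


def sample_infected():
    """Constructed sample: CODE 0 whose first entry has been redirected to CODE 5."""
    header = bytes(16)                                  # zeroed CODE 0 header
    original_entry = b"\x00\x10" + PUSH_SEG + b"\x00\x01" + LOAD_SEG
    hijacked_entry = HIJACKED_OFFSET + PUSH_SEG + b"\x00\x05" + LOAD_SEG
    second_entry = b"\x00\x18" + PUSH_SEG + b"\x00\x01" + LOAD_SEG
    code0 = header + hijacked_entry + second_entry
    virus = bytearray(VIRUS_CODE_SIZE)                  # filler standing in for the virus body
    virus[ENTRY_OFFSET_VIRUS:ENTRY_OFFSET_VIRUS + 8] = original_entry
    code1 = b"\x4e\x75" * 8                             # RTS padding for the real segment
    return {0: code0, 1: code1, 5: bytes(virus)}


if __name__ == "__main__":
    cleaned, vid = disinfect(sample_infected())
    print("virus CODE id:", vid, "remaining CODE ids:", sorted(cleaned))
```

Running the sample reports CODE id 5 as the virus resource and leaves only CODE 0 and CODE 1 behind, with CODE 0's first entry restored to 0010 3F3C 0001 A9F0; a second pass over the cleaned dictionary finds nothing, matching the post's note that a clean application has no 005C 3F3C nnnn A9F0 entry with nnnn > 1.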