Path: utzoo!attcan!uunet!mcvax!inria!imag!iron
From: iron@imag.imag.fr (Francois Menneteau)
Newsgroups: comp.sys.mac.programmer
Subject: Re: INIT 29
Summary: ...
Keywords: damage control
Message-ID: <4380@imag.imag.fr>
Date: 6 Feb 89 12:44:31 GMT
References: <1869@randvax.UUCP> <1871@randvax.UUCP>
Organization: IMAG, University of Grenoble, France
Lines: 29

In article <1871@randvax.UUCP>, florman@randvax.UUCP (Bruce Florman) writes:
>
>    Over the weekend I disassembled the INIT29 virus, and figured out that
> repairing applications is relatively easy with ResEdit....
>
>       005C 3F3C nnnn A9F0
>
>    The nnnn is the id number of the virus' CODE resource.  Make note
> of it.  This number will be greater than one.  If it isn't, then
> the application is not infected with INIT29 (at least not the same
> strain that I looked at).
>

BE CAREFUL: some applications have the first entry of their JUMP TABLE
with a CODE segment id different from one (protection against hackers,
for example), and it doesn't necessarily mean they are infected...

And I think checking only for code size to say you are infected by INIT29
is very dangerous (perhaps a sequence of code [OpenResFile patch?] will be
more efficient).

It's only my impressions...

--
\\\\\\\\\\\\\\\\\\\\\\\\\\   "... I had their lives in my hands
\ iron@imag.imag.fr      \    their fate their fortune in my visions
/ uunet.uu.net!imag!iron /    No one believed in my true prophecy
//////////////////////////    And now it's too late."
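
The first-entry check discussed in this message, as an added example that is not part of the original post or of either poster's code: it reads the first jump table entry from a CODE 0 resource and treats a segment id other than one as a reason to look further, not as a verdict. It assumes the classic Segment Loader layout (16-byte header, then 8-byte entries); the function names and the sample bytes are constructed for illustration.

```python
import struct

# Assumed classic Mac OS CODE 0 layout: a 16-byte header (above-A5 size,
# below-A5 size, jump table size, jump table offset) followed by 8-byte
# entries: routine offset, 0x3F3C (MOVE.W #id,-(SP)), segment id,
# 0xA9F0 (_LoadSeg). This matches the "005C 3F3C nnnn A9F0" pattern quoted.
HEADER = struct.Struct(">IIII")
ENTRY = struct.Struct(">HHHH")
MOVE_W, LOADSEG = 0x3F3C, 0xA9F0


def first_jump_entry(code0: bytes):
    """Return (routine_offset, segment_id) from the first jump table entry."""
    if len(code0) < HEADER.size + ENTRY.size:
        raise ValueError("CODE 0 too short to hold a jump table entry")
    _above, _below, jt_size, _jt_off = HEADER.unpack_from(code0, 0)
    if jt_size < ENTRY.size or jt_size % ENTRY.size:
        raise ValueError("jump table size is not a positive multiple of 8")
    offset, op1, seg_id, op2 = ENTRY.unpack_from(code0, HEADER.size)
    if (op1, op2) != (MOVE_W, LOADSEG):
        raise ValueError("first entry is not in unloaded 3F3C/A9F0 form")
    return offset, seg_id


def triage(code0: bytes) -> str:
    """Classify by first-entry segment id only; never a verdict on its own."""
    _offset, seg_id = first_jump_entry(code0)
    if seg_id == 1:
        return "first entry -> CODE 1: not the pattern described"
    # Per the reply: some applications legitimately start in another segment,
    # so this is a reason to inspect CODE <id>, not proof of infection.
    return f"first entry -> CODE {seg_id}: inspect that resource, inconclusive"


def make_code0(seg_id: int, offset: int = 0x005C) -> bytes:
    """Build constructed sample CODE 0 bytes holding a single entry."""
    header = HEADER.pack(0x28, 0x200, ENTRY.size, 0x20)
    return header + ENTRY.pack(offset, MOVE_W, seg_id, LOADSEG)


if __name__ == "__main__":
    for sample_id in (1, 7):  # constructed ids, not taken from any real file
        print(triage(make_code0(sample_id)))
```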