Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ames!lll-winken!uunet!mcvax!hp4nl!nikhefk!keeshu
From: keeshu@nikhefk.UUCP (Kees Huyser)
Newsgroups: comp.sys.mac
Subject: ** VIRUS WARNING **
Keywords: AIDS virus, a strain of nVir
Message-ID: <529@nikhefk.UUCP>
Date: 16 Mar 89 16:59:14 GMT
Reply-To: keeshu@nikhefk.UUCP (Kees Huyser)
Organization: National Institute for Nuclear Physics; Netherlands
Lines: 163

+---------------+
| VIRUS WARNING |
+---------------+

A few days ago, we found a new virus at our institute here in Amsterdam. It seems to be a mutation of the nVIR type B virus, similar to the Hpat strain that came out last December. That strain is bothersome but not harmful; once a system is completely infected it may beep when a program is launched.

A particularly poor joke, the builder of this new virus named it "AIDS". As far as we know it has not yet spread to other parts of the world than Europe.

One way to discover if your Mac is infected is to run the new VirusRx 1.4a2. This will warn you that a known virus has infected your system, due to the occurrence of an INIT 32 in the System file. Another good way to detect it is to add the line "AIDS Any" to the list of search strings in Virus Detective (we used version 2.1.1). Of course, you can always run ResEdit to look for the tell-tale resources in applications and the System file.

We also ran some other anti-viral programs to see if they could find anything. The results of this exercise are an indication if those programs are smart enough to recognize an up-to-now unknown virus. The results:...

Antipan:          found "unknown Virus"
Interferon:       anomaly 005 - CodeResource ID 0 jumps to last CodeResource with gap
Assasin:          removed INIT 32 from the System file but did not find anything else
Ferret 1.0:       doesn't find anything
Vaccination 1.1:  doesn't find anything
KillScores:       doesn't find anything

The best way then to find a new virus is to look with VirusRx 1.4a2, and if anything unusual is found, take a closer look with ResEdit to see which resources are affected. Then look through all your disks with an updated version of VirusDetective.

Now back to the AIDS virus; below you will find the sizes of the resources in the infected files.

* Application:
    Resource Type: AIDS
        Resource ID: 1      Resource Size: 428
        Resource ID: 2      Resource Size: 8
        Resource ID: 3      Resource Size: 416
        Resource ID: 6      Resource Size: 66
    Resource Type: CODE
        Resource ID: 256    Resource Size: 422

* System:
    Resource Type: AIDS
        Resource ID: 0      Resource Size: 2
        Resource ID: 1      Resource Size: 428
        Resource ID: 4      Resource Size: 422
        Resource ID: 5      Resource Size: 8
        Resource ID: 6      Resource Size: 66
        Resource ID: 7      Resource Size: 2106
    Resource Type: INIT
        Resource ID: 32     Resource Size: 416

One way to disinfect your Mac immediately is to patch Mike Scanlin's "Vaccination 1.1" with FEdit or a similar tool. Look for all occurrences of "nVir" and change to "AIDS". This will give you a temporary solution to your problem, until other and wiser heads than mine have implemented the cure in their own anti-virus programs. Further information on the nVIR virus may be found in the May 1988 issue of MacTutor.

If you are not familiar with the workings of programs like FEdit, a working and patched version of Vaccination 1.1 is attached to the bottom of this message as a BinHexed file. It has been renamed "Vaccination 1.2-AIDS" for clarity.

Thanks to the authors of VirusRx, VirusDetective and Vaccination, without whom it would have taken much longer to find out what was happening.

Good Luck,
--Kees

/* -------------------------------------------------------------------- */
/*  keeshu@nikhefk.uucp or {..!uunet.uu.net}!mcvax!nikhefk!keeshu        */
/*  National Institute for Nuclear Physics and High-Energy Physics      */
/*  P.O.Box 4395, 1009 AJ Amsterdam, The Netherlands,phone:+31205920124 */
/* -------------------------------------------------------------------- */

------------------------------------------------------
(This file must be converted with BinHex 4.0)
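
Added example, not part of the original post: the ResEdit check described above (looking for the tell-tale resources by type, ID and size) automated as a parser for the classic Mac OS resource fork layout. The function names and the two sample forks are constructed for illustration; the sample resources are zero-filled bodies of the listed sizes, and the signature tables are copied from the listings in the post.

```python
import struct
# (type, ID) -> size in bytes, copied from the resource listings in the post.
APP_SIG = {("AIDS", 1): 428, ("AIDS", 2): 8, ("AIDS", 3): 416,
           ("AIDS", 6): 66, ("CODE", 256): 422}
SYS_SIG = {("AIDS", 0): 2, ("AIDS", 1): 428, ("AIDS", 4): 422, ("AIDS", 5): 8,
           ("AIDS", 6): 66, ("AIDS", 7): 2106, ("INIT", 32): 416}

def list_resources(fork):
    """Parse a classic Mac OS resource fork into {(type, id): size}."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("truncated or corrupt resource fork")
    tlist = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    n_types = (struct.unpack_from(">H", fork, tlist)[0] + 1) & 0xFFFF  # stored as count-1
    found = {}
    for t in range(n_types):
        rtype, last, refs = struct.unpack_from(">4sHH", fork, tlist + 2 + 8 * t)
        for r in range(last + 1):
            rid, _name, attr_off = struct.unpack_from(">hhI", fork, tlist + refs + 12 * r)
            pos = data_off + (attr_off & 0xFFFFFF)   # low 3 bytes: offset into data area
            found[(rtype.decode("mac_roman"), rid)] = struct.unpack_from(">I", fork, pos)[0]
    return found

def scan(fork, signature):
    """Report exact (type, id, size) hits plus any resource of type AIDS."""
    found = list_resources(fork)
    exact = sorted(k for k, size in signature.items() if found.get(k) == size)
    return {"exact": exact, "complete": len(exact) == len(signature),
            "aids_any": sorted(k for k in found if k[0] == "AIDS")}

def build_fork(resources):
    """Build a minimal resource fork from {(type, id): bytes} (constructed test input)."""
    data, by_type = b"", {}
    for (rtype, rid), body in resources.items():
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body
    types, refs = b"", b""
    for rtype, items in by_type.items():
        ref_off = 2 + 8 * len(by_type) + len(refs)   # measured from type-list start
        types += struct.pack(">4sHH", rtype.encode("mac_roman"), len(items) - 1, ref_off)
        refs += b"".join(struct.pack(">hhII", rid, -1, off, 0) for rid, off in items)
    tlist = struct.pack(">H", len(by_type) - 1) + types + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist)) + tlist
    return struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap)) + bytes(240) + data + rmap
# Constructed samples: zero-filled bodies of the listed sizes, no virus code.
PLAIN = {("CODE", 0): bytes(40), ("CODE", 1): bytes(300)}
CLEAN_APP = build_fork(PLAIN)
MARKED_APP = build_fork({**PLAIN, **{k: bytes(n) for k, n in APP_SIG.items()}})
print(scan(CLEAN_APP, APP_SIG), scan(MARKED_APP, APP_SIG), sep="\n")
```

The `aids_any` field mirrors the "AIDS Any" search string suggested for Virus Detective, while `complete` requires every listed resource to be present at its listed size.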