Virus
Volume Number: 4
Issue Number: 5
Column Tag: Advanced Mac'ing
A Vaccine for the 'nVIR' Virus 
By Mike™ Scanlin, Contributing Editor
Unless you are going to Africa or Indochina, viruses and vaccinations are not
something that most of us need to worry about. However, even if you’re not planning on
travelling, there is one virus you need to be aware of. It is a computer virus that is
infecting Macintoshes everywhere. [Note: The virus described in this article is
apparently only one of at least three viruses that are going around as reported in the
press. This article discusses what we shall name the ‘nVIR’ virus. The other two are
the infamous ‘peace message’ virus and the ‘scrapbook’ virus reported in this month’s
mousehole column, and in a recent MacWeek article. -Ed]
Are you infected?
Use ResEdit to open your system file and look for ‘nVIR’ resources. If you have
them, then your system has been infected and chances are that at least some (if not
most or all) of your applications are infected. Don’t panic. This particular virus is
relatively harmless. There is an application at the end of this article that will allow
you to remove the virus from your infected applications. There is also an ‘INIT’
resource you can put in your System Folder that will warn you if this virus ever
shows up on your system. [Note that this vaccine and virus warning init applies only to
this particular ‘nVIR’ virus. New vaccines will be necessary for the other two once it
is known how they operate. -Ed]
Fig. 1 Vaccination Alert tells Application status
How I found it
Until last week, I had had no experience with computer viruses. I had heard
rumors about the existence of Mac viruses, but didn’t really believe them. I do not
know when this virus first got into my system. It must have come from some program
I downloaded off of a network, but I do not know which one. By the time I figured out
what was going on, the virus had modified s eventeen of the applications on my hard disk
and my System file.
Virus Symptoms
Sometime near the beginning of last week, I started hearing a beep when
launching programs. It didn’t happen every time, only once in a while and with no
discernable pattern. Using TMON, I trapped SysBeep() and discovered that something
was modifying ‘CODE’ 0 and installing several ‘nVIR’ resources into every application
I launched. I looked in my System file and, in addition to several ‘nVIR’ resources,
found an ‘INIT’ 32 resource that I didn’t put there. I compared the standard ‘INIT’s
from an original system disk and none of them matched the ‘INIT’ 32 I had found. What
really clued me in to the idea of a virus was that if I took the ‘INIT’ 32 resource out of
my System file, quit ResEdit, and then relaunched ResEdit, the ‘INIT’ 32 resource
would be back in there. After disassembling ‘INIT’ 32, I learned how it worked and how
to make my system immune to it. I am sharing this information so that other Mac users
can protect themselves as well. [Note that this virus exhibits the ability to re-install
itself after being patched out with ResEdit! -Ed]
How to make your System file immune
Use ResEdit to open your System file. Create an ‘INIT’ 32 resource that consists
of these 2 hex bytes: 4E 75 (which is an RTS instruction). If ‘INIT’ 32 already exists
and has a size of 366 bytes, then you can be pretty sure it is the virus’ ‘INIT’. Replace
the existing ‘INIT’ 32 with the 2 byte version (4E 75). Now create 8 resources of the
type ‘nVIR’; the case of the resource type is important -- do not use ‘NVIR’ or ‘nvir’.
Their IDs should be 0 through 7, with size zero bytes. If they already exist, then delete
them and create 8 new empty ones (with IDs 0-7).
That’s it. Your system is now immune to this particular virus (but not all
possible viruses). If you now run an infected application, the virus will think that it
is already installed in your system file, since it sees the ‘INIT’ and ‘nVIR’ resources it
expects, and will leave it alone.
If your System file was infected before you immunized it, you should reboot the
system before using the procedure below to remove the virus from your applications.
This guarantees that the effects of ‘INIT’ 32 are removed from memory.
Removing the virus from infected applications
If an application has been infected, it will have several ‘nVIR’ resources, a
‘CODE’ 256 resource, and a possibly modified ‘CODE’ 0 resource. Here are
instructions on how to restore an infected application (note: this is only useful if you
are certain that your System file is not infected. Otherwise, the applications will
become infected again. Also, you should practice on a copy of an infected application):
1) Open the application with ResEdit. If ‘CODE’ 256 exists, use GetInfo on it to check
its size. If it is 372 bytes, then remove it. The reason we check for the size is
because some applications, such as ReadySetGo, already have a ‘CODE’ 256
resource of their own and we don’t want to remove part of the application’s code.
2) Open ‘CODE’ 0 and look at the 3rd line of 8 hex bytes (bytes 16-23). If it is
“0000 3F3C 0100 A9F0” then you need to replace that line of hex numbers
with the 8 bytes contained in the ‘nVIR’ 2 resource. If the third line does not look
like the above 8 bytes, then the ‘CODE’ resource is probably protected and did not
get modified -- see below for an explanation. In this case leave it alone.
3) Remove all ‘nVIR’ resources. Make sure you have completed step 2 before
removing ‘nVIR’ 2. You cannot restore the application without it.
Because this procedure is so automatic, I have written a program that does it for
you. The application Vaccination displays the SFGetFile dialog and allows you to choose
an application to vaccinate. A message is displayed that tells you the result of the
vaccination and the SFGetFile dialog is displayed again. If your system has been
infected, you should vaccinate every application on your hard drive. You will only see
files of type ‘APPL’, ‘FNDR’ (for the Finder), and ‘dahd’ (for the DA handler) in the
SFGetFile dialog so you might want to do a manual tree walk of your hard drive to be
sure you vaccinate all of your applications. There is no harm in vaccinating an
uninfected application or in vaccinating the same application more than once. This
program does not make applications immune to this virus, it only removes this virus
from them. But if your System file is immune, then there is no way this particular
virus can spread to your applications. Note: you cannot use the Vaccination program to
make your System file immune. You will have to do that manually using the procedure
above.
How this virus works
This particular virus modifies the ‘CODE’ 0 resource of an application in such a
way that when you launch that application the first thing to execute is a piece of virus
installation code. That installation code looks for the virus’ presence in the System file
you are launching from. If it does not find evidence of the virus, it then installs itself
(as ‘INIT’ 32 and several ‘nVIR’ resources) into your System file and then executes
the application you had originally launched. Once your System file is infected, every
application launched from that system will become infected. The whole infection
process only takes a second or two, so there is little chance you will notice it. If the
virus detects that it is already in the System file and in the application you are
launching (meaning that no installation of itself is necessary on this launch), then
there is about a 6% chance (1 in 16) that you will hear a short beep. This is the beep
that first got my attention. According to a friend of mine, Chris Borton, whose
computer was also infected, if you have MacinTalk in your System Folder, then the
virus speaks the words “Don’t Panic” instead of beeping.
This virus does not check if the ‘CODE’ 0 resource of the application it is trying
to infect is protected or not. Consequently, applications that have ‘CODE’ 0 resources
with the resProtected bit set are still infected, but are not contagious, i.e. they have
the ‘CODE’ 256 resource and the ‘nVIR’ resources added to them, but they can not pass
the virus on to a clean System file. I learned this by noticing that QUED/M and
PageMaker were infected, but were not contagious. I couldn’t figure out why some
programs had protected ‘CODE’ resources and others didn’t. Then one of the people I
work with, Victor Romano, put it together. He told me that Lightspeed C ( which
QUED/M and PageMaker were written in) automatically sets the resProtected bit of the
‘CODE’ resources it generates. MPW does not. So, protecting the ‘CODE’ resources
(which can be done with ResEdit) is another simple way of pr eventing this virus from
affecting an application.
To be forewarned
I don’t know how far this virus has already spread, or how far it will spread. As a
partial defense, however, I have written a piece of code that can be installed as an
‘INIT’ file in your System Folder that will warn you if it detects something that looks
like this particular virus. VirusWarnINIT is a patch on 2 routines that this virus
relies on: GetResource() and ChangedResource(). The patch to GetResource() makes a
beep if theType == ‘nVIR’. The patch to ChangedResource() makes a beep if
theResource is a handle to a ‘CODE’ 0 resource. I wouldn’t suggest installing this ‘INIT’
in a system known to be infected -- the number of beeps is sure to annoy you. I would
have used something like an alert window instead of a beep as a warning, but I can’t be
sure that the Window Manager has been initialized at the time the virus is detected. If
you install this ‘INIT’ in a clean system and then launch a contagious application, you
will hear about 5 or 6 beeps in a row as the virus tries to install itself in your System
file.
Note that this ‘INIT’ is only a warning, not a vaccination. The virus will still
install itself. The advantage is that you will know about it right away and can stop it
before it spreads very far.
Now that my Mac has been vaccinated, it’s my turn. After Typhoid, Yellow Fever,
Cholera and Meningococcal vaccinations, I’m off to Africa and Indochina. I wonder if I
can get David Smith to send MacTutor to Serengeti National Park? Or do they already
get it there? I’ll let you know
/* Vaccination.c
* by Mike™ Scanlin 12 March 88
*
* Removes the ‘nVIR’ virus from an
* application chosen by the user.
*/
#include “QuickDraw.h”
#include “ResourceMgr.h”
#include “StdFilePkg.h”
#include “FileMgr.h”
#define NIL 0L
#define reg register
#define REPORT_STATUS_ALERT 129
#define nVIR_CODE_256_SIZE 372
#define nVIR2Bad -10
#define nVIR2NotFound -11
void RemoveResourceFromFile(long theType, int theID, int
refNum);
int Innoculate(Str255 *fileName, int vRef);
void pStrCpy(char *p2, char *p1);
Boolean ChooseFile(Str255 *fn, int *vRef);
void main(void);
static SFReply reply;
static int applResFile;
/* RemoveResourceFromFile(theType, theID, refNum)
*
* This will remove the resource of type theType
* and ID theID from the open resource file
* whose refNum is refNum.
*/
void RemoveResourceFromFile(theType, theID, refNum)
long theType;
int theID;
int refNum;
{
reg Handle theResource;
if ((theResource = GetResource(theType, theID)) &&
(HomeResFile(theResource) == refNum))
RmveResource(theResource);
}
/* Innoculate(fileName, vRef)
Referenced by (25):
- B Topics (MacTech Index)
- C Authors (MacTech Index)
- H Authors (MacTech Index)
- P Authors (MacTech Index)
- S Authors (MacTech Index)
- S Topics (MacTech Index)
- V Topics (MacTech Index)
- Vol 4 Issues (MacTech Index)
- Vol 5 Issues (MacTech Index)
- Vol 6 Issues (MacTech Index)
- Vol 7 Issues (MacTech Index)
- Vol 8 Issues (MacTech Index)
- Jun 88 Mousehole (MacTech Vol 04-1988)
- Dec 89 Letters (MacTech Vol 05-1989)
- Mar 89 Letters (MacTech Vol 05-1989)
- Virus Patrol (MacTech Vol 05-1989)
- Apr 90 Mousehole (MacTech Vol 06-1990)
- Diagnose Viruses (MacTech Vol 06-1990)
- Jul 90 Letters (MacTech Vol 06-1990)
- Oct 90 Letters (MacTech Vol 06-1990)
- Slider FKEY (MacTech Vol 06-1990)
- Virus Scout (MacTech Vol 07-1991)
- One App Patches (MacTech Vol 08-1992)
- Virus Detection (MacTech Vol 08-1992)
- Virus Protection (MacTech Vol 08-1992)