Jun 88 Mousehole
Volume Number: 4
Issue Number: 6
Column Tag: Mousehole Report
Scores Virus
By Rusty Hodge, SysOp, MouseHole BBS
Changes at the Mousehole: Rusty Hodge, SysOp
MouseHole is now running on an AT&T 3B1 Unix machine. It supports up to 8
simultaneous users, a mostly unlimited number of accounts, and access to the Unix
UUCP and UseNet networks. What does this mean to you? No longer will new users get
the annoying message, “Sorry, the system is full. Please try registering again in a
few weeks.” Additionally, the system will be much easier to get through to at peak
hours. Registration is a little bit different. When you call (714) 921-2252, you
may have to hit return once or twice in order for the system to recognize the speed at
which you are calling. When you get the login: prompt, type “hole”. At this point, you
will get the BBS Login: prompt to which you should answer “none”. Follow the
prompts and you will be assigned a login identifier. Hope to see you soon.
From: ericj (Eric Johansen)
Subject: Tops and Mac II
It’s not that the Tops Spooler doesn’t work with the II. It does. It just doesn’t work
with the current version of Apple’s Laser driver, Ver.5.0. If you want the spooler to
work, use the same system and finder that you’re using but use Ver. 4.0 of the
Laserwriter driver and Laser prep file. They work fine with System 4.2 and Finder
6.0. How well these older drivers work with Multifinder I don’t know. Also, according
to the Tops tech support people, a large number of 3rd party spoolers aren’t working
with Apple’s Laserwriter 5.0. Supposedly both Tops and Apple are working to resolve
the problem. We’ll see.
From: jvsossian (James Von Schmacht)
Subject: Re: Current Laserwriter version
Current version is 5.1 (for LaserWriter II’s) and reportedly has some of the spool
problems fixed. Driver is available on MHDL.
From: adail (Alan Dail)
Subject: MicroSoft
Did anyone notice that Bill Gates said in the April issue of Byte that MicroSoft is
planning to add Object Oriented Programming extensions to their languages. He goes on
to claim that this is a MicroSoft innovation that is necessary to develop today’s complex
applications and that the Macintosh people have yet to discover Object Oriented
Programming. I guess he has never heard of MPW with Object Assembly Language and
Object Pascal and MacApp. It’s no wonder MicroSoft is being sued by Apple. Next thing
you know, MicroSoft will add AppleTalk to OS/2 and claim that they invented it.
From: adail (Alan Dail)
Subject: Scores Virus Got Me!
I have acquired a virus on my system that seems to replicate itself on all of my
applications. It creates files called Desktop and Score in the system folder. It causes
MPW to not find the Worksheet file and may do other things. Has anyone come across
this virus and does anyone know how to get rid of it?
From: lnedry (Larry Nedry)
Subject: Scores virus Effects
This virus creates an invisible file called Scores. This is an RDEV resource which
executes at boot time similar to an INIT resource. Another file is created called Desktop
which is an INIT resource. The Scores virus also attaches itself to the Scrapbook File
and Note Pad File. If they don’t exist they are created. These files need to be deleted.
Also the virus attaches itself into the System file and every application that you run.
The best way to get rid of this virus is to throw away the System Folder and replace it
with a new one. The Vaccine INIT by Don Brown of CE software will notify you when
this virus tries to add CODE resources to your applications. You can also use the Aask
INIT to prevent the INITs from being executed while you are trying to rid your disks of
this virus. I am writing an application this weekend to hopefully terminate this virus
from your system. When it is completed I will post info about it here and upload it to
MouseHole Download. [This virus has been well reported in the press in MacWeek and
Macintosh Today as the ‘Scores’ virus. It is dangerous so watch out. It was originally
written to attack two internal programs at EDS in Texas and is said to be rampant in
the Dallas area. Larry was quoted in the April 26th edition of MacWeek extensively
about this virus and his Ferret program which detects it. -Ed]
From: maxr (Max Rochlin)
Subject: Scores Virus Symptoms
The presence of the virus in the Macintosh memory does cause several symptoms,
which have caused losses of data. These symptoms include difficulty running MacDraw,
difficulty printing from any applications (especially MacDraw), difficulty using the
“Set Startup” option, difficulty running Excel, corruption of Excel files, and frequent
crashes when starting applications. This virus has existed since at least February,
1988, and may have been around as early as September, 1987.
It is possible to determine if this virus has infected your Macintosh with the following
procedure:
1) Open the System Folder of the Macintosh and locate the “Note Pad File” and
“Scrapbook File”.
2) Examine the icons used on these files and check that they resemble the small
Macintoshes seen on the “System” and “Finder” icons. If they do not, and instead
resemble the standard Macintosh document icon (an upright piece of paper with
the upper right corner folded forward), you are probably infected.
3) To verify infection, execute ResEdit or some other utility which can see
“invisible” files. Examine the System Folder.
4) If the System Folder contains two invisible files named “Desktop” and “Scores”,
you are definitely infected.
The virus transmits itself from Macintosh to Macintosh by invading a standard
executable application file on a contaminated Macintosh. When this contaminated
application is copied to a “sterile” Macintosh, the virus attacks the new system by
making these changes to the System Folder:
• Three INIT resources are added to the “System” file. If the files “Note Pad File”
and “Scrapbook File” do not exist in the System Folder, they are created. The
type and creator fields of the “Note Pad File” are changed from “ZSYS” and
“MACS” to “INIT” and “ZSYS”, respectively, and an INIT resource is added to the
file. The type and creator fields of the “Scrapbook File” are changed from
“ZSYS” and “MACS” to “RDEV” and “ZSYS”, respectively, and an INIT resource
is added to the file.
• Two new invisible files are added to the system folder named “Desktop” and
“Scores”, each with an atpl, DATA and INIT resource.
Note that, unlike the MacMag virus, no “nVIR” resources are used anywhere. The
modified files, “Note Pad” and “Scrapbook”, still appear to function normally with
the Note Pad and Scrapbook Desk Accessories, and any existing contents of the file’s
Data Fork are not disturbed.
As each application is attacked, the virus installs a new CODE resource into the
application. The identification of this new resource is variable, depending upon the
existing resources within the application. The virus looks for the first available CODE
resource slot, then places the new resource one position above that. For example,
HyperCard contains CODE resources 0 through 20, leaving an ID of 21 as the first
available resource ID. The virus placed the new CODE resource in the application as
CODE ID=22.
The second step of the infection of the application is the modification of the CODE ID=0
resource of the application. The virus modifies the eleventh word of this resource,
which is the start of the application’s jump table. Where the application would
normally jump to the CODE ID=1 segment, the virus modifies this pointer to refer to
the new CODE resource that has just been installed.
Note that the eleventh word has been changed from “0001” to “0016”, which points
to the new CODE ID=22 resource (hex 16 = decimal 22). Also note that during our
examination of suspected applications, we found that at least one compiler - LightSpeed
C, I think - normally places non-“0001” values in the eleventh word of the CODE
ID=0 resource. To verify infection if the eleventh word is not “0001”, check to see
that the tenth word is NOT “4EED” and that the eleventh word points to another CODE
resource. If both of these are true, then the application is infected.
The new CODE resource is a copy of the virus code, is of size 7026, and is executed
when the infected application is invoked. When the virus completes execution, it
returns to the invoked application, which appears to proceed normally. The first
sixteen words of the virus are:
0000 0001 xxxx 3F3C 0001 A9F0 4EBA 002E 204D D0FC 0020 43FA FFEC
20D9 2091 204D ...
The third word of the virus code is variable, and appears to be based on the return
address used when the execution of the virus is completed. The virus further modifies
the code of the application in a manner which has not been fully deciphered.
If your Macintosh is infected, the contaminated system files and applications must be
completely removed from the Macintosh, and new ORIGINAL copies should be installed.
When removing the virus from the Macintosh system files, you cannot just go in with
ResEdit and delete the offensive INIT resources - this virus is apparently intelligent
enough to recognize this attempt, and modifies its resource identification and memory
location when probed by resource utilities. ResEdit “thinks” that the virus resources
have been deleted, but they have been renamed and will return when the Macintosh is
restarted. The system must be sterilized by:
1) Examine EVERY application (including any in the System Folder, and on EVERY
diskette you may have) you have with ResEdit, and check if a new CODE resource
has been added and if the CODE ID=0 resource has been modified to refer to the
new CODE. This is the most tedious part of the process, and will probably take
quite a bit of time.
2) Using ResEdit, open the infected System Folder and locate the “Desktop” file.
Select the file and use the “Get Info” option on the “File” menu. When the file
information window opens, turn off the “Invisible” bit, then close the window
and save the file information. Do the same for the “Scores” file.
3) Locate a sterile system diskette (preferably one of the “System Tools” diskettes
from Apple), LOCK IT, and boot from it.
4) Throw away the following files from the infected System Folder: “System”,
“Finder”, “MultiFinder”, “Desktop”, “Scores”, “Scrapbook File”, and “Note
Pad File”. Once these files are in the Trash Can, EMPTY THE TRASH
IMMEDIATELY! Note: this is the minimum required to remove the System portion
of the virus - my personal preference is to delete the ENTIRE System Folder, not
just the suspect files in it.
5) Locate all of the applications which you listed in Step 1. Throw them away, and
empty the Trash Can.
6) Shut down the Macintosh, and turn the power off. Wait at least 30 seconds for
memory to clear before rebooting again from the sterile diskette (this may not
really be necessary, but better safe than sorry).
7) Reinstall the Macintosh operating system from the System Tools diskette to your
Macintosh.
8) Locate your original copies of the deleted applications software. Before
reinstalling the applications, examine each one with ResEdit to be sure that it is
sterile. If there is no problem, reinstall the application.
A word of warning:
The Vaccine CDEV which is currently appearing on bulletin boards is only marginally
useful in fighting this virus - if your system is already infected when you install
Vaccine, you will not get any warning from Vaccine that the virus exists. If you have
Vaccine installed on a sterile system, and this virus is introduced at a later time,
Vaccine will only warn you of the virus attack, but will not prevent infection.
From: lnedry (Larry Nedry)
Subject: Scores virus Update
The previous description of the Scores virus is not entirely accurate. There are also a
‘DATA’ resource -4000 and an ‘atpl’ resource 128 that need to be removed. If you
attempt to remove the virus and are unsuccessful it will modify itself and the previous
instructions will no longer work.
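The checks described in Max Rochlin’s post and Larry Nedry’s update, worked through in code. This is an added example written for this page; it is not code from the Mousehole posts, from Ferret, or from Vaccine. It parses a Macintosh resource fork, applies the CODE ID=0 “eleventh word” test together with the LightSpeed C caveat (word ten must not be 4EED and word eleven must name a CODE resource that exists), matches the sixteen-word signature with its variable third word, and tests a file for the INIT, DATA -4000 and atpl 128 resources the Desktop and Scores files carry. Everything it scans is constructed inside the block: the stand-in “virus” CODE resource holds only the signature words, not the 7026-byte virus body, and the “first free CODE ID plus one” rule is my reading of the HyperCard example (CODE 0-20 present, virus at 22), not something the posts state for applications with gaps in their IDs.

```python
"""Added example: Scores-pattern scanner for Macintosh resource forks (not code from the
Mousehole posts, Ferret or Vaccine).  The sample forks near the bottom are constructed here."""
import struct
from typing import Dict, Optional, Tuple

ResourceMap = Dict[Tuple[str, int], bytes]   # (type, id) -> resource data
# First sixteen words of the virus as quoted in the post; None marks the variable third word.
SCORES_SIGNATURE = [0x0000, 0x0001, None, 0x3F3C, 0x0001, 0xA9F0, 0x4EBA, 0x002E,
                    0x204D, 0xD0FC, 0x0020, 0x43FA, 0xFFEC, 0x20D9, 0x2091, 0x204D]

def parse_resource_fork(fork: bytes) -> ResourceMap:
    """Header -> resource map -> type list -> reference lists; returns every resource's bytes."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]  # map-relative offset
    resources: ResourceMap = {}
    for i in range(struct.unpack_from(">H", fork, type_list)[0] + 1):
        rtype, n_minus1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(n_minus1 + 1):
            # 12-byte reference: id, name offset, attribute byte + 3-byte data offset, handle
            rid, _name, attr_off = struct.unpack_from(">hHI", fork, type_list + ref_off + 12 * j)
            start = data_off + (attr_off & 0x00FFFFFF)
            rlen = struct.unpack_from(">I", fork, start)[0]
            resources[(rtype.decode("mac_roman"), rid)] = fork[start + 4:start + 4 + rlen]
    return resources

def build_resource_fork(resources: ResourceMap) -> bytes:
    """Inverse of parse_resource_fork; used only to construct the sample forks below."""
    data, offsets, by_type = bytearray(), {}, {}
    for (rtype, rid), blob in resources.items():
        offsets[(rtype, rid)] = len(data)
        data += struct.pack(">I", len(blob)) + blob
        by_type.setdefault(rtype, []).append(rid)
    types, refs = bytearray(struct.pack(">H", len(by_type) - 1)), bytearray()
    for rtype, ids in by_type.items():
        types += struct.pack(">4sHH", rtype.encode("mac_roman"), len(ids) - 1,
                             2 + 8 * len(by_type) + len(refs))
        for rid in ids:
            refs += struct.pack(">hHI", rid, 0xFFFF, offsets[(rtype, rid)]) + b"\0" * 4
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(types) + len(refs)) + types + refs
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + b"\0" * 240 + bytes(data) + rmap

def words(data: bytes, n: int) -> tuple:
    return struct.unpack_from(">%dH" % n, data, 0)

def expected_scores_code_id(resources: ResourceMap) -> int:
    """First unused CODE id plus one (HyperCard: CODE 0-20 present, virus landed at 22).
    Assumption: this is how the post's rule generalises to apps with gaps in their ids."""
    ids = {rid for rtype, rid in resources if rtype == "CODE"}
    free = 0
    while free in ids:
        free += 1
    return free + 1

def scores_jump_table_check(resources: ResourceMap) -> Tuple[bool, Optional[int], str]:
    """Post's CODE 0 test: word 11 (counting from 1) is the segment number in the first jump-table
    entry, normally 0001.  Non-0001 alone is not proof (LightSpeed C), so also require word 10
    != 4EED and that word 11 names a CODE resource that actually exists."""
    code0 = resources.get(("CODE", 0))
    if code0 is None or len(code0) < 22:
        return False, None, "no usable CODE 0"
    tenth, eleventh = words(code0, 11)[9:11]
    if eleventh == 0x0001:
        return False, None, "first jump-table entry still points at CODE 1"
    if tenth != 0x4EED and ("CODE", eleventh) in resources:
        return True, eleventh, "jump table redirected to CODE %d" % eleventh
    return False, None, "non-standard jump table, but not the Scores pattern"

def matches_scores_signature(code: bytes) -> bool:
    """Compare the first sixteen words with the quoted signature, ignoring the variable word."""
    return len(code) >= 32 and all(w is None or w == g for w, g in zip(SCORES_SIGNATURE, words(code, 16)))

def has_scores_dropper_resources(resources: ResourceMap) -> bool:
    """Desktop and Scores files: an INIT plus DATA -4000 and atpl 128 (Larry Nedry's update)."""
    return (any(rtype == "INIT" for rtype, _ in resources)
            and ("DATA", -4000) in resources and ("atpl", 128) in resources)

def scan_application(fork: bytes) -> dict:
    res = parse_resource_fork(fork)
    hit, target, why = scores_jump_table_check(res)
    return {"jump_table_redirected": hit, "virus_code_id": target, "reason": why,
            "signature_match": hit and matches_scores_signature(res[("CODE", target)]),
            "expected_id": expected_scores_code_id(res)}

# Constructed samples, not captured from real files.  CODE 0 = above-A5 size, below-A5 size,
# jump-table size, jump-table offset, then one entry: routine offset, MOVE.W #seg,-(SP) (3F3C),
# segment number (0001), _LoadSeg (A9F0) -- so words 10 and 11 are 3F3C and 0001 as the post says.
CLEAN_CODE0 = struct.pack(">IIIIHHHH", 0x20, 0x1000, 8, 0x20, 0, 0x3F3C, 1, 0xA9F0)
CLEAN_APP: ResourceMap = {("CODE", 0): CLEAN_CODE0, ("CODE", 1): b"\x4E\x75" * 8, ("CODE", 2): b"\x4E\x75" * 8}
DROPPER_FILE: ResourceMap = {("INIT", 17): b"\x4E\x75", ("DATA", -4000): b"\0" * 8, ("atpl", 128): b"\0" * 4}

def infect_like_scores(app: ResourceMap) -> ResourceMap:
    """Stand-in for the infection: add a CODE resource whose first words match the signature
    (its body is NOT the real 7026-byte virus) and repoint word 11 of CODE 0 at it."""
    out, vid = dict(app), expected_scores_code_id(app)
    out[("CODE", vid)] = b"".join(struct.pack(">H", 0x1234 if w is None else w)
                                  for w in SCORES_SIGNATURE) + b"\0" * 16
    code0 = bytearray(app[("CODE", 0)])
    struct.pack_into(">H", code0, 20, vid)   # byte offset 20 == word 11 counting from 1
    out[("CODE", 0)] = bytes(code0)
    return out

if __name__ == "__main__":
    print(scan_application(build_resource_fork(CLEAN_APP)))
    print(scan_application(build_resource_fork(infect_like_scores(CLEAN_APP))))
    print(has_scores_dropper_resources(parse_resource_fork(build_resource_fork(DROPPER_FILE))))
```

Run as-is it scans the clean sample (not flagged), the infected sample (CODE 0 redirected to CODE 4, signature present, and 4 is also the ID the HyperCard rule predicts) and the dropper-style file. On a real disk you would feed parse_resource_fork the raw resource fork of each application; the signature check is only consulted once the jump-table test fires, because the post warns that a non-0001 eleventh word by itself is not proof of infection.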
From: isoemac (Devin King)
Subject: System 6.0b2
I have encountered a problem with RamDisk+ 2.05 and the new beta System 6.0b.
Simply put, it doesn’t work. I receive an error stating that there was an “Unexpected
Error”. I will have to wait for the release to report it to the programmer of
RamDisk+. I have been using RamDisk+ because it works beautifully with
MultiFinder. [Apple announced at the recent Developer Conference that a new system