The following is a message of warning and remedy about three new
viruses that may be coming towards us from Europe. I want to thank
Matthias Urlichs from West Germany who detected the viruses, dissected
them and then came up with a remedy. I have not seen the program he
speaks about at this time.
Jerry Heyman

From: Jim Macak
To: All Msg #419, 15-Mar-88 10:13pm
Subject: nVIR Info

Another virus floating around in MacLand is often referred to as
"nVIR". Apparently there is an excellent article in MacTutor
about it and how to deal with it. In addition, I found the
following on USENET this evening:

From: msurlich@faui44.UUCP (Matthias Urlichs)
Subject: Re: I've got a virus and I don't like it
Summary: How to kill this virus
Keywords: virus
Date: 14 Mar 88 15:32:22 GMT
Reply-To: msurlich@faui10.UUCP (Matthias Urlichs)
Organization: CSD., University of Erlangen, W - Germany

In article <4731@sdcsvax.UCSD.EDU> borton@net1.UUCP (Chris Borton)
writes:
> The symptoms are simple:
>
> INIT 32 in System File
>
> nVIR resources in various applications and the System File.
>
I have written a small INIT called "KillVirus" that deinstalls this
particular virus from the startup System file and any program you are
booting. Anyone who needs it may get it from CompuServe (MacDev) or
from me (send a disk and $5); feel free to post it elsewhere.
I am the poster of the virus "example" on CompuServe. This example
is incomplete and was derived from the existing "nVir" virus we
are all experiencing. It cost me considerable time to dissect the
beast and I thought it a good idea to post a watered-down version
of it so that someone might find some means of defeating future
examples of this behavior.
I fully agree that viruses (even non-malignant ones) are far from
funny. I did not think that anyone would recompile the beast since
to derive the missing pieces is about as hard as starting from
scratch; I assume the original has travelled to the US. I will delete
the "example" if there is a consensus that it will do more bad than
good.
The "nVir" virus installs itself in the System file using an INIT 32,
and into any program you start by patching itself into the "CODE 0"
resource. This is accomplished by patching the TEInit trap.
The programmer built a defeat mechanism into the virus: it will do
nothing if there is a resource "nVIR", ID 10, present in your System
file.
-more in next message-
---
* Origin: GENERIC: Metro-Milwaukee, Great Place on a Great Lake! (Opus 1:154/5)

From: Jim Macak
To: All Msg #420, 15-Mar-88 10:15pm
Subject: nVIR Info #2

More on nVIR from USENET:

To deinstall the virus from your System, simply delete all "nVIR"
resources and the infamous INIT 32, and create an (empty) "nVIR" 10
resource to prevent further problems.
Getting it out of programs is more difficult. The old entry from the
CODE 0 is stored in nVIR ID 2. Open that resource, copy the eight
bytes, open CODE 0, select the third line, and paste. Then delete all
nVIRs, and CODE 256 (this does belong to the virus). You might have
to use ResEdit 1.2 for some programs which have a CODE 0 too large for ResEdit 1.1 to handle.
The original of this virus came in three flavors. The first simply
beeps when you start a program (not always). The second opened
MacinTalk and tried to say "Don't Panic" instead. The third selected
a random file in your System folder and killed it. Fortunately the
former two are more aggressive and do overwrite the third one if they
see it.
All three variants sometimes crash programs when you try to start
them. This does not seem to cause any further problems.
I hope this information helps. Please do not mail to me if possible
because I have to pay $1 per kByte if it gets too much.
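
Added example, not part of the original messages or of the KillVirus program: a Python check that parses the resource map of a classic Mac OS resource fork and reports the indicators named above (nVIR resources, INIT 32, CODE 256). The function names, the constructed sample forks and the reading of a lone nVIR 10 as the protective marker are assumptions made for illustration.

```python
import struct

def list_resources(fork: bytes) -> set:
    """Return {(type, id)} from the resource map of a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    _doff, map_off, _dlen, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map lies outside the fork")
    (tl_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + tl_off                           # start of the type list
    (ntypes,) = struct.unpack_from(">h", fork, tl)  # stored as count-1 (-1 = empty)
    found = set()
    for i in range(ntypes + 1):
        rtype, nres, ref_off = struct.unpack_from(">4shH", fork, tl + 2 + 8 * i)
        for j in range(nres + 1):                   # 12-byte reference entries
            (rid,) = struct.unpack_from(">h", fork, tl + ref_off + 12 * j)
            found.add((rtype.decode("mac_roman"), rid))
    return found

def nvir_findings(fork: bytes) -> list:
    """Report the indicators named in the posts: nVIR resources, INIT 32, CODE 256."""
    res = list_resources(fork)
    nvir_ids = sorted(rid for rtype, rid in res if rtype == "nVIR")
    findings = []
    if nvir_ids == [10]:   # assumption: a lone nVIR 10 is the protective marker
        findings.append("nVIR 10 only: protective marker")
    elif nvir_ids:
        findings.append(f"nVIR resources: IDs {nvir_ids}")
    findings += [f"{t} {i} present" for t, i in (("INIT", 32), ("CODE", 256)) if (t, i) in res]
    return findings

def build_fork(resources) -> bytes:
    """Constructed sample input: a minimal fork holding only a resource map."""
    types = {}
    for rtype, rid in resources:
        types.setdefault(rtype, []).append(rid)
    type_list, refs = struct.pack(">h", len(types) - 1), b""
    for rtype, ids in types.items():
        ref_off = 2 + 8 * len(types) + len(refs)    # measured from the type list start
        type_list += struct.pack(">4shH", rtype.encode("mac_roman"), len(ids) - 1, ref_off)
        refs += b"".join(struct.pack(">hHB3sI", rid, 0xFFFF, 0, b"", 0) for rid in ids)
    map_len = 28 + len(type_list) + len(refs)
    header = struct.pack(">4I", 16, 16, 0, map_len)
    return header + header + struct.pack(">IHHHH", 0, 0, 0, 28, map_len) + type_list + refs

# Constructed samples (not real files): an infected application and a cleaned System file.
INFECTED_APP = build_fork([("CODE", 0), ("CODE", 1), ("CODE", 256), ("nVIR", 2)])
CLEAN_SYSTEM = build_fork([("INIT", 31), ("nVIR", 10)])
```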