TITLE
    Computer "Viruses" (1 of 2)
Article ID:
Created:
Modified:
2821
5/2/88
9/22/99

TOPIC

    This article discusses viruses along with how to detect and remove them.


DISCUSSION

    GENERAL ISSUES

    What is a virus?

    A virus is a program with two distinct functions:

    - It spreads itself from machine to machine (self-reproducing code). This includes the actual infection of other systems as well as the stashing away of code into as many "carriers" as possible.

    - It implements the "symptoms" planned by the perpetrator of the virus. This could be any number of things, up to and including erasing a disk on a specific date.

    A Bit of History
    Computer viruses have been around for almost as long as computers. John Van Neumann, the father of the modern computer, toyed with the idea of self-reproducing computer code as early as 1948. In the late 1970s, there was even a training ground for the writing of viruses. It was a program called Core Wars that implemented an artificial environment pitting two virus programs against each other.

    Viruses Are Not Unique to the Macintosh

    The Macintosh is not the only system to be plagued by viruses. Mainframe and minicomputers are also targets for virus programmers. One of the more recent mainframe incidents was the virus that invaded IBM's mail system and brought it to its knees for a couple of days. IBM PC users have been experiencing viruses for several years now. The most common method of attack is through the COMMAND.COM file. The Macintosh community has been lucky to have gone so long without virus programming becoming the thing to do.

    Not All Viruses Are Meant To Be Damaging, But...

    Viruses are not all meant to be damaging. The programmer may just want to prove he can do it and have the satisfaction of reading about it in magazines and on the BBS network. Sometimes, these viruses can cause difficulties anyway. For example, the virus that has prompted this series of articles was meant to be benign except in specific cases. However, it takes up memory and processing time and has caused random side effects such as printing issues and system crashes.

    Don't Panic; Don't Overreact

    If you think that you have a virus, it's important to not overreact. It is important to take a step back and evaluate the situation calmly. Once you know that you have a virus and what it has infected, it is a relatively easy thing to combat. This document contains enough information for you to deal with most viruses.

    Unix Viruses

    In all of this, there has not been much discussion of Unix viruses, but they do exist, and the spread of public domain software is almost as great in the Unix world as it is in the microcomputer world.

    THE GREAT VIRUS HUNT

    When Do You Suspect You Might Have a Virus?

    When your computer begins to do things out of the ordinary, or when it stops being able to do things it has always done in the past. The hard part of this is that corrupted system files can lead to similar symptoms even though a virus isn't involved. When difficulties occur, they are much more likely to be the result of non-virus difficulties. When you have ruled out the standard fault areas, you should look into the possibility that your system has been infected by a virus.

    What to Look For If You Think You Have a Virus

    Look for invisible files in your System folder that don't belong there. Unless you specifically have an application that creates invisible files in the System folder, every invisible file in the System folder should be suspect. Also, a general check of all the files in your System folder for resources that don't belong in those files is well worth the effort.

    Files and Resources a Virus Might Infect

    - Any and all applications

    - HyperCard Stacks (the MacMag virus was spread via a HyperCard stack)

    - Files in the System folder, including:
    System
    Finder
    Note Pad file
    Scrapbook file
    Clipboard file
    Easy Access
    Sound
    Mouse
    Startup Device
    Monitors
    Color
    General
    Keyboard
    LaserWriter
    ImageWriter
    AppleTalk ImageWriter
    ImageWriter LQ

    In other words, all system files.

    Files a Virus Might Damage Inadvertently

    - Any file on an infected volume or system, including system files, documents, applications, etc.

    Public Domain Issues

    Most viruses spread via public bulletin board systems and are hidden in public domain programs. "Sexy Ladies," a program distributed at a MacWorld Expo in San Francisco, erased whatever hard disk or floppy disk it was on when it was launched.

    Network Issues

    The use of networks can easily enhance the spread of a virus. Different scenarios are possible, with the simplest being a public domain folder on a server that everyone gets the latest neat stuff from. Also, shared applications residing on a server could become infected, which would then infect every machine that those applications were run on.


    TECHNICAL ISSUES

    How Viruses Propagate

    Viruses can propagate by a variety of methods. The most common way for a Macintosh virus to replicate itself is to have an INIT that installs a
    background (VBL) task that checks for specific occurrences, such as a disk insertion, and then copies itself somewhere to that disk.

    VBL Tasks

    The Macintosh has always had a limited form of background processing available to it through the use of the Vertical BLanking queue. Every time the screen on a Macintosh (except for a Macintosh II) is refreshed, any routines installed in the queue are executed. The Macintosh II has a dummy VBL queue for compatibility reasons since the advent of a variety of screens has led to different vertical retrace periods.

    VBL tasks can be installed in the queue by any program. The program has to load a routine into a section of memory and install the routine into the VBL queue by calling the Vinstall ROM routine. It is the responsibility of the installing program to make sure the segment of memory containing the routine remains available even after the program has exited. Each VBL task has a specified time period it should be left "asleep" before it is called. Every time the routine is executed, a counter is decremented for that routine. When that counter reaches zero, the routine is deleted from the queue unless the routine itself resets the counter.

    Lengthy VBL tasks such as the one that might be used to replicate a virus can interfere with the normal operation of the Macintosh by interrupting processes that shouldn't be interrupted. A perfect example of this is printing to a LaserWriter over an AppleTalk network. If a VBL task takes too long in its execution, the printing process could terminate abnormally and leave the machine's connection to the network in an unstable state.

    For the purposes of a virus, an INIT is most likely to be the culprit responsible for installing a VBL task.

    INITs

    INITs are routines that are run when the Macintosh is booted. For the most part, they have full access to all of the commands normally available to a standard Macintosh program. The major difference is that the low memory globals have not been set up yet, so any INIT needing access to structures normally stored in low memory must create its own.

    INITs in the System file:

    When a Macintosh boots, the INITs in the System file in the "blessed" folder are the first code to be executed. These INITs should generally be Apple INITs only -- any non-Apple INITs should be considered suspect.

    The INIT 31 mechanism:

    A special INIT in the System file, INIT 31, was created to allow for the execution of non-Apple INITs without having them installed in the System file itself. When all of the other INITs in the System file have been executed, INIT 31 walks through the System folder looking for files of types
    INIT, RDEV, cdev, and executes any INIT resources it finds in these files. The order in which the files get loaded is alphabetical. Needless to say, a simple way for hiding parts of a virus is to drop INITs into legitimate files already existing in the System folder with these file types.

    CDEVs

    The file type cdev indicates a file containing a Control Panel device. When the Control Panel is loaded, it walks through the directory of the System folder looking for any files of type 'cdev'. When it finds a file of this type, it loads the ICN# of that file (assuming it has one) into the list of icons shown on the left side of the Control Panel. When you click on the icon of the cdev in the Control Panel, the code in the cdev resource in the file of type 'cdev' is executed. A virus could easily use this mechanism as a way to infect a system, install a VBL task, etc.

    Many cdev files have INITs in them with the cdev controlling the settings that the INIT will use when it is installed. A good example of this is the settings for a screen blanker. The INIT actually installs the VBL task, but the cdev controls when dimming occurs. None of the standard Apple system cdev files have INITs in them, but there is nothing to prevent a virus installing an INIT in these files as a way of hiding its code.

    DRVRs

    DRVR resources typically can have one of two functions: they can be the code for a desk accessory, or the code for drivers necessary for the system to perform some function such as printing. Once again, the key word here is 'code'. Whenever code is involved, the potential arises for the perpetrator of a virus to take advantage of it.

    Just as with cdevs, when a DRVR gets opened, either by the choosing of a desk accessory or by the system, code is executed at that point. This is the stage at which a virus might fulfill its purpose.

    CODE Resources

    Each application has at least two CODE resources. The first of these CODE resources has an id of 0 and contains what is known as the jump table. This table provides the basic information necessary for various parts of a program to call routines in other CODE segments. The current rage in viruses is to modify the CODE ID = 0 resource of an application so that a CODE segment it installs in the application gets called before the application is actually run. This CODE segment could go out and check if the virus has infected the current system, and if it hasn't, install itself. All the perpetrator of a virus has to do at this point is upload a copy of an infected application to a BBS, and it spreads across the world.

    Applications that allow external procedures:

    Viruses could take advantage of the external procedures that are allowed by some applications. The perfect example of this is HyperCard, with its XCMDs and XFCNs. This is how the MacMag virus was transmitted.

    This article is continued in Computer "Viruses" (2 of 2)

Document Information
Product Area: Apple Software
Category: Virus Detection Software & Information
Sub Category: Computer Viruses

Copyright © 2000 Apple Computer, Inc. All rights reserved.