TITLE
    Computer "Viruses" (2 of 2)
Article ID: 2822
Created: 5/2/88
Modified: 8/13/98

TOPIC

    This article, part 2 of 2, discusses viruses along with how to detect and remove them.


DISCUSSION

    Continued from Computer "Viruses" (1 of 2)

    KNOWN VIRUSES

    Hong Kong Virus (also known as Autostart Virus or Autostart Worm)
    This virus may affect the computer in a way that would look like a hard disk or logic board failure. Test the computer after starting up from a startup CD-ROM disc (since the virus cannot affect a CD-ROM). If the computer is functioning normally, run an anti-virus application that has been updated to detect and destroy this virus. Many public domain utilities are now available to detect this new virus.


    When I play audio tracks on enhanced CD (CD Plus or CD+) format CD-ROM discs, the music will stop playing when I access other applications from the Finder, or won't play at all. This does not happen with audio-only CDs.
    These symptoms can also occur with standard audio CD-ROM discs that are not multisession enhanced CDs if the Hong Kong Virus, aka Autostart Worm, has infected the computer's drives.


    Symptoms may include:
    • Intermittent crashing
    • Data on the disk being constantly corrupted
    • Large files becoming corrupted
    • System restarts when a floppy disk is inserted.
    • Audio tracks on enhanced CD (CD Plus or CD+) format CD-ROM discs stop playing when you access other applications from the Finder, or won't play at all. This does not happen with audio-only CDs.

    A quick way to look for this virus, if you have System 7.5 or later, is to choose Find from the File menu while the Finder is active and follow these steps:
      1. Press and hold the option key.
      2. Click name and choose visibility from the pop-up menu.
      3. Click More Choices.
      4. Click contains and choose doesn't contain from the pop-up menu.
      5. Type "icon" in the text field.
      6. Click More Choices.
      7. Click size and choose file type from the pop-up menu.
      8. In the text field enter the file types listed below, for example, (APPL or appe).
      9. Click Find.

    Look for invisible files with these names:
    • DB (file type APPL) [do not confuse with Desktop db]
    • Desktop Print Spooler (file type appe) [do not confuse with Desktop Printer Spooler]
    • BD (file type APPL) [present in a mutated form of the virus]

    Please be aware that as this virus spreads it can be "mutated" to change the file names of the hidden files.
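The Find criteria in the nine steps above, plus the three file names, amount to a small detection rule. The following Python script is an added example (not part of the original article or of any Apple tool): it applies the same criteria (invisible, name does not contain "icon", file type APPL or appe) to a constructed catalog snapshot and then separates exact name matches from other invisible APPL/appe files, which is where a renamed ("mutated") copy would show up. The catalog entries, including the harmless "Desktop DB" and "Desktop Printer Spooler" look-alikes, are constructed for the example; on a real volume the name, type and invisible flag would be read from the Finder information of each file.

```python
# Added example: apply the article's Finder "Find" criteria to a catalog
# snapshot and report known Autostart file names separately from other
# invisible APPL/appe files (possible renamed variants).

# Constructed catalog snapshot: (file name, file type, invisible flag).
# Not taken from the article; the two "Desktop ..." entries are the
# legitimate files the article warns not to confuse with the virus files.
CATALOG = [
    ("Desktop DB", "BTFL", True),               # legitimate Finder database
    ("Desktop DF", "DTFL", True),               # legitimate Finder database
    ("DB", "APPL", True),                       # listed virus file
    ("Desktop Print Spooler", "appe", True),    # listed virus file
    ("Desktop Printer Spooler", "appe", False), # legitimate, visible
    ("Icon\r", "icon", True),                   # custom folder icon file
    ("SimpleText", "APPL", False),              # ordinary visible application
    ("QX", "APPL", True),                       # constructed: invisible, unlisted name
]

# (name, type) pairs the article lists for the Hong Kong / Autostart virus.
KNOWN_AUTOSTART_FILES = {
    ("DB", "APPL"),
    ("Desktop Print Spooler", "appe"),
    ("BD", "APPL"),
}

FIND_TYPES = ("APPL", "appe")


def find_criteria(entries):
    """Steps 1-9 of the article: visibility = invisible, name doesn't
    contain 'icon' (Finder's Find is case-insensitive), file type is
    APPL or appe."""
    return [
        (name, ftype, invisible)
        for name, ftype, invisible in entries
        if invisible and "icon" not in name.lower() and ftype in FIND_TYPES
    ]


def classify(entries):
    """Split the Find results into exact matches on the listed names and
    other hits, which deserve a look because the article notes the virus
    can spread under changed file names."""
    hits = {"known": [], "possible_variant": []}
    for name, ftype, _ in find_criteria(entries):
        if (name, ftype) in KNOWN_AUTOSTART_FILES:
            hits["known"].append(name)
        else:
            hits["possible_variant"].append(name)
    return hits


if __name__ == "__main__":
    result = classify(CATALOG)
    print("Listed virus files present:   ", result["known"])
    print("Other invisible APPL/appe:    ", result["possible_variant"])
```

The second bucket is the important one for a mutated copy: an invisible application or background-only application (appe) that is not a listed name and is not something you installed is exactly what the Find criteria exist to surface.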

    This virus attaches itself to any write enabled disk inserted in an affected computer and is activated by the Enable CD-ROM AutoPlay feature built into QuickTime. Deselecting the Enable CD-ROM AutoPlay checkbox in the QuickTime Settings control panel should stop the virus from spreading to other write enabled disks, however, this action does not remove the virus. When activated it creates an invisible extension that allows the virus to spread to other disks. The virus works slowly to corrupt data in the files on the hard disk, eventually destroying the files. It does not affect 680x0 computers since this virus is PowerPC processor code.

    For more information, use this URL: "http://www.macintouch.com/hkvirus.html"


    The Scores Virus
    You can be almost positive your system has been infected by the Scores virus if the icons of your Note Pad file and Scrapbook file look like document icons instead of system icons. Launch ResEdit and look in your System folder. If you see files called "Desktop" and "Scores" you can be 99% sure that you have the Scores virus.

    How Scores Spreads and What It Does

    The Scores virus is relatively harmless. The initial infection is caused by an application with a modified CODE ID = 0 resource, and an additional CODE resource (first unused ID number plus 1). When the 'carrier' application is launched, the CODE ID = 0 resource runs the virus installer code. This code checks for previous installation of the Scores virus. If the virus is not there, the virus files are installed. The virus consists of three INITs, one atpl, and one DATA resource found in the files listed below:
    FILE                   TYPE   CREATOR   RESOURCES          SIZE
    Desktop (invisible)    INIT   FNDR      atpl: ID = 128     2410 bytes
                                            DATA: ID = -4001   7026 bytes
                                            INIT: ID = 10      1020 bytes
    Note Pad File          INIT   ZSYS      INIT: ID = 6        772 bytes
    Scores (invisible)     RDEV   ZSYS      atpl: ID = 128     2410 bytes
                                            DATA: ID = -4001   7026 bytes
                                            INIT: ID = 10      1020 bytes
    Scrapbook File         RDEV   ZSYS      INIT: ID = 6        772 bytes
                                            INIT: ID = 17       480 bytes
    System File            ZSYS   MACS      atpl: ID = 128     2410 bytes
                                            DATA: ID = -4001   7026 bytes
                                            INIT: ID = 6        772 bytes
                                            INIT: ID = 10      1020 bytes
                                            INIT: ID = 17       480 bytes

    If the Note Pad and Scrapbook files do not exist, they are created. If they exist, the type and creator of the files are altered to those listed above, and the corresponding resources are added to the files. The files still appear to function normally with the Note Pad and Scrapbook DAs, but their icons change to document icons. The Desktop and Scores files are invisible, and are created during the infection process.

    The next time the infected system is rebooted, the INITs are loaded into memory and are ready to infect other applications. The INITs install a VBL task that actually modifies and installs resources into an application. After an application has been launched, an internal timer is started. Somewhere between two and three minutes later, the open application is infected and becomes a carrier. A new CODE resource is added to the infected application, and the application's CODE ID = 0 resource is modified to execute the new CODE resource first, then continues with the application.

    To determine if an application is infected, examine the CODE ID = 0 resource. If the eleventh word of the resource (third word on the third line in the ResEdit listing) is NOT "0001", the application is suspect. If that word is something other than "0001", convert the value to its decimal equivalent (the numbers are in hexadecimal). Then determine the resource number of the CODE resource at the top of the ResEdit resource list. If these numbers are the same, the application is probably infected, and should be replaced. Some applications will appear to be infected even though they are not. If the eleventh word of CODE ID = 0 is not 1, check the tenth word; if it is '4EED' the application is most likely not infected.

    How to Get Rid of the Scores Virus

    It is not hard to remove this virus from a system, but it may take some time. Follow the steps below:
      1. Use Font/DA Mover to copy all fonts and DAs that you do not have backups of to font and DA suitcase files (this virus does not attach itself to DAs).
      2. Start the system from a locked, not infected, floppy disk.
      3. Throw away the System folder on the infected disk.
      4. Use ResEdit to identify all suspect applications on the infected disk.
      5. Make a list of all suspect applications.
      6. Throw all suspect applications in the trash, and empty the trash.
      7. Reinstall the system software from a known good System Tools installer disk.
      8. Using locked masters, recopy any applications that were deleted from the infected disk (it is important to verify that the master disks have not been infected).
      9. You're all done.


    The nVIR Virus
    How the nVIR Virus Spreads and What It Does

    The nVIR virus is similar to the Scores virus in many ways. It does not appear to have malicious intent and is relatively harmless. Initial infection of a system is also caused by an application with a modified CODE ID = 0 resource. When a nVir carrier application is launched, the virus' code segment is executed first. This code checks for its INIT in the System File, and if it doesn't find it, the code copies the INIT there. Along with the INIT resource, eight 'nVIR' resources (0-7) are added to the System file.

    The next time the system is restarted, the INIT ID = 32 is loaded into memory and tries to infect every application that is launched. The nVir virus adds a CODE ID = 256 resource and modifies the CODE ID = 0 so that the nVir code is executed first.

    Again, infection of an application is determined by examination of the CODE ID = 0 resource. If the eleventh word of the resource (third word on the third line in the ResEdit listing) is NOT "0001", the application is suspect. If that word is something other than "0001", convert the value to its decimal equivalent (the numbers are in hexadecimal). Then determine the resource number of the CODE resource at the top of the ResEdit resource list. If these numbers are the same, the application is probably infected, and should be replaced. Some applications will appear to be infected even though they are not. If the eleventh word of CODE ID = 0 is not 1, check the tenth word; if it is '4EED' the application is most likely not infected. The tenth word normally contains '3F3C'.
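The CODE ID = 0 check is described twice above, once for Scores and once for nVIR, and it is the same heuristic both times. The Python below is an added example, not from the article or from Apple: it encodes that heuristic over a CODE 0 resource given as bytes. It relies on the classic 68K CODE 0 layout (a 16-byte header followed by 8-byte jump-table entries of the form routine offset, 3F3C, segment number, A9F0), which is why the tenth word is normally 3F3C and the eleventh word is the segment number the first entry loads; 4EED in the tenth word is a JMP d16(A5), the form a jump-table entry takes after _LoadSeg has patched it, which is why the article treats it as a false alarm. The sample resources are constructed, the four-words-per-line rendering mirrors "third word on the third line", and the ID of the CODE resource at the top of the ResEdit list is passed in as a parameter since the script cannot read ResEdit's window.

```python
import struct

# Added example: the Scores/nVIR CODE ID = 0 heuristic from the article.
# Assumed layout (standard 68K CODE 0): 16-byte header of four 32-bit
# fields, then 8-byte jump-table entries: offset, 3F3C, segment, A9F0.
# Header field values below are constructed and do not affect the check.
HEADER = struct.pack(">IIII", 0x00000020, 0x00000400, 0x00000008, 0x00000020)

# Constructed sample resources (not real applications):
CLEAN_CODE0 = HEADER + bytes.fromhex("0000 3F3C 0001 A9F0")      # loads segment 1
NVIR_LIKE_CODE0 = HEADER + bytes.fromhex("0000 3F3C 0100 A9F0")  # loads segment 256
LOADED_CODE0 = HEADER + bytes.fromhex("0012 4EED 0040 A9F0")     # entry already patched by _LoadSeg
ODD_CODE0 = HEADER + bytes.fromhex("0000 3F3C 0003 A9F0")        # loads segment 3


def words(code0: bytes):
    """Split the resource into big-endian 16-bit words; the article counts
    them 1-based, Python indexes them 0-based."""
    n = len(code0) // 2
    return list(struct.unpack(">%dH" % n, code0[: n * 2]))


def resedit_rows(code0: bytes, per_row: int = 4):
    """Render the resource as lines of hex words, four per line (assumed),
    so that 'third word on the third line' can be located as described."""
    w = words(code0)
    return [" ".join("%04X" % x for x in w[i:i + per_row]) for i in range(0, len(w), per_row)]


def classify_code0(code0: bytes, top_code_id: int) -> str:
    """Return 'clean', 'probably clean', 'suspect' or 'probably infected'.

    top_code_id is the ID of the CODE resource at the top of the ResEdit
    resource list, read off by hand as the article instructs."""
    w = words(code0)
    if len(w) < 11:
        raise ValueError("CODE 0 is too short to contain a jump-table entry")
    tenth, eleventh = w[9], w[10]
    if eleventh == 0x0001:
        return "clean"                    # first entry loads segment 1, as expected
    if tenth == 0x4EED:
        return "probably clean"           # entry was saved in its loaded (JMP) form
    if eleventh == top_code_id:           # hex value, in decimal, matches the top CODE ID
        return "probably infected"
    return "suspect"


if __name__ == "__main__":
    for label, res, top in [("clean", CLEAN_CODE0, 1), ("nVIR-like", NVIR_LIKE_CODE0, 256),
                            ("loaded", LOADED_CODE0, 18), ("odd", ODD_CODE0, 256)]:
        third_word_third_line = resedit_rows(res)[2].split()[2]
        print("%-10s word 11 = %s (decimal %d) -> %s" % (
            label, third_word_third_line, int(third_word_third_line, 16),
            classify_code0(res, top)))
```

The decimal conversion step in the article is the `int(..., 16)` call: for the nVIR-like sample, 0100 hexadecimal is 256, the ID of the CODE resource nVIR adds, so the two numbers agree and the sample is flagged.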

    When launching an infected application, there is a one in sixteen chance that you will hear a short system beep. We have been told that if MacinTalk is installed you will hear the words "don't panic".

    How to Get Rid of the nVIR Virus

    Remove the nVIR virus the same way you remove the Scores virus except you do not need to throw away all of the files in the System Folder; just throw away the System file.


    The MacMag Virus
    We don't have much information regarding the MacMag virus. It was apparently uploaded to CompuServe, inside a HyperCard stack, in the form of an XCMD, and it installed an INIT ID = 6 with a name of 'RR'. Its sole purpose in life was to display a "universal message of peace" on your computer on March 2, 1988. The virus removed itself after displaying this message and should be of little concern now.


    SAFEGUARDING YOUR SYSTEMS

    What Makes Our System Susceptible to Viruses

    The various mechanisms described in part 2 of this article make our system easy to infiltrate by a virus. Remember that it is those same mechanisms that add to the flexibility and "look and feel" of the Macintosh. For instance, the INIT mechanism is used by mail systems to load their code in. AppleShare uses the INIT mechanism to mount network volumes at boot time.

    Why Vaccine Works in This Case, But Is Easy to Bypass

    Vaccine, a public domain INIT written to block viruses, does a good job of alerting you when the three known viruses are trying to infect your system. The problem with Vaccine: once a cure is found for one set of viruses, a new strain may appear that knows how to bypass the existing defenses.

    Some Suggestions
    • Lock your master floppy disks: Always keep original "Master" disks locked. This prevents a virus from spreading to your original disks. Our disk locking mechanism is hardware based -- viruses can't infect locked disks!
    • Protect your networks: Network administrators should not allow just anyone to put software on the server. Applications on a network server should come only from known good masters.
    • Be wary of public domain software: Public domain software should be checked quite thoroughly on a floppy-based system for any infections before being copied to a hard disk base system. This will also protect you from any "Trojan Horse" programs such as "Sexy Ladies."
    • Quarantine infected systems: If you identify a system as being infected with a virus, immediately isolate (quarantine) it from other systems. This means disconnecting it from any network and not allowing anyone to take any files from the exposed system to another system. Once the system has been 'disinfected', you can allow the files to be copied or moved.
    • Use ResEdit: ResEdit is a good tool to look for viruses on your disks. There is very little that can be hidden from ResEdit, so you can use it to remove troublemaking files and resources.

Document Information
Product Area: Apple Software
Category: Virus Detection Software & Information
Sub Category: Computer Viruses

Copyright © 2000 Apple Computer, Inc. All rights reserved.