========================================================================
==               Computer Virus Catalog (Version 1.2)                 ==
==               *** 20 Macintosh Viruses/Clones ***                  ==
========================================================================
== Status: July 15, 1991                                              ==
== Classified: 10 Macintosh-Viruses (MACVIR.790): July 20, 1990       ==
== ==NEW>    +  9 Macintosh-Viruses (MACVIR.791): July 15, 1991       ==
==           +  1 Macintosh Trojan Horse        (      "       )      ==
========================================================================
== List of Macintosh Viruses:                                   =Doc= ==
==   --------------------------                                 =---= ==
==      1) AIDS Clone (nVIR B Strain)                           =790= ==
==      2) Aladin Virus (Frankie Strain)                        =790= ==
==   +  3) CDEF Virus                                           =791= ==
==      4) Frankie Virus (Frankie Strain)                       =790= ==
==      5) fuck Clone (nVIR B Strain)                           =790= ==
==      6) Hpat Clone (nVIR B Strain)                           =790= ==
==   +  7) INIT 29 Virus                                        =791= ==
==      8) Jude Clone (nVIR B Strain)                           =790= ==
==   +  9) MDEF A = Garfield Virus (MDEF Strain)                =791= ==
==   + 10) MDEF B = Top Cat Virus (MDEF Strain)                 =791= ==
==     11) MEV# Clone (nVIR B Strain)                           =790= ==
==     12) nFLU Clone (nVIR B Strain)                           =790= ==
==     13) nVIR A Virus (nVIR Strain)                           =790= ==
==     14) nVIR B Virus (nVIR B Strain)                         =790= ==
==   + 15) nVir C Virus (nVir Strain)                           =791= ==
==   + 16) STEROID INIT Trojan                                  =791= ==
==   + 17) WDEF Virus                                           =791= ==
==   + 18) ZUC A Virus (ZUC Strain)                             =791= ==
==   + 19) ZUC B Virus (ZUC Strain)                             =791= ==
==   + 20) 2-Tunes (=HC=HyperCard) Virus                        =791= ==
==                                                                    ==
== Next edition will classify ANTI A, ANTI A Variant, ANTI B, MacMag, ==
== MDEF C, MDEF D, SCORES and WDEF B (planned: October 1991)          ==
========================================================================

======= Computer Virus Catalog 1.2: "CDEF" Virus (15-July-1991) ======
Entry...............: "CDEF" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: August 1990
              where.: New York
Classification......: File infector (Desktop only)
Length of Virus.....: Resource fork extension: 510 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: Additional CDEF 1 resource in Desktop file;
                      Desktop shouldn't have one.
Resource pattern....: Desktop File: CDEF 1 1836 Bytes
Type of infection...: Virus copies itself to all Desktop files on the
                      first three connected volumes.
Infection trigger...: Executing an infected Desktop file
Applications affected: Desktop files only
Traps intercepted...: ---
Damage..............: ---
Damage Trigger......: ---
Peculiarities.......: ---
Similarities........: WDEF
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1. Removal of CDEF 1 from all Desktop files:
                      Copy Desktop to another file and cut off the
                      CDEF 1 resource, delete the original Desktop
                      file and rename the cleaned copy to Desktop.
                      The Desktop file is always active, so copying
                      and renaming must be done by special file
                      utilities such as the file tools DA.
                      2. Create a new Desktop file by pressing the
                      Option and Command keys when opening a volume.
                      This method can be rather time consuming on a
                      full hard disk, and information in the comment
                      field of file information is lost.
Countermeasures/software: 1. Use a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant (can't
                      remove it) to scan for CDEF's signature.
                      2. Use the protection INIT called Eradicat'Em
                      that prevents CDEF (and WDEF) infection.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "CDEF" Virus ============================

===== Computer Virus Catalog 1.2: "INIT 29" Virus (15-July-1991) =====
Entry...............: "INIT 29" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: 1988
              where.: USA
Classification......: All files
Length of Virus.....: Resource fork extension: 712 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: Additional INIT 29 resource in System file;
                      garbage may appear as resource name, or resource
                      name ""; in both cases (CODE,INIT)
Resource pattern....: System File:  INIT ID 29  712 Bytes
                      Application:  CODE        712 Bytes
                                    ID is the first free ID number
                                    starting from 1
                      Files without CODE resources get an INIT 29
                      resource
Type of infection...: File and Application infector (not DESKTOP)
Infection trigger...: Executing an infected file
Applications affected: All
Traps intercepted...: OpenResFile
Damage..............: Overwrites an existing INIT 29 resource
Damage Trigger......: ---
Peculiarities.......: ---
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures/direct: ---
Countermeasures/software: Use of a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant to scan for
                      the virus signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "INIT 29" Virus ==========================

====== Computer Virus Catalog 1.2: "MDEF A" Virus (15-July-1991) =====
Entry...............: "MDEF" A Virus
Alias(es)...........: "Garfield" Virus
Virus Strain........: MDEF Virus Strain
Virus detected when.: May 1990
              where.: New York, USA
Classification......: Link virus
Length of Virus.....: 314 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: System 4.1 or greater
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes -------------------------------------
Easy Identification.: MDEF Resource with ID 3842 in System file
                      MDEF Resource named "Garfield"
Resource pattern....: MDEF Resource named "Garfield"
Type of infection...: Adding (and renaming) a MDEF resource
Infection trigger...: Executing an infected file.
Applications affected: All + System
Traps intercepted...: ---
Damage..............: ---
Damage Trigger......: ---
Peculiarities.......: If SAM Intercept is present, it will allow
                      changing the ID of MDEF 0 to 3842 but will
                      prevent the addition of the MDEF "Garfield"
                      resource; this causes the computer to hang if
                      a menu item is clicked.
Similarities........: MDEF variants
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1) System: Removal of the MDEF resource named
                      "Garfield" and changing the ID of MDEF 3842
                      back to 0 with ResEdit.
                      2) Applications: Remove the MDEF 0 "Garfield"
                      resource.
Countermeasures/software: Use a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant to scan for
                      virus signatures.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "MDEF A" Virus ==========================

====== Computer Virus Catalog 1.2: "MDEF B" Virus (15-July-1991) =====
Entry...............: "MDEF" B Virus
Alias(es)...........: "Top Cat" Virus
Virus Strain........: MDEF Virus Strain
Virus detected when.: May 1990
              where.: New York, USA
Classification......: Link virus
Length of Virus.....: 532 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: System 4.1 or greater
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes -------------------------------------
Easy Identification.: MDEF Resource with ID 8573 in System file
                      MDEF Resource named "Top Cat"
Resource pattern....: MDEF Resource named "Top Cat"
Type of infection...: Adding (and renaming) a MDEF resource
Infection trigger...: Executing an infected file.
Applications affected: All + Documents used by current application
Traps intercepted...: ---
Damage..............: ---
Damage Trigger......: ---
Peculiarities.......: If SAM Intercept is present, it will allow
                      changing the ID of MDEF 0 to 8573 but will
                      prevent the addition of the MDEF "Top Cat"
                      resource; this causes the computer to hang if
                      a menu item is clicked.
                      The virus searches memory locations 2 to
                      200,000 for the string "MDEF"+$67+$26+$0C;
                      when found, the virus changes "MDEF" to "WDEF".
Similarities........: MDEF variants
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1) System: Remove the MDEF resource named
                      "Top Cat" and change the ID of MDEF 8573 back
                      to 0 with ResEdit.
                      2) Applications and documents: Remove the
                      MDEF 0 "Top Cat" resource.
Countermeasures/software: Use a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant to scan for
                      virus signatures.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "MDEF B" Virus ==========================

====== Computer Virus Catalog 1.2: "nVIR C" Virus (15-July-1991) =====
Entry...............: "nVIR C" Virus
Alias(es)...........: ---
Virus Strain........: nVIR Virus Strain
Virus detected when.: July 1991
              where.: USA
Classification......: Application and System file infector
Length of Virus.....: Resource fork extension: 3916 bytes (Application)
                                               3934 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes -------------------------------------
Easy Identification.: 1. Characteristic nVIR auxiliary resources
                      2. CODE 0 Jump table entry 1 changed to
                         0000 3F3C 0100 A9F0
Resource pattern....: System File      Application     Common to both
                      INIT 32   416b   CODE 256 788b   nVIR 1   428b
                      nVIR 0      2b   nVIR 2     8b   nVIR 6    66b
                                                       nVIR 4   788b
                                                       nVIR 3   416b
                                                       nVIR 7  2106b
                                                       nVIR 5     8b
Type of infection...: 1. An infected application copies the viral
                      resources to the system file, adding nVIR 3 as
                      an INIT 32 resource; an nVIR 0 counter resource
                      is added and set to 1000; a dummy jump table
                      entry for an infected application is added as
                      nVIR 5.
                      2. On reboot, the INIT 32 resource is executed,
                      causing the TEInit trap to be patched.
                      3. Any application launched subsequently which
                      calls this trap will be infected by the addition
                      of viral nVIR resources and a CODE 256 resource.
                      4. The application entry point in the CODE 0
                      jump table is saved as nVIR 2; the original
                      entry is replaced by the stored nVIR 5 entry.
                      Launching the application will then cause the
                      viral CODE 256 resource to be executed,
                      following which the viral code will invoke the
                      host application via the stored jump table
                      entry.
Infection trigger...: All applications calling the TEInit trap will
                      cause attempted infection.
Applications affected: All applications with a non-readonly resource
                      fork and an unprotected CODE 0 resource will be
                      infected.
Traps intercepted...: TEInit
Damage..............: Permanent damage: ---
                      Transient damage: Virus occasionally beeps.
Damage Trigger......: The counter nVIR 0 resource is set to 1000 on
                      first infection of the system; this counter is
                      decremented by 1 on system reboot, and by 2 each
                      time an infected application is run; when the
                      counter = 0, the virus will beep in 1 of 8
                      reboots, and in 1 of 4 infected application
                      launches.
Peculiarities.......: 1. An nVIR 10 resource in the system file will
                      prevent infection by this virus.
                      2. Applications calling OpenResFile prior to
                      TEInit will be damaged.
                      3. The virus will hybridise with other variants
                      of the nVIR strain.
Similarities........: The code of all resources is identical to nVIR B
                      except the nVIR 4 resource in the system file
                      and the CODE 256 resource in applications.
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1. Removal of INIT 32 from the system file
                      will disinfect the system.
                      2. Copying the saved jump entry from nVIR 2 to
                      the first entry in the CODE 0 jump table will
                      disinfect an application.
Countermeasures/software: 1. Use a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant to scan for
                      the virus' signature.
                      2. Use a protection INIT such as Vaccine or
                      GateKeeper to trap Resource Manager calls.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "nVIR C" Virus ==========================

== Computer Virus Catalog 1.2: "Steroid INIT" Trojan (15-July-1991) ==
Entry...............: "Steroid INIT" Trojan horse
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.:
              where.:
Classification......: Trojan horse
Length of Trojan....: 78 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: ---
Type of infection...: Starting the Mac with Steroid INIT installed
Infection trigger...: see above
Media affected......: First 32768 volumes connected
Traps intercepted...: ---
Damage..............: Renaming all volumes to "Untitled" and
                      initialising the boot sector; all files and
                      directories are lost.
Damage Trigger......: Year > 1989 and month > 6
Peculiarities.......: ---
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures/direct: Delete all copies of Steroid INIT
Countermeasures/software: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "Steroid" Trojan ========================

======= Computer Virus Catalog 1.2: "WDEF" Virus (15-July-1991) ======
Entry...............: "WDEF" A Virus
Alias(es)...........: ---
Virus Strain........: WDEF Virus Strain
Virus detected when.: March 1991
              where.: Hannover, Germany
Classification......: File infector: Desktop only
Length of Virus.....: Resource fork extension: 1836 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: System 4.1 or greater
Computer model(s)...: Apple Macintosh: all models with ROM < 512K
--------------------- Attributes ------------------------------------
Easy Identification.: Additional WDEF 0 resource in Desktop file;
                      Desktop shouldn't have one.
Resource pattern....: Desktop File: WDEF 0 1836 Bytes
Type of infection...: Virus copies itself to all Desktop files on all
                      connected volumes.
Infection trigger...: Executing an infected Desktop file, provided a
                      random algorithm produces the value 1 (long)
                      and the SysEnvirons trap is available; the
                      random value is calculated using the RandomSeed
                      system variable.
Applications affected: Desktop files only
Traps intercepted...: Only during infection: Write, AddResource,
                      ChangedResource, WriteResource, UpdateResFile
Damage..............: Permanent damage: ---
                      Transient damage: Only when running under
                      MultiFinder.
                      Only the first launched application: if the
                      application has a menu that displays font-size
                      information using the system, available font
                      sizes are no longer displayed outlined; all
                      sizes are displayed in normal style. Switching
                      between applications doesn't change the first
                      application's behavior.
Damage Trigger......: Running an infected Desktop file.
Peculiarities.......: No infection on systems without SysEnvirons
Similarities........: CDEF
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1. Removal of WDEF 0 from all Desktop files:
                      Copy Desktop to another file and cut off the
                      WDEF 0 resource, delete the original Desktop
                      file and rename the cleaned copy to Desktop.
                      The Desktop file is always active, so copying
                      and renaming must be done with special file
                      utilities such as the file tools DA.
                      2. Create a new Desktop file by pressing the
                      Option and Command keys when opening a volume.
                      This can be very time consuming on a full hard
                      disk, and information in the comment field of
                      file information is lost.
Countermeasures/software: 1. Use of a commercial anti-viral product or
                      a public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant (can't
                      remove it) to scan for the virus signature.
                      2. Use the protection INIT called Eradicat'Em
                      that prevents WDEF (and CDEF) infection.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "WDEF" Virus ============================

====== Computer Virus Catalog 1.2: "ZUC A" Virus (15-July-1991) ======
Entry...............: "ZUC A" Virus
Alias(es)...........: ---
Virus Strain........: ZUC Virus Strain
Virus detected when.: March 1990
              where.: Italy
Classification......: Link virus (most files of type "APPL")
Length of Virus.....: Resource fork extension: 1256 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: System 4.1 or greater
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: The last 4 bytes of CODE ID 1 are "CODE"
Resource pattern....: The size of an existing CODE 1 resource is
                      increased by 1256 bytes.
Type of infection...: Extending the existing CODE 1 resource and
                      changing the jump table to point to the virus.
Infection trigger...: Executing an infected file between November 1,
                      1989 at 16:18:44 and the last infection date
                      stored in the virus. This virus has two
                      different infection strategies:
                      1. With a probability of 15/16, the virus
                      searches for an uninfected application by
                      scanning all accessible Desktop files for
                      resources of type "APPL" and infects the first
                      one found.
                      2. With a probability of 1/16, the virus uses a
                      recursive search to find an uninfected
                      application on all connected volumes (such as
                      AppleShare).
                      Strategy #2 is chosen if the value of the
                      system variable Time is a multiple of 16.
Applications affected: All files of type "APPL" with a CODE 1 resource
                      > 32 Bytes and CODE 1 + Virus < 32,768 Bytes and
                      a creator different from the following ones:
                      SpDo, XPRS, DFCT, VGDt, VIRy, OMEG
Traps intercepted...: Values of traps changed by antivirus programs
                      are noticed by the virus and the traps are
                      patched back to the original routines:
                      SetFileInfo, ChangedResource, SetResAttr.
                      After infection period: VBL.
Damage..............: Permanent damage: Changing the desktop pattern
                      in some cases (see: Peculiarities)
                      Transient damage: VBL routine to bounce the
                      cursor whenever the mouse button is pressed.
Damage Trigger......: Running an infected file after the last
                      infection date stored in the virus.
Peculiarities.......: Virus changes bit 7 of SpMisc2 in parameter RAM;
                      the computer will hang if there is no RAM for
                      the VBL task in the system heap.
Similarities........: ZUC B, C
--------------------- Agents -----------------------------------------
Countermeasures/direct: ---
Countermeasures/software: Use a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant to scan for
                      the virus' signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "ZUC A" Virus ============================

====== Computer Virus Catalog 1.2: "ZUC C" Virus (15-July-1991) ======
Entry...............: "ZUC C" Virus
Alias(es)...........: ---
Virus Strain........: ZUC Virus Strain
Virus detected when.: June 1991
              where.: Italy
Classification......: Link virus (most files of type "APPL")
Length of Virus.....: Resource fork extension: 1324 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: System 4.1 or greater
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes -------------------------------------
Easy Identification.: The last 4 bytes of the CODE resource which is
                      the 1st entry in the jump table are
                      "CO"+$BA+$BB with $BABB = "DE" exclusive or
                      $FFFF.
Resource pattern....: The size of the first CODE resource in the jump
                      table is increased by 1324 bytes.
Type of infection...: Extending the existing CODE resource and
                      changing the jump table to point to the virus.
Infection trigger...: Executing an infected file between August 13,
                      1990 at 13:13:13 and the last infection date
                      stored in the virus. This virus has two
                      different infection strategies:
                      1. With a probability of 15/16, the virus
                      searches for an uninfected application by
                      scanning all accessible Desktop files for
                      resources of type "APPL" and infects the first
                      one found.
                      2. With a probability of 1/16, the virus uses a
                      recursive search to find an uninfected
                      application on all connected volumes (such as
                      AppleShare).
                      Strategy #2 is chosen if the value of the
                      system variable Time is a multiple of 16.
Applications affected: All files of type "APPL" with a CODE resource
                      of the type described under Resource pattern,
                      with size > 32 Bytes and CODE resource + Virus
                      < 32,768 Bytes and a creator different from the
                      following ones: SpDo, XPRS, DFCT, VGDt, VIRy,
                      OMEG, FEVr, PLUS, VICM.
Traps intercepted...: Values of traps changed by antivirus programs
                      are noticed by the virus and the traps are
                      patched back to the original routines:
                      SetFileInfo, ChangedResource, SetResAttr.
                      After infection period: VBL interrupt.
Damage..............: Permanent damage: ---
                      Transient damage: VBL routine to bounce the
                      cursor whenever the mouse button is pressed.
Damage Trigger......: Running an infected file after the last
                      infection date stored in the virus.
Peculiarities.......: The computer will hang if there is no RAM for
                      the VBL task in the system heap.
Similarities........: ZUC A, B
--------------------- Agents -----------------------------------------
Countermeasures/direct: ---
Countermeasures/software: 1. Use a commercial anti-viral product or a
                      public domain utility such as Virus Detective,
                      VirusRx, Interferon or Disinfectant (>=2.5) to
                      scan for the virus' signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 15-July-1991
Information Source..: ---
===================== End of "ZUC C" Virus ============================

===== Computer Virus Catalog 1.2: "2-Tunes" Virus (15-July-1991) =====
Entry...............: 2-Tunes Virus
Alias(es)...........: (= HC = HyperCard Virus)
Virus Strain........: ---
Virus detected when.: 28 March 1991
              where.: MacClub Benelux, Büllingen (Belgium)
Classification......: HyperCard stack infector (written in HyperTalk)
Length of Virus.....: 3359 Bytes (in HyperTalk)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary and HyperCard
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models with 128 KByte ROM
--------------------- Attributes ------------------------------------
Easy Identification.: 1) Text messages in the virus:
                         "Hey what are you doing?", "Don't panic"
                      2) Name of damage routine: "eleven".
Resource pattern....: ---
Type of infection...: Virus infects HyperCard stack scripts.
Infection trigger...: Virus will infect other stack scripts at any
                      time, but on a German system not between
                      November 11th and November 30th, and not from
                      December 11th to December 31st. On English
                      systems, this virus infects at any time.
Applications affected: All HyperCard stacks
Traps intercepted...: ---
Damage..............: Transient damage: the following visual/acoustic
                      effects appear:
                      1) If the damage routine is active, the message
                      "Hey, what are you doing ?" appears 17 seconds
                      after start.
                      2) After 2 minutes, the tune "Muß i denn ...", a
                      German folksong popularized by Elvis Presley, is
                      played; this is repeated every 4 minutes.
                      3) 4 minutes after activation, the song "Behind
                      the blue mountains" is played; the system may
                      shut down after this tune.
                      4) 1 minute later, the virus displays HyperCard's
                      popup menus 'toolbox' and 'pattern'. If a user
                      closes these menus, they will be reopened every
                      minute.
                      5) 15 minutes after activation, the message
                      "Don't panic" will appear.
                      Permanent damage: ---
Damage Trigger......: Virus damage is active on systems with a German
                      calendar if the date is between November 11th
                      and 30th, or between December 11th and 31st,
                      both in years between 1991 and 1999; no damage
                      will appear on systems with an English calendar.
                      Damage starts 17 seconds after activating an
                      infected stack.
Peculiarities.......: ---
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures/direct: Manual search and deleting the virus by hand
Countermeasures/software: ---
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Thomas Piehl, Ralf Stegen
Documentation by....: Ralf Stegen
Date................: 15-July-1991
Information Source..: ---
===================== End of "2-Tunes" Virus =========================

========================================================================
== The Computer Virus Catalog may be copied free of charges provided  ==
== that the source is properly mentioned at any time and location     ==
== of reference.                                                      ==
==                                                                    ==
== Editor: Virus Test Center, Faculty for Informatics                 ==
==         University of Hamburg                                      ==
==         Schlueterstr. 70, D2000 Hamburg 13, FR Germany             ==
==         Prof. Dr. Klaus Brunnstein, Wolf-Dieter Jahn               ==
==         Tel: (040) 4123-4158 (KB), -4133 (WDJ), -4162 (Secr.)      ==
==         Email (EAN/BITNET): Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de ==
========================================================================
== Critical and constructive comments as well as additions are        ==
== appreciated. Especially, descriptions of recently detected viruses ==
== will be of general interest. To receive the Virus Catalog Format,  ==
== please contact the above address.                                  ==
========================================================================
========================================================================
==                    End of MacVIR.791 document                      ==
==                      (641 Lines, 37 kBytes)                        ==
========================================================================
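The entries above give each virus's resource-level indicators (CDEF 1 or WDEF 0 in a Desktop file, INIT 29 or INIT 32 plus an nVIR 0 counter in the System file, a MDEF named "Garfield" or "Top Cat" next to the renumbered MDEF 3842/8573, nVIR C's rewritten CODE 0 jump table entry 0000 3F3C 0100 A9F0, and ZUC A's trailing "CODE" bytes in CODE 1). The following Python scanner is an added example, not part of the catalog or of the Virus Test Center's tooling: it parses a Macintosh resource fork and applies those indicators; build_resource_fork and the forks it produces are constructed test inputs, not copies of any virus.

```python
import struct

# Resource fork layout (Inside Macintosh, Resource Manager) as read below:
#   header = data offset, map offset, data length, map length (4 x uint32);
#   data area = uint32 length + bytes per resource; map = 16-byte header copy,
#   4-byte handle, 2-byte file ref, 2-byte attrs, 2-byte type-list and 2-byte
#   name-list offsets (from map start); type list = uint16 count-1 then 8-byte
#   entries (type, count-1, ref-list offset from type list); ref list = 12-byte
#   entries (id, name offset or -1, attr, 3-byte data offset, 4-byte handle).

NVIR_C_ENTRY = bytes.fromhex("00003f3c0100a9f0")  # CODE 0 jump entry 1 after nVIR C


def build_resource_fork(resources):
    """Serialise [(type, id, name_or_None, data)] into a fork; constructed test input only."""
    grouped, refs = {}, {}
    data_area, names = bytearray(), bytearray()
    for rtype, rid, name, data in resources:
        grouped.setdefault(rtype, []).append((rid, name, data))
    for rtype, entries in grouped.items():
        for rid, name, data in entries:
            name_off = -1
            if name is not None:  # names live in a Pascal-string list
                name_off, enc = len(names), name.encode("mac_roman")
                names += bytes([len(enc)]) + enc
            refs.setdefault(rtype, []).append((rid, name_off, len(data_area)))
            data_area += struct.pack(">I", len(data)) + data
    type_list_len = 2 + 8 * len(grouped)
    type_list = bytearray(struct.pack(">H", len(grouped) - 1))
    ref_lists = bytearray()
    for rtype, entries in refs.items():
        type_list += struct.pack(">4sHH", rtype, len(entries) - 1,
                                 type_list_len + len(ref_lists))
        for rid, name_off, data_off in entries:
            ref_lists += (struct.pack(">hh", rid, name_off) + b"\0"
                          + data_off.to_bytes(3, "big") + bytes(4))
    rmap = (bytes(16) + struct.pack(">IHHHH", 0, 0, 0, 28,
                                    28 + type_list_len + len(ref_lists))
            + type_list + ref_lists + names)
    header = struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), len(rmap))
    return header + bytes(240) + bytes(data_area) + bytes(rmap)


def parse_resource_fork(fork):
    """Return [(type, id, name_or_None, data)] for every resource in the fork."""
    data_base, map_base = struct.unpack(">II", fork[:8])
    tl_off, nl_off = struct.unpack(">HH", fork[map_base + 24:map_base + 28])
    tl, nl, out = map_base + tl_off, map_base + nl_off, []
    for i in range(struct.unpack(">H", fork[tl:tl + 2])[0] + 1):
        rtype, cnt, ref_off = struct.unpack(">4sHH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(cnt + 1):
            e = tl + ref_off + 12 * j
            rid, name_off = struct.unpack(">hh", fork[e:e + 4])
            d = data_base + int.from_bytes(fork[e + 5:e + 8], "big")
            length = struct.unpack(">I", fork[d:d + 4])[0]
            name = None
            if name_off != -1:
                n = nl + name_off
                name = fork[n + 1:n + 1 + fork[n]].decode("mac_roman")
            out.append((rtype, rid, name, fork[d + 4:d + 4 + length]))
    return out


def scan(fork, kind):
    """Apply the catalog's identification indicators to one fork of the given
    kind ('desktop', 'system' or 'application'); returns the matching entries."""
    res = parse_resource_fork(fork)
    ids = {(t, i) for t, i, _, _ in res}
    named = {(t, n) for t, _, n, _ in res if n is not None}
    hits = []
    if kind == "desktop":  # a Desktop file should carry neither definition proc
        if (b"CDEF", 1) in ids: hits.append("CDEF")
        if (b"WDEF", 0) in ids: hits.append("WDEF")
    elif kind == "system":
        if (b"INIT", 29) in ids: hits.append("INIT 29")
        if (b"INIT", 32) in ids and (b"nVIR", 0) in ids: hits.append("nVIR")
        if (b"MDEF", 3842) in ids and (b"MDEF", "Garfield") in named: hits.append("MDEF A")
        if (b"MDEF", 8573) in ids and (b"MDEF", "Top Cat") in named: hits.append("MDEF B")
    elif kind == "application":
        for t, i, n, d in res:
            # nVIR C rewrites jump table entry 1 (offset 16 in CODE 0) to run CODE 256
            if t == b"CODE" and i == 0 and d[16:24] == NVIR_C_ENTRY: hits.append("nVIR C")
            if t == b"CODE" and i == 1 and d[-4:] == b"CODE": hits.append("ZUC A")
            if t == b"MDEF" and i == 0 and n in ("Garfield", "Top Cat"):
                hits.append("MDEF A" if n == "Garfield" else "MDEF B")
    return hits
```

On a real volume the input is the file's resource fork (for example read from a disk image); a hit is a reason to quarantine the file and confirm with one of the scanners named in the entries, since a matching ID alone is not proof of infection.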