nVIR
nVIR
Type File virus
Creator
Date Discovered 1987.12
Place of Origin USA
Source Language Assembly
Platform MacOS
File Type(s) .com
Infection Length 3,550 or 3,568 bytes*
Reported Costs

nVIR is a virus for the Macintosh appearing in 1987. It has a number of variants, which appear to be capable of sexual reproduction. nVIR sometimes plays with the system's sound, either making the system beep or, if certain software is installed, makes the system talk. The virus was particularly long-lived, infecting systems as late as 1995 and was virulent on two continents.

Behavior

When a file infected with nVIR is executed, the virus infects the system file. When the system is booted, it begins infecting applications as they are executed. The system file is increased by 3,568 bytes and other programs are increased by 3,550 bytes.

The virus has a counter that determines when it executes its payload. This counter is initially set to 1000 and triggers the payload when it reaches 0. The counter is decremented by 1 every time the system is rebooted and by 2 every time an infected file is executed.

If a program named MacinTalk is installed, they payload will be an electronic voice saying "Don't panic", otherwise the computer beeps once or twice. There is a 1 in 16 chance of this happening when the computer is rebooted. It will happen 31 in 256 times every time an infected application is launched. It will beep twice or say "Don't panic" twice when an infected application is launched 1 in every 256 times.

Variants

nVIR.B is very similar, but they payload does not use MacinTalk, only the beep. The payload executes 1 in 8 times on a reboot, 15 in 64 times on an application launch and the double beep occurs 1 in every 64 times.

nVIR.Aids, Fuck, Hpat, Jude, Mev# and Nflu are very similar to nVIR.B. They were discovered in 1989 and 1990.

Origin

nVIR likely originated in the United States, but its state and city are uncertain. There was some speculation that it was originally taken from a Compuserve "sample virus" that was turned into a real problem.

Effects

nVIR and its variants were particularly virulent in the US and Canada. By January of 1989, the virus was known to have made it to Britain when an infected beta of MS Word was discovered to have it there. By March of that year, nVIR made it to Norway and Switzerland.

Universites were particularly hard hit with the virus. University of Pittsburgh had several infections. All Macs at the University of New Mexico's Albuquerque campus were infected. Penn State and Rutgers had such a major infection that it required a pretty lengthy clean up effort. Humber College in Toronto dealt with nVIR and only a short time later the Wdef virus. It was found at the Universites of Oregon, Virginia Commonwealth, Calgary, Alaska, Connecticut and Teesside Polytechnic.

The virus came accidentally installed with vendor software. Late in 1988, Quantum Leap Technologies released it with a "QLTech MEGA-ROM". The University of Michigan sold some distribution disks in July of 1993 infected with the virus. On the fifth of May in 1994, the American Vacuum Society released the Journal of Vacuum Science & Technology A&B (Second Series Volume 12, 1994) CD-ROM, which had infected files on it. A book on the HyperTalk language shipped with a disk infected with the virus. A Mainstay software disk contained a copy of the virus in a .sit archive. itself was at one point was accused of accidentally distributing the virus, though no specific incident was ever found.

The Aldus Corporation was hit with this virus, though unlike their encounter with Macmag, they did not release the virus accidentally in any of their software. The US Navy's David Taylor Research Center was infected with nVIR along with Scores some time in 1989.

Other Facts

nVIR variants appear to be capable of sexual reproduction. If one variant is present on a system and a second variant is executed, files infected with both will behave like the original infector, but contain code from both variants.

Sources

John Norstad. National Computer Security Association. VIRUS REPORT, nVIR. ncsa100 1990.05.22

David Ferbrache. Heriot-Watt University, Edinburgh, Computer Virus Catalog (Version 1.2). macvir.790 1990.03.12

Attrition.org, Errata - Certified Pre-0wned.

Hervey Allen, University of Oregon Computer Center. Virus-L nVir2 on the Mac. virlv2.065 1989.03.14

Joe McMahon. Virus-L, Re: Openness; Viruses and Software Companies; Insurance. log8808d 1988.08.23

Shawn V. Hernan. University of Pittsburgh Academic Computing. Virus-L log8810b 1988.10.11

Ken van Wyk, Joe McMahon. Virus-L, Aldus gets hit again. log8810c 1988.10.21

Mark Crane, Portland State University. Virus-L, nVIR—can it lurk in Pram? virl8042.doc 1995.04.19

David D. Grisham, University of New Mexico. Virus-L, Apple (Mac) Virus on our Campus, virlv1.002 1988.11.09

"In search of the perfect Taco". Virus-L, MACINTOSH virus(es). virlv1.020 1988.11.23

Greg Lypowy, University of Calgary. Virus-L, nVIR Strikes Again (Macintosh). virlv1.036 1988.12.06

Bill Pottenger, University of Alaska. Virus-L, nVir at University of Alaska. virlv1.040 1988.12.09

Jeff Wasilko, David Riddle. Virus-L, nVIR in UK version of MS Word 4 beta (Mac). virl2.008 1989.01.09

Christopher Tate, Penn State. Virus-L, Dealing with nVIR on a large scale (Mac) virlv2.054 1989.02.22

Anders Christensen, Norwegian Institute of Technology. Virus-L, nVIR infection on MAC. virlv2.066 1989.03.17

Markus Mueller, Eidgenoessische Technische Hochschule. Virus-L nVir2 on the Mac. virlv2.067 1989.03.18

Brian Bechtel, Apple. Virus-L, Re: nVIR at Apple (Mac). virlv2.069 1989.03.21

Gregg TeHennepe, Academic Computing and User Services Connecticut College. Virus-L, nVIR infection, other problems (Mac). virlv2.120 1989.05.18

John Norstad. Virus-L, WARNING: New Mac virus (reposted from comp.sys.mac). virlv2.170 1989.08.08

H3nry C. Schmitt. Virus-L, nVIR A Found on Book's Disk. virlv2.191 1989.09.12

Rob Schaeffer. Virus-L, Demo Disk from Mainstay (Mac). virlv4.117 1991.07.03

Kevin Adams, Humber College. Virus-L, WDEF in Toronto. vlnl03.033 1990.02.06

Betty Harvey, US Navy David Taylor Research Center. Virus-L, Undetectable Virus. vlnl03.043 1990.02.14

Marshall D. Abrams. Virus-L, Virus Alert. vlnl03.147 1990.08.22

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License