Xref: utzoo comp.sys.mac:23507 comp.sys.mac.programmer:3349
Path: utzoo!attcan!uunet!mcvax!hp4nl!uva!borton
From: borton@uva.UUCP (Chris Borton)
Newsgroups: comp.sys.mac,comp.sys.mac.programmer
Subject: Re: nVIR virus found in "Kill Virus"
Message-ID: <579@uva.UUCP>
Date: 1 Dec 88 15:07:31 GMT
References: <223@sunset.MATH.UCLA.EDU>
Reply-To: borton@uva.UUCP (Chris Borton)
Organization: Faculteit Wiskunde & Informatica, Universiteit van Amsterdam
Lines: 85

In article <223@sunset.MATH.UCLA.EDU> hgw@math.ucla.edu (Harold Wong) writes:
>In article ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>>
>>Kill Virus is equipped with a foil for the nVIR virus, which will keep it
>>from getting infected. However, since the resource is called "nVIR",
>>it trips up interferon and other such programs.
>>
>>Kill virus is currently the best program for getting rid of nVIR. THE
>>PROGRAM IS ***NOT*** infected!!!!
>>
>Does KillVirus protect all applications or just those who were infected?
>With applications (pd and others) going through and being copied onto my
>drive how will I know if the real (the bad one) nVIR shows up? It might start
>infecting other applications that did not get KillVirus protection.
>
>It seems to me that KillVirus will add confusion to this virus problem

There seems to be plenty of confusion around about nVIR, which is
understandable. I'll summarize this as I know it; please add corrections
if necessary (but only if you REALLY know--discuss it otherwise) and spread
this information around as widely as possible to avoid this confusion.

nVIR has a built-in inhibitor, probably so that the originator wouldn't
infect his whole system as well. The virus checks for the existence of the
resource 'nVIR 10' in the System file, and if it's there then it doesn't
infect anything. The KillVirus INIT from Matthias Urlichs is an INIT that
installs this probitor resource into the System file.
[Programmer note: given the confusion this now causes, it might have been
more appropriate to build that resource on the fly]. Hence, with the
KillVirus INIT your system will be immune to attacks of nVIR and further
spreading of nVIR.

To my knowledge, KillVirus does NOT do anything to applications at all.
Hence, if you have an infected application, it will be benign on your
KillVirus-protected system, but if you give it to your friend who is not
protected, then he will become infected.

The best solution I know of:

1) boot from locked positively-healthy system
2) Run "Vaccination" on ALL programs you have. This will remove the virus
   if it exists, preventing further spread.
3) Replace all Systems with a known good System. If this is too painful,
   it can be done with ResEdit hacking, but you'd better know what you're
   doing. Just remove all 7 nVIR resources and INIT 32.
4) Replace the Finder and DA Handler, as the original version of
   Vaccination did not recognize these and they infect.
5) Keep KillVirus, VirusWarningINIT, and/or Vaccine in your system folder.

The differences:

KillVirus: defends attacks, will not allow spread. Installs benign
    nVIR 10 resource in System file. Does not, I believe, alert you when
    an attack has occurred.

VirusWarningINIT: emits a series of beeps when an attack (attempt at
    infection) has occurred. Does NOT prevent the infection, but you will
    know about it and hence can immediately kill it.

Vaccine: will cause system bomb when nVIR attacks. This is because it is
    trying to use a dialog/menubar at a time when that isn't allowed.
    Thus, if you have a consistent bomb under MultiFinder with a program
    you know works, immediately check it for nVIR.

I hope this clarifies a few things. There are plenty of items that might
have been done much more clearly (the naming of these things, for one) but
they usually originate in a crisis under duress and time pressure. The best
prevention overall is user education -- a little bit can go a long way.
[Personal note: unfortunately the media could use some as well in order to
prevent wild rumors, spreading false information and blind fear.]

[[Oh a sample? CNN during the InterNet Worm crisis:
  4:12 reporter: "...but the virus apparently does not do any damage to
       data."
  4:25 anchorperson: "stay tuned, in 10 minutes another report on the
       data-devouring virus attacking computers all over the country."
]]

-cbb
--
Chris Borton    borton%uva@mcvax.{nl,bitnet,uucp}
Rotary Scholar, University of Amsterdam CS
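
Added example, not part of the original post or of any tool it names: a small Python scanner that walks the resource map of a classic Mac OS resource fork and separates a System file carrying only the 'nVIR 10' foil from one holding other nVIR resources or INIT 32. The map layout is the standard resource-fork format; the function names, the three verdict strings and the triage rule itself are assumptions built only from the markers the post mentions, and `build_fork` produces constructed test input.

```python
import struct

def list_resources(fork: bytes):
    """Return [(type, id), ...] from a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    _data_off, map_off, _data_len, map_len = struct.unpack(">4I", fork[:16])
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map out of bounds")
    rmap = fork[map_off:map_off + map_len]
    (tl_off,) = struct.unpack_from(">H", rmap, 24)      # map -> type list
    (ntypes,) = struct.unpack_from(">h", rmap, tl_off)  # stored as count - 1
    found = []
    for t in range(ntypes + 1):
        rtype, nres, ref_off = struct.unpack_from(">4shH", rmap, tl_off + 2 + 8 * t)
        for r in range(nres + 1):  # 12-byte reference entries, ID first
            (rid,) = struct.unpack_from(">h", rmap, tl_off + ref_off + 12 * r)
            found.append((rtype.decode("mac_roman"), rid))
    return found

def classify(fork: bytes) -> str:
    """Triage using only the markers named in the post (assumed heuristic)."""
    res = list_resources(fork)
    nvir = sorted(i for t, i in res if t == "nVIR")
    init32 = ("INIT", 32) in res
    if not nvir and not init32:
        return "no-markers"
    if nvir == [10] and not init32:
        return "inhibitor-only"   # matches the KillVirus foil described above
    return "suspect"              # other nVIR resources and/or INIT 32

def build_fork(resources):
    """Constructed test input: minimal fork holding empty resources."""
    types = {}
    for rtype, rid in resources:
        types.setdefault(rtype, []).append(rid)
    data, refs = b"", b""
    type_list = struct.pack(">h", len(types) - 1)
    for rtype, ids in types.items():
        ref_off = 2 + 8 * len(types) + len(refs)
        type_list += struct.pack(">4shH", rtype.encode("mac_roman"), len(ids) - 1, ref_off)
        for rid in ids:
            refs += struct.pack(">hhII", rid, -1, len(data), 0)
            data += struct.pack(">I", 0)   # 4-byte length prefix, no payload
    map_len = 28 + len(type_list) + len(refs)
    header = struct.pack(">4I", 256, 256 + len(data), len(data), map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + type_list + refs
    return header + bytes(240) + data + rmap
```

A scanner that only looks for the type name 'nVIR' would report the foil as an infection, which is the false alarm the quoted article describes; checking the resource IDs as well avoids that.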