Xref: utzoo comp.sys.mac:23507 comp.sys.mac.programmer:3349
Path: utzoo!attcan!uunet!mcvax!hp4nl!uva!borton
From: borton@uva.UUCP (Chris Borton)
Newsgroups: comp.sys.mac,comp.sys.mac.programmer
Subject: Re: nVIR virus found in "Kill Virus"
Message-ID: <579@uva.UUCP>
Date: 1 Dec 88 15:07:31 GMT
References:  <223@sunset.MATH.UCLA.EDU>
Reply-To: borton@uva.UUCP (Chris Borton)
Organization: Faculteit Wiskunde & Informatica, Universiteit van Amsterdam
Lines: 85

In article <223@sunset.MATH.UCLA.EDU> hgw@math.ucla.edu (Harold Wong) writes:
>In article  ll12+@andrew.cmu.edu (Laura Ann Lemay) writes:
>>
>>Kill Virus is equipped with a foil for the nVIR virus, which will keep it
>>from getting infected.  However, since the resource is called "nVIR",
>>it trips up interferon and other such programs.
>>
>>Kill virus is currently the best program for getting rid of nVIR.  THE
>>PROGRAM IS ***NOT*** infected!!!!
>>
>Does KillVirus protect all applications or just those who were infected?
>With applications (pd and others) going through and being copied onto my
>drive how will I know if the real (the bad one) nVIR shows up?  It might start
>infecting other applications that did not get KillVirus protection.
>
>It seems to me that KillVirus will add confusion to this virus problem

There seems to be plenty of confusion around about nVIR, which is
understandable.  I'll summarize this as I know it; please add corrections
if necessary (but only if you REALLY know--discuss it otherwise) and spread
this information around as widely as possible to avoid this confusion.

nVIR has a built-in inhibitor, probably so that the originator wouldn't
infect his whole system as well.  The virus checks for the existence of the
resource 'nVIR 10' in the System file, and if it's there then it doesn't infect
anything.

The KillVirus INIT from Matthias Urlichs is an INIT that installs this
inhibitor resource into the System file.  [Programmer note: given the confusion 
this now causes, it might have been more appropriate to build that resource on 
the fly].  Hence, with the KillVirus INIT your system will be immune to
attacks of nVIR and further spreading of nVIR.

To my knowledge, KillVirus does NOT do anything to applications at all.  Hence, 
if you have an infected application, it will be benign on your KillVirus-
protected system, but if you give it to your friend who is not protected, then 
he will become infected.

The best solution I know of:
	
	1) boot from locked positively-healthy system
	2) Run "Vaccination" on ALL programs you have.  This will remove the
	   virus if it exists, preventing further spread.
	3) Replace all Systems with a known good System.  If this is too
	   painful, it can be done with ResEdit hacking, but you'd better
	   know what you're doing.  Just remove all 7 nVIR resources and
	   INIT 32.
	4) Replace the Finder and DA Handler, as the original version of
	   Vaccination did not recognize these and they infect.
	5) Keep KillVirus, VirusWarningINIT, and/or Vaccine in your system
	   folder.  The differences:

KillVirus: defends attacks, will not allow spread.  Installs benign nVIR 10
	   resource in System file.  Does not, I believe, alert you when an
	   attack has occurred.

VirusWarningINIT: 
	   emits a series of beeps when an attack (attempt at infection) has
	   occurred.  Does NOT prevent the infection, but you will know about
	   it and hence can immediately kill it.

Vaccine:
	   will cause system bomb when nVIR attacks.  This is because it is
	   trying to use a dialog/menubar at a time when that isn't allowed.
	   Thus, if you have a consistent bomb under MultiFinder with a
	   program you know works, immediately check it for nVIR.

I hope this clarifies a few things.  There are plenty of items that might
have been done much more clearly (the naming of these things, for one) but
they usually originate in a crisis under duress and time pressure.  The best
prevention overall is user education -- a little bit can go a long way.

[Personal note: unfortunately the media could use some as well in order to
 prevent wild rumors, spreading false information and blind fear.]

[[Oh a sample?  CNN during the InterNet Worm crisis: 
  4:12 reporter: "...but the virus apparently does not do any damage to data." 
  4:25 anchorperson: "stay tuned, in 10 minutes another report on the
	data-devouring virus attacking computers all over the country."
]]

-cbb
-- 
Chris Borton	borton%uva@mcvax.{nl,bitnet,uucp} 
Rotary Scholar, University of Amsterdam CS
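Added example, not code from the post or from KillVirus/Vaccination: a Python checker that parses a classic Mac resource fork and tells a System file carrying only the KillVirus 'nVIR' 10 inhibitor apart from one carrying the virus's own nVIR resources plus INIT 32, the distinction the post says trips up Interferon. It assumes the classic resource-fork layout (header, data block, map with type and reference lists); the sample fork contents and the nVIR IDs other than 10 are constructed for the demo.

```python
import struct
# The post's indicators: the 'nVIR' resources the live virus drops, the lone
# 'nVIR' 10 that KillVirus installs as an inhibitor, and 'INIT' 32.
INHIBITOR = ("nVIR", 10)
INIT32 = ("INIT", 32)

def parse_resource_fork(fork: bytes) -> dict:
    """Return {(type, id): data} for each resource in a classic Mac resource
    fork: 16-byte header, data block, then the map with type/reference lists."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    ntypes = struct.unpack(">H", fork[tl:tl + 2])[0] + 1        # stored as count-1
    found = {}
    for i in range(ntypes):
        rtype, nres, ref_off = struct.unpack(">4sHH", fork[tl + 2 + 8 * i:tl + 10 + 8 * i])
        for j in range(nres + 1):
            ref = tl + ref_off + 12 * j
            rid, _name, attr_off = struct.unpack(">hhI", fork[ref:ref + 8])
            start = data_off + (attr_off & 0x00FFFFFF)          # low 24 bits: data offset
            dlen = struct.unpack(">I", fork[start:start + 4])[0]
            found[(rtype.decode("latin-1"), rid)] = fork[start + 4:start + 4 + dlen]
    return found

def classify_system_file(resources: dict) -> str:
    """'clean', 'inhibitor-only' (KillVirus foil, benign) or 'infected'."""
    nvir_ids = sorted(rid for (t, rid) in resources if t == "nVIR")
    if not nvir_ids and INIT32 not in resources:
        return "clean"
    if nvir_ids == [INHIBITOR[1]] and INIT32 not in resources:
        return "inhibitor-only"   # only the name 'nVIR' is present: what trips naive scanners
    return "infected"             # other nVIR resources and/or INIT 32: the real thing

def build_fork(resources: dict) -> bytes:
    """Assemble a minimal resource fork from {(type, id): data} (test helper)."""
    by_type, data = {}, bytearray()
    for (t, rid), d in resources.items():
        by_type.setdefault(t, []).append((rid, len(data)))
        data += struct.pack(">I", len(d)) + d
    tl, refs = bytearray(struct.pack(">H", len(by_type) - 1)), bytearray()
    for t, entries in by_type.items():
        tl += struct.pack(">4sHH", t.encode("latin-1"), len(entries) - 1, 2 + 8 * len(by_type) + len(refs))
        for rid, off in entries:
            refs += struct.pack(">hhI", rid, -1, off) + bytes(4)   # no name, attrs 0
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tl) + len(refs)) + tl + refs
    return struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap)) + bytes(240) + data + rmap

# Constructed samples (nVIR IDs other than 10 are made up for the demo).
PROTECTED = build_fork({INHIBITOR: b"\0\0", ("FOND", 0): b"font"})
INFECTED = build_fork({**{("nVIR", i): b"x" for i in range(7)}, INIT32: b"code"})
```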