========================================================================
==  Computer Virus Catalog (Version 1.2)                              ==
==  *** 10 Macintosh Viruses/Clones ***                               ==
========================================================================
== Status:      July 20, 1990                                         ==
== Classified:  10 Macintosh-Viruses (MACVIR.790): July 20,1990       ==
========================================================================
== List of Macintosh Viruses:                                   =Doc= ==
== --------------------------                                   =---= ==
== +  1) AIDS Clone (nVIR B Strain)                             =790= ==
== +  2) Aladin Virus (Frankie Strain)                          =790= ==
== +  3) Frankie Virus (Frankie Strain)                         =790= ==
== +  4) fuck Clone (nVIR B Strain)                             =790= ==
== +  5) Hpat Clone (nVIR B Strain)                             =790= ==
== +  6) Jude Clone (nVIR B Strain)                             =790= ==
== +  7) MEV# Clone (nVIR B Strain)                             =790= ==
== +  8) nFLU Clone (nVIR B Strain)                             =790= ==
== +  9) nVIR A Virus (nVIR Strain)                             =790= ==
== + 10) nVIR B Virus (nVIR B Strain)                           =790= ==
==                                                                    ==
== The following Macintosh viruses are presently being classified:    ==
== ANTI,Dukakis,INIT 29,MacMag=Peace,MDEF,Scores,WDEF A&B, ZUC virus. ==
==                                                                    ==
== These are the first, yet experimental Macintosh virus entries.     ==
== Classification has been done by David Ferbrache (Edinburgh),       ==
== Zbigniew Fiedorowicz (Ohio) and Christian Markus (VTC Hamburg).    ==
== For future entries, we strongly appreciate any comment. Moreover,  ==
== we have only a limited access to MacViruses, so we ask for aid.    ==
== But it is the Virus Test Center's ethical rule, that we distribute ==
== virus code only to institutions and persons in which we fully trust. =
========================================================================

======= Computer Virus Catalog 1.2: "AIDS" Virus (20-July-1990) ======
Clone...............: "AIDS" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: March 1989
              where.: Netherlands
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
                      3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
                      references to nVIR resources should be read as
                      AIDS resources; for all other details: see
                      nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "AIDS"-Virus ============================

====== Computer Virus Catalog 1.2: "ALADIN" Virus (14-June-1990) =====
Entry...............: "ALADIN" Virus
Alias(es)...........: ---
Virus Strain........: "Aladin Emulator Viruses"
Virus detected when.: December '87
              where.: Hamburg, FRG
The Aladin virus was deliberately created and distributed in a
document transfer utility by Aladin producer Proficomp. The ostensible
purpose of this virus was to attack a pirated version of Aladin.
However since the virus is designed to attack all Macintosh emulators
on the Atari other than Aladin, one may well question Proficomp's
motives.
Classification......: Program Virus
Length of Virus.....: Varying from 3312 to 3822 Bytes in storage
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS
Version/Release.....: Version 2.0 and higher
Computer model(s)...: Infection: all Apple Macintosh series computers,
                      Aladin (Macintosh emulator on Atari); other
                      emulators not tested (probably, Spectre (Atari)
                      will not be infected); all ROM versions.
                      Damage: will only occur on ATARI ST computers
                      running a Macintosh emulator other than the
                      original ALADIN (board equipped with ROMs and a
                      PAL chip).
--------------------- Attributes ------------------------------------
Easy Identification.: ---
Type of infection...: - extending infected programs by virus size;
                      - modifying infected program's jump table;
                      - patching operating system calls in RAM;
                      - upon each launch, the program's "last modified"
                        date entry is updated.
Infection Trigger...: - program files are infected when copied (when an
                        infected "Finder" is running);
                      - program files are infected when launched (when
                        an infected "Finder" is running);
                      - a running "Finder" is infected when it launches
                        an infected program.
Storage media affected: all types of media which are not write-protected
Interrupts hooked...: System traps OpenRF and SetFileInfo
Damage..............: all printing functions are intercepted
Damage Trigger......: value of infection counter
Particularities.....: Probably, Spectre (Macintosh emulator) will not be
                      infected (similar to Frankie), as a bug in
                      Spectre's bus error handler may deceive Aladin
                      into thinking that it is not running on an Atari.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Names of tested products of Category 1-5:
                      Category 1: ---
                      Category 2: Viruskiller (VTC)
                      Category 3: Viruskiller, FrankieKiller (VTC)
                      Category 4: ---
                      Category 5: write protect media
                      Category 6: ---
Countermeasures successful: Applying Viruskiller application
Standard means......: - check file size, file modification date;
                      - open file with ResEdit and check sequence of
                        "CODE" resource entries: if the upper left icon
                        has a higher resource number, be warned;
                      - open "CODE 0" with ResEdit and check byte $15:
                        if it equals the highest available resource
                        number, be warned;
                      - use the INIT "Vaccine".
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Christian Markus, VTC
Documentation by....: Christian Markus/Zbigniew Fiedorowicz
Date................: 14-June-90
Information Source..: ---
===================== End of "Aladin"-Virus ==========================

===== Computer Virus Catalog 1.2: "FRANKIE" Virus (14-June-1990) =====
Entry...............: "FRANKIE" Virus
Alias(es)...........: ---
Virus Strain........: "Aladin Emulator Viruses"
Virus detected when.: December '87
              where.: Hamburg, FRG
The Frankie virus was deliberately created and distributed in a
document transfer utility by Aladin producer Proficomp. The ostensible
purpose of this virus was to attack a pirated version of Aladin.
However since the virus is designed to attack all Macintosh emulators
on the Atari other than Aladin, one may well question Proficomp's
motives.
           appeared.: France: January 1989
Classification......: Program Virus
Length of Virus.....: Varying from 3312 to 3822 Bytes in storage
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS
Version/Release.....: Version 2.0 and higher
Computer model(s)...: Infection: all Apple Macintosh series computers
                      and Aladin (Macintosh emulator on Atari); Spectre
                      (Atari) and AMAX (AMIGA) emulators not infected,
                      others not tested; all ROM versions.
                      Damage: will only occur on ATARI ST computers
                      running illegal emulators other than the original
                      ALADIN (board equipped with ROMs and a PAL chip);
                      on AMAX (AMIGA) and SPECTRE (Atari) emulators,
                      Frankie is inactive.
--------------------- Attributes ------------------------------------
Easy Identification.: ---
Type of infection...: - extending affected programs by virus size;
                      - modifying affected program's jump table;
                      - patching operating system calls in RAM;
                      - upon each launch, the program's "last modified"
                        date entry is updated.
Infection Trigger...: - program files are infected when copied (when an
                        infected "Finder" is running);
                      - program files are infected when launched (when
                        an infected "Finder" is running);
                      - a running "Finder" is infected when it launches
                        an infected program.
Storage media affected: all types of media which are not write-protected
Interrupts hooked...: System traps OpenRF and SetFileInfo
Damage..............: The menu bar is replaced with a 'bomb' icon and
                      the message "Frankie says: no more piracy"; then,
                      the system crashes.
Damage Trigger......: Value of infection counter, random time period
                      (taken from VBL).
Particularities.....: Spectre (Macintosh emulator) will not be infected,
                      as a bug in Spectre's bus error handler deceives
                      Aladin into thinking that it is not running on
                      an Atari.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Names of tested products of Category 1-5:
                      Category 1: ---
                      Category 2: Viruskiller (VTC)
                      Category 3: Viruskiller, FrankieKiller (VTC)
                      Category 4: ---
                      Category 5: write protect media
                      Category 6: ---
                      Moreover, many Macintosh antivirus programs such
                      as Gatekeeper, SAM and Virex detect and eradicate
                      Frankie, as Disinfectant 2.0 will do.
Countermeasures successful: Applying Viruskiller application
Standard means......: - check file size, file modification date;
                      - open file with ResEdit and check sequence of
                        "CODE" resource entries; if the upper left icon
                        has a higher resource number, be alert;
                      - open "CODE 0" with ResEdit and check byte $15;
                        if it equals the highest available resource
                        number, be warned;
                      - use the INIT "Vaccine".
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Christian Markus, VTC
Documentation by....: Christian Markus/Zbigniew Fiedorowicz
Date................: 14-June-90
Information Source..: Zbigniew Fiedorowicz, Ohio (USA)
===================== End of "Frankie" Virus =========================

======= Computer Virus Catalog 1.2: "fuck" Virus (20-July-1990) ======
Clone...............: "fuck" Virus
Alias(es)...........: ---
Virus Strain........: nVIR Virus (B) Strain
Virus detected when.: January 1990
              where.: USA
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
                      3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
                      references to nVIR resources should be read as
                      fuck resources; for all other details: see
                      nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "fuck" Virus ============================

====== Computer Virus Catalog 1.2: "Hpat" Virus (20-July-1990) =======
Clone...............: "Hpat" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: December 1988
              where.: Arizona, USA
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
                      3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
                      references to nVIR resources should be read as
                      Hpat resources, and CODE 256 is to be read as
                      CODE 255; for other details: nVIR B (MAC.790)
Easy identification.: 1. Characteristic Hpat auxiliary resources
                      2. CODE 0 jump table entry 1 changed to
                         0000 3F3C 00FF A9F0
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "Hpat" Virus ============================

====== Computer Virus Catalog 1.2: "MEV#" Virus (20-July-1990) =======
Clone...............: "MEV#" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: April 1989
              where.: Belgium
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
                      3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
                      references to nVIR resources should be read as
                      MEV# resources; for all other details: see
                      nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "MEV#" Virus ============================

======= Computer Virus Catalog 1.2: "nFLU" Virus (20-July-1990) ======
Clone...............: "nFLU" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: August 1989
              where.: Minnesota, USA
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
                      3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
                      references to nVIR resources should be read as
                      nFLU resources; for all other details: see
                      nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "nFLU" Virus ============================

========================================================================
== The Computer Virus Catalog may be copied free of charges provided  ==
== that the source is properly mentioned at any time and location     ==
== of reference.                                                      ==
==                                                                    ==
== Editor: Virus Test Center, Faculty for Informatics                 ==
==         University of Hamburg                                      ==
==         Schlueterstr. 70, D2000 Hamburg 13, FR Germany             ==
==         Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner         ==
==         Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162(Secr.)       ==
== Email (EAN/BITNET): Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de    ==
========================================================================
== Critical and constructive comments as well as additions are        ==
== appreciated. Especially, descriptions of recently detected viruses ==
== will be of general interest. To receive the Virus Catalog Format,  ==
== please contact the above address.                                  ==
========================================================================
========================================================================
== End of MacVIR.790 document                                         ==
== (376 Lines, 23 kBytes)                                             ==
========================================================================
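The two manual ResEdit checks the Aladin and Frankie entries list under "Standard means" (byte $15 of CODE 0 equal to the highest available CODE resource number) and the Hpat "Easy identification" signature (jump table entry 1 changed to 0000 3F3C 00FF A9F0) can be automated over a resource fork image. The following is an added example written for this edition; it is not code from the Virus Test Center or from any of the tools named above. It assumes the classic resource fork layout from Inside Macintosh (16-byte header, length-prefixed data area, map with type list and 12-byte reference records) and the CODE 0 layout (16-byte header followed by 8-byte jump table entries of the form offset, 3F3C, segment, A9F0). The function names, the two sample forks and the RTS stand-ins for code segments are constructed for the example. It generalizes the Hpat signature to any clone of the nVIR B family: whatever segment number the virus installs, entry 1 pointing at the highest-numbered CODE resource is the same anomaly the catalog tells the reader to look for at byte $15.

```python
"""Heuristic scan of a Macintosh resource fork for nVIR B family markers.

Checks (from the catalog entries): (1) an auxiliary resource type named after
one of the nVIR B clones is present; (2) CODE 0 jump table entry 1 equals the
Hpat signature 0000 3F3C 00FF A9F0; (3) the segment number in entry 1 (whose
low byte is CODE 0 byte $15) equals the highest CODE resource id.
Fork layout per Inside Macintosh; sample forks below are constructed."""
import struct

# Auxiliary resource types the catalog attributes to nVIR B and its clones.
KNOWN_VIRUS_TYPES = {b"nVIR", b"AIDS", b"fuck", b"Hpat", b"Jude", b"MEV#", b"nFLU"}
HPAT_JT_ENTRY = bytes.fromhex("00003F3C00FFA9F0")   # Hpat "Easy identification" 2.


def parse_resource_fork(fork: bytes) -> dict:
    """Return {type: {id: data}} from a classic resource fork image."""
    data_off, map_off, _dlen, _mlen = struct.unpack(">IIII", fork[:16])
    # Map: 16-byte header copy, 4-byte handle, 2-byte refnum, 2-byte attrs,
    # then the offset (from map start) of the type list.
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    num_types = struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1
    resources = {}
    for i in range(num_types):
        entry = type_list + 2 + 8 * i
        rtype, count_minus1, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        for j in range(count_minus1 + 1):
            ref = type_list + ref_off + 12 * j          # id(2) name(2) attr(1) off(3) handle(4)
            rid = struct.unpack(">h", fork[ref:ref + 2])[0]
            start = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
            length = struct.unpack(">I", fork[start:start + 4])[0]
            resources.setdefault(rtype, {})[rid] = fork[start + 4:start + 4 + length]
    return resources


def scan_for_nvir_family(resources: dict) -> list:
    """Apply the catalog's checks; return human-readable findings (empty = clean)."""
    findings = [f"auxiliary resource type {t.decode('ascii')!r} present"
                for t in sorted(KNOWN_VIRUS_TYPES & set(resources))]
    code = resources.get(b"CODE", {})
    code0 = code.get(0, b"")
    if len(code0) >= 24:
        # Jump table entry 1 sits right after the 16-byte CODE 0 header:
        # offset(2) 3F3C segment(2) A9F0 = MOVE.W #seg,-(SP); _LoadSeg.
        # Byte $15 (offset 21) is the low byte of that segment number.
        first_entry = code0[16:24]
        segment = struct.unpack(">H", code0[20:22])[0]
        if first_entry == HPAT_JT_ENTRY:
            findings.append("Hpat signature: jump table entry 1 is 0000 3F3C 00FF A9F0")
        if segment != 0 and segment == max(code):
            findings.append(f"jump table entry 1 loads CODE {segment}, the highest CODE id")
    return findings


def build_resource_fork(resources: dict) -> bytes:
    """Assemble a minimal fork image from {type: {id: data}} (constructed test data)."""
    data_area, offsets = bytearray(), {}
    for rtype, items in resources.items():
        for rid, payload in items.items():
            offsets[(rtype, rid)] = len(data_area)
            data_area += struct.pack(">I", len(payload)) + payload
    type_list = bytearray(struct.pack(">H", len(resources) - 1))
    ref_lists = bytearray()
    ref_base = 2 + 8 * len(resources)              # reference lists follow the type list
    for rtype, items in resources.items():
        type_list += struct.pack(">4sHH", rtype, len(items) - 1, ref_base + len(ref_lists))
        for rid in items:
            ref_lists += struct.pack(">hH", rid, 0xFFFF)             # id, no name
            ref_lists += b"\x00" + offsets[(rtype, rid)].to_bytes(3, "big")
            ref_lists += bytes(4)                                    # reserved handle
    map_body = bytes(type_list + ref_lists)
    map_area = bytes(24) + struct.pack(">HH", 28, 28 + len(map_body)) + map_body
    header = struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), len(map_area))
    return header + bytes(240) + bytes(data_area) + map_area


def make_code0(first_segment: int) -> bytes:
    """Constructed CODE 0: header plus one jump table entry loading `first_segment`."""
    header = struct.pack(">IIII", 0x1000, 0x1000, 8, 32)     # illustrative sizes
    return header + struct.pack(">HHHH", 0, 0x3F3C, first_segment, 0xA9F0)


RTS = b"\x4e\x75"   # one-instruction stand-in for a code segment (constructed)
# Constructed clean application: entry 1 loads CODE 1, highest segment is CODE 2.
CLEAN_FORK = build_resource_fork({b"CODE": {0: make_code0(1), 1: RTS, 2: RTS},
                                  b"ICON": {128: bytes(128)}})
# Constructed Hpat-style fork: extra CODE 255, entry 1 redirected to it, Hpat resource.
SUSPECT_FORK = build_resource_fork({b"CODE": {0: make_code0(255), 1: RTS, 2: RTS, 255: RTS},
                                    b"Hpat": {0: bytes(8)}})

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN_FORK), ("suspect", SUSPECT_FORK)):
        print(name, scan_for_nvir_family(parse_resource_fork(fork)) or "no findings")
```

The highest-id check alone is a heuristic, as the catalog's "be warned" wording implies: a legitimate application with only CODE 0 and CODE 1 also has entry 1 loading its highest segment, so the finding should be weighed together with the presence of a clone-named resource type and the file-size and modification-date checks listed above. To scan a real file on a modern Mac, read its resource fork (reachable as the file's `..namedfork/rsrc` path) and pass the bytes to `parse_resource_fork`.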