========================================================================
== Computer Virus Catalog (Version 1.2) ==
== *** 10 Macintosh Viruses/Clones *** ==
========================================================================
== Status: July 20, 1990 ==
== Classified: 10 Macintosh-Viruses (MACVIR.790): July 20,1990 ==
========================================================================
== List of Macintosh Viruses: =Doc=
== -------------------------- =---=
== + 1) AIDS Clone (nVIR B Strain)=790=
== + 2) Aladin Virus (Frankie Strain)=790=
== + 3) Frankie Virus (Frankie Strain)=790=
== + 4) fuck Clone (nVIR B Strain)=790=
== + 5) Hpat Clone (nVIR B Strain)=790=
== + 6) Jude Clone (nVIR B Strain)=790=
== + 7) MEV# Clone (nVIR B Strain)=790=
== + 8) nFLU Clone (nVIR B Strain)=790=
== + 9) nVIR A Virus (nVIR Strain)=790=
== + 10) nVIR B Virus (nVIR B Strain)=790=
== ==
== The following Macintosh viruses are presently being classified: ==
== ANTI,Dukakis,INIT 29,MacMag=Peace,MDEF,Scores,WDEF A&B, ZUC virus. ==
== ==
== These are the first, yet experimental Macintosh virus entries. ==
== Classification has been done by David Ferbrache (Edinburgh), ==
== Zbigniew Fiedorowicz (Ohio) and Christian Markus (VTC Hamburg). ==
== For future entries, we strongly appreciate any comment. Moreover, ==
== we have only a limited access to MacViruses, so we ask for aid. ==
== But it is the Virus Test Center's ethical rule, that we distribute ==
== virus code only to institutions and persons in which we fully trust.=
========================================================================
======= Computer Virus Catalog 1.2: "AIDS" Virus (20-July-1990) ======
Clone...............: "AIDS" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: March 1989
where.: Netherlands
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
references to nVIR resources should be read as
AIDS resources; for all other details: see
nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "AIDS"-Virus ============================
====== Computer Virus Catalog 1.2: "ALADIN" Virus (14-June-1990) =====
Entry...............: "ALADIN" Virus
Alias(es)...........: ---
Virus Strain........: "Aladin Emulator Viruses"
Virus detected when.: December '87
where.: Hamburg, FRG
The Aladin virus was deliberately created and
distributed in a document transfer utility by
Aladin producer Proficomp. The ostensible purpose
of this virus was to attack a pirated version of
Aladin. However since the virus is designed to
attack all Macintosh emulators on the Atari other
than Aladin, one may well question Proficomp's
motives.
Classification......: Program Virus
Length of Virus.....: Varying from 3312 to 3822 Bytes in storage
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS
Version/Release.....: Version 2.0 and higher
Computer model(s)...: infection: all Apple MacIntosh series computers
Aladin (MacIntosh-Emulator on Atari); other
emulators not tested (probably, Spectre (Atari)
will not be infected); all ROM versions
damage: will only occur on ATARI ST computers
running a MacIntosh Emulator other than the
original ALADIN (Board equipped with ROMs
and a PAL chip)
--------------------- Attributes ------------------------------------
Easy Identification.: ---
Type of infection...: - extending infected programs by virus size
- modifying infected program's jump table
- patching operating system calls in RAM
- upon each launch, the program's "last modified"
date entry is updated
Infection Trigger...: - program files are infected when copied (when
an infected "Finder" is running)
- program files are infected when launched
(when an infected "Finder" is running)
- a running "Finder" is infected when it
launches an infected program
Storage media affected: all types of media which are not write-protected
Interrupts hooked...: System traps OpenRF and SetFileInfo
Damage..............: all printing functions are intercepted
Damage Trigger......: value of infection counter
Particularities.....: Probably, Spectre (MacIntosh emulator) will not
be infected (similar to Frankie) as a bug in
Spectre's bus error handler may deceive
Aladin into thinking that it is not running
on an Atari.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures.....: Names of tested products of Category 1-5:
Category 1: ---
Category 2: Viruskiller (VTC)
Category 3: Viruskiller, FrankieKiller (VTC)
Category 4: ---
Category 5: write protect media
Category 6: ---
Countermeasures successful: Applying Viruskiller application
Standard means......: - check file size, file modification date
- open file with ResEdit and check sequence of
"CODE" resource entries: if the upper left
icon has a higher resource number, be
warned;
- open "CODE 0" with ResEdit and check byte $15:
if it equals the highest available resource
number, be warned;
- use the INIT "Vaccine"
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Christian Markus, VTC
Documentation by....: Christian Markus/Zbigniew Fiedorowicz
Date................: 14-June-90
Information Source..: ---
===================== End of "Aladin"-Virus ==========================
===== Computer Virus Catalog 1.2: "FRANKIE" Virus (14-June-1990) =====
Entry...............: "FRANKIE" Virus
Alias(es)...........: ---
Virus Strain........: "Aladin Emulator Viruses"
Virus detected when.: December '87
where.: Hamburg, FRG
The Frankie virus was deliberately created and
distributed in a document transfer utility by
Aladin producer Proficomp. The ostensible purpose
of this virus was to attack a pirated version of
Aladin. However since the virus is designed to
attack all Macintosh emulators on the Atari other
than Aladin, one may well question Proficomp's motives.
appeared.: France: January 1989
Classification......: Program Virus
Length of Virus.....: Varying from 3312 to 3822 Bytes in storage
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS
Version/Release.....: Version 2.0 and higher
Computer model(s)...: Infection: all Apple MacIntosh series computers
and Aladin (MacIntosh Emulator on Atari);
Spectre (Atari) and AMAX (AMIGA) emulators
not infected, others not tested;
all ROM versions
Damage: will only occur on ATARI ST computers
running illegal emulators other than the
original ALADIN (Board equipped with ROMs
and a PAL chip); on AMAX (AMIGA) and SPECTRE
(Atari) emulators, Frankie is inactive.
--------------------- Attributes ------------------------------------
Easy Identification.: ---
Type of infection...: - extending affected programs by virus size;
- modifying affected program's jump table;
- patching operating system calls in RAM;
- upon each launch, the program's "last
modified" date entry is updated.
Infection Trigger...: - program files are infected when copied (when
an infected "Finder" is running);
- program files are infected when launched
(when an infected "Finder" is running);
- a running "Finder" is infected when it
launches an infected program.
Storage media affected: All types of media which are not write-protected
Interrupts hooked...: System traps OpenRF and SetFileInfo
Damage..............: The menu bar is replaced with a 'bomb' icon and
the message "Frankie says: no more piracy";
then, the system crashes.
Damage Trigger......: Value of infection counter, random time period
(taken from VBL).
Particularities.....: Spectre (MacIntosh emulator) will not be infected
as a bug in Spectre's bus error
handler deceives Aladin into thinking that
it is not running on an Atari.
Similarities........: ---
--------------------- Agents ------------------------------------------
Countermeasures.....: Names of tested products of Category 1-5:
Category 1: ---
Category 2: Viruskiller (VTC)
Category 3: Viruskiller, FrankieKiller (VTC)
Category 4: ---
Category 5: write protect media
Category 6: ---
Moreover, many Macintosh antivirus programs
such as Gatekeeper, SAM, Virex detect and
eradicate Frankie, as Disinfectant 2.0 will do.
Countermeasures successful: Applying Viruskiller application
Standard means......: - Check file size, file modification date;
- open file with ResEdit and check sequence of
"CODE" resource entries; if the upper left
icon has a higher resource number, be
alert;
- open "CODE 0" with ResEdit and check byte $15;
if it equals the highest available resource
number, be warned.
- Use the INIT "Vaccine"
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, FRG
Classification by...: Christian Markus, VTC
Documentation by....: Christian Markus/Zbigniew Fiedorowicz
Date................: 14-June-90
Information Source..: Zbigniew Fiedorowicz, Ohio (USA)
===================== End of "Frankie" Virus =========================
======= Computer Virus Catalog 1.2: "fuck" Virus (20-July-1990) ======
Clone...............: "fuck" Virus
Alias(es)...........: ---
Virus Strain........: nVIR Virus (B) Strain
Virus detected when.: January 1990
where.: USA
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
references to nVIR resources should be read as
fuck resources; for all other details:
see nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "fuck" Virus ============================
====== Computer Virus Catalog 1.2: "Hpat" Virus (20-July-1990) =======
Clone...............: "Hpat" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: December 1988
where.: Arizona, USA
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
references to nVIR resources should be read as
Hpat resources, and CODE 256 to be read as
CODE 255; for other details: nVIR B (MAC.790)
Easy identification.: 1. Characteristic Hpat auxiliary resources
2. CODE 0 Jump table entry 1 changed to
0000 3F3C 00FF A9F0
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "Hpat" Virus ============================
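Added example (not part of the Virus Catalog): the "CODE 0" checks from the Hpat "Easy identification" field and from the Aladin/Frankie "Standard means" (byte $15 against the highest CODE resource number), run over constructed CODE 0 bodies. It assumes the classic CODE 0 layout of a 16-byte header followed by 8-byte jump table entries, and that the CODE resource IDs have already been listed by a resource tool; the function names are hypothetical.

```python
import struct

HEADER_LEN = 16      # above-A5 size, below-A5 size, jump table size, jump table offset
ENTRY_LEN = 8        # routine offset, MOVE.W #seg,-(SP), _LoadSeg
PUSH_SEG = 0x3F3C    # MOVE.W #imm,-(SP)
LOADSEG = 0xA9F0     # _LoadSeg trap word
HPAT_ENTRY1 = bytes.fromhex("00003F3C00FFA9F0")  # value quoted in the Hpat entry

def first_entry(code0: bytes):
    """Return (raw_bytes, routine_offset, segment_id) for jump table entry 1."""
    if len(code0) < HEADER_LEN + ENTRY_LEN:
        raise ValueError("CODE 0 too short to hold a jump table entry")
    raw = code0[HEADER_LEN:HEADER_LEN + ENTRY_LEN]
    offset, push, seg, trap = struct.unpack(">HHHH", raw)
    if push != PUSH_SEG or trap != LOADSEG:
        raise ValueError("entry 1 is not in the unloaded-segment form")
    return raw, offset, seg

def check_code0(code0: bytes, code_ids):
    """code_ids: IDs of every CODE resource in the same file."""
    raw, _, _ = first_entry(code0)
    findings = []
    if raw == HPAT_ENTRY1:
        findings.append("hpat-entry1")
    segments = [i for i in code_ids if i != 0]
    # Byte $15 is the low byte of entry 1's segment number. Requiring more
    # than one segment is an added guard (assumption, not from the catalog):
    # a one-segment program would otherwise always match.
    if len(segments) > 1 and code0[0x15] == max(segments) & 0xFF:
        findings.append("entry1-targets-highest-code")
    return findings

def make_code0(entries):
    """Build a constructed CODE 0 body from (routine_offset, segment) pairs."""
    body = b"".join(struct.pack(">HHHH", off, PUSH_SEG, seg, LOADSEG)
                    for off, seg in entries)
    return struct.pack(">IIII", 0x200, 0x100, len(body), 32) + body

# Constructed samples, not taken from any real file.
CLEAN = make_code0([(0x0004, 1), (0x0010, 2)])
HPAT_LIKE = make_code0([(0x0000, 255), (0x0004, 1), (0x0010, 2)])
APPENDED = make_code0([(0x0000, 3), (0x0004, 1), (0x0010, 2)])

if __name__ == "__main__":
    for name, blob, ids in [("clean", CLEAN, [0, 1, 2]),
                            ("hpat-like", HPAT_LIKE, [0, 1, 2, 255]),
                            ("appended", APPENDED, [0, 1, 2, 3])]:
        print(name, check_code0(blob, ids))
```

A finding is a reason to inspect the file further, in the catalog's sense of "be warned", not proof of infection.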
====== Computer Virus Catalog 1.2: "MEV#" Virus (20-July-1990) =======
Clone...............: "MEV#" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: April 1989
where.: Belgium
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
references to nVIR resources should be read as
MEV# resources; for all other details:
see nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "MEV#" Virus ============================
======= Computer Virus Catalog 1.2: "nFLU" Virus (20-July-1990) ======
Clone...............: "nFLU" Virus
Alias(es)...........: ---
Virus Strain........: nVIR (B) Virus Strain
Virus detected when.: August 1989
where.: Minnesota, USA
Classification......: Application and system file infector
Length of Virus.....: Resource fork extension 3550 bytes (application),
3568 bytes (System file)
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Variation...........: All details are as for nVIR B except that all
references to nVIR resources should be read as
nFLU resources; for all other details:
see nVIR B (MACVIR.790)
--------------------- Acknowledgement --------------------------------
Location............: Heriot-Watt University, Edinburgh (UK)
Classification by...: David Ferbrache
Documentation by....: David Ferbrache
Date................: 12-March-1990
Information Source..: ---
===================== End of "nFLU" Virus ============================
========================================================================
== The Computer Virus Catalog may be copied free of charges provided ==
== that the source is properly mentioned at any time and location ==
== of reference. ==
== ==
== Editor: Virus Test Center, Faculty for Informatics ==
== University of Hamburg ==
== Schlueterstr. 70, D2000 Hamburg 13, FR Germany ==
== Prof. Dr. Klaus Brunnstein, Simone Fischer-Huebner ==
== Tel: (040) 4123-4158 (KB), -4175 (SFH), -4162(Secr.) ==
== Email (EAN/BITNET): Brunnstein@RZ.Informatik.Uni-Hamburg.dbp.de ==
========================================================================
== Critical and constructive comments as well as additions are ==
== appreciated. Especially, descriptions of recently detected viruses =
== will be of general interest. To receive the Virus Catalog Format, ==
== please contact the above address. ==
========================================================================
========================================================================
== End of MacVIR.790 document ==
== (376 Lines, 23 kBytes) ==
========================================================================