MacOS/nVIR
- Type: Virus
- SubType: Macintosh
- Discovery Date: 01/01/1987
- Length: 666, 1428 or 2106 bytes
- Minimum DAT: N/A
- Updated DAT: N/A
- Minimum Engine: N/A
- Description Added: 11/29/2002
- Description Modified: 12/17/2002 4:14 AM (PT)
Characteristics
This virus replicates only on Macintosh computers that run OS 4.1 or higher.
The source code of the nVIR virus has unfortunately become widely available, enabling individuals to use it as a template to create new viruses. The nVIR virus is therefore actually a family of viruses with two major strains, nVIR-a and nVIR-b. It has been modified a number of times to alter its behaviour and to elude detection. AIDS, f__k, Hpat, Jude, nVIR, MEV#, MODM, nCAM, nFLU, kOOL, _HIT and prod are all derivatives of the nVIR virus family. These viruses replace the nVIR code resources with renamed resources. The Virex scanning engine has a powerful diagnose-and-repair capability that handles renamed variations of nVIR automatically.
Symptoms
The nVIR 0 resource holds a counter that is set to 1000 on the first infection of the system. Each reboot decrements the counter by one, and each application launch decrements it by 2. When the counter reaches 0, the virus beeps on 1 out of 8 reboots and 1 out of 4 infected application launches.
nVIR can cause applications and System files to crash. If MacinTalk is installed in your System folder, your computer may occasionally say "Don't Panic." Otherwise, it may beep unexpectedly.
Method of Infection
Infected applications carry an additional code resource, CODE 256 (CODE 255 in some variants). The viruses patch the jump table to point to it. The original application's entry point is saved in the nVIR 2 resource.
In the System file, these viruses introduce an INIT 32 resource, which is executed at startup, at which point it patches the TEInit trap. Any application that calls this trap is subsequently infected. The resource called nVIR 3 (or nVIR 5) is merely a copy of INIT 32.
An nVIR 10 resource in the System file will prevent infection.
If an application calls OpenResFile prior to TEInit, it will be damaged.
Some strains will hybridize with other variants of the nVIR strain.
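The resource indicators described above can be checked directly in a file's resource fork. The following Python parser is an added example, not code from McAfee or Virex: it reads the classic Mac OS resource map and reports the type/ID combinations this page names. The function names and the `build_fork` sample builder are constructed for illustration, and the check assumes renamed variants keep the same resource IDs as nVIR.

```python
import struct

# Resource types of the nVIR family as named on this page (the censored
# alias "f__k" is left out because the page does not give its real bytes).
FAMILY = {b"nVIR", b"AIDS", b"Hpat", b"Jude", b"MEV#", b"MODM",
          b"nCAM", b"nFLU", b"kOOL", b"_HIT", b"prod"}

def list_resources(fork):
    """Return the set of (type, id) pairs in a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("truncated resource fork header")
    _, map_off, _, map_len = struct.unpack(">4I", fork[:16])
    rmap = fork[map_off:map_off + map_len]
    if map_len < 30 or len(rmap) != map_len:
        raise ValueError("resource map out of bounds")
    tl = struct.unpack_from(">H", rmap, 24)[0]      # type list offset in map
    ntypes = (struct.unpack_from(">H", rmap, tl)[0] + 1) & 0xFFFF
    found = set()
    for n in range(ntypes):
        rtype, last, refs = struct.unpack_from(">4sHH", rmap, tl + 2 + 8 * n)
        for k in range(last + 1):                   # 12-byte reference entries
            rid = struct.unpack_from(">h", rmap, tl + refs + 12 * k)[0]
            found.add((rtype, rid))
    return found

def nvir_findings(fork):
    """Map the page's resource indicators onto short finding tags."""
    res = list_resources(fork)
    ids = {i for t, i in res if t in FAMILY}
    tags = []
    if 2 in ids and res & {(b"CODE", 256), (b"CODE", 255)}:
        tags.append("infected-application")   # saved entry point + added CODE
    if (b"INIT", 32) in res and ids & {0, 3, 5}:
        tags.append("infected-system")        # startup INIT + counter/copy
    if 10 in ids:
        tags.append("id-10-marker")           # page: prevents infection
    return tags

def build_fork(pairs):
    """Constructed sample input: a minimal fork holding empty resources."""
    by_type = {}
    for t, i in pairs:
        by_type.setdefault(t, []).append(i)
    tlist, refs = struct.pack(">H", (len(by_type) - 1) & 0xFFFF), b""
    base = 2 + 8 * len(by_type)               # reference lists follow type list
    for t, id_list in by_type.items():
        tlist += struct.pack(">4sHH", t, len(id_list) - 1, base + len(refs))
        refs += b"".join(struct.pack(">hHB3sI", i, 0xFFFF, 0, bytes(3), 0) for i in id_list)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist + refs)) + tlist + refs
    return struct.pack(">4I", 256, 260, 4, len(rmap)) + bytes(240) + bytes(4) + rmap
```

A CODE 256 resource on its own is not flagged, since the added segment is only meaningful alongside a family-typed resource.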
Removal
Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.
If the infected object was found on a non-Apple file server, it can be cleaned using Virex from a Macintosh client.
Infected emails (usually in BinHex format) are currently either deleted or quarantined, depending on the configuration of the mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- AIDS
- F***
- f__k
- Hpat
- Jude
- kOOL
- MEV#
- nCAM
- nFLU
- prod