MacOS/CODE252

Type: Virus
SubType: Macintosh
Discovery Date: 04/01/1992
Length: 1,908-1,916 bytes
Minimum DAT: N/A (06/30/2004)
Updated DAT: 4371 (06/30/2004)
Minimum Engine: N/A
Description Added: 11/29/2002
Description Modified: 11/29/2002 11:41 AM (PT)
Risk Assessment: Corporate User: Low; Home User: Low

Characteristics

This virus can spread on all Macintosh models running System 6 or 7.

The CODE 252 virus was discovered when a Virex customer, using the snapshot feature, noted changes in his files and programs and immediately notified his AV vendor.

The virus searches for a file called "Hard Disk:Empty Folder:pf" that contains a "PROC" resource with ID 42. If such a resource is found it is executed; no such resource has been encountered yet.

The virus tries to work around SAM Intercept by reading the addresses of AddResource, ChangedResource and WriteResource out of SAM's own code, so that it can call the traps without SAM noticing. This fails if another program, or a recent version of SAM, begins the patched trap calls with a JSR instruction ($4EFA), or if the patch addresses are located elsewhere.

Symptoms

When the clock's date is between June 6th (D-Day) and December 31st (inclusive), the virus opens a window displaying the text:

"Ha Ha Ha Ha Ha Ha Ha
You have a virus.
Ha Ha Ha Ha Ha Ha Ha
Now Erasing all disks!
Ha Ha Ha Ha Ha Ha Ha
P.S. Have a nice day
(Click to continue!)"

After the user clicks to continue, the virus removes itself from memory and from the infected file. The virus DOES NOT ERASE files, but infected files remain infected until they are launched.

Method of Infection

CODE 252 is passed from application programs to the System file, and from there it infects other applications. In applications the virus lives in a CODE resource with ID 252 that takes 1916 bytes; in the System file it lives in an INIT resource with ID 34 that takes 1908 bytes. All applications can be infected, including the Finder.

The virus intercepts the Launch, AddResource, ChangedResource and WriteResource traps. Applications are infected on Launch: the virus copies its CODE 252 resource into the victim file, saves the original entry point and patches the jump table to point at the CODE 252 resource.
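The two infection forms above are identified by resource type, ID and size. The following added example (not part of the original description and not Virex code) parses a classic Macintosh resource fork, following the Inside Macintosh layout, and flags any resource whose type, ID and data length match the CODE 252 (1916-byte) or INIT 34 (1908-byte) figures given on this page. The sample forks are constructed inline with harmless 68k NOP filler so the scan runs offline; the builder, the sample names and the indicator set are assumptions made for this example.

```python
"""Added example, not part of the original description and not Virex code:
parse a classic Macintosh resource fork and flag the resource type/ID/size
combinations the description attributes to CODE 252. The layout follows the
Inside Macintosh resource-fork format; the sample forks are constructed here
with harmless filler so the scan can run offline."""
import struct

# Indicators taken from the description: (resource type, ID, data length)
CODE252_INDICATORS = {(b"CODE", 252, 1916), (b"INIT", 34, 1908)}


def build_resource_fork(resources):
    """Assemble a minimal resource fork from (type, id, data) triples (constructed helper)."""
    data_area = bytearray()
    data_offsets = {}
    for rtype, rid, data in resources:
        data_offsets[(rtype, rid)] = len(data_area)
        data_area += struct.pack(">I", len(data)) + data  # each resource is length-prefixed
    by_type = {}
    for rtype, rid, _ in resources:
        by_type.setdefault(rtype, []).append(rid)
    type_list_len = 2 + 8 * len(by_type)
    type_entries = bytearray()
    ref_lists = bytearray()
    for rtype, ids in by_type.items():
        ref_offset = type_list_len + len(ref_lists)  # relative to start of type list
        type_entries += struct.pack(">4sHH", rtype, len(ids) - 1, ref_offset)
        for rid in ids:
            off = data_offsets[(rtype, rid)]
            # ID, name offset (-1 = unnamed), attributes, 3-byte data offset, 4-byte handle
            ref_lists += struct.pack(">hhB", rid, -1, 0) + off.to_bytes(3, "big") + bytes(4)
    type_list = struct.pack(">H", len(by_type) - 1) + type_entries
    # Map header: copy of fork header, next-map handle, file ref, attributes,
    # then offsets (from map start) of the type list and the name list.
    map_header = bytes(16) + bytes(4) + bytes(2) + bytes(2) + struct.pack(
        ">HH", 28, 28 + len(type_list) + len(ref_lists))
    resource_map = map_header + type_list + ref_lists
    data_off = 256  # classic forks place resource data after a 256-byte header block
    header = struct.pack(">IIII", data_off, data_off + len(data_area),
                         len(data_area), len(resource_map))
    return bytes(header + bytes(data_off - 16) + data_area + resource_map)


def list_resources(fork):
    """Walk the resource map and return (type, id, data length) for every resource."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    (type_list_off,) = struct.unpack(">H", fork[map_off + 24:map_off + 26])
    tl = map_off + type_list_off
    ntypes = struct.unpack(">H", fork[tl:tl + 2])[0] + 1  # stored as count - 1
    found = []
    for i in range(ntypes):
        e = tl + 2 + 8 * i
        rtype, nres, ref_off = struct.unpack(">4sHH", fork[e:e + 8])
        for j in range(nres + 1):
            r = tl + ref_off + 12 * j
            (rid,) = struct.unpack(">h", fork[r:r + 2])
            off = int.from_bytes(fork[r + 5:r + 8], "big")
            (size,) = struct.unpack(">I", fork[data_off + off:data_off + off + 4])
            found.append((rtype, rid, size))
    return found


def scan_for_code252(fork):
    """Return the resources whose (type, id, size) match a CODE 252 indicator."""
    return [r for r in list_resources(fork) if r in CODE252_INDICATORS]


# Constructed samples: an application fork before and after infection, and a
# System file fork carrying INIT 34. Payload bytes are 68k NOPs (0x4E71), not virus code.
FILLER_1916 = b"\x4e\x71" * 958
FILLER_1908 = b"\x4e\x71" * 954
CLEAN_FORK = build_resource_fork([(b"CODE", 0, bytes(32)), (b"CODE", 1, bytes(100))])
INFECTED_FORK = build_resource_fork([(b"CODE", 0, bytes(32)), (b"CODE", 1, bytes(100)),
                                     (b"CODE", 252, FILLER_1916)])
SYSTEM_FORK = build_resource_fork([(b"INIT", 34, FILLER_1908)])

if __name__ == "__main__":
    for name, fork in [("clean", CLEAN_FORK), ("infected", INFECTED_FORK), ("system", SYSTEM_FORK)]:
        print(name, scan_for_code252(fork))
```

A type/ID/size match is only a triage heuristic: a legitimate application may carry a CODE resource with ID 252 of any size, and a variant that changes length by a byte would slip past it, which is why a production scanner such as Virex matches on a content signature as well. The parser is still useful on its own for inventorying CODE and INIT resources when checking a suspect application or System file.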

Removal

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

Infected e-mails (usually in BinHex format) are currently either deleted or quarantined, depending on the mail scanner's configuration. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

Variants

N/A

All Information

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • D-Day
