McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This virus works on all Macintosh models with 128kb ROM.

In the System file the virus resides in INIT 17 resource. This resource has "Trnt" string at offset 4 from the beginning. In the infected applications the virus body is at the end of CODE 1 resource. The virus intercepts LoadSeg trap.

Symptoms

Although INIT 17 appears to be relatively harmless, it contains errors in its virus code that may cause file damage during an infection, making it a dangerous virus.

The only other observable action that INIT 17 exhibits is the display of an innocuous message in a window entitled "From the Depths of CyberSpace." This message is shown the first time an infected machine is restarted after the trigger date of 6:06:06 PM, October 31, 1993. On 68000 systems a system bus error occurs so older Macintosh models, such as the Mac Plus and SE, will crash.

Method of Infection

Infected applications introduce INIT 17 into the System file. When an infected Macintosh is booted the virus infects all launched applications. In applications the jump table is patched to point to the virus code. The infection would not occur if:

* the jump table does not point to CODE 1 resource
* size of CODE 1 is more then 31085 bytes
* file or filename is locked
* the file is already infected

Also before infecting an application the virus checks to see if WriteResource and SetResAttrs traps are pointing into memory (for example by an AV program) and then it would not infect applications.

Removal

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

Infected Emails (usually in BinHex format) will be currently either deleted or quarantined depending on the configuration of mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This virus works on all Macintosh models with 128kb ROM.

In the System file the virus resides in INIT 17 resource. This resource has "Trnt" string at offset 4 from the beginning. In the infected applications the virus body is at the end of CODE 1 resource. The virus intercepts LoadSeg trap.

Symptoms

Symptoms -

Although INIT 17 appears to be relatively harmless, it contains errors in its virus code that may cause file damage during an infection, making it a dangerous virus.

The only other observable action that INIT 17 exhibits is the display of an innocuous message in a window entitled "From the Depths of CyberSpace." This message is shown the first time an infected machine is restarted after the trigger date of 6:06:06 PM, October 31, 1993. On 68000 systems a system bus error occurs so older Macintosh models, such as the Mac Plus and SE, will crash.

Method of Infection

Method of Infection -

Infected applications introduce INIT 17 into the System file. When an infected Macintosh is booted the virus infects all launched applications. In applications the jump table is patched to point to the virus code. The infection would not occur if:

* the jump table does not point to CODE 1 resource
* size of CODE 1 is more then 31085 bytes
* file or filename is locked
* the file is already infected

Also before infecting an application the virus checks to see if WriteResource and SetResAttrs traps are pointing into memory (for example by an AV program) and then it would not infect applications.

Removal -

Removal -

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

Infected Emails (usually in BinHex format) will be currently either deleted or quarantined depending on the configuration of mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

Variants

Variants -

N/A