Content

MacOS/T4

Type
Virus
SubType
Macintosh
Discovery Date
06/01/1992
Length
5,610-5,792 bytes
Minimum DAT
N/A
Updated DAT
N/A
Minimum Engine
N/A
Description Added
12/02/2002
Description Modified
12/18/2002 4:54 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a parasitic virus that infects applications and the System file on Macintosh computers. Variant A was originally distributed attached to GoMoku version 2.0, variant B to version 2.1.

The virus carries an STR resource with ID 32767. Near the end of the infected CODE resource the string "Disinfectant" can be found, together with the strings "Application is infected" and "with the T4 virus".

In an attempt to evade detection (stealth), the virus tries to fool the user by renaming the application it is running from to "Disinfectant" for the duration of the infection. If Disinfectant (a rather dated Macintosh anti-virus tool) is actually present, it is renamed to "Dis" first. If a behaviour-blocking virus detector is installed, its warnings will therefore state that "Disinfectant" wants to modify boot 2 or INIT 31 and to modify the program the virus is about to infect, which a user is likely to allow.

The virus disables all INITs and CDEVs on every subsequent boot by patching the code that loads them, INIT 31 on System 6.x or boot 2 on System 7.x, with an RTS. Patching boot 2 on System 7.0.1 (the release shipped with the Quadras and PowerBooks) may cause the computer to hang.

Symptoms

The virus displays the message "Application is infected with the T4 virus" together with an icon of a biological virus. Infected files may not be restorable to their original state, because the patch applied differs depending on whether an InitDialogs or a TEInit call site was hooked.

The message is displayed if an infected application is run after 8/15/92 (strain A) or 6/26/92 (strain B). In addition, the message and icon appear only once the executed application has itself infected 10 other applications.

Method of Infection

Executing an infected file infects one other file. The virus uses a recursive search for the next uninfected file, starting at the desktop of volume 0. A file is infected only if the size of the resource to be infected is less than 32767 minus the virus length, so that the patched resource stays under 32 KB and the appended body remains within reach of a 16-bit branch displacement.

This virus was one of the first to use entry-point obscuring (EPO) techniques. Instead of patching the jump table or the entry point of the program, it locates a call to the system function InitDialogs or TEInit and patches that BSR instruction so that it transfers control to the virus instead. Applications that call neither function therefore cannot be infected.

This infection method is not fully reliable, so patched programs may not work.

The body of the virus is appended to the same CODE resource whose function call was patched. As a result that CODE resource grows by almost 6 kilobytes.
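As an added example, not part of this description or of any Virex/McAfee code, the following Python script parses a classic Mac OS resource fork and checks for the T4 indicators named above: an STR resource with ID 32767, and the strings "Disinfectant", "Application is infected" and "with the T4 virus" inside a CODE resource. The resource-fork layout follows Inside Macintosh (header, resource data, resource map with type list and reference lists); resource names are ignored. The two sample forks are constructed here for the demonstration and contain no T4 code, only the marker strings appended to a CODE resource where the description says the body ends up.

```python
import struct

# Resource fork layout per Inside Macintosh ("Resource Manager"); resource names are not used here.
HEADER_LEN = 256      # 16-byte header, 112 reserved bytes, 128 application bytes
MAP_HEADER_LEN = 28   # header copy 16 + next-map handle 4 + refnum 2 + attrs 2 + type/name list offsets 2+2
REF_ENTRY_LEN = 12    # id 2 + name offset 2 + attrs 1 + data offset 3 + handle 4

# Indicators taken from the description above.  The resource type is 'STR ' with a trailing space.
T4_STR_ID = 32767
T4_STRINGS = (b"Disinfectant", b"Application is infected", b"with the T4 virus")


def build_resource_fork(resources):
    """Serialise {(type, id): bytes} into a minimal resource fork (used to build the sample input)."""
    data_blob, data_offsets = b"", {}
    for key, payload in resources.items():
        data_offsets[key] = len(data_blob)
        data_blob += struct.pack(">I", len(payload)) + payload   # each item: 4-byte length + data

    by_type = {}
    for rtype, rid in resources:
        by_type.setdefault(rtype, []).append(rid)
    types = sorted(by_type)

    type_entries, ref_lists = b"", b""
    ref_off = 2 + 8 * len(types)   # reference lists follow the type list; offsets are from its start
    for rtype in types:
        ids = by_type[rtype]
        type_entries += struct.pack(">4sHH", rtype, len(ids) - 1, ref_off)
        for rid in ids:
            ref_lists += (struct.pack(">hhB", rid, -1, 0)          # id, no name, attributes
                          + data_offsets[(rtype, rid)].to_bytes(3, "big") + b"\0" * 4)
        ref_off += REF_ENTRY_LEN * len(ids)
    type_list = struct.pack(">H", len(types) - 1) + type_entries
    resource_map = (b"\0" * 24
                    + struct.pack(">HH", MAP_HEADER_LEN, MAP_HEADER_LEN + len(type_list) + len(ref_lists))
                    + type_list + ref_lists)
    header = struct.pack(">IIII", HEADER_LEN, HEADER_LEN + len(data_blob), len(data_blob), len(resource_map))
    return header + b"\0" * (HEADER_LEN - 16) + data_blob + resource_map


def parse_resource_fork(blob):
    """Return {(type, id): bytes} for every resource in the fork, refusing offsets that leave the file."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", blob, 0)
    if data_off + data_len > len(blob) or map_off + map_len > len(blob):
        raise ValueError("resource fork header points outside the file")
    type_list_off, = struct.unpack_from(">H", blob, map_off + 24)
    tl = map_off + type_list_off
    resources = {}
    for i in range(struct.unpack_from(">H", blob, tl)[0] + 1):
        rtype, nres, ref_off = struct.unpack_from(">4sHH", blob, tl + 2 + 8 * i)
        for j in range(nres + 1):
            entry = tl + ref_off + REF_ENTRY_LEN * j
            rid, = struct.unpack_from(">h", blob, entry)
            rel = int.from_bytes(blob[entry + 5:entry + 8], "big")   # 3-byte offset from data start
            length, = struct.unpack_from(">I", blob, data_off + rel)
            start = data_off + rel + 4
            if start + length > data_off + data_len:
                raise ValueError(f"resource {rtype!r} {rid} overruns the data area")
            resources[(rtype, rid)] = blob[start:start + length]
    return resources


def t4_indicators(resources):
    """List the T4 indicators from the description that are present in a parsed fork."""
    findings = []
    if (b"STR ", T4_STR_ID) in resources:
        findings.append("STR ID 32767 present")
    for (rtype, rid), payload in resources.items():
        if rtype == b"CODE":
            hits = [s.decode() for s in T4_STRINGS if s in payload]
            if hits:
                findings.append(f"CODE {rid}: " + ", ".join(hits))
    return findings


# Constructed samples, not real T4 bytes.  CODE 1 opens with LINK A6,#0 / BSR.W +16 / UNLK A6 / RTS
# (valid 68000 encodings) and padding; the "infected" copy has a fake body carrying the marker
# strings appended at the end, where the description says the real body is placed.
_CODE1 = bytes.fromhex("4e56000061000010" + "4e5e4e75") + b"\0" * 64
_FAKE_BODY = b"\x4e\x75" * 32 + b"Application is infected\0with the T4 virus\0Disinfectant\0"
CLEAN_FORK = build_resource_fork({(b"CODE", 0): b"\0" * 16, (b"CODE", 1): _CODE1,
                                  (b"STR ", 128): b"\x05hello"})
INFECTED_FORK = build_resource_fork({(b"CODE", 0): b"\0" * 16, (b"CODE", 1): _CODE1 + _FAKE_BODY,
                                     (b"STR ", T4_STR_ID): b"\x02T4"})

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN_FORK), ("infected", INFECTED_FORK)):
        print(name, t4_indicators(parse_resource_fork(fork)) or ["no T4 indicators"])
```

To run this against a real file, feed `parse_resource_fork` the bytes of the application's resource fork rather than its data fork (on Mac OS X that is the `path/..namedfork/rsrc` stream; for files carried in MacBinary or AppleDouble containers the fork has to be extracted first). The bounds checks matter because a scanner is exactly the sort of tool that gets handed deliberately malformed forks.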

Removal

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh, use Virex to repair it.

If the infected object was found on a non-Apple file server, it can be cleaned with Virex from a Macintosh client.

Infected emails (the attachment is usually in BinHex format) are currently either deleted or quarantined, depending on the mail scanner's configuration. Quarantined mail should be transferred to a Macintosh and cleaned with Virex.

Variants

  • T4-D

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
