Content

MacOS/INIT1984

Type
Virus
SubType
Macintosh
Discovery Date
03/01/1992
Length
4,342 bytes
Minimum DAT
N/A (06/30/2004)
Updated DAT
4371 (06/30/2004)
Minimum Engine
N/A
Description Added
12/10/2002
Description Modified
12/18/2002 4:52 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

This virus only infects files on Macintosh computers running System 4.1 and higher. It is a parasitic System extension infector hitting INIT resources.

The payload triggers on any Friday the 13th after 1991. Then the virus will do the following:

  • Rename all files to random 8 byte names. Files to be renamed will be chosen in alphabetical order, so some files will be renamed more than once while some won't be renamed at all.
  • Change Type and Creator to random 4 byte values.
  • Change creation and modification date to January 1st, 1904. Files that can't be renamed (when filename exists or new name contains ":") will be deleted.

    In older Macs (Mac 128, 512, IIx, etc) there will be a crash on startup.

    • Symptoms

  • Presence of INIT 1984 resource of 4342 bytes in size
  • Presence of STR 1984 resource called "SCULLEY MUST DIE!"

    • Method of Infection

    After an infected file is run the virus tries to infect another INIT within 6 seconds, and subsequently tries to deactivate SAM Intercept (but it searches for the wrong file type). The virus' behaviour depends on the value of a counter stored in STR ID 1984 resource.

    Removal

    Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

    If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

    Infected Emails (usually in BinHex format) will be currently either deleted or quarantined depending on the configuration of mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Characteristics

    Characteristics -

    This virus only infects files on Macintosh computers running System 4.1 and higher. It is a parasitic System extension infector hitting INIT resources.

    The payload triggers on any Friday the 13th after 1991. Then the virus will do the following:

  • Rename all files to random 8 byte names. Files to be renamed will be chosen in alphabetical order, so some files will be renamed more than once while some won't be renamed at all.
  • Change Type and Creator to random 4 byte values.
  • Change creation and modification date to January 1st, 1904. Files that can't be renamed (when filename exists or new name contains ":") will be deleted.

    In older Macs (Mac 128, 512, IIx, etc) there will be a crash on startup.

    • Symptoms

    Symptoms -

  • Presence of INIT 1984 resource of 4342 bytes in size
  • Presence of STR 1984 resource called "SCULLEY MUST DIE!"

    • Method of Infection

    Method of Infection -

    After an infected file is run the virus tries to infect another INIT within 6 seconds, and subsequently tries to deactivate SAM Intercept (but it searches for the wrong file type). The virus' behaviour depends on the value of a counter stored in STR ID 1984 resource.

    Removal -

    Removal -

    Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

    If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

    Infected Emails (usually in BinHex format) will be currently either deleted or quarantined depending on the configuration of mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

    Variants

    Variants -

      N/A