MacOS/ZUC

Type: Virus
SubType: Macintosh
Discovery Date: 03/01/1990
Length: 1,256 bytes
Minimum DAT: N/A
Updated DAT: N/A
Minimum Engine: N/A
Description Added: 12/10/2002
Description Modified: 12/10/2002 8:14 AM (PT)
Risk Assessment, Corporate User: Low
Risk Assessment, Home User: Low

Characteristics

These viruses only infect Apple Macintosh computer models with ROMs smaller than 512k running System 4.1 or later.

The virus intercepts the following OS traps: 'SetFileInfo', 'ChangedResource', 'SetResAttr'. In addition, the virus notices trap values that antivirus programs have changed and patches them back to the original routines.

The virus changes bit 7 of SpMisc2 in the parameter RAM. The computer will hang if there is no RAM for the VBL-task in the system heap.

Symptoms

Strains .a and .b activate on March 2, 1990 or two weeks after initial infection. Strain .c activates only between 13 and 26 days after initial infection, after August 13, 1990. When triggered, they:

- change the Desktop pattern in some cases
- create a VBL routine that bounces the cursor whenever the mouse button is pressed
- can cause long delays and heavy disk activity
- can make the system unusable once the Finder becomes infected.

Method of Infection

The virus infects every application of type "APPL" whose CODE 1 resource is larger than 32 bytes, where CODE 1 + virus is less than 32768 bytes, and whose Creator is not one of the following: 'SpDo', 'XPRS', 'DFCT', 'VGDt', 'VIRy' or 'OMEG'.

The virus increases the size of the CODE 1 resource and appends itself to it. The jump table is patched to point to the viral code.
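A triage heuristic built from the two facts above (code appended to CODE 1, jump table patched), as an added example that is not part of the original description or of any scanner: it flags CODE 0 jump-table entries for segment 1 that land in the final 1,256 bytes of CODE 1. The CODE 0 layout is the classic 68k Segment Loader format; the function names, the offset base and the sample bytes are assumptions made for illustration.

```python
import struct

VIRUS_LEN = 1256             # length stated in this description
LOADSEG = (0x3F3C, 0xA9F0)   # MOVE.W #seg,-(SP) followed by the _LoadSeg trap

def jump_entries(code0):
    """Yield (index, routine_offset, segment) for unloaded jump-table entries in CODE 0."""
    # CODE 0 header: above-A5 size, below-A5 size, jump-table size, jump-table offset.
    _, _, table_size, _ = struct.unpack_from(">4I", code0, 0)
    for i in range(table_size // 8):
        off, move, seg, trap = struct.unpack_from(">4H", code0, 16 + 8 * i)
        if (move, trap) == LOADSEG:
            yield i, off, seg

def suspicious_entries(code0, code1, tail=VIRUS_LEN):
    """Return (index, offset) of segment-1 entries landing in the last `tail` bytes of CODE 1."""
    # Assumption: routine offsets count from the end of the 4-byte segment header.
    body_len = len(code1) - 4
    if body_len <= tail:
        return []            # too small to hold host code plus the appended bytes
    return [(i, off) for i, off, seg in jump_entries(code0)
            if seg == 1 and body_len - tail <= off < body_len]

def make_code0(entries):
    """Build a constructed CODE 0 resource from (offset, segment) pairs."""
    table = b"".join(struct.pack(">4H", off, 0x3F3C, seg, 0xA9F0)
                     for off, seg in entries)
    return struct.pack(">4I", 0x28, 0x100, len(table), 0x20) + table

# Constructed samples (not real binaries): a 600-byte CODE 1 body,
# clean and then grown by VIRUS_LEN bytes with the first entry redirected.
CLEAN_CODE1 = struct.pack(">2H", 0, 2) + bytes(600)
GROWN_CODE1 = CLEAN_CODE1 + bytes(VIRUS_LEN)
CLEAN_CODE0 = make_code0([(0, 1), (0x0120, 1), (0x0010, 2)])
PATCHED_CODE0 = make_code0([(600, 1), (0x0120, 1), (0x0010, 2)])

if __name__ == "__main__":
    print(suspicious_entries(CLEAN_CODE0, CLEAN_CODE1))
    print(suspicious_entries(PATCHED_CODE0, GROWN_CODE1))
```

A hit is only a lead for closer inspection: ordinary applications also have routines near the end of CODE 1, so confirmation still needs a scanner with a real signature.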

Infection starts after the virus is executed between November 1, 1989 at 16:18:44 and the last infection date stored in the virus. This virus has two infection strategies:

- 15 out of 16 times, the virus searches for an uninfected application by scanning all accessible Desktop files for resources of type "APPL" and infects the first one found.

- 1 out of 16 times the virus uses a recursive search to find an uninfected application on all connected volumes (such as AppleShare). This strategy is chosen if the value of the system variable time is a multiple of 16.

Removal

Please use the latest updates of Virex for cleaning. If this threat is detected on a Macintosh please use Virex to repair it.

If the infected object was found on a non-Apple file server it can be cleaned using Virex from a Macintosh client.

Infected emails (usually in BinHex format) are currently either deleted or quarantined, depending on the configuration of the mail scanner. Quarantined mails should be transferred to a Macintosh and cleaned using Virex.

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
