ALADIN Virus

Alias: ---
Strain: "Aladin Emulator Viruses"
Detected when: December '87
Where: Hamburg, FRG
Classification: Program Virus
Length: Varying from 3312 to 3822 bytes in storage

Preconditions

Operating System(s): MacOS
Version/Release: Version 2.0 and higher
Computer model(s): infection: all Apple Macintosh series computers Aladin (MacI
Caroname: Aladin

Attributes

Easy identification: ---

Type of Infection:

- extending infected programs by virus size
- modifying infected program's jump table
- patching operating system calls in RAM
- upon each launch, the program's "last modified" date entry is updated

Infection Technique:
Infection Trigger:
- program files are infected when copied (when an infected "Finder" is running)
- program files are infected when launched (when an infected "Finder" is running)
- a running "Finder" is infected when it launches an infected program
Storage Media affected: all types of media that are not write-protected
Interrupts hooked: System traps OpenRF and SetFileInfo
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage: all printing functions are intercepted
Damage Trigger: value of infection counter
Particularities: Probably, Spectre (Macintosh emulator) will not be infected (similar to Frankie) as a bug in Spectre's bus error handler may deceive Aladin into thinking that it is not running on an Atari.
Similarities: ---

Agents

Countermeasures: Applying Viruskiller application
Standard means:
- check file size, file modification date
- open file with ResEdit and check sequence of "CODE" resource entries: if the upper left icon has a higher resource number, be warned
- open "CODE 0" with ResEdit and check byte $15: if it equals the highest available resource number, be warned
- use the INIT "Vaccine"

Acknowledgements

Location: Virus Test Center, University Hamburg, FRG
Classification by: Christian Markus, VTC
Documentation by: Christian Markus/Zbigniew Fiedorowicz
Date: 14-June-90
Information Source: ---

(c) 1996 Virus-Test-Center, University of Hamburg