| Field | Value |
|---|---|
| Alias: | "Trent Saburo" Virus; "Halloween" Virus |
| Strain: | --- |
| Detected when: | 31 October 1993 |
| Where: | USA, University of Pennsylvania |
| Classification: | Link virus, application and system infector |
| Length: | Resource fork extension: 2936 bytes |
| Preconditions | |
| Operating System(s): | MacOS (proprietary) |
| Version/Release: | All. |
| Computer model(s): | Macintosh SE or newer. |
| CARO name: | CODE_1 |
| Attributes | |
| Easy identification: | PTCH 0 resource in the System file with the string " _ PC" at offset 13 from the end. In applications the same string can be found at offset 13 from the end of the CODE 1 resource. |
| Type of Infection: | 1. The System file. 2. All applications except the Finder. An application can only be infected when all of the following preconditions are met: a) the first entry in CODE 0 points to CODE 1, b) the size of CODE 1 is smaller than 29831 bytes, c) the file is not locked, d) the file is not already infected. |
| Infection Technique: | PTCH 0 in the System file; CODE 1 in applications. Both are extended by 2936 bytes. |
| Infection Trigger: | 1. Starting an infected application disinfects the application and infects the System. If the Mac has not been started from an infected System, the application will not be reinfected. 2. After starting up with an infected System, every application launched becomes infected. |
| Storage Media affected: | |
| Interrupts hooked: | CloseResFile, to infect applications. The virus contains a table of known ROM addresses for the GetResAttrs, ChangedResource, UpdateResFile and Write traps for ROM versions 118, 120 and 124. Trap addresses for other ROM versions can also be present. See Particularities. |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | The default volume is renamed to "Trent Saburo". |
| Damage Trigger: | Running an infected System on October 31st (Halloween). |
| Particularities: | The virus changes several internal code pointers that may also be set by various extensions and updates; this may cause the system to crash. The virus learns about new ROMs: the ROM table has room for 9 entries. If the SetResInfo and SetFileInfo traps are redirected to RAM (e.g. by an anti-virus program), the virus does not infect programs. |
| Similarities: | INIT 17 |
| Agents | |
| Countermeasures: | 1. Use a commercial anti-viral product or a public domain utility such as VirusDetective or Disinfectant >= 3.3 to scan for virus signatures. |
| Standard means: | |
| Acknowledgements | |
| Location: | VTC, University of Hamburg (D) |
| Classification by: | Thomas Piehl |
| Documentation by: | John Norstad, Ronald Greinke |
| Date: | 20-Nov-1993 |
| Information Source: | |
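As an added illustration (not part of the VTC entry), the "easy identification" check and the four application-infection preconditions above, expressed as a small Python scanner over constructed resource bytes. The signature string is the one quoted in the entry; placing it so that it starts 13 bytes before the end of the resource is an assumption about the wording "offset 13 from the end", and the sample resources are constructed, not real CODE 1 material.

```python
# Constants taken from the catalogue entry; the signature placement is an assumption.
CODE1_SIGNATURE = b" _ PC"       # string quoted under "Easy identification"
SIGNATURE_OFFSET_FROM_END = 13   # signature assumed to start 13 bytes before the end
INFECTION_GROWTH = 2936          # bytes added to PTCH 0 (System) or CODE 1 (applications)
MAX_INFECTABLE_CODE1 = 29831     # CODE 1 must be smaller than this to be infected


def has_code1_signature(resource: bytes) -> bool:
    """True if the resource carries the CODE 1 marker at the expected offset from its end."""
    start = len(resource) - SIGNATURE_OFFSET_FROM_END
    if start < 0:
        return False
    return resource[start:start + len(CODE1_SIGNATURE)] == CODE1_SIGNATURE


def scan_file_resources(resources: dict) -> list:
    """Return the names of PTCH 0 / CODE 1 resources that show the marker.

    `resources` maps a resource name (e.g. "PTCH 0", "CODE 1") to its raw bytes.
    """
    return [name for name, data in resources.items()
            if name in ("PTCH 0", "CODE 1") and has_code1_signature(data)]


def unmet_infection_preconditions(code0_first_entry_target: int, code1_size: int,
                                  file_locked: bool, already_infected: bool) -> list:
    """List which of the entry's four preconditions an application does NOT satisfy.

    An empty list means the application would be a valid infection target.
    """
    unmet = []
    if code0_first_entry_target != 1:
        unmet.append("first CODE 0 entry does not point to CODE 1")
    if code1_size >= MAX_INFECTABLE_CODE1:
        unmet.append("CODE 1 is not smaller than 29831 bytes")
    if file_locked:
        unmet.append("file is locked")
    if already_infected:
        unmet.append("file is already infected")
    return unmet


# Constructed sample resources: a clean CODE 1 and the same resource after a
# simulated 2936-byte extension that ends with the marker at the assumed offset.
CLEAN_CODE1 = bytes([0x4E, 0x75]) * 100                       # 200 bytes of filler
INFECTED_CODE1 = (CLEAN_CODE1 + bytes(INFECTION_GROWTH - SIGNATURE_OFFSET_FROM_END)
                  + CODE1_SIGNATURE + bytes(SIGNATURE_OFFSET_FROM_END - len(CODE1_SIGNATURE)))
```

A real scanner would read these resources out of the Macintosh resource fork; here the bytes are handed in directly so the check runs offline.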
(c) 1996 Virus-Test-Center, University of Hamburg