| Alias: | D-Day Virus |
| Strain: | --- |
| detected when: | April 1992 |
| where: | USA |
| Classification: | Application and system file infector |
| Length: | Resource fork extension 1916 bytes (application), 1908 bytes (System file) |
Preconditions | |
| Operating System(s): | MacOS proprietary |
| Version/Release: | All versions (including System 7) |
| Computer model(s): | Apple Macintosh: all models |
| Caroname: | CODE_252 |
Attributes | |
| Easy identification: | 1. CODE 252 Resource 1908 Bytes in applications 2. INIT 34 Resource in System 3. The following strings can be found at offset Hex 3E0 from beginning of both resources: "Ha Ha Ha Ha Ha Ha Ha You have a virus. Now erasing all disks! P.S. Have a nice day (Click to continue!)" |
Type of Infection: | |
| Infection Technique: | CODE ID 252 1908 Bytes; INIT ID 34 1908 Bytes |
| Infection Trigger: | To infect system: Running an infected application. To infect application: Running it by using the Launch trap. |
| Storage Media affected: | |
| Interrupts hooked: | Launch,AddResource,ChangedResource,WriteResource |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | The Virus opens a window, displays some text (see Easy Identification) and then removes itself. |
| Damage Trigger: | If the internal clock's date is between June 6th (D-Day) and December 31th (included), any year. |
| Particularities: | The virus searches for a file 'Hard Disk:Empty Folder:pf' that includes a 'PROC' ID 42 Resource; if this is found, it will be executed, but the resource hasn't been encountered yet. The virus tries to work around SAM Intercept by getting the addresses of AddResource, ChangedResource and WriteResource out of the code of SAM to call Traps without SAM noticing it; this will go wrong if any other program or recent versions of SAM starts the pathed trap calls with a JSR instruction ($4EFA) or if the patch-address are located at another adress. |
| Similarities: | --- |
Agents | |
| Countermeasures: | Use of a commercial anti-viral product or a public domain utility such as Virus Detective, Disinfectant >=2.8 to carry out virus signature scans. 2. Use of a protection INIT such as Vaccine or Gatekeeper to trap resource manager calls. |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Ronald Greinke |
| Documentation by: | Ronald Greinke |
| Date: | 20-April-1992 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg