| Alias: | --- |
| Strain: | --- |
| detected when: | April 1993 |
| where: | USA |
| Classification: | Link virus, Applications and System infector |
| Length: | Resource fork extension: 1,682 bytes |
| Preconditions | |
| Operating System(s): | MacOS proprietary |
| Version/Release: | All prior to System 7 |
| Computer model(s): | All. |
| Caroname: | INIT_17 |
| Attributes | |
| Easy identification: | INIT 17 resource in System file with the string "Trnt" at offset 4 from the beginning. In applications, the same string can be found at offset 1,678 from the end of the CODE 1 resource. |
| Type of Infection: | 1. The System file. 2. All applications except Finder, all programs created with StuffIt (self-extracting archives), the file Virex and all applications whose creator starts with 'AL'. An application can only be infected when the following preconditions hold: a) first entry in CODE 0 points to CODE 1, b) size of CODE 1 < 31,086 bytes, c) file is not locked or its name is locked, d) file is not already infected. |
| Infection Technique: | INIT 17: 1,682 bytes in System file. CODE 1: extended by 1,682 bytes in applications. |
| Infection Trigger: | 1. Starting an infected application infects system, and every application started afterwards becomes infected. 2. After starting up with an infected System, every application launched becomes infected. |
| Storage Media affected: | |
| Interrupts hooked: | LoadSeg |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | The virus pops up a window named "From the depths of Cyberspace" displaying the message "-Trent Saburo was here". On 68000 systems (old Macs), a system bus error occurs. |
| Damage Trigger: | Running an infected System or application after the internal date has reached Oct. 31, 1993, 6:06:06 AM. |
| Particularities: | If the WriteResource and SetResAttrs traps are redirected to RAM (e.g. by an antivirus program), the virus does NOT infect programs. |
| Similarities: | --- |
| Agents | |
| Countermeasures: | Use a commercial, shareware or freeware anti-viral product such as VirusDetective or Disinfectant >= 3.2 to scan for viral signatures. |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Hisao Tai, Peer Reymann, Ronald Greinke |
| Documentation by: | Tim Dierks |
| Date: | 31-July-1993 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg
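
The "Easy identification" rule above, written as a scanner over a raw resource fork. This is an added example, not code from the Virus Test Center or from any of the products named; the function names are hypothetical, and the sample forks are constructed stand-in bytes that carry only the "Trnt" marker at the documented offsets.

```python
import struct

MARK, VIRUS_LEN = b"Trnt", 1682   # marker string and extension length from the entry above

def parse_fork(fork):
    """Return {(type, id): data} for every resource in a classic Mac resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    types = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    out = {}
    # The type count is stored minus one; 0xFFFF means the fork has no resources.
    for t in range((struct.unpack_from(">H", fork, types)[0] + 1) & 0xFFFF):
        rtype, last, refs = struct.unpack_from(">4sHH", fork, types + 2 + 8 * t)
        for r in range(last + 1):
            rid, _, packed = struct.unpack_from(">hHI", fork, types + refs + 12 * r)
            start = data_off + (packed & 0xFFFFFF)   # top byte holds attributes
            size = struct.unpack_from(">I", fork, start)[0]
            out[(rtype, rid)] = fork[start + 4:start + 4 + size]
    return out

def check_init17(fork):
    """Apply both identification rules; return the names of matching resources."""
    res, hits = parse_fork(fork), []
    init = res.get((b"INIT", 17))
    if init is not None and init[4:8] == MARK:            # offset 4 from the beginning
        hits.append("INIT 17")
    code1 = res.get((b"CODE", 1), b"")
    if len(code1) >= 1678 and code1[-1678:-1674] == MARK:  # offset 1,678 from the end
        hits.append("CODE 1")
    return hits

def build_fork(resources):
    """Build a minimal resource fork from {(type, id): data} (test input only)."""
    by_type = {}
    for (rtype, rid), d in resources.items():
        by_type.setdefault(rtype, []).append((rid, d))
    data, tlist, refs = b"", b"", b""
    ref_base = 2 + 8 * len(by_type)          # reference lists follow the type list
    for rtype, items in by_type.items():
        tlist += struct.pack(">4sHH", rtype, len(items) - 1, ref_base + len(refs))
        for rid, d in items:
            refs += struct.pack(">hHI", rid, 0xFFFF, len(data)) + bytes(4)
            data += struct.pack(">I", len(d)) + d
    body = struct.pack(">H", len(by_type) - 1) + tlist + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(body)) + body
    return struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap)) + bytes(240) + data + rmap

# Constructed samples: zero-filled placeholder of the documented length plus the marker.
STANDIN = bytes(4) + MARK + bytes(VIRUS_LEN - 8)
INFECTED_SYSTEM = build_fork({(b"INIT", 17): STANDIN})
INFECTED_APP = build_fork({(b"CODE", 0): bytes(24), (b"CODE", 1): b"\x4e\x75" * 100 + STANDIN})
```

Both offsets describe the same position: the marker sits 4 bytes into the 1,682-byte extension, which is 1,678 bytes from the end of an extended CODE 1 resource.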