nVIR A Virus

Alias:---
Strain:nVIR Virus Strain
detected when:December 1987
where:USA
Classification:Application and system file infector
Length:Resource fork extension 3658 bytes (application), 3676 bytes (System file)

Preconditions

Operating System(s):MacOS proprietary
Version/Release:All
Computer model(s):Apple Macintosh: all models
Caroname:nVIR.A

Attributes

Easy identification:1. Characteristic nVIR auxiliary resources 2. CODE 0 Jump table entry 1 changed to 0000 3F3C 0100 A9F0

Type of Infection:

All applications which are not locked, have a non-readonly resource fork and an unprotected CODE 0 resource will be infected.

Infection Technique:
System file: INIT 32 366b, nVIR 0 2b, nVIR 4 372b, nVIR 5 8b
Application: CODE 256 372b, nVIR 2 8b, nVIR 3 366b
Common to both: nVIR 1 378b, nVIR 6 868b, nVIR 7 1562b
Infection Trigger:All applications calling the TEInit trap will cause infection to be attempted.
Storage Media affected:
Interrupts hooked:TEInit
Stealth:
Tunneling/Selfprot:
Oligo/Polymorphism:
Encoding Method:
Damage:None. The virus occasionally uses MacinTalk to say the words "Don't Panic"; if MacinTalk is not installed, the virus will beep.
Damage Trigger:The nVIR 0 counter resource is set to 1000 on the first infection of the system. This counter is decremented by 1 on each system reboot, and by 2 each time an infected application is run. When the counter reaches zero, the virus will speak or beep on 1 in 16 reboots and on 1 in 8 infected application launches.
Particularities:1. An nVIR 10 resource in the system file will prevent infection by the virus. 2. Applications calling OpenResFile prior to TEInit will be damaged. 3. The virus will hybridise with other variants of the nVIR strain.
Similarities:---

Agents

Countermeasures:1. Use of a commercial anti-viral product or a public domain utility such as Virus Detective, VirusRx, Interferon or Disinfectant to carry out virus signature scans. 2. Use of a protection INIT such as Vaccine or GateKeeper to trap Resource Manager calls.
Standard means:
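
The identification marks listed under "Easy identification" can be checked directly against a file's raw resource fork. The following is an added example, not part of the original catalog entry or of any tool it names: the function names are hypothetical, and it assumes "entry 1" means the first 8-byte jump table entry after the 16-byte CODE 0 header.

```python
import struct

# Jump table entry given on the page: offset 0000, segment 0x0100 (CODE 256), A9F0 = _LoadSeg
NVIR_A_ENTRY = bytes.fromhex("00003F3C0100A9F0")
NVIR_A_IDS = set(range(8))  # nVIR 0..7 are the auxiliary resources listed on the page

def parse_resource_fork(fork: bytes) -> dict:
    """Return {(type, id): data} for a classic Mac OS resource fork."""
    if not fork:
        return {}  # empty fork: no resources at all
    try:
        data_off, map_off = struct.unpack_from(">II", fork, 0)
        # The map starts with 24 reserved/header bytes, then the type list offset.
        type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
        n_types = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF
        resources = {}
        for t in range(n_types):
            rtype, last, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
            for r in range(last + 1):
                rid, _name, attr_off = struct.unpack_from(">hHI", fork, type_list + ref_off + 12 * r)
                start = data_off + (attr_off & 0xFFFFFF)  # top byte holds the attributes
                (length,) = struct.unpack_from(">I", fork, start)
                body = fork[start + 4:start + 4 + length]
                if len(body) != length:
                    raise ValueError("resource data runs past end of fork")
                resources[(rtype.decode("mac_roman"), rid)] = body
        return resources
    except struct.error as exc:
        raise ValueError("truncated or malformed resource fork") from exc

def nvir_a_report(fork: bytes) -> dict:
    """Check the identification marks from the page plus the nVIR 10 marker."""
    res = parse_resource_fork(fork)
    code0 = res.get(("CODE", 0), b"")
    report = {
        "nvir_ids": sorted(i for (t, i) in res if t == "nVIR" and i in NVIR_A_IDS),
        # Assumption: entry 1 is the first entry after the 16-byte CODE 0 header.
        "code0_entry1_patched": code0[16:24] == NVIR_A_ENTRY,
        "has_code_256": ("CODE", 256) in res,
        "nvir10_marker": ("nVIR", 10) in res,  # page: blocks infection of the System file
    }
    report["suspect"] = bool(report["nvir_ids"]) or report["code0_entry1_patched"]
    return report
```

A lone nVIR 10 resource is reported separately and does not mark the file as suspect, since the page describes it as preventing infection rather than indicating it.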

Acknowledgements

Location:Heriot-Watt University, Edinburgh (UK)
Classification by:David Ferbrache
Documentation by:David Ferbrache
Date:12-March-1990
Information Source:---

(c) 1996 Virus-Test-Center, University of Hamburg