| Alias: | --- |
| Strain: | nVIR Virus Strain |
| Detected when: | December 1987 |
| Where: | USA |
| Classification: | Application and system file infector |
| Length: | Resource fork extension 3658 bytes (application), 3676 bytes (System file) |
Preconditions | |
| Operating System(s): | MacOS proprietary |
| Version/Release: | All |
| Computer model(s): | Apple Macintosh: all models |
| Caroname: | nVIR.A |
Attributes | |
| Easy identification: | 1. Characteristic nVIR auxiliary resources 2. CODE 0 Jump table entry 1 changed to 0000 3F3C 0100 A9F0 |
| Type of Infection: | All applications which are not locked, have a non-readonly resource fork and an unprotected CODE 0 resource will be infected. |
| Infection Technique: | Resources added. System file: INIT 32 (366b), nVIR 0 (2b), nVIR 4 (372b), nVIR 5 (8b). Application: CODE 256 (372b), nVIR 2 (8b), nVIR 3 (366b). Common to both: nVIR 1 (378b), nVIR 6 (868b), nVIR 7 (1562b). |
| Infection Trigger: | All applications calling the TEInit trap will cause infection to be attempted. |
| Storage Media affected: | |
| Interrupts hooked: | TEInit |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | None. Virus occasionally uses MacinTalk to say the words "Don't Panic"; if MacinTalk is not installed, the virus will beep. |
| Damage Trigger: | The counter in the nVIR 0 resource is set to 1000 on 1st infection of the system. This counter is decremented by 1 on system reboot, and by 2 each time an infected application is run. When the counter reaches zero the virus will speak or beep on 1 in 16 reboots, and on 1 in 8 infected application launches. |
| Particularities: | 1. An nVIR 10 resource in the system file will prevent infection by the virus. 2. Applications calling OpenResFile prior to TEInit will be damaged. 3. The virus will hybridise with other variants of the nVIR strain. |
| Similarities: | --- |
Agents | |
| Countermeasures: | 1. Use of a commercial anti-viral product or a public domain utility such as Virus Detective, VirusRx, Interferon or Disinfectant to carry out virus signature scans. 2. Use of a protection INIT such as Vaccine or GateKeeper to trap Resource Manager calls. |
| Standard means: | |
Acknowledgements | |
| Location: | Heriot-Watt University, Edinburgh (UK) |
| Classification by: | David Ferbrache |
| Documentation by: | David Ferbrache |
| Date: | 12-March-1990 |
| Information Source: | --- |
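
The two "Easy identification" indicators and the nVIR 10 inoculation marker can be checked mechanically once a file's resources have been dumped. The following is an added example, not part of the original catalog entry: the `(type, id) -> bytes` dictionary, the function names and the sample data are constructed for illustration, and the 16-byte CODE 0 header before the jump table is an assumption taken from the classic Macintosh segment loader layout.

```python
import struct

# Indicator 2 from the entry: CODE 0 jump table entry 1 reads 0000 3F3C 0100 A9F0.
PATCHED_ENTRY = bytes.fromhex("00003F3C0100A9F0")
HEADER_LEN = 16      # assumption: four big-endian 32-bit fields precede the jump table
ENTRY_LEN = 8
INOCULATION_ID = 10  # per the entry, nVIR 10 in the System file blocks infection


def first_jump_entry(code0):
    """Return jump table entry 1 of a CODE 0 resource, or None if it is too short."""
    if len(code0) < HEADER_LEN + ENTRY_LEN:
        return None
    _above_a5, _below_a5, table_len, _table_off = struct.unpack(">4I", code0[:HEADER_LEN])
    if table_len < ENTRY_LEN:
        return None
    return code0[HEADER_LEN:HEADER_LEN + ENTRY_LEN]


def scan(resources):
    """resources maps (type, id) -> bytes, as dumped from one file's resource fork."""
    nvir_ids = sorted(rid for (rtype, rid) in resources if rtype == "nVIR")
    aux_ids = [rid for rid in nvir_ids if rid != INOCULATION_ID]
    code0 = resources.get(("CODE", 0))
    patched = code0 is not None and first_jump_entry(code0) == PATCHED_ENTRY
    if aux_ids or patched:
        verdict = "nVIR.A indicators present"
    elif INOCULATION_ID in nvir_ids:
        verdict = "inoculation marker only"
    else:
        verdict = "no indicators"
    return {"aux_ids": aux_ids, "jump_patched": patched, "verdict": verdict}


def make_code0(entry1):
    """Build a constructed CODE 0 with a two-entry jump table (sample data only)."""
    second = bytes.fromhex("00083F3C0001A9F0")
    return struct.pack(">4I", 0x30, 0x100, 16, 0x20) + entry1 + second


# Constructed samples; resource bodies are empty placeholders, not real virus code.
CLEAN_APP = {("CODE", 0): make_code0(bytes.fromhex("00043F3C0001A9F0")), ("CODE", 1): b""}
INFECTED_APP = {("CODE", 0): make_code0(PATCHED_ENTRY), ("CODE", 256): b"",
                **{("nVIR", i): b"" for i in (1, 2, 3, 6, 7)}}
INOCULATED_SYSTEM = {("nVIR", 10): b"", ("INIT", 31): b""}

if __name__ == "__main__":
    for name, sample in [("clean app", CLEAN_APP), ("infected app", INFECTED_APP),
                         ("inoculated System", INOCULATED_SYSTEM)]:
        print(name, scan(sample))
```

A file that carries only nVIR 10 is reported as inoculated rather than infected, which keeps the marker described under Particularities from raising a false positive.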
(c) 1996 Virus-Test-Center, University of Hamburg