nVIR B Virus

Strain:nVIR Virus Strain
Detected when:December 1987
Classification:Application and system file infector
Length:Resource fork extension 3550 bytes (application), 3568 bytes (System file)


Operating System(s):MacOS proprietary
Computer model(s):Apple Macintosh: all models


Easy identification:
1. Characteristic nVIR auxiliary resources
2. CODE 0 jump table entry 1 changed to 0000 3F3C 0100 A9F0

Type of Infection:

All applications which are not locked, have a non-read-only resource fork and an unprotected CODE 0 resource will be infected.

Infection Technique:
System File: INIT 32 (416b), nVIR 0 (2b), nVIR 4 (422b), nVIR 5 (8b)
Application: CODE 256 (422b), nVIR 2 (8b), nVIR 3 (416b)
Common to both: nVIR 1 (428b), nVIR 6 (66b), nVIR 7 (2106b)
Infection Trigger:All applications calling the TEInit trap will cause infection to be attempted.
Storage Media affected:
Interrupts hooked:TEInit
Encoding Method:
Damage:None. Virus occasionally beeps.
Damage Trigger:The counter in the nVIR 0 resource is set to 1000 on the first infection of the system. This counter is decremented by 1 on each system reboot, and by 2 each time an infected application is run. When the counter reaches zero the virus will beep on 1 in 8 reboots, and on 1 in 4 infected application launches.
Particularities:
1. An nVIR 10 resource in the system file will prevent infection by the virus.
2. Applications calling OpenResFile prior to TEInit will be damaged.
3. The virus will hybridise with other variants of the nVIR strain.


Countermeasures:
1. Use of a commercial anti-viral product or a public domain utility such as Virus Detective, VirusRx, Interferon or Disinfectant to carry out virus signature scans.
2. Use of a protection INIT such as Vaccine or Gatekeeper to trap Resource Manager calls.
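The two "Easy identification" checks applied to a raw resource fork, as an added example that is not part of the original catalogue entry. It assumes the standard classic Mac OS resource fork and CODE 0 layouts and that "entry 1" is the first jump table entry; `parse_resources`, `check_nvir_b`, `build_fork` and `SAMPLE` are names made up here.

```python
import struct

# Entry 1 bytes listed under "Easy identification" on this page.
NVIR_B_ENTRY1 = bytes.fromhex("00003F3C0100A9F0")

def parse_resources(fork):
    """Return {(type, id): data} from a raw classic Mac OS resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]  # type list
    n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF  # stored as n-1
    out = {}
    for t in range(n_types):
        rtype, n_res, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(n_res + 1):
            rid, _, attr_off = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * r)
            start = data_off + (attr_off & 0xFFFFFF)  # low 3 bytes = data offset
            size = struct.unpack_from(">I", fork, start)[0]
            out[(rtype.decode("mac_roman"), rid)] = fork[start + 4:start + 4 + size]
    return out

def check_nvir_b(fork):
    """Apply the page's two identification checks; return a list of findings."""
    res = parse_resources(fork)
    findings = []
    ids = sorted(i for t, i in res if t == "nVIR")
    if ids:
        findings.append("nVIR resources present: %s" % ids)
    # Assumption: 16-byte CODE 0 header, then 8-byte entries; entry 1 is the first.
    if res.get(("CODE", 0), b"")[16:24] == NVIR_B_ENTRY1:
        findings.append("CODE 0 jump table entry 1 matches nVIR B")
    return findings

def build_fork(resources):
    """Pack {(type, id): data} into a resource fork (for constructed samples)."""
    types = sorted({t for t, _ in resources})
    data, refs, tlist = b"", b"", b""
    for t in types:
        ids = sorted(i for tt, i in resources if tt == t)
        ref_off = 2 + 8 * len(types) + len(refs)
        tlist += struct.pack(">4sHH", t.encode("mac_roman"), len(ids) - 1, ref_off)
        for i in ids:
            refs += struct.pack(">hHII", i, 0xFFFF, len(data), 0)
            data += struct.pack(">I", len(resources[t, i])) + resources[t, i]
    tl = struct.pack(">H", len(types) - 1) + tlist + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tl)) + tl
    head = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return head + bytes(240) + data + rmap

# Constructed sample: CODE 0 with the listed entry 1 bytes plus an nVIR 2 resource.
SAMPLE = build_fork({("CODE", 0): bytes(16) + NVIR_B_ENTRY1, ("nVIR", 2): bytes(8)})
```

`check_nvir_b` expects the bytes of the resource fork itself, so a fork carried inside a container format has to be extracted first.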
Standard means:


Location:Heriot-Watt University, Edinburgh (UK)
Classification by:David Ferbrache
Documentation by:David Ferbrache
Information Source:---

(c) 1996 Virus-Test-Center, University of Hamburg