| Alias: | --- |
| Strain: | nVIR Virus Strain |
| detected when: | July 1991 |
| where: | USA |
| Classification: | Application and System file infector |
| Length: | Resource fork extension: 3916 bytes (Application) 3934 bytes (System file) |
Preconditions | |
| Operating System(s): | MacOS proprietary |
| Version/Release: | All |
| Computer model(s): | Apple Macintosh: all models |
| Caroname: | nVIR.C |
Attributes | |
| Easy identification: | 1. Characteristic nVIR auxiliary resources 2. CODE 0 Jump table entry 1 changed to 0000 3F3C 0100 A9F0 |
Type of Infection: | All applications with a non-readonly resource fork and an unprotected CODE 0 resource will be infected. |
| Infection Technique: | System File Application Common to both INIT 32 416b CODE 256 788b nVIR 1 428b nVIR 0 2b nVIR 2 8b nVIR 6 66b nVIR 4 788b nVIR 3 416b nVIR 7 2106b nVIR 5 8b |
| Infection Trigger: | All applications calling the TEInit trap will cause attempted infection. |
| Storage Media affected: | |
| Interrupts hooked: | TEInit |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: --- Transient damage: Virus occasionally beeps. |
| Damage Trigger: | The counter nVIR 0 resource is set to 1000 on first infection of the system; this counter is decremented by 1 on system reboot, and by 2 each time when an infected application is run; when counter= 0, the virus will beep 1 in 8 reboots, and one in 4 infected appli- cation launches. |
| Particularities: | 1. An nVIR 10 resource in the system file will prevent infection by this virus. 2. Applications calling OpenResFile prior to TEInit will be damaged. 3. The virus will hybridise with other variants of the nVIR strain. |
| Similarities: | The code of all resources is identical to nVIR B except the nVIR 4 resource in system file and the CODE 256 resource in applications. |
Agents | |
| Countermeasures: | 1. Use a commercial anti-viral product or a public domain utility such as Virus Detective, VirusRx, Interferon or Disinfectant to scan for virus' signature. 2. Use a protection INIT such as vaccine or gatekeeper to trap resource manager calls. |
| Standard means: | |
Acknowledgements | |
| Location: | Virus Test Center, University Hamburg, Germany |
| Classification by: | Ronald Greinke |
| Documentation by: | Ronald Greinke |
| Date: | 15-July-1991 |
| Information Source: | --- |
(c) 1996 Virus-Test-Center, University of Hamburg