| Alias: | --- |
| Strain: | T4 Virus Strain |
| detected when: | June 1992 |
| where: | Several FTP sites around the world |
| Classification: | Link virus, applications only |
| Length: | Resource fork extension 5792 bytes |
| Preconditions | |
| Operating System(s): | MacOS proprietary |
| Version/Release: | All systems (including System 7) |
| Computer model(s): | All. |
| Caroname: | T4.B |
| Attributes | |
| Easy identification: | STR ID 32767 Resource. Near the end of one of the CODE resources, the string "Disinfectant" can be found; in that resource, strings "@ookhb`shnm hr hmedbsdc" and "vhsg sgd S3 uhqtr" can be found. |
| Type of Infection: | |
| Infection Technique: | Extending an existing CODE resource by 5792 bytes |
| Infection Trigger: | Executing an infected file infects one other file. The virus uses a recursive search to find the next uninfected file, starting on the desktop of volume 0. A file is only infected if the size of the resource to be infected is < 32767 - 5792 bytes. |
| Storage Media affected: | |
| Interrupts hooked: | None |
| Stealth: | |
| Tunneling/Selfprot: | |
| Oligo/Polymorphism: | |
| Encoding Method: | |
| Damage: | Permanent damage: 1. Infected files may not be restored to their original state because of different patches for InitDialogs and TEInit. 2. The virus disables all INITs and cdevs on all subsequent boots by patching INIT 31 to an RTS (System 6.xx) and boot 2 (System 7.x). 3. Patching boot 2 on a System 7.01 (Quadra, Powerbook) may cause the computer to hang because boot 2 has been changed. Transient damage: The virus displays the message "Application is infected with the T4 virus" and an icon of a biological virus. |
| Damage Trigger: | Running an infected application. Trigger for message and icon: the infected program has infected 10 other applications. |
| Particularities: | In an attempt to hide from detection (stealth), the virus tries to fool the user by renaming an application to "Disinfectant" during infection. If "Disinfectant" is present, it will be renamed to "Dis". If SAM Intercept or another monitoring program is installed, this will cause messages that "Disinfectant" wants to modify boot 2 (System 7) or INIT 31 (System 6.xx) and to modify a program the virus tries to infect. |
| Similarities: | T4-A (and its trojan predecessor) |
| Agents | |
| Countermeasures: | Use a commercial anti-virus product or a public domain utility such as Virus Detective or Disinfectant >= 2.9 to carry out virus signature scans. |
| Standard means: | |
| Acknowledgements | |
| Location: | Virus Test Center, University of Hamburg, Germany |
| Classification by: | Ronald Greinke |
| Documentation by: | Ronald Greinke |
| Date: | 13-July-1992 |
| Information Source: | |
(c) 1996 Virus-Test-Center, University of Hamburg