The information provided in the Virus Info # 1 Document is substantially correct, although I will disagree with certain aspects according to my own experiences with this plague.
Detection:
Check the System Folder for Scrapbook File and Note Pad File. If they have BOTH and they are generic document icons, i.e., a blank, dog-eared page, assume you are infected. If the icons are small Macs, like the System and Finder icons, you are most likely safe. But please read and try to understand this document because failure to take precautions may cause you to be infected tomorrow.
The viral files contain several distinct and possibly unique strings. Use Fedit to search for VULT and/or ERIC. If you do not find either of these strings on your disk, it is NOT infected. If you find them, proceed as though you are infected and make further tests.
When Vaccine has been installed on your disk and is running, opening an infected application will produce either an alert message from Vaccine, a bomb, or the Mac will hang up. In any case, the application should be examined more closely: Use ResEd to open the CODE resource of the application. If the top one is two numbers higher than the next highest number, do a Get Info on it. If the size of this code resource is 7026, you have confirmed it as an infected application. Throw it in the trash as it is unusable and will cause you problems if you run it with Vaccine off. If it is an application for which you do not have a clean backup, save it to a floppy. I'm sure that before too long, someone will write an application that will repair applications and you can recover it then.
If you have installed Vaccine and it periodically gives you a warning, even when you are doing nothing to change anything on the Mac, Vaccine is NOT defective. It is telling you that you are contaminated and that the virus has tried and failed to attack a previously clean application. If you do not have Vaccine installed and have noticed your disk drive (hard or floppy) run for a few seconds when there is no cause, it is quite likely the same thing, except in this case you just lost the application.
Check ALL of your applications. It is easy to overlook some of the smaller and common ones like Font/DA Mover and backup programs. Be sure to check Finder, MultiFinder, and ResEd itself. Remember, you do NOT have to have run an application for it to be contaminated. Thus far I have not seen a contaminated document. The virus seems to attack only those files which have CODE resources, and virtually all documents do not contain these. If there is a type of document that does, please let me know and I will edit this notice.
Removal:
The virus CAN be removed from your System by less stringent means than described in document # 1.
Open your System folder with ResEd.
Select and Clear Scrapbook File, Note Pad File, Desktop, and Scores.
Open the System and clear these resources: atpl ID 128, DATA ID -4001, and INITs 10, 17, & 6.
Close ResEd and save changes.
Note that the System file atpl and DATA resources are not mentioned in the Virus Info # 1 document. However, they are in the System and should be removed. A virgin System (4.1, at least) from Apple does not contain either resource type, but some programs - LaserSpeed, for one - legitimately place them in the System. Remove only the ID numbers listed.
My experiences with this virus over the past three months have shown this to be an effective and relatively simple way to clean the System. I did this three months ago and have seen no more Scores, etc. files until a week ago, when a friend gave me an infected application. Even then I had to turn Vaccine off to get it to do its dirty work. I have seen several infected Finders. If Vaccine is running and the Finder is contaminated, the Mac will NOT boot. In this case, boot with a CLEAN floppy and replace the Finder on the hard drive.
This rather simple method of decontaminated the System is suggested because it allows you to keep any special fonts, DAs, or other System modifications you may have made. If you want to go the full route and re-initialize the hard disk, you should be thoroughly de-contaminated, but I feel that may be overkill. Just be sure to check all of the files you are re-installing. A friend went to an Apple dealer to get a new System and Finder, only to discover that the dealer's Mac II was infected!
After you feel that all infected applications have been removed and replaced, run Disk Express, if you have it, with the Erase Free Space option turned on. This will cluster your good data to the start of the disk and zero out all remaining space. Then use Fedit to search for the VULT and ERIC strings. If they are gone, you are cured. If they are still there, do what you can to find out which file they are in and remove it from the disk. (Since the version of Fedit I bought (1.1) had not yet implemented the "Sector Info" feature, it would not show me the name of the file(s) which contained these strings. I had to search sectors before and after them to make a guess as to which files I was looking at.) Repeat this until there is no ERIC or VULT. (By the way, if anyone knows where I might find a jerk named Eric Vult who wrote this virus, I have a few things I'd like to say - and do - to him.)
Speculation:
In addition to ERIC and VULT, several of the viral resources contain another possibly important string: HD20. Pure supposition on my part, but this could be a two-step virus. First the spread. You get a bad application. It infects your System. Once active, it spreads to applications. You give one of these to a friend or put it on a BBS. It infects other Systems, which infect more applications... In a finite and rather short time it is all over the country. I know for a fact that as of April 5, 1988, it is in Hawaii, Dallas, Washington, and a prominent computer in Cupertino! Then on some predetermined date, or following some specific action on your part, it performs some heinous act, and possibly on HD20's.
If you own an HD20, I recommend the following: Choose a disk name other than HD20. The name may or may not have anything to do with the possible purpose of this virus, but don't take a chance. The bad news is that the name HD20 is found in multiple places on your disk. To simplify the name changing procedure, choose a name comprised of four letters like Mine, Disk, or Bomb. Use Fedit to search the disk for HD20, and change EVERY occurrence to the new name. You will also find your disk name in the next to the last sector on the disk. Don't overlook this one. Changing to a name of other than four letters is much more complex and I can't explain how to do it here, but merely changing the name of the hard disk from the Finder is NOT enough. Just a friendly suggestion.
Prevention:
Contrary to the advice in the Info # 1 document, I have so far found Vaccine to be very effective in controlling this virus. Make sure you have the real Vaccine and not a phony. It is 11,875 bytes in size, created March 19,1988 at 11:49 PM. (I guess CE Software worked long hours on this one. Have you thought of paying them, even though the program is free?) Notice that the file name " Vaccine" starts with a space. Leave it this way, as programs like this are loaded alphabetically, and the space makes sure Vaccine is loaded first for maximum protection. Keep Vaccine running at all times. For those who do not know how to use it, place Vaccine in your System Folder and then open the Control Panel under the Apple menu. Vaccine will appear in the left window. Select it with the mouse and read the instructions. I suggest putting an X in the top box, the second one, and the fourth one.
Research:
We know that an infected application grows in size by 7042 bytes. CODE 0 resource is altered, but with no change in size, and a new CODE of 7026 bytes is created. Where is the additional 16 byte increase? Apparently not in the CODE resources. Help here would be appreciated. Vaccine will beep three times when an attempt is made to infect an application. My guess is one for adding the 7026, one for the CODE 0 change, and one for the 16 bytes. Finding the last may provide the means for rescuing a sick application.
Does the atpl resource have any reference to AppleTalk? Can this virus be spread over a network? I am not a programmer, just a hacker, and do not know.
Me:
One hates to publish a phone number in a document designed for public distribution, but without it you could not relay any important information. Please call only from 8 AM to 8 PM Central time, and only if you have found something not in either of the two documents in this package. Long distance callers, please leave a complete message on the answering machine if it answers, as I cannot afford to return many long distance calls. And thanks for any help.
Howard Upchurch
3409 O'Henry Drive
Garland, TX 75042
(214) 272-7826
Notices:
I have reported information as I have found it. If there are any errors in the above, I apologize but ask not to be held responsible. Some statements may prove false or incomplete as more information comes to light.
Although most references in this document concern hard disks, floppies can be infected in the same way. Even if you do not use a hard disk, check everything you own.
