This originally appeared on the Washington Apple Pi TCS
We have discovered a new virus that is circulating through the Macintosh community. This is not the now-infamous MacMag virus, but is a completely new and, as far as I can tell, unreported version. As of this date, we have not determined exactly what the virus does other than replicate itself. Because we do not know exactly what this thing does yet, we are very concerned about the possibility of any invisible operations and "time bombs" that it may contain. The presence of the virus in the Macintosh memory does causes several symptoms, which have caused losses of data . These symptoms include difficulty running MacDraw, difficulty printing from any applications (especially MacDraw), difficulty using the "Set Startup" option, difficulty running Excel, corruption of Excel files, and frequent crashes when starting applications. This virus has existed since at least February, 1988, and may have been around as early as September, 1987.
Identification of "infection":
It is possible to determine if this virus has infected your Macintosh with the following procedure: 1) Open the System Folder of the Macintosh and locate the "Note Pad File" and "Scrapbook File". 2) Examine the icons used on these files and check that they resemble the small Macintoshes seen on the "System" and "Finder" icons. If they do not, and instead resemble the standard Macintosh document icon (an upright piece of paper with the upper right corner folded forward), you are probably infected. 3) To verify infection, execute ResEdit or some other utility which can see "invisible" files. Examine the System Folder. 4) If the System Folder contains two invisible files named "Desktop" and "Scores", you are definitely infected.
The infection process:
The virus transmits itself from Macintosh to Macintosh by invading a standard executable application file on a contaminated Macintosh. When this contaminated application is copied to a "sterile" Macintosh, the virus attacks the new system by making these changes to the System Folder: three INIT resources are added to the "System" file. If the files "Note Pad File" and "Scrapbook File" do not exist in the System Folder, they are created. The type and creator fields of the "Note Pad File" are changed from "ZSYS" and "MACS" to "INIT" and "ZSYS", respectively, and an INIT resource is added to the file. The type and creator fields of the "Scrapbook File" are changed from "ZSYS" and "MACS" to "RDEV" and "ZSYS", respectively, and an INIT resource is added to the file. Two new, invisible file are added to the system folder, named "Desktop" and "Scores", each with an atpl, DATA and INIT resource. These changes are summarized below:
FILE TYPE CREATOR NEW? INVIS? RESOURCES SIZE
System ZSYS MACS No No INIT ID=6 772 bytes
ID=10 1020 bytes
ID=17 480 bytes
Desktop INIT FNDR Yes Yes atpl ID=128 2410 bytes
DATA ID=-4001 7026 bytes
INIT ID=10 1020 bytes
Note Pad File INIT ZSYS No No INIT ID=6 772 bytes
Scores RDEV ZSYS Yes Yes atpl ID=128 2410 bytes
DATA ID=-4001 7026 bytes
INIT ID=10 1020 bytes
Scrapbook File RDEV ZSYS No No INIT ID=17 480 bytes
ID=6 772 bytes
Note that, unlike the MacMag virus, no "nVIR" resource are used anywhere. The modified files, "Note Pad" and "Scrapbook", still appear to function normally with the Note Pad and Scrapbook Desk Accessories, and any existing contents of the file's Data Fork are not disturbed.
Once the system files on the target Macintosh have been infected, the virus will then begin to attack applications. Not every application is attacked by the virus - the determination of whether or not to infect an application is apparently a random decision (at this point, no discernible pattern has been found, except that "Finder" and "MultiFinder" are usually attacked). Applications that are attacked on one Macintosh may remain "sterile" on another Mac, and vice versa .
As each application is attacked, the virus installs a new CODE resource into the application. The identification of this new resource is variable, depending upon the existing resources within the application. The virus looks for the first available CODE resource slot, then places the new resource one position above that. For example, HyperCard contains CODE resources 0 through 20, leaving an ID of 21 as the first available resource ID. The virus placed the new CODE resource in the application as CODE ID=22.
The second step of the infection of the application is the modification of the CODE ID=0 resource of the application. The virus modifies the eleventh word of this resource, which is the start of the application's jump table. Where the application would normally jump to the CODE ID=1 segment, the virus modifies this pointer to refer to the new CODE resource that has just been installed. The example below shows the first sixteen words of a "sterile" and infected version of HyperCard:
Sterile Infected
0000 1EF0 0000 559C 0000 1EF0 0000 559C
0000 1ED0 0000 0020 0000 1ED0 0000 0020
0008 3F3C 0001 A9F0 0008 3F3C 0016 A9F0
0000 3F3C 0001 A9F0 0000 3F3C 0001 A9F0
.. . ...
Note that the eleventh word has been changed from "0001" to "0016", which points to the new CODE ID=22 resource (hex 16 = decimal 22). Also note that during our examination of suspected applications, we found that at least one compiler - LightSpeed C, I think - normally places non-"0001" values in the eleventh word of the CODE ID=0 resource. To verify infection if the eleventh word is not "0001", check to see that the tenth word is NOT "4EED" and that the eleventh word points to another CODE resource. If both of these are true, then the application is infected.
The new CODE resource is a copy of the virus code, is of size 7026, and is executed when the infected application is invoked. When the virus completes execution, it returns to the invoked application, which appears to proceed normally. The first sixteen words of the virus are:
0000 0001 xxxx 3F3C
0001 A9F0 4EBA 002E
204D D0FC 0020 43FA
FFEC 20D9 2091 204D
...
The third word of the virus code is variable, and appears to be based on the return address used when the execution of the virus is completed. The virus further modifies the code of the application in a manner which has not been fully deciphered. This was determined by attempting to recover the HyperCard application by removing the new CODE ID=22 resource and patching the eleventh word of the CODE ID=0 resource. Any attempt to run the rebuilt application resulted in a system bomb, intimating that the virus has modified other sections of the application which prevented it's complete exorcism.
Vaccinating your Macintosh:
If your Macintosh is infected, the contaminated system files and applications must be completely removed from the Macintosh, and new ORIGINAL copies should be installed. When removing the virus from the Macintosh system files, you cannot just go in with ResEdit and delete the offensive INIT resources - this virus is apparently intelligent enough to recognize this attempt, and modifies it's resource identification and memory location when probed by resource utilities. ResEdit "thinks" that the virus resources have been deleted, but they have been renamed and will return when the Macintosh is restarted. The system must be sterilized by:
1) Examine EVERY application (including any in the System Folder, and on EVERY diskette you may have) you have with ResEdit, and check if a new CODE resource has been added and if the CODE ID=0 resource has been modified to refer to the new CODE. This is the most tedious part of the process, and will probably take quite a bit of time. I have about 160MB of stuff on two 100MB drives, and this step took about three hours. If the application has been infected, list it.
2) Using ResEdit, open the infected System Folder and locate the "Desktop" file. Select the file and use the "Get Info" option on the "File" menu. When the file information window opens, turn off the "Invisible" bit, then close the window and save the file information. Do the same for the "Scores" file.
3) Locate a sterile system diskette (preferably one of the "System Tools" diskettes from Apple), LOCK IT, and boot from it.
4) Throw away the following files from the infected System Folder: "System", "Finder", "MultiFinder", "Desktop", "Scores", "Scrapbook File", and "Note Pad File". Once these files are in the Trash Can, EMPTY THE TRASH IMMEDIATELY! Note: this is the minimum required to remove the System portion of the virus - my personal preference is to delete the ENTIRE System Folder, not just the suspect files in it.
5) Locate all of the applications which you listed in Step 1. Throw them away, and empty the Trash Can.
6) Shut down the Macintosh, and turn the power off. Wait at least 30 seconds for memory to clear before rebooting again from the sterile diskette (this may not really be necessary, but better safe than sorry).
7) Reinstall the Macintosh operating system from the System Tools diskette to your Macintosh.
8) Locate your original copies of the deleted applications software. Before reinstalling the applications, examine each one with ResEdit to be sure that it is sterile. If there is no problem, reinstall the application.
A word of warning:
The "Vaccine" CDEV which is currently appearing on bulletin boards is only marginally useful in fighting this virus - if your system is already infected when you install Vaccine, you will not get any warning from Vaccine that the virus exists. If you have Vaccine installed on a sterile system, and this virus is introduced at a later time, Vaccine will only warn you of the virus attack, but will not prevent infection.
I do not know how far this virus has spread, or where it came from (although we are working on that). The information contained above reflects only what we know so far about this virus - I do not know if it has any maliciously destructive functions which have not yet activated, or if it does anything other than replicate. I do know that it is extremely virulent - it has defensive mechanisms built in to protect itself from deletion, most of it's resources are protected, and it places multiple copies of it's components throughout the system to avoid single-point-of-failure destruction. This thing is an order of magnitude more sophisticated than the MacMag virus, and is considerably tougher to kill.
So far, the virus appears to only affect system files and application files. Data files (documents, spreadsheet data, HyperCard stacks, etc.) do not appear to be affected, and do not seem to transmit the virus.
While not apparently maliciously destructive, I have established that the mere presence of this virus in the system is sufficient to cause the printing and application instability problems (like the ones we have been experiencing). Once the virus has been removed, all of our reported Macintosh problems have gone away. I believe that whoever wrote this could not foresee enough of the potential system configurations to prevent an occasional collision between the virus and other active applications and printer drivers.
Apple in Cuppertino has become intimately aware of this virus in the last two days. They are going to be working on a more complete disassembly of the virus, and will hopefully be able to