From Apple on Viruses 12/5/88 Page 1

General Issues

What is a virus?

A virus is a program with two distinct functions:

- It spreads itself from machine to machine (self-reproducing code). This includes the actual infection of other systems as well as the stashing away of code into as many "carriers" as possible.
- It implements the "symptoms" planned by the perpetrator of the virus. This could be any number of things, up to and including erasing a disk on a specific date.

A Bit of History

Computer viruses have been around for almost as long as computers. John von Neumann, the father of the modern computer, toyed with the idea of self-reproducing computer code as early as 1948. In the late 1970s, there was even a training ground for the writing of viruses. It was a program called Core Wars that implemented an artificial environment pitting two virus programs against each other.

Viruses Are Not Unique to the Macintosh

The Macintosh is not the only system to be plagued by viruses. Mainframe and minicomputers are also targets for virus programmers. One of the more recent mainframe incidents was the virus that invaded IBM's mail system and brought it to its knees for a couple of days. IBM PC users have been experiencing viruses for several years now. The most common method of attack is through the COMMAND.COM file. The Macintosh community has been lucky to have gone so long without virus programming becoming the thing to do.

Not All Viruses Are Meant To Be Damaging, But...

Viruses are not all meant to be damaging. The programmer may just want to prove he can do it and have the satisfaction of reading about it in magazines and on the BBS network. Sometimes, these viruses can cause problems anyway. For example, the virus that has prompted this series of articles was meant to be benign except in specific cases. However, it takes up memory and processing time and has caused random side effects such as printing problems and system crashes.
Don't Panic; Don't Overreact

If you think that you have a virus, it's important not to overreact. It is important to take a step back and evaluate the situation calmly. Once you know that you have a virus and what it has infected, it is a relatively easy thing to combat. This document contains enough information for you to deal with most viruses.

Unix Viruses

In all of this, there has not been much discussion of Unix viruses, but they do exist, and the spread of public domain software is almost as great in the Unix world as it is in the microcomputer world.

The Great Virus Hunt

When Do You Suspect You Might Have a Virus?

When your computer begins to do things out of the ordinary, or when it stops being able to do things it has always done in the past. The problem with this is that corrupted system files can lead to similar symptoms even though a virus isn't involved. When problems occur, they are much more likely to be the result of non-virus difficulties. When you have ruled out the standard problem areas, you should look into the possibility that your system has been infected by a virus.

What to Look For If You Think You Have a Virus

Look for invisible files in your System folder that don't belong there. Unless you specifically have an application that creates invisible files in the System folder, every invisible file in the System folder should be suspect. Also, a general check of all the files in your System folder for resources that don't belong in those files is well worth the effort.

Files and Resources a Virus Might Infect

- Any and all applications
- HyperCard Stacks (the MacMag virus was spread via a HyperCard stack)
- Files in the System folder, including:
    System
    Finder
    Note Pad file
    Scrapbook file
    Clipboard file
    Easy Access
    Sound
    Mouse
    Startup Device
    Monitors
    Color
    General
    Keyboard
    LaserWriter
    ImageWriter
    AppleTalk ImageWriter
    ImageWriter LQ
  In other words, all system files.
Files a Virus Might Damage Inadvertently

- Any file on an infected volume or system, including system files, documents, applications, etc.

Public Domain Issues

Most viruses spread via public bulletin board systems and are hidden in public domain programs. "Sexy Ladies," a program distributed at a MacWorld Expo in San Francisco, erased whatever hard disk or floppy disk it was on when it was launched.

Network Issues

The use of networks can easily enhance the spread of a virus. Different scenarios are possible, with the simplest being a public domain folder on a server that everyone gets the latest neat stuff from. Also, shared applications residing on a server could become infected, which would then infect every machine that those applications were run on.

Technical Issues

How Viruses Propagate

Viruses can propagate by a variety of methods. The most common way for a Macintosh virus to replicate itself is to have an INIT that installs a background (VBL) task that checks for specific occurrences, such as a disk insertion, and then copies itself somewhere to that disk.

VBL Tasks

The Macintosh has always had a limited form of background processing available to it through the use of the Vertical BLanking queue. Every time the screen on a Macintosh (except for a Macintosh II) is refreshed, any routines installed in the queue are executed. The Macintosh II has a dummy VBL queue for compatibility reasons, since the advent of a variety of screens has led to different vertical retrace periods.

VBL tasks can be installed in the queue by any program. The program has to load a routine into a section of memory and install the routine into the VBL queue by calling the VInstall ROM routine. It is the responsibility of the installing program to make sure the segment of memory containing the routine remains available even after the program has exited. Each VBL task has a specified time period it should be left "asleep" before it is called.
Every time the routine is executed, a counter is decremented for that routine. When that counter reaches zero, the routine is deleted from the queue unless the routine itself resets the counter.

Lengthy VBL tasks such as the one that might be used to replicate a virus can interfere with the normal operation of the Macintosh by interrupting processes that shouldn't be interrupted. A perfect example of this is printing to a LaserWriter over an AppleTalk network. If a VBL task takes too long in its execution, the printing process could terminate abnormally and leave the machine's connection to the network in an unstable state. For the purposes of a virus, an INIT is most likely to be the culprit responsible for installing a VBL task.

INITs

INITs are routines that are run when the Macintosh is booted. For the most part, they have full access to all of the commands normally available to a standard Macintosh program. The major difference is that the low memory globals have not been set up yet, so any INIT needing access to structures normally stored in low memory must create its own.

INITs in the System file

When a Macintosh boots, the INITs in the System file in the "blessed" folder are the first code to be executed. These INITs should generally be Apple INITs only -- any non-Apple INITs should be considered suspect.

The INIT 31 mechanism

A special INIT in the System file, INIT 31, was created to allow for the execution of non-Apple INITs without having them installed in the System file itself. When all of the other INITs in the System file have been executed, INIT 31 walks through the System folder looking for files of types INIT, RDEV, and cdev, and executes any INIT resources it finds in these files. The order in which the files get loaded is alphabetical. Needless to say, a simple way of hiding parts of a virus is to drop INITs into legitimate files already existing in the System folder with these file types.
CDEVs

The file type cdev indicates a file containing a Control Panel device. When the Control Panel is loaded, it walks through the directory of the System folder looking for any files of type 'cdev'. When it finds a file of this type, it loads the ICN# of that file (assuming it has one) into the list of icons shown on the left side of the Control Panel. When you click on the icon of the cdev in the Control Panel, the code in the cdev resource in the file of type 'cdev' is executed. A virus could easily use this mechanism as a way to infect a system, install a VBL task, etc.

Many cdev files have INITs in them, with the cdev controlling the settings that the INIT will use when it is installed. A good example of this is the settings for a screen blanker. The INIT actually installs the VBL task, but the cdev controls when dimming occurs. None of the standard Apple system cdev files have INITs in them, but there is nothing to prevent a virus installing an INIT in these files as a way of hiding its code.

DRVRs

DRVR resources typically can have one of two functions: they can be the code for a desk accessory, or the code for drivers necessary for the system to perform some function such as printing. Once again, the key word here is 'code'. Whenever code is involved, the potential arises for the perpetrator of a virus to take advantage of it. Just as with cdevs, when a DRVR gets opened, either by the choosing of a desk accessory or by the system, code is executed at that point. This is the stage at which a virus might fulfill its purpose.

CODE Resources

Each application has at least two CODE resources. The first of these CODE resources has an id of 0 and contains what is known as the jump table. This table provides the basic information necessary for various parts of a program to call routines in other CODE segments.
The current rage in viruses is to modify the CODE ID = 0 resource of an application so that a CODE segment it installs in the application gets called before the application is actually run. This CODE segment could go out and check if the virus has infected the current system, and if it hasn't, install itself. All the perpetrator of a virus has to do at this point is upload a copy of an infected application to a BBS, and it spreads across the world.

Applications that allow external procedures

Viruses could take advantage of the external procedures that are allowed by some applications. The perfect example of this is HyperCard, with its XCMDs and XFCNs. This is how the MacMag virus was transmitted.

Known Viruses

The Scores Virus

You can be almost positive your system has been infected by the Scores virus if the icons of your Note Pad file and Scrapbook file look like document icons instead of system icons. Launch ResEdit and look in your System folder. If you see files called "Desktop" and "Scores" you can be 99% sure that you have the Scores virus.

How Scores Spreads and What It Does

The Scores virus is relatively harmless. The initial infection is caused by an application with a modified CODE ID = 0 resource, and an additional CODE resource (first unused ID number plus 1). When the 'carrier' application is launched, the CODE ID = 0 resource runs the virus installer code. This code checks for previous installation of the Scores virus. If the virus is not there, the virus files are installed.
The virus consists of three INITs, one atpl, and one DATA resource found in the files listed below:

FILE                 TYPE  CREATOR  RESOURCES          SIZE
---------------------------------------------------------------------
Desktop (invisible)  INIT  FNDR     atpl ID = 128      2410 bytes
                                    DATA ID = -4001    7026 bytes
                                    INIT ID = 10       1020 bytes
Note Pad File        INIT  ZSYS     INIT ID = 6         772 bytes
Scores (invisible)   RDEV  ZSYS     atpl ID = 128      2410 bytes
                                    DATA ID = -4001    7026 bytes
                                    INIT ID = 10       1020 bytes
Scrapbook File       RDEV  ZSYS     INIT ID = 6         772 bytes
                                    INIT ID = 17        480 bytes
System File          ZSYS  MACS     atpl ID = 128      2410 bytes
                                    DATA ID = -4001    7026 bytes
                                    INIT ID = 6         772 bytes
                                    INIT ID = 10       1020 bytes
                                    INIT ID = 17        480 bytes
---------------------------------------------------------------------

If the Note Pad and Scrapbook files do not exist, they are created. If they exist, the type and creator of the files are altered to those listed above, and the corresponding resources are added to the files. The files still appear to function normally with the Note Pad and Scrapbook DAs, but their icons change to document icons. The Desktop and Scores files are invisible, and are created during the infection process.

The next time the infected system is rebooted, the INITs are loaded into memory and are ready to infect other applications. The INITs install a VBL task that actually modifies and installs resources into an application. After an application has been launched, an internal timer is started. Somewhere between two and three minutes later, the open application is infected and becomes a carrier. A new CODE resource is added to the infected application, and the application's CODE ID = 0 resource is modified to execute the new CODE resource first, then continues with the application.

To determine if an application is infected, examine the CODE ID = 0 resource. If the eleventh word of the resource (third word on the third line in the ResEdit listing) is NOT "0001", the application is suspect.
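The file table above can be turned into a check of a System folder listing. This is an added example, not code from the Apple document: the listing it scans is a constructed in-memory sample, the resource types, IDs and sizes come from the table, and the set of legitimately invisible files is assumed empty.

```python
# Added example, not code from the Apple document: check a System folder
# listing against the Scores file table in the text. The listing is a
# constructed in-memory sample; resource types, IDs and sizes come from the table.

# file name -> (file type, creator, {(resource type, ID): size in bytes})
SCORES_FILES = {
    "Desktop": ("INIT", "FNDR", {("atpl", 128): 2410, ("DATA", -4001): 7026, ("INIT", 10): 1020}),
    "Scores": ("RDEV", "ZSYS", {("atpl", 128): 2410, ("DATA", -4001): 7026, ("INIT", 10): 1020}),
    "Note Pad File": ("INIT", "ZSYS", {("INIT", 6): 772}),
    "Scrapbook File": ("RDEV", "ZSYS", {("INIT", 6): 772, ("INIT", 17): 480}),
    "System": ("ZSYS", "MACS", {("atpl", 128): 2410, ("DATA", -4001): 7026,
                                ("INIT", 6): 772, ("INIT", 10): 1020, ("INIT", 17): 480}),
}
# Invisible files an application of yours legitimately creates (assumption: none).
KNOWN_INVISIBLE = set()


def scan_system_folder(files):
    """files: dicts with keys name, type, creator, invisible, resources
    ({(rtype, id): size}). Returns a list of (kind, file name) findings."""
    findings = []
    for f in files:
        if f["invisible"] and f["name"] not in KNOWN_INVISIBLE:
            findings.append(("invisible", f["name"]))     # suspect by default
        sig = SCORES_FILES.get(f["name"])
        if sig is None:
            continue
        ftype, creator, expected = sig
        present = [r for r in expected if r in f["resources"]]
        if not present:
            continue
        # Table type/creator plus the whole resource set is the Scores signature;
        # matching sizes as well separates it from an altered strain.
        full = (f["type"], f["creator"]) == (ftype, creator) and len(present) == len(expected)
        sizes_ok = all(f["resources"][r] == expected[r] for r in present)
        kind = "scores" if full and sizes_ok else ("scores-variant" if full else "partial")
        findings.append((kind, f["name"]))
    return findings


# Constructed samples. INIT 31 belongs in the System file; its size is made up.
CLEAN_FOLDER = [{"name": "System", "type": "ZSYS", "creator": "MACS", "invisible": False,
                 "resources": {("INIT", 31): 500}}]
INFECTED_FOLDER = [
    {"name": "System", "type": "ZSYS", "creator": "MACS", "invisible": False,
     "resources": {("INIT", 31): 500, ("atpl", 128): 2410, ("DATA", -4001): 7026,
                   ("INIT", 6): 772, ("INIT", 10): 1020, ("INIT", 17): 480}},
    {"name": "Scores", "type": "RDEV", "creator": "ZSYS", "invisible": True,
     "resources": {("atpl", 128): 2410, ("DATA", -4001): 7026, ("INIT", 10): 1020}},
    {"name": "Note Pad File", "type": "INIT", "creator": "ZSYS", "invisible": False,
     "resources": {("INIT", 6): 772}},
]
```

A "partial" finding means the file name and some of the listed resources match but not the whole signature, which is worth a look in ResEdit rather than an automatic verdict.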
If the third word is something other than "0001", convert the value to its decimal equivalent (the numbers are in hexadecimal). Then determine the resource number of the CODE resource at the top of the ResEdit resource list. If these numbers are the same, the application is probably infected, and should be replaced.

Some applications will appear to be infected even though they are not. If the eleventh word of CODE ID = 0 is not 1, check the tenth word; if it is '4EED' the application is most likely not infected.

How to Get Rid of the Scores Virus

It is not hard to remove this virus from a system, but it may take some time. Here's how:

1. Use Font/DA Mover to copy all fonts and DAs that you do not have backups of to font and DA suitcase files (this virus does not attach itself to DAs).
2. Start the system from a locked, uninfected floppy disk.
3. Throw away the System folder on the infected disk.
4. Use ResEdit to identify all suspect applications on the infected disk.
5. Make a list of all suspect applications.
6. Throw all suspect applications in the trash, and empty the trash.
7. Reinstall the system software from a known good System Tools installer disk.
8. Using locked masters, recopy any applications that were deleted from the infected disk (it is important to verify that the master disks have not been infected).
9. You're all done.

The nVIR Virus

How the nVIR Virus Spreads and What It Does

The nVIR virus is similar to the Scores virus in many ways. It does not appear to have malicious intent and is relatively harmless. Initial infection of a system is also caused by an application with a modified CODE ID = 0 resource. When an nVIR carrier application is launched, the virus' code segment is executed first. This code checks for its INIT in the System File, and if it doesn't find it, the code copies the INIT there. Along with the INIT resource, eight 'nVIR' resources (0-7) are added to the System file.
The next time the system is restarted, the INIT ID = 32 is loaded into memory and tries to infect every application that is launched. The nVIR virus adds a CODE ID = 256 resource and modifies the CODE ID = 0 so that the nVIR code is executed first.

Again, infection of an application is determined by examination of the CODE ID = 0 resource. If the eleventh word of the resource (third word on the third line in the ResEdit listing) is NOT "0001", the application is suspect. If the third word is something other than "0001", convert the value to its decimal equivalent (the numbers are in hexadecimal). Then determine the resource number of the CODE resource at the top of the ResEdit resource list. If these numbers are the same, the application is probably infected, and should be replaced.

Some applications will appear to be infected even though they are not. If the eleventh word of CODE ID = 0 is not 1, check the tenth word; if it is '4EED' the application is most likely not infected. The tenth word normally contains '3F3C'.

When launching an infected application, there is a one in sixteen chance that you will hear a short system beep. We have been told that if MacinTalk is installed you will hear the words "don't panic".

How to Get Rid of the nVIR Virus

Remove the nVIR virus the same way you remove the Scores virus, except you do not need to throw away all of the files in the System Folder; just throw away the System file.

The MacMag Virus

We don't have much information regarding the MacMag virus. It was apparently uploaded to CompuServe, inside a HyperCard stack, in the form of an XCMD, and it installed an INIT ID = 6 with a name of 'RR'. Its sole purpose in life was to display a "universal message of peace" on your computer on March 2, 1988. The virus removed itself after displaying this message and should be of little concern now.
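The CODE ID = 0 check given for both Scores and nVIR above, written out as an added example that is not code from the Apple document. It assumes the resource is read as big-endian 16-bit words in ResEdit's order, and that "the CODE resource at the top of the ResEdit list" is the highest-numbered CODE resource (Scores adds first unused ID + 1, nVIR adds CODE 256); the sample resources are constructed, not taken from real applications.

```python
# Added example, not code from the Apple document: the CODE ID = 0 check the
# text describes for Scores and nVIR carriers, run on constructed resource data.
# Assumptions: the resource is read as big-endian 16-bit words in ResEdit's
# order, and "the CODE resource at the top of the ResEdit list" is taken to be
# the highest-numbered CODE resource (Scores adds first unused ID + 1, nVIR 256).
import struct


def code0_words(code0: bytes) -> list:
    """Split a CODE 0 resource into 16-bit big-endian words."""
    n = len(code0) // 2
    return list(struct.unpack(">%dH" % n, code0[:2 * n]))


def classify_code0(code0: bytes, code_ids) -> str:
    """Return 'clean', 'suspect' or 'infected' per the heuristic in the text.

    Word 11 (index 10) is the segment number in the first jump-table entry,
    normally 0001 (CODE 1); a carrier's CODE 0 names the virus segment there.
    Word 10 (index 9) is normally 3F3C; 4EED there is the benign exception.
    """
    w = code0_words(code0)
    if len(w) < 11:
        return "suspect"                  # too short to hold a jump-table entry
    tenth, eleventh = w[9], w[10]
    if eleventh == 0x0001 or tenth == 0x4EED:
        return "clean"
    # "Convert the value to its decimal equivalent" and compare it with the
    # ID of the CODE resource at the top of the list.
    if eleventh == max(code_ids):
        return "infected"
    return "suspect"


def make_code0(first_segment: int, tenth_word: int = 0x3F3C) -> bytes:
    """Construct a minimal CODE 0 sample: the 16-byte header (above-A5 size,
    below-A5 size, jump-table size, jump-table offset) and one 8-byte entry
    whose second word is the opcode and third word the segment number."""
    header = struct.pack(">IIII", 0x0100, 0x0200, 8, 32)
    entry = struct.pack(">HHHH", 0x0000, tenth_word, first_segment, 0xA9F0)
    return header + entry


# Constructed samples, not taken from real applications.
CLEAN = make_code0(1)                      # first entry names CODE 1, as usual
SCORES = make_code0(6)                     # CODE 0-4 in use, virus segment is CODE 6
NVIR = make_code0(256)                     # nVIR puts its code in CODE 256
LOADED = make_code0(3, tenth_word=0x4EED)  # the false positive the text warns about

if __name__ == "__main__":
    for name, blob, ids in [("clean", CLEAN, [0, 1, 2]), ("scores", SCORES, [0, 1, 2, 3, 4, 6]),
                            ("nvir", NVIR, [0, 1, 2, 256]), ("loaded", LOADED, [0, 1, 2, 3])]:
        print(name, classify_code0(blob, ids))
```

A "suspect" result is the case the text leaves to judgement: the first entry does not name CODE 1, but the segment it names is not the highest-numbered CODE resource either.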
Safeguarding Your Systems

What Makes Our System Susceptible to Viruses

The various mechanisms described in part 2 of this article make our system easy to infiltrate by a virus. Remember that it is those same mechanisms that add to the flexibility and "look and feel" of the Macintosh. For instance, the INIT mechanism is used by mail systems to load their code in. AppleShare uses the INIT mechanism to mount network volumes at boot time.

Why Vaccine Works in This Case, But Is Easy to Bypass

Vaccine, a public domain INIT written to block viruses, does a good job of alerting you when the three known viruses are trying to infect your system. The problem with Vaccine: once a cure is found for one set of viruses, a new strain may appear that knows how to bypass the existing defenses.

Lock your master diskettes

Always keep original "Master" disks locked. This prevents a virus from spreading to your original disks. Our disk locking mechanism is hardware based -- viruses can't infect locked disks!

Protect your networks

Network administrators should not allow just anyone to put software on the server. Applications on a network server should come only from known good masters.

Be wary of public domain software

Public domain software should be checked quite thoroughly on a floppy-based system for any infections before being copied to a hard disk based system. This will also protect you from any "Trojan Horse" programs such as "Sexy Ladies."

Quarantine infected systems

If you identify a system as being infected with a virus, immediately isolate (quarantine) it from other systems. This means disconnecting it from any network and not allowing anyone to take any files from the exposed system to another system. Once the system has been 'disinfected,' you can allow the files to be copied or moved.

Use ResEdit

ResEdit is a good tool to look for viruses on your disks. There is very little that can be hidden from ResEdit, so you can use it to remove troublemaking files and resources.