Return-Path:
Received: from NMFECC.ARPA by sumex-aim.stanford.edu (4.0/inc-1.0) id AA08606; Mon, 23 Jan 89 17:01:57 PST
Received: from ccc.mfenet by ccc.mfenet with Tell via MfeNet ; Mon, 23 Jan 89 12:46:44 PST
Date: Mon, 23 Jan 89 12:46:45 PST
From: PUGH@nmfecc.arpa
Message-Id: <890123124645.21600214@NMFECC.ARPA>
Subject: Init 29 Report
To: INFO-MAC@sumex-aim.stanford.edu
Comment: From PUGH@CCC.MFENET on 23-JAN-1989 11:24:41.79 PST

0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0
THE ELEVENTH WORD:
0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0-0

An Investigation Into the 712-byte "INIT 29" Macintosh Virus

by Thomas Bond, Mac Consultant
11684 Ventura Blvd., #932
Studio City, CA 91604
818-843-0567

© 1989 by Thomas Bond. Permission is hereby granted to distribute in whole or in part by any means, whether in print or electronic, as long as the name, address and phone of the author remain unchanged. Publications may quote parts for use in education on computer virus problems.

[Diagram, original ASCII art not recoverable: Code 0 -> Virus Segment -> Application Segments]

ACKNOWLEDGEMENTS:

This research could not have been completed without the very valuable help received from Tom Pitts, Robert Wright and David Lagerson of the MacValley Macintosh Users Group, Mark Weems of Kinko's Studio City store, Ken Cary of PaperWorks in Burbank, Joe Niewe of California State University, Northridge, and many others who gave up their time and advice.

[MacValley membership is $30.00 per year, and provides access to the PD Library with 1000's of freeware and shareware programs, official releases of Apple System software, association with over 700 Mac users, and special presentations from software companies, covering new programs and developments in the industry. For membership info, call Bob Campbell, 818-784-2666.]

BACKGROUND:

This report is being prepared on January 17, 1989, for distribution at the monthly meeting of MacValley Macintosh Users Group in Burbank, California.
It contains the most recent information available to the author at this time: how the new "INIT 29" 712-byte virus acts, how to detect it, how to prevent it, and how to repair the damage it may do, at least in the early stages of its infection. Those who need immediate help because they know or strongly suspect that their disks or hard disk(s) are infected, please turn to the section below labeled FOR EMERGENCY ACTION. Others may benefit from a more deliberate reading of this paper, learning how these kinds of viruses work and what to do about them.

The author, Thomas Bond, is a Mac Consultant working primarily in desktop publishing and graphics, for various companies in the San Fernando Valley and Greater Los Angeles area. He is available for professional consultations regarding this or other Macintosh applications and problems by calling the number above, 24 hours.

Late in December, 1988, one of my clients, the Kinko's Copy Center at Fulton and Burbank Boulevards in Van Nuys, reported an unusual problem: its three rental computers, all with hard disks attached, were rejecting all locked disks inserted into them. After unlocking and reinserting the disks, documents would open normally. Sometimes documents created with several programs such as PageMaker 3.0, MacWrite 5.01, Ready,Set,Go! 4.0a, Microsoft Word 3.02, Aldus Freehand 2.0, Adobe Illustrator 88, and others, would fail to print. The report from the program was either that "this document failed to print" or in some cases there would be a bomb, or no report at all, simply a failure to print. On occasion, the hard disk would fail to boot properly. Checks with Apple's Virus Rx 1.3 and later Virus Rx 1.4 showed only that almost all applications, the System and Finder (v. 6.0.2) were damaged. Replacement of the damaged programs and system files was performed repeatedly over a week's period. In the meanwhile, hundreds of customers used the machines and infected their diskettes.
In between my own efforts, employees of the store often replaced the system files and applications themselves, in an effort to fix the problem. The hard disks were initialized several times over several days. Nevertheless, the infection reappeared immediately each time, soon after the machine began to be used again. A few days later, similar problems began to be reported at the Kinko's Studio City store, on Ventura Boulevard near Laurel Canyon. The same procedures were followed at that store. Some of the same well-meaning but uninformed employees tried to solve the problem. In spite of the best efforts of several staff members and my own frequent visits, the equipment failed to print roughly half the time. Each store was losing 100's of dollars due to the problem, adding to $1000's.

On Tuesday, January 3, I began to seriously and scientifically investigate the nature of the problem. Careful poking around in the files with ResEdit 1.2b2 had already revealed no infestation of either Scores or nVIR, with which we were sadly very familiar and expert at handling. Using ResEdit, I opened up a "clean" and a "dirty" copy of TeachText. The infected copy was exactly 728 bytes larger than the clean one. The CODE resource list showed ID's 0 thru 3 in the infected copy, and 0 thru 2 in the clean copy. The new resource, ID number 3, was exactly 712 bytes. The CODE resource numbered 0 was exactly 16 bytes bigger in the dirty copy than in the clean copy.

I became very, very concerned about the problem, as I found by using the Virus Detective desk accessory to search for 712-byte CODE and INIT resources that there was also an INIT ID 29 installed in most documents, in other INIT files such as Pyro and Suitcase II, in the System of course, the Desktop file, and all font and DA suitcase files, as well as in printer drivers such as the LaserWriter driver, and in Adobe printer fonts. Some applications such as PageMaker, Freehand and Illustrator had literally dozens of extra 712-byte CODE resources added.
They grew bigger on each startup and during each boot, whether the application was started up or not.

HOW "INIT 29" WORKS:

After some 57 hours of research and virus fighting labor at Kinko's 2 infected local stores, I have determined the following:

1. The INIT 29 Virus will not accept locked disks after it has been fully activated on an infected system. This is the easiest way to find out if you are fully infected. However, since this symptom does not occur immediately, you will also need to make further checks.

2. The virus first invades the Desktop file of a disk when a program is copied onto it, inserting the 712-byte INIT ID 29 resource into it. (Alternately, the INIT is added to a system file if an infected application is started up, even without being copied to the disk.)

3. On the next boot, the INIT is added to the System from the Desktop file (or elsewhere, perhaps), and to every application (as a new CODE resource numbered one higher than the existing highest CODE resource ID, together with an adjusted CODE ID 0 resource) that is used during that work session, and to most documents created by the infected applications during the session.

4. During the very next boot, the infected System will insert the INIT or CODE resources into every targeted file on the hard disk (or diskette), including:

• The actual Desktop file of the operative system disk (hard disk or not)
• INITs such as Suitcase II, Pyro, etc.
• CDEVs, RDEVs, and other System Folder files
• All applications and programs containing CODE resources, with Illustrator 88, Freehand 2.0 and PageMaker 3.0 getting two new 712-byte resources per each use or boot. Others seem to stay content to keep only one extra CODE resource.
• Most document files, including those created by MS Word, MacWrite, Ready,Set,Go!, PageMaker, Illustrator, Freehand, and MS Works. Oddly, MacPaint files seemed to be free of the INIT.
• All "screen font" files (whether for ImageWriter or LaserWriter, new or old versions), all Desk Accessory files, new or old, all LaserWriter printer drivers, including those used by Cassidy, Adobe and Apple fonts, Laser Prep and Aldus Prep files, etc.

5. During invasion of an application, the INIT 29 Virus makes itself a vital part of the application, by changing the application's "jump table" (the CODE ID = 0 resource) to list it as the FIRST SEGMENT TO BE RUN ON LAUNCH. The address of the next segment of CODE to be run is copied from the jump table into the virus itself. This means that removing the virus will kill the application (very much like some protoplasmic viruses). The title of this report is taken from the address of the order to run first, namely the eleventh word of the jump table, which is changed to read the new address of the virus instead of the first segment of the original program CODE. It is this word that is changed by most Mac viruses, at least so far, to ensure that they are run before any other, possibly anti-viral, instructions.

SYMPTOMS OF THE INFECTION INCLUDE:

• After the infected system is rebooted with the INIT running, it will not accept locked disks. It provides the alert saying that the disk suffers from minor damage and asks to repair it. You say OK and then it ejects the disk saying, of course, that the Desktop file could not be rebuilt on it.

• After the infection is mature, often several days old, it begins to interrupt printing and cause documents to fail to print. This has especially been noticed with MacWrite, MS Word, PageMaker, Illustrator and Ready,Set,Go! This seems to be an intermittent problem, and can sometimes express itself very soon after infection.
{Apple's own Virus Information Report says this is most likely due to the Vertical Blanking Interval being used by the virus to do its work, and the work cycle of the virus running too long and interfering with the printing tasks.}

• Also after a mature infection of several days, the system seems to often fail to boot from the infected disk, giving a System Error ID 02. {Robert Wright tells me that this is due to the Virus trying to use parts of the system which have not yet loaded into RAM.}

FOR EMERGENCY ACTION:

• Don't rely entirely on Vaccine 1.01 from CE Software, or Apple's own VirusRX 1.4a2, or any other currently available program other than the Virus Detective DA, version 2.0 (1.2 will do, but is not as flexible, and will sometimes give false reports of removing locked or protected viral resources).

• You will need to type 3 new lines of search instructions into Virus Detective 1.2: INIT ID 29, INIT Size 712, CODE Size 712. (Virus Detective 2.0 comes set up for several viruses including INIT 29 already.) So far, the only two programs I have found with legitimate CODE resources of 712 bytes are the fun PD programs Biorhythm and Geographic. Others you may find are most likely infected and need to be removed from your hard disk.

NOTE: Simply removing the INIT is good enough for the infected non-application files, but applications will bomb if they are restarted after only removing the 712-byte CODE sections. Their jump table, or CODE ID = 0 resource, has been re-written by the virus to look for the Virus's own CODE segment. Since the segment will no longer be there after you remove it, the System will crash with a System Error ID 15 {Robert Wright tells me this is a "segment loader" failure}. If you know how to use ResEdit, you can replace words 9, 10, 11 and 12 in Code Segment 0 with words 16, 17, 18 and 19 of the top-most viral code segment. Then remove the viral code segment(s) by "clearing" them.
Remember that many applications may have received many, many segments of the 712-byte viral code. The newest segment, or highest numbered one, will be the one containing the proper words for copying back into the CODE 0 segment. Be certain to remove all viral segments. If you are not willing or able to re-write the code using ResEdit as described here, rely on your original master disk (which should always, of course, be kept locked), and simply replace the damaged copy with another clean one.

• Be sure that you do not miss a single infected file, especially the Desktop, System, Finder or INITs, CDEVs, or RDEVs. Also, check ALL your diskettes. They can be infected even if no programs have been copied from them or to them: simple insertion into an infected hard disk computer set-up infects them. You can then run your system again.

• The Virus Detective 1.2 desk accessory will not remove certain INIT ID 29 resources from documents and other files, since they are locked or protected by the virus. Sometimes it claims to have removed the infections EVEN THOUGH IT HAS NOT DONE SO, and sometimes it tells you it actually failed. Don't trust it completely. (Version 2.0 of the DA may do this job better, and comes fixed to look for Peace, Scores, nVIR, hPAT, and INIT 29.) Go into ResEdit and check all questionable files and clear out the locked INIT ID 29s. To encourage great Mac-ers like the author of this program, Jeffry Shulman, be sure to send him his money: $20.00 is a bargain! His address is P.O. Box 521, Ridgefield, CT 06877-0521.

I understand from talking with people in the LAMG and elsewhere that this virus is as yet not well known around LA. However, rumors of the virus have cropped up, evidently occurring some weeks ago in the Simi Valley. Members of the Conejo-Ventura area Mac Users Group reported a new virus which added INIT ID 29 to various applications on hard disks.
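The three Virus Detective search lines given under FOR EMERGENCY ACTION (INIT ID 29, INIT Size 712, CODE Size 712) and the ResEdit jump-table repair (words 9 through 12 of CODE 0 restored from words 16 through 19 of the highest-numbered viral segment, then all viral segments cleared) can be expressed as a small script. The Python below is an added example written for this edition; it is not code from the report, from Virus Detective or from Apple. It reads and writes the classic Macintosh resource-fork layout directly (header, resource data, resource map, type list, reference list) and runs against a constructed sample "application" built in memory, so every resource name, size and jump-table byte in the sample is an assumption made for the demonstration, not data taken from a real infected file.

```python
import struct

# Minimal reader/writer for the classic Mac OS resource fork that ResEdit and
# Virus Detective operate on. All fields are big-endian; the data area
# conventionally begins at byte 256 and the map follows the data.
#   header : data_off(4) map_off(4) data_len(4) map_len(4)
#   map    : header copy(16) handle(4) refnum(2) attrs(2) typelist_off(2) namelist_off(2)
#   types  : count-1 (2), then per type: type(4) count-1 (2) reflist_off(2, from type list)
#   refs   : id(2) name_off(2) attrs(1) data_off(3) handle(4)
#   data   : length(4) followed by the resource bytes
VIRAL_SIZE = 712  # size of the INIT 29 / CODE segments described in the report


def word_slice(first, last):
    """Byte range of 1-based 16-bit words first..last, counted as the report counts them."""
    return slice(2 * (first - 1), 2 * last)


def build_fork(resources):
    """Serialize [(type, id, payload)] into a resource fork. Used only to construct test data."""
    data, by_type = bytearray(), {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    type_list, ref_lists = struct.pack(">H", len(by_type) - 1), bytearray()
    typelist_len = 2 + 8 * len(by_type)
    for rtype, refs in by_type.items():
        type_list += rtype + struct.pack(">HH", len(refs) - 1, typelist_len + len(ref_lists))
        for rid, off in refs:  # name offset 0xFFFF = unnamed resource
            ref_lists += struct.pack(">hH", rid, 0xFFFF) + b"\0" + off.to_bytes(3, "big") + bytes(4)
    body = type_list + ref_lists
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(body)) + body
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + bytes(data) + rmap


def parse_fork(fork):
    """Walk the resource map and return [(type, id, payload)] for every resource."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    ntypes = struct.unpack_from(">H", fork, tl)[0] + 1
    found = []
    for t in range(ntypes):
        rtype, nrefs, reflist_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(nrefs + 1):
            entry = tl + reflist_off + 12 * r
            rid = struct.unpack_from(">h", fork, entry)[0]
            off = data_off + int.from_bytes(fork[entry + 5:entry + 8], "big")
            length = struct.unpack_from(">I", fork, off)[0]
            found.append((rtype, rid, bytes(fork[off + 4:off + 4 + length])))
    return found


def scan_for_init29(resources):
    """The report's three search lines: INIT ID 29, INIT Size 712, CODE Size 712.
    Returns the suspicious (type, id) pairs; a legitimate 712-byte CODE (the report
    names Biorhythm and Geographic) will also be listed and must be judged by hand."""
    hits = []
    for rtype, rid, payload in resources:
        if rtype == b"INIT" and (rid == 29 or len(payload) == VIRAL_SIZE):
            hits.append((rtype.decode(), rid))
        elif rtype == b"CODE" and len(payload) == VIRAL_SIZE:
            hits.append((rtype.decode(), rid))
    return hits


def repair_application(resources):
    """The report's ResEdit procedure: copy words 16-19 of the highest-numbered viral CODE
    segment over words 9-12 of CODE 0 (the first jump-table entry), then clear every
    712-byte CODE segment and the INIT 29. Everything else is returned unchanged."""
    viral = [(rid, p) for t, rid, p in resources if t == b"CODE" and len(p) == VIRAL_SIZE]
    if not viral:
        return list(resources)
    saved_entry = max(viral)[1][word_slice(16, 19)]  # original entry kept by the virus
    cleaned = []
    for rtype, rid, payload in resources:
        if rtype == b"CODE" and len(payload) == VIRAL_SIZE:
            continue
        if rtype == b"INIT" and rid == 29 and len(payload) == VIRAL_SIZE:
            continue
        if rtype == b"CODE" and rid == 0:
            payload = bytearray(payload)
            payload[word_slice(9, 12)] = saved_entry
            payload = bytes(payload)
        cleaned.append((rtype, rid, payload))
    return cleaned


# Constructed sample (an assumption, not a real file): a tiny application whose first
# jump-table entry has been redirected from segment 1 to a 712-byte segment 3. The entry
# layout is offset(2), MOVE.W #seg,-(SP) opcode(2), segment(2), _LoadSeg trap(2).
ORIGINAL_ENTRY = bytes.fromhex("00003F3C0001A9F0")


def make_infected_sample():
    code0 = bytes(16) + bytes.fromhex("00003F3C0003A9F0")  # header words 1-8, hijacked entry 9-12
    viral = bytearray(VIRAL_SIZE)
    viral[word_slice(16, 19)] = ORIGINAL_ENTRY  # the virus parks the real entry here
    return [(b"CODE", 0, code0), (b"CODE", 1, bytes(40)), (b"CODE", 2, bytes(24)),
            (b"CODE", 3, bytes(viral)), (b"INIT", 29, bytes(VIRAL_SIZE)),
            (b"STR ", 0, b"\x05hello")]


if __name__ == "__main__":
    parsed = parse_fork(build_fork(make_infected_sample()))
    print("suspicious:", scan_for_init29(parsed))
    print("after repair:", scan_for_init29(repair_application(parsed)))
```

To use it on a real file, hand the raw bytes of the resource fork to parse_fork; build_fork exists only to manufacture the sample. The scanner reproduces the report's caveat as well as its rule: size-712 matches are candidates to be examined, not proof of infection.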
As far as I know, no application has yet been written by their group to repair jump tables of infected applications. Of course, this report is posted on several local BBS units and 100 copies were given away at the January MacValley meeting to interested members. Communication is also being performed with other regional BBS units and interested parties in an effort to fight the growing epidemic of INIT 29 and its associated problems.

FUTURE EFFORTS:

We are now working on efforts to automatically detect the infection of the INIT 29 Virus and to prevent its operation. MacValley members should expect to receive further information by the next meeting, in February. Other efforts are being made to provide a program that will automatically repair infected documents, files, and applications.

Until such programs are available, you would be advised to avoid using public service bureau computers for laser printing or otherwise WITHOUT FIRST LOCKING YOUR DISKETTES, then copying the data onto their hard disks for revision or printing. If your locked disk is rejected, DO NOT UNLOCK IT. You may unlock it, and try to copy it, print it and or revise it on their hard disk. DO NOT RECOPY THE REVISED VERSION OF YOUR FILE TO YOUR DISK unless you are willing to accept the consequences of an infection at home.

NOTE: Some document files after infection fail to copy, due apparently to their "protect" bit being set by the virus. This is the cause of much frustration at such service bureaus.

FURTHER REPORTS OF INFECTIONS, NEW VIRUS SYMPTOMS, ETC.:

Any further information, elaboration on the symptoms, or other virus reports would be appreciated. Call Thomas Bond at 818-843-0567, or David Lagerson, MacValley President, at 818-882-4467.