From macak@lakesys.UUCP Wed Apr 13 10:25:05 1988
Flags: 000000000001
From: macak@lakesys.UUCP (Jim Macak)
Subject: "SCORES" virus
Summary: Info on another Macintosh virus
Keywords: Virus, SCORES, Vaccine
Date: 13 Apr 88 16:25:05 GMT
Organization: Lake Systems - Milwaukee, WI

Another rather ugly virus has reared its head in the Macintosh world. This one has come to be known as the "SCORES" virus, for a file that it leaves in the System Folder. I am taking the liberty of uploading two rather lengthy messages that I found in the User Group area of AppleLink regarding this virus. Although I realize that these files are quite long, I thought the subject important enough to share over the net. Feel free to flame away if you feel differently and I will refrain from posting this sort of info in the future.

Following, then, is the first file from AppleLink, titled "Virus Info #1" on that system.

This originally appeared on the Washington Apple Pi TCS: All information is from Dave Lavery. If you encounter this virus please contact him at: (202) 453-2720 (work) [the area code might be 703 or 301]

We have discovered a new virus that is circulating through the Macintosh community. This is not the now-infamous MacMag virus, but is a completely new and, as far as I can tell, unreported version. As of this date, we have not determined exactly what the virus does other than replicate itself. Because we do not know exactly what this thing does yet, we are very concerned about the possibility of any invisible operations and "time bombs" that it may contain. The presence of the virus in the Macintosh memory does cause several symptoms, which have caused losses of data. These symptoms include difficulty running MacDraw, difficulty printing from any applications (especially MacDraw), difficulty using the "Set Startup" option, difficulty running Excel, corruption of Excel files, and frequent crashes when starting applications.
This virus has existed since at least February, 1988, and may have been around as early as September, 1987.

Identification of infection:

It is possible to determine if this virus has infected your Macintosh with the following procedure:

1) Open the System Folder of the Macintosh and locate the "Note Pad File" and "Scrapbook File."

2) Examine the icons used on these files and check that they resemble the small Macintoshes seen on the "System" and "Finder" icons. If they do not, and instead resemble the standard Macintosh document icon (an upright piece of paper with the upper right corner folded forward), you are probably infected.

3) To verify infection, execute ResEdit or some other utility which can see "invisible" files. Examine the System Folder.

4) If the System Folder contains two invisible files named "Desktop" and "Scores," you are definitely infected.

The infection process:

The virus transmits itself from Macintosh to Macintosh by invading a standard executable application file on a contaminated Macintosh. When this contaminated application is copied to a "sterile" Macintosh, the virus attacks the new system by making these changes to the System Folder: three INIT resources are added to the "System" file. If the files "Note Pad File" and "Scrapbook File" do not exist in the System Folder, they are created. The type and creator fields of the "Note Pad File" are changed from "ZSYS" and "MACS" to "INIT" and "ZSYS," respectively, and an INIT resource is added to the file. The type and creator fields of the "Scrapbook File" are changed from "ZSYS" and "MACS" to "RDEV" and "ZSYS," respectively, and an INIT resource is added to the file. Two new, invisible files are added to the System Folder, named "Desktop" and "Scores," each with an atpl, DATA and INIT resource.
These changes are summarized below:

FILE            TYPE  CREATOR  NEW  INVIS  RESOURCES      SIZE
System          ZSYS  MACS     No   No     INIT ID=6      772 bytes
                                           INIT ID=10     1020 bytes
                                           INIT ID=17     480 bytes
Desktop         INIT  FNDR     Yes  Yes    atpl ID=128    2410 bytes
                                           DATA ID=-4001  7026 bytes
                                           INIT ID=10     1020 bytes
Note Pad File   INIT  ZSYS     No   No     INIT ID=6      772 bytes
Scores          RDEV  ZSYS     Yes  Yes    atpl ID=128    2410 bytes
                                           DATA ID=-4001  7026 bytes
                                           INIT ID=10     1020 bytes
Scrapbook File  RDEV  ZSYS     No   No     INIT ID=17     480 bytes
                                           INIT ID=6      772 bytes

Note that, unlike the MacMag virus, no "nVIR" resources are used anywhere. The modified files, "Note Pad" and "Scrapbook," still appear to function normally with the Note Pad and Scrapbook Desk Accessories, and any existing contents of the file's Data Fork are not disturbed.

Once the system files on the target Macintosh have been infected, the virus will then begin to attack applications. Not every application is attacked by the virus - the determination of whether or not to infect an application is apparently a random decision (at this point, no discernible pattern has been found, except that "Finder" and "MultiFinder" are usually attacked). Applications that are attacked on one Macintosh may remain "sterile" on another Mac, and vice versa.

As each application is attacked, the virus installs a new CODE resource into the application. The identification of this new resource is variable, depending upon the existing resources within the application. The virus looks for the first available CODE resource slot, then places the new resource one position above that. For example, HyperCard contains CODE resources 0 through 20, leaving an ID of 21 as the first available resource ID. The virus placed the new CODE resource in the application as CODE ID=22.

The second step of the infection of the application is the modification of the CODE ID=0 resource of the application. The virus modifies the eleventh word of this resource, which is the start of the application's jump table.
Where the application would normally jump to the CODE ID=1 segment, the virus modifies this pointer to refer to the new CODE resource that has just been installed. The example below shows the first sixteen words of a "sterile" and infected version of HyperCard:

         Sterile                   Infected
    0000 1EF0 0000 559C       0000 1EF0 0000 559C
    0000 1ED0 0000 0020       0000 1ED0 0000 0020
    0008 3F3C 0001 A9F0       0008 3F3C 0016 A9F0
    0000 3F3C 0001 A9F0       0000 3F3C 0001 A9F0
    ...                       ...

Note that the eleventh word has been changed from "0001" to "0016," which points to the new CODE ID=22 resource (hex 16 = decimal 22). Also note that during our examination of suspected applications, we found that at least one compiler - LightSpeed C, I think - normally places non-"0001" values in the eleventh word of the CODE ID=0 resource. To verify infection if the eleventh word is not "0001," check to see that the tenth word is NOT "4EED" and that the eleventh word points to another CODE resource. If both of these are true, then the application is infected.

The new CODE resource is a copy of the virus code, is of size 7026, and is executed when the infected application is invoked. When the virus completes execution, it returns to the invoked application, which appears to proceed normally. The first sixteen words of the virus are:

    0000 0001 xxxx 3F3C 0001 A9F0 4EBA 002E
    204D D0FC 0020 43FA FFEC 20D9 2091 204D ...

The third word of the virus code is variable, and appears to be based on the return address used when the execution of the virus is completed.

The virus further modifies the code of the application in a manner which has not been fully deciphered. This was determined by attempting to recover the HyperCard application by removing the new CODE ID=22 resource and patching the eleventh word of the CODE ID=0 resource. Any attempt to run the rebuilt application resulted in a system bomb, intimating that the virus has modified other sections of the application which prevented its complete exorcism.
Vaccinating your Macintosh:

If your Macintosh is infected, the contaminated system files and applications must be completely removed from the Macintosh, and new ORIGINAL copies should be installed. When removing the virus from the Macintosh system files, you cannot just go in with ResEdit and delete the offensive INIT resources - this virus is apparently intelligent enough to recognize this attempt, and modifies its resource identification and memory location when probed by resource utilities. ResEdit "thinks" that the virus resources have been deleted, but they have been renamed and will return when the Macintosh is restarted. The system must be sterilized by:

1) Examine EVERY application (including any in the System Folder, and on EVERY diskette you may have) you have with ResEdit, and check if a new CODE resource has been added and if the CODE ID=0 resource has been modified to refer to the new CODE. This is the most tedious part of the process, and will probably take quite a bit of time. I have about 160MB of stuff on two 100MB drives, and this step took about three hours. If the application has been infected, list it.

2) Using ResEdit, open the infected System Folder and locate the "Desktop" file. Select the file and use the "Get Info" option on the "File" menu. When the file information window opens, turn off the "Invisible" bit, then close the window and save the file information. Do the same for the "Scores" file.

3) Locate a sterile system diskette (preferably one of the "System Tools" diskettes from Apple), LOCK IT, and boot from it.

4) Throw away the following files from the infected System Folder: "System," "Finder," "MultiFinder," "Desktop," "Scores," "Scrapbook File," and "Note Pad File." Once these files are in the Trash Can, EMPTY THE TRASH IMMEDIATELY! Note: this is the minimum required to remove the System portion of the virus - my personal preference is to delete the ENTIRE System Folder, not just the suspect files in it.
5) Locate all of the applications which you listed in Step 1. Throw them away, and empty the Trash Can.

6) Shut down the Macintosh, and turn the power off. Wait at least 30 seconds for memory to clear before rebooting again from the sterile diskette (this may not really be necessary, but better safe than sorry).

7) Reinstall the Macintosh operating system from the System Tools diskette to your Macintosh.

8) Locate your original copies of the deleted applications software. Before reinstalling the applications, examine each one with ResEdit to be sure that it is sterile. If there is no problem, reinstall the application.

A word of warning:

The "Vaccine" CDEV which is currently appearing on bulletin boards is only marginally useful in fighting this virus - if your system is already infected when you install Vaccine, you will not get any warning from Vaccine that the virus exists. If you have Vaccine installed on a sterile system, and this virus is introduced at a later time, Vaccine will only warn you of the virus attack, but will not prevent infection.

I do not know how far this virus has spread, or where it came from (although we are working on that). The information contained above reflects only what we know so far about this virus - I do not know if it has any maliciously destructive functions which have not yet activated, or if it does anything other than replicate. I do know that it is extremely virulent - it has defensive mechanisms built in to protect itself from deletion, most of its resources are protected, and it places multiple copies of its components throughout the system to avoid single point of failure destruction. This thing is an order of magnitude more sophisticated than the MacMag virus, and is considerably tougher to kill.

So far, the virus appears to only affect system files and application files. Data files (documents, spreadsheet data, HyperCard stacks, etc.) do not appear to be affected, and do not seem to transmit the virus.
While not apparently maliciously destructive, I have established that the mere presence of this virus in the system is sufficient to cause the printing and application instability problems (like the ones we have been experiencing). Once the virus has been removed, all of our reported Macintosh problems have gone away. I believe that whoever wrote this could not foresee enough of the potential system configurations to prevent an occasional collision between the virus and other active applications and printer drivers.

Apple in Cupertino has become intimately aware of this virus in the last two days. They are going to be working on a more complete disassembly of the virus, and will hopefully be able to determine exactly what this thing does.

(Please see a following article for the second file regarding this virus.)

-- Jim --> macak@lakesys.UUCP (Jim Macak) {Standard disclaimer, nothin' fancy!}

From macak@lakesys.UUCP Wed Apr 13 10:32:21 1988
Flags: 000000000001
From: macak@lakesys.UUCP (Jim Macak)
Subject: Re: "SCORES" virus
Keywords: Virus, SCORES, Vaccine
Date: 13 Apr 88 16:32:21 GMT
Organization: Lake Systems - Milwaukee, WI

Here is the second file (Virus Info #2) from AppleLink regarding the "SCORES" virus:

The word from Dallas:

The information provided in the Virus Info # 1 Document is substantially correct, although I will disagree with certain aspects according to my own experiences with this plague.

Detection:

Check the System Folder for Scrapbook File and Note Pad File. If they have BOTH and they are generic document icons, i.e., a blank, dog-eared page, assume you are infected. If the icons are small Macs, like the System and Finder icons, you are most likely safe. But please read and try to understand this document because failure to take precautions may cause you to be infected tomorrow.

The viral files contain several distinct and possibly unique strings. Use Fedit to search for VULT and/or ERIC.
If you do not find either of these strings on your disk, it is NOT infected. If you find them, proceed as though you are infected and make further tests.

When Vaccine has been installed on your disk and is running, opening an infected application will produce either an alert message from Vaccine, a bomb, or the Mac will hang up. In any case, the application should be examined more closely: Use ResEd to open the CODE resource of the application. If the top one is two numbers higher than the next highest number, do a Get Info on it. If the size of this code resource is 7026, you have confirmed it as an infected application. Throw it in the trash as it is unusable and will cause you problems if you run it with Vaccine off. If it is an application for which you do not have a clean backup, save it to a floppy. I'm sure that before too long, someone will write an application that will repair applications and you can recover it then.

If you have installed Vaccine and it periodically gives you a warning, even when you are doing nothing to change anything on the Mac, Vaccine is NOT defective. It is telling you that you are contaminated and that the virus has tried and failed to attack a previously clean application. If you do not have Vaccine installed and have noticed your disk drive (hard or floppy) run for a few seconds when there is no cause, it is quite likely the same thing, except in this case you just lost the application.

Check ALL of your applications. It is easy to overlook some of the smaller and common ones like Font/DA Mover and backup programs. Be sure to check Finder, MultiFinder, and ResEd itself. Remember, you do NOT have to have run an application for it to be contaminated.

Thus far I have not seen a contaminated document. The virus seems to attack only those files which have CODE resources, and virtually all documents do not contain these. If there is a type of document that does, please let me know and I will edit this notice.
Removal:

The virus CAN be removed from your System by less stringent means than described in document # 1. Open your System folder with ResEd. Select and Clear Scrapbook File, Note Pad File, Desktop, and Scores. Open the System and clear these resources: atpl ID 128, DATA ID -4001, and INITs 10, 17, & 6. Close ResEd and save changes.

Note that the System file atpl and DATA resources are not mentioned in the Virus Info # 1 document. However, they are in the System and should be removed. A virgin System (4.1, at least) from Apple does not contain either resource type, but some programs - LaserSpeed, for one - legitimately place them in the System. Remove only the ID numbers listed.

My experiences with this virus over the past three months have shown this to be an effective and relatively simple way to clean the System. I did this three months ago and have seen no more Scores, etc. files until a week ago, when a friend gave me an infected application. Even then I had to turn Vaccine off to get it to do its dirty work.

I have seen several infected Finders. If Vaccine is running and the Finder is contaminated, the Mac will NOT boot. In this case, boot with a CLEAN floppy and replace the Finder on the hard drive.

This rather simple method of decontaminating the System is suggested because it allows you to keep any special fonts, DAs, or other System modifications you may have made. If you want to go the full route and re-initialize the hard disk, you should be thoroughly de-contaminated, but I feel that may be overkill. Just be sure to check all of the files you are re-installing. A friend went to an Apple dealer to get a new System and Finder, only to discover that the dealer's Mac II was infected!

After you feel that all infected applications have been removed and replaced, run Disk Express, if you have it, with the Erase Free Space option turned on. This will cluster your good data to the start of the disk and zero out all remaining space.
Then use Fedit to search for the VULT and ERIC strings. If they are gone, you are cured. If they are still there, do what you can to find out which file they are in and remove it from the disk. (Since the version of Fedit I bought (1.1) had not yet implemented the "Sector Info" feature, it would not show me the name of the file(s) which contained these strings. I had to search sectors before and after them to make a guess as to which files I was looking at.) Repeat this until there is no ERIC or VULT. (By the way, if anyone knows where I might find a jerk named Eric Vult who wrote this virus, I have a few things I'd like to say - and do - to him.)

Speculation:

In addition to ERIC and VULT, several of the viral resources contain another possibly important string: HD20. Pure supposition on my part, but this could be a two-step virus. First the spread. You get a bad application. It infects your System. Once active, it spreads to applications. You give one of these to a friend or put it on a BBS. It infects other Systems, which infect more applications... In a finite and rather short time it is all over the country. I know for a fact that as of April 5, 1988, it is in Hawaii, Dallas, Washington, and a prominent computer in Cupertino! Then on some predetermined date, or following some specific action on your part, it performs some heinous act, and possibly on HD20s.

If you own an HD20, I recommend the following: Choose a disk name other than HD20. The name may or may not have anything to do with the possible purpose of this virus, but don't take a chance. The bad news is that the name HD20 is found in multiple places on your disk. To simplify the name changing procedure, choose a name comprised of four letters like Mine, Disk, or Bomb. Use Fedit to search the disk for HD20, and change EVERY occurrence to the new name. You will also find your disk name in the next to the last sector on the disk. Don't overlook this one.
Changing to a name of other than four letters is much more complex and I can't explain how to do it here, but merely changing the name of the hard disk from the Finder is NOT enough. Just a friendly suggestion.

Prevention:

Contrary to the advice in the Info # 1 document, I have so far found Vaccine to be very effective in controlling this virus. Make sure you have the real Vaccine and not a phony. It is 11,875 bytes in size, created March 19, 1988 at 11:49 PM. (I guess CE Software worked long hours on this one. Have you thought of paying them, even though the program is free?) Notice that the file name " Vaccine" starts with a space. Leave it this way, as programs like this are loaded alphabetically, and the space makes sure Vaccine is loaded first for maximum protection. Keep Vaccine running at all times. For those who do not know how to use it, place Vaccine in your System Folder and then open the Control Panel under the Apple menu. Vaccine will appear in the left window. Select it with the mouse and read the instructions. I suggest putting an X in the top box, the second one, and the fourth one.

Research:

We know that an infected application grows in size by 7042 bytes. CODE 0 resource is altered, but with no change in size, and a new CODE of 7026 bytes is created. Where is the additional 16 byte increase? Apparently not in the CODE resources. Help here would be appreciated. Vaccine will beep three times when an attempt is made to infect an application. My guess is one for adding the 7026, one for the CODE 0 change, and one for the 16 bytes. Finding the last may provide the means for rescuing a sick application.

Does the atpl resource have any reference to AppleTalk? Can this virus be spread over a network? I am not a programmer, just a hacker, and do not know.

Me:

One hates to publish a phone number in a document designed for public distribution, but without it you could not relay any important information.
Please call only from 8 AM to 8 PM Central time, and only if you have found something not in either of the two documents in this package. Long distance callers, please leave a complete message on the answering machine if it answers, as I cannot afford to return many long distance calls. And thanks for any help.

Howard Upchurch
3409 O'Henry Drive
Garland, TX 75042
(214) 272-7826

Notices:

I have reported information as I have found it. If there are any errors in the above, I apologize but ask not to be held responsible. Some statements may prove false or incomplete as more information comes to light. Although most references in this document concern hard disks, floppies can be infected in the same way. Even if you do not use a hard disk, check everything you own.

-- Jim --> macak@lakesys.UUCP (Jim Macak) {Standard disclaimer, nothin' fancy!}

From jpd@eecs.nwu.edu Mon Apr 18 10:11:09 1988
Flags: 000000000001
From: jpd@eecs.nwu.edu (Phil Draughon (ACNS))
Subject: The Scores Virus
Date: 18 Apr 88 16:11:09 GMT
Organization: Northwestern U, Evanston IL, USA
Status: RO

My colleague Bob Hablutzel got a copy of the Scores virus last Thursday and disassembled it, and I've been studying and testing it ever since. So far I've reverse-engineered about half the code and have a thorough understanding of how it works. This note is a preliminary report on what I know so far, after four days of research. It also outlines plans for a disinfectant program.

The virus is definitely targeted against applications with signatures VULT and ERIC. I don't know if any applications with these signatures exist or are planned to be released.

The virus infects your system folder when you run an infected program. The virus lies dormant for two days after your system folder is first infected. After two, four, and seven days various parts wake up and begin doing their dirty work.

Two days after the initial infection the virus begins to spread to other applications.
I haven't completely finished figuring out this mechanism, but it appears that only applications that are actually run are candidates for infection.

After four days the second part of the virus wakes up. It begins to watch for the VULT and ERIC applications. Whenever VULT or ERIC is run it bombs after 25 minutes of use. If you don't have a debugger installed you'll get a system bomb with ID=12. If you have MacsBug installed you'll get a user break.

After seven days the third part of the virus wakes up. Whenever VULT is run the virus waits for 15 minutes, then causes any attempt to write a disk file to bomb. If you don't do any writes for another 10 minutes the application will bomb anyway, as described in the previous paragraph. There's also more code to force a bomb after 45 minutes, but I can't see any way that this code can be reached, given the forced bomb after 25 minutes.

The virus identifies VULT and ERIC by checking to see if the application contains any resources of type VULT or ERIC. Applications with signatures VULT and ERIC normally contain these resources, but other applications normally don't. I verified the behaviour of the virus by using ResEdit to add empty resources of types VULT and ERIC to the TeachText application. TeachText bombed as described above on an infected system, even though TeachText itself was not infected!

While running my experiments I was in ResEdit on the infected system and heard the disk whir. Sure enough, ResEdit was infected. I've been running on an infected system with an infected ResEdit for three days. I reset the system clock to fool the various parts of the virus into thinking it was time for them to wake up. The Finder has also become infected. ResEdit, Finder, and the rest of the system seem to be functioning normally. Only my version of TeachText modified to look like VULT or ERIC has been affected by the virus.

If you repeat any of these experiments be very careful to isolate the virus.
I'm using a separate dual floppy SE to perform my experiments, and I've carefully labelled and isolated all the floppies I'm using. My main machine is an SE with a hard drive, where I have MPW and my other tools installed. It's OK to look at infected files on the main machine (e.g. with ResEqual, DumpCode, etc.), but don't run any infected applications on the main machine - that's how it installs itself and spreads. Children should not attempt this without adult supervision :-)

An infected application contains an extra CODE resource of size 7026, numbered two higher than the previous highest numbered CODE resource. Bytes 16-23 of CODE resource number 0 are changed to the following:

    0008 3F3C nnnn A9F0

where nnnn is the number of the new CODE resource. You can repair an infected application by replacing bytes 16-23 of CODE 0 by bytes 2-9 of CODE nnnn, then deleting CODE nnnn. I've tried this using ResEdit on an infected version of itself, and it works. The MPW utility ResEqual reports that the result is identical to the original uninfected version.

The virus creates two new invisible files named Desktop (type INIT) and Scores (type RDEV) in your system folder, and adds resources to the files System, Note Pad File, and Scrapbook File. Note Pad File and Scrapbook File are created if they don't already exist. Note Pad File is changed to type INIT, and Scrapbook File is changed to type RDEV. Both of these files normally have file type ZSYS. The icons for these two files change from the usual little Macintosh to the generic plain document icon. Checking your system folder for this change is the easiest way to detect that you're infected.
Copies of the following five resources are created:

Type   ID     Size   Files
-----  -----  -----  -------------------------------------
INIT   6      772    System, Note Pad File, Scrapbook File
INIT   10     1020   System, Desktop, Scores
INIT   17     480    System, Scrapbook File
atpl   128    2410   System, Desktop, Scores
DATA   -4001  7026   System, Desktop, Scores

A disinfectant program would have to repair all infected applications and clean up the system folder, undoing the damage described above. I don't yet know exactly which files can be infected, but I know for sure that Finder (file type FNDR) can get infected, and that applications (file type APPL) can get infected. For safest results the disinfectant should examine and disinfect the resource forks of all the files on the disk.

I recommend the following algorithm: Scan the entire file hierarchy on the disk, and for each file on the disk check its resource fork. Delete any and all resources whose type, ID, and size match the table above. Delete all files whose resource forks become empty after this operation. If the resource fork's highest numbered CODE resource is numbered two more than the next highest numbered CODE resource, and if its size is 7026, then patch the CODE 0 resource as described above, and delete the highest numbered CODE resource. Also examine all files named Note Pad File and Scrapbook File. If their file type is INIT or RDEV, change it to ZSYS.

I'm fairly confident that a disinfectant program implemented using the algorithm above would successfully eradicate the virus from a disk, restore all applications to their original uninfected state, and not harm any non-viral software on the disk. It should work even on disks with multiple infected system folders. I also believe that it should work even if run on an infected system, and even if the disinfectant program becomes infected itself!
There's a small chance that it could delete too many resources, and hence damage some other application, but that's a small price to pay for a clean system.

Getting rid of a virus is tricky, even with a disinfectant program. The disinfectant program should be placed on a floppy disk along with a system folder. Make a backup copy of this disk. The machine should be booted using the startup disk you just made, and then the disinfectant should be run on all the hard drives and floppies in your collection, including the backup copy of the startup disk you just made. Don't run any other programs or boot from any other disks while disinfecting - you might get reinfected. When you're all done, reboot from some other (disinfected) disk and immediately erase the startup disk you used to do the disinfecting, which may be (and probably is) infected itself. This should absolutely, positively get rid of all traces of the virus. The backup disk you made and disinfected should contain an uninfected copy of the disinfectant program in case you need to use it again.

There are at least two red herrings in the virus. It uses a resource of type 'atpl', which is usually some sort of AppleTalk resource. As far as I can tell, however, the virus does not attempt to spread itself over networks. The 'atpl' resource is used for something else entirely. This is not a bug. Also, the virus creates the file Desktop in your system folder. This is done on purpose. It is not a failed attempt to modify the Finder's Desktop file in the root directory. The file is used by the virus, and has nothing to do with the Finder.

I don't know why the virus seems to cause reported problems with MacDraw, printing, etc. Perhaps it's a memory problem - the virus permanently allocates 16,874 bytes of memory at system startup (four blocks in the system heap of sizes 772, 40, 8, and 334, and one block at BufPtr of size 15360). I've only found one possible bug in the virus code, and it looks pretty harmless.
The code is very sophisticated, however, and I can easily understand how I might have overlooked a bug, or how it might interact in strange unintended ways with other applications and parts of the system.

When we've finished completely cracking this virus we'll probably distribute another report. I've posted these preliminary results now to get the information out as quickly as possible. We also hope to write the disinfectant program, if someone else doesn't write it first.

I've decided not to distribute detailed information on how this virus works. I'll distribute detailed technical information about what it does and how to get rid of it, but not internal details. This was a very difficult decision to make, because normally I firmly believe in the enormous benefit of the free exchange of code and information. The Scores virus is a very interesting and complicated piece of code, I've learned a great deal about the Mac by studying it, and I'm sure other people could learn a great deal from it too. But I don't want to teach twisted minds how to write these incredibly nasty bits of code. If I write the disinfectant program, however, I will distribute its source, because I do want to teach untwisted minds how to get rid of them.

So please don't bombard me with requests for more information. You may be the nicest, most honest, incredibly important person, but I won't tell you how it works. I'll make only two exceptions, and that's for a very few of my colleagues at Northwestern University, and for qualified representatives of Apple Computer.

Thanks to Howard Upchurch for giving us a copy of the virus, and to Bob Hablutzel for helping me crack it.

John Norstad
Northwestern University
Academic Computing and Network Services
2129 Sheridan Road
Evanston, IL 60208
Bitnet: JLN@NUACC

Monday morning, April 18, 1988.
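As an added illustration, not code from any of the posts above nor from KillScores or Ferret, the following Python models the detection and repair algorithm John Norstad describes (resource table, CODE-id rule, CODE 0 patch, file-type fix) together with the first report's tenth/eleventh-word check, on an in-memory model of a resource fork. The dict layout of the fork, the `sample_*` fixtures, and the legitimate atpl 200 resource are constructed assumptions; the byte offsets, sizes and resource ids are those given in the reports.

```python
import struct

# Viral resources as tabulated in the report: (type, id, size in bytes).
SCORES_RESOURCES = {
    ("INIT", 6, 772), ("INIT", 10, 1020), ("INIT", 17, 480),
    ("atpl", 128, 2410), ("DATA", -4001, 7026),
}
VIRUS_CODE_SIZE = 7026  # size of the CODE resource the virus adds

def find_viral_code_id(fork):
    """Norstad's rule: the highest CODE id is two above the next highest
    and that resource is exactly 7026 bytes. Returns its id, else None."""
    codes = fork.get("CODE", {})
    if len(codes) < 2:
        return None
    ids = sorted(codes)
    top, nxt = ids[-1], ids[-2]
    if top == nxt + 2 and len(codes[top]) == VIRUS_CODE_SIZE:
        return top
    return None

def code0_is_hooked(code0, viral_id):
    """True if bytes 16-23 of CODE 0 are the hook 0008 3F3C nnnn A9F0
    with nnnn equal to the viral CODE id (Norstad's description)."""
    if len(code0) < 24:
        return False
    return struct.unpack(">4H", code0[16:24]) == (8, 0x3F3C, viral_id, 0xA9F0)

def jump_table_suspicious(code0, code_ids):
    """First report's check for compilers that do not leave 0001 in the
    eleventh word: tenth word is not 4EED and the eleventh word names
    another CODE resource that is actually present in the file."""
    if len(code0) < 22:
        return False
    w10, w11 = struct.unpack(">2H", code0[18:22])
    return w11 != 1 and w10 != 0x4EED and w11 in code_ids

def repair_code0(code0, viral_code):
    """Put bytes 2-9 of the viral CODE (the saved original jump-table
    entry) back into bytes 16-23 of CODE 0, as Norstad describes."""
    return code0[:16] + bytes(viral_code[2:10]) + code0[24:]

def disinfect_fork(fork):
    """Apply the report's algorithm to one resource fork, in place: delete
    resources matching the table by type, id AND size, repair a hooked
    CODE 0, delete the viral CODE, drop emptied types. Returns actions."""
    actions = []
    for rtype, rid, size in sorted(SCORES_RESOURCES):
        res = fork.get(rtype, {}).get(rid)
        if res is not None and len(res) == size:
            del fork[rtype][rid]
            actions.append(f"deleted {rtype} {rid} ({size} bytes)")
    vid = find_viral_code_id(fork)
    if vid is not None:
        codes = fork["CODE"]
        if code0_is_hooked(codes[0], vid):
            codes[0] = repair_code0(codes[0], codes[vid])
            actions.append("restored CODE 0 bytes 16-23")
        del codes[vid]
        actions.append(f"deleted CODE {vid}")
    for rtype in [t for t, res in fork.items() if not res]:
        del fork[rtype]  # an empty fork means the file itself should go
    return actions

def corrected_file_type(name, ftype):
    """Note Pad File / Scrapbook File retyped to INIT or RDEV go back to ZSYS."""
    if name in ("Note Pad File", "Scrapbook File") and ftype in ("INIT", "RDEV"):
        return "ZSYS"
    return ftype

# --- Constructed sample data, not real files ----------------------------
# First 32 bytes of the sterile HyperCard CODE 0 as printed in the first
# report, padded so the resource extends past the patched region.
STERILE_CODE0 = bytes.fromhex(
    "00001EF00000559C00001ED000000020"
    "00083F3C0001A9F000003F3C0001A9F0") + bytes(32)

def sample_app_fork(infected):
    """Constructed application fork with CODE 0-20. When infected, it
    mirrors the reports: CODE 22 of 7026 bytes with the saved original
    entry at bytes 2-9, and CODE 0 hooked to point at 22."""
    fork = {"CODE": {0: STERILE_CODE0}}
    for i in range(1, 21):
        fork["CODE"][i] = b"\x4e\x75" * 4  # placeholder segment (RTS)
    if infected:
        viral = bytearray(VIRUS_CODE_SIZE)
        viral[2:10] = STERILE_CODE0[16:24]
        fork["CODE"][22] = bytes(viral)
        hook = struct.pack(">4H", 8, 0x3F3C, 22, 0xA9F0)
        fork["CODE"][0] = STERILE_CODE0[:16] + hook + STERILE_CODE0[24:]
    return fork

def sample_system_fork():
    """Constructed System-file fork: the five viral resources plus a
    legitimate atpl 200 (constructed) that the id/size rule must keep."""
    return {"INIT": {6: bytes(772), 10: bytes(1020), 17: bytes(480)},
            "atpl": {128: bytes(2410), 200: b"legit"},
            "DATA": {-4001: bytes(7026)}}
```

The id-and-size match is what keeps a LaserSpeed-style atpl or DATA resource, as Howard Upchurch's note warns, from being deleted along with the viral ones.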
From jpd@eecs.nwu.edu Mon Apr 25 13:29:14 1988
From: jpd@eecs.nwu.edu (Phil Draughon (ACNS))
Subject: Scores Virus Report 2
Date: 25 Apr 88 18:29:14 GMT
Organization: Northwestern U, Evanston IL, USA

Scores Report 2
Sent on Monday 4/25/88 to comp.sys.mac.
------------------------------------------------------------------

This is my second report on the Scores virus. The important good news is there are now two free disinfection programs called KillScores and Ferret 1.0. I didn't write either one of them. They seem to work fine, so there's no need for me to write another one. I'm also happy to report that CE Software's Vaccine 1.0 is effective against Scores. There's not much new to report about the virus itself.

KillScores and Ferret 1.0 were posted on AppleLink over the weekend of April 16. I discovered them shortly after posting my first report on Monday the 18th. I believe they are also available on CompuServe, but I haven't checked.

Both of these programs were written specifically to eradicate the Scores virus. They can also be used to simply check for the virus, without changing anything on your disk.

I tested both Ferret and KillScores on my small infected test system, and on some large uninfected ones. Both of them worked on my small infected system. They removed all traces of the virus and repaired the system folder and all the damaged applications correctly. They both also correctly reported that several large systems with nearly full 20 and 80 megabyte hard drives were uninfected.

A word of warning, however. My small test system only contains infected versions of TeachText, ResEdit, and MacWrite. I don't have the facilities or the time to do large scale testing of lots of infected applications. Also, I don't have the source code for either of the programs. So I can't guarantee that either of them is perfect, or that they won't damage your files.

KillScores has a better user interface than Ferret 1.0, although neither one is very good.
Ferret 1.0 also seems to have a problem properly reporting the names of the infected files. This only works some of the time. KillScores does a much better job of telling you exactly what it's doing. The important thing is that both of these programs seem to work, and the authors deserve our thanks. Larry Nedry wrote Ferret 1.0, and KillScores is the work of the MacPack/Apple Corps of Dallas task force, headed by Howard Upchurch.

Getting rid of a virus is very tricky, even with the help of a disinfection program like KillScores or Ferret 1.0. I managed to make mistakes using them during my tests, and ended up with a system that was still infected! I recommend that you carefully follow the steps below to make sure that you've really eradicated all traces of the virus.

Step 1. Make a startup disk containing just a system folder and a copy of the disinfection program (KillScores and/or Ferret 1.0). For the safest results the system folder should be copied as is from a locked original Apple system release disk. The only files you really need in your system folder are System and Finder. Make sure your system folder doesn't contain any non-Apple INITs, CDEVs, or other miscellaneous crap.

Step 2. Restart your machine using the startup disk you just made.

Step 3. Make a backup copy of the startup disk you just made.

Step 4. Run the disinfection program on all the hard drives and floppies in your collection, including the backup copy you just made. Don't run any other programs or boot from any other disks until you're done disinfecting, or you might get reinfected. Use Finder, not MultiFinder (I've only tested under Finder. The programs might work OK under MultiFinder too, but I don't know).

Step 5. Shut down your system and restart using some other (disinfected) startup disk.

Step 6. Immediately erase the startup disk you made in step 1 and used to disinfect your system.
The backup disk you made is free from infection, and it contains a copy of the disinfection program that you can use again if you need it.

For the safest results you should try to make sure that all the files you copy to your startup disk in step 1 are uninfected. That's why I recommend using your original locked Apple release disk. I have, however, tested both KillScores and Ferret 1.0 with infected startup disks, and they seem to work OK.

To double check, you can run both KillScores and Ferret 1.0. The program you run first should disinfect your disk, and the one you run second should report that the disk is free of infection.

I've also tested CE Software's Vaccine 1.0 with Scores. It seems to be effective against the initial attempt at infection. In all my tests my vaccinated system bombed whenever I attempted to run an application infected with Scores, and my system was not infected. I've tried this with the "expert display" option both on and off, and with the "always compile MPW INITS" option both on and off. I've seen bombs with ID=02 and ID=25. I don't know why the system bombs instead of presenting Vaccine's usual dialog box or tiny icons.

I'd like to correct an error in the first report. When fixing an infected application with ResEdit, you should replace bytes 16-23 of CODE resource 0 by bytes 4-11 of CODE resource nnnn, not by bytes 2-9. Bytes are numbered starting with 0. I apologize if this caused anybody any grief.

I'd also like to thank Dave Lavery and Howard Upchurch for their early work on the Scores virus. I used their results as a starting point for my own research, and I should have given them credit in my first report.

I've discovered several more interesting facts about Scores, including more attacks on VULT and ERIC, an explanation for why some applications don't get infected, and several bugs in the virus. There also may be a few problems with the disinfection algorithm I presented in the first report.
The details aren't important now, so I won't describe them.

It has been reported that the virus contains some sort of special code designed to fool ResEdit. This isn't true, although I have had ResEdit crash inexplicably on an infected system.

Please note that I am NOT Phil Draughon! I'm just using his account to post this message, since my usual machine is having trouble posting notes. My real name and address are:

John Norstad
Academic Computing and Network Services
Northwestern University
Evanston, IL 60208
Bitnet: JLN@NUACC

From ephraim@vidar.think.com.UUCP Tue Apr 26 07:55:21 1988
From: ephraim@think.COM (ephraim vishniac)
Subject: Re: Scores Virus Report 2
Date: 26 Apr 88 12:55:21 GMT
Organization: Thinking Machines Corporation, Cambridge, MA

In article <10330004@eecs.nwu.edu> jpd@eecs.nwu.edu (Phil Draughon (ACNS)) writes:
>
>Scores Report 2
>
>Sent on Monday 4/25/88 to comp.sys.mac.
>------------------------------------------------------------------
>This is my second report on the Scores virus. The important good
>news is there are now two free disinfection programs called
>KillScores and Ferret 1.0. I didn't write either one of them.
>They seem to work fine, so there's no need for me to write another
>one. I'm also happy to report that CE Software's Vaccine 1.0 is
>effective against Scores. There's not much new to report about the
>virus itself.

For news about the virus, see MacWEEK for Tuesday, April 26. There's an article headlined "Scores virus prompts FBI investigation." It turns out that the target programs were two proprietary programs developed by Electronic Data Systems, Dallas TX, and used at various government agencies. The virus is believed to have been circulating since March 1987. "According to one source, both Apple and the FBI know the identity of the programmer who wrote the virus more than a year ago." No motivation for the attack is given.
>KillScores and Ferret 1.0 were posted on AppleLink over the weekend
>of April 16. I discovered them shortly after posting my first
>report on Monday the 18th. I believe they are also available on
>CompuServe, but I haven't checked.

Ferret 1.1 is now available; I picked it up from Mass Mac and Electric so I imagine it's on plenty of local boards by now. It ran very smoothly on my (uninfected) file system. I don't know if it corrects the problems with file name display that the author of the above-cited report mentioned.

Ephraim Vishniac
ephraim@think.com
Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142-1214

On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?"

From levin@BBN.COM Fri Apr 29 15:48:48 1988
From: levin@bbn.com (Joel B Levin)
Subject: Vaccine: what can trigger it
Date: 29 Apr 88 20:48:48 GMT
Organization: BBN Communications Corporation

(From the most recent DELPHI digest)

: From: MACWEEKBOS
: Subject: Re: Vaccine and Font/DA Mover (Re: Msg 26280)
: Date: 14-APR 13:44 Network Digests
:
: I just tried to cause a problem running Font/DA Mover 3.6 with Vaccine
: installed. I tried it with both System 4.2/Finder 5.1 and the current
: System and Finder and could not get Vaccine to trigger, although it
: could be triggered by other programs.
:
: Ric Ford

I have MacNosy'd Vaccine a little, and it looks as if Font/DA Mover may well not trigger it. Vaccine doesn't seem to look at whether the System file is being modified; rather it looks at the resource types instead. The traps AddResource and ChangedResource are patched, and Vaccine is triggered if the resource type argument is one of the following list:

INIT, DSAT, PTCH, CODE, MDEF, WDEF, CDEF, nVIR, PACK

If you are not modifying a DA with one of these resources then you should not trigger Vaccine.
Disclaimer: I don't remember whether there were some other traps patched which I didn't examine; so maybe there is another check for whether certain files are being written.

/JBL
UUCP: {backbone}!bbn!levin      USPS: BBN Communications Corporation
ARPA: levin@bbn.com                   50 Moulton Street
POTS: (617) 873-3463                  Cambridge, MA 02238

From jpd@eecs.nwu.edu Mon May 2 09:39:32 1988
From: jpd@eecs.nwu.edu (Phil Draughon (ACNS))
Subject: Scores Report 3
Date: 2 May 88 14:39:32 GMT
Organization: Northwestern U, Evanston IL, USA

This is my third report on the Scores virus. In my first report I revealed what Scores did, how to detect it, and how to get rid of it by hand using ResEdit. In my second report I reviewed Ferret 1.0 and KillScores, two free disinfectant programs that have appeared to get rid of Scores. In this report I describe further testing of Ferret 1.0, the new Ferret 1.1, and KillScores.

IMPORTANT: Ferret 1.1 has very serious bugs! Based on my tests I recommend using KillScores instead.

1. Ferret 1.1 does NOT properly delete one of the viral resources in the system file (INIT 17), at least on my small infected test system! I found this unbelievable, so I reran my test several times, and it failed each time. Ferret 1.0 does not have this problem.

2. Ferret 1.1 does NOT properly disinfect files which contain CODE resources marked "protected". Some applications are distributed with protected CODE resources, and Scores can infect them, so this is another important bug. Ferret 1.0 also has this bug. In this case the supposedly repaired application is left in a seriously damaged state - it will bomb immediately on launch.

3. Ferret 1.1 does NOT properly disinfect locked files. This is an important bug, even though Scores can't infect locked files. The file could have been unlocked when it became infected, and then the user could have locked it later. Ferret 1.0 also has this bug. I'd like to thank Rich Holmes for first pointing out this bug.

4. Ferret 1.1 still does NOT always properly report the names of infected files. Ferret 1.0 also has this bug.

To make things even worse, Ferret does not give the user any indication that anything is wrong. It leaves the user with the impression that his/her system is clean, when in fact it's still at least partially infected.

I also did further testing of KillScores. KillScores had no problems with the cases above where Ferret failed - it properly disinfected all the files on my test system. In the case of locked files KillScores unlocks the file, disinfects it, and leaves it unlocked.

In my second report I mentioned that CE Software's Vaccine effectively prevents infection by Scores, at least on my test system. If you are at all worried about viruses, and you should be, I strongly recommend that you get Vaccine and use it religiously. CE Software deserves all of our thanks for developing and giving away this important tool. It's not perfect protection, as the authors freely admit in the documentation, but it is effective against Scores, and I understand that it's also effective against most of the other recent Mac viruses.

Once again, I must emphasize that I do not have the facilities or time to do large scale testing of many infected applications. All of my testing is done on a small floppy-only system, with only MacWrite, TeachText, and ResEdit for infected applications. So I can't guarantee that KillScores or any other program is perfect, or that I haven't made mistakes in these reports.

Also, I should probably mention that all of my statements in all of my reports reflect my opinions only, and not those of my employer, Northwestern University.

Finally, if you're reading this on comp.sys.mac, please note that I am NOT Phil Draughon! I'm just using his account to post this message, since my usual machine is having trouble posting notes.
My real name and address are:

John Norstad
Academic Computing and Network Services
Northwestern University
Evanston, IL 60208
Bitnet: JLN@NUACC

Monday morning, May 2, 1988

From juniper!mentat@emx.UTEXAS.EDU Sun Oct 2 19:54:35 1988
Date: Sun, 2 Oct 88 20:43:05 edt
From: juniper!mentat@emx.UTEXAS.EDU (Robert Dorsett)
Message-Id: <8810030043.AA22022@juniper.UUCP>
To: ut-emx!rascal.ics.utexas.edu!werner@emx.UTEXAS.EDU
Subject: Re: Scores virus

I suspect that SCORES lodges itself in the system by redirecting the GetNextEvent trap vector to point to itself, thus "stealing cycles" and being able to run in the background. This accounts for the behavior of the Macintosh doing "disk accesses for no apparent reason," which is written up in the Scores documentation and the killscores documentation.

I initially ran Scores from an infected System, but underestimated the frequency of these "disk accesses." There are alarming pauses in killscores' disk scanning, which I attribute to interference from the virus.

SO, the solution is to run killscores from a sterile floppy, but creating the floppy is the problem. I initially downloaded killscores on my HD, and the process of juggling systems, finders, and killscores is causing my "sterile" disk to become contaminated (primarily because killscores in itself, when run from an unsterile system, becomes a vector!). I'll get it straightened out eventually, but might have to download another copy of killscores (but then again, all of my copies of Versaterm are contaminated...:-)).

I strongly suspect that scores is a nonmalicious virus.
Its characteristics (and my three-month relatively trouble-free use period) suggest that it's causing problems by "getting in the way," i.e., its propagation technique itself is causing problems. It does not appear to be deliberately munging files, deleting data, or anything else that can be considered "hostile." And nobody on the net has reported any time-bomb effects. But the damn thing *is* very, very contagious...:-)