========================================================================
== Computer Virus Catalog (Version 1.2)                               ==
== *** 29 Macintosh Viruses/Clones/Trojans ***                        ==
========================================================================
== Status: January 6, 1992                                            ==
== Classified: 10 Macintosh-Viruses (MACVIR.790): July 20,1990        ==
==           +  9 Macintosh-Viruses (MACVIR.791): July 15,1991        ==
==           +  1 Macintosh Trojan  (     "     )                     ==
== ==NEW>    +  8 Macintosh-Viruses (MACVIR.192): January,1992        ==
== ==NEW>    +  1 Macintosh Trojan  (     "     )                     ==
========================================================================
== List of Macintosh Viruses:                                   =Doc= ==
==  --------------------------                                  =---= ==
==      1) AIDS Clone (nVIR B Strain)                           =790= ==
==      2) Aladin Virus (Frankie Strain)                        =790= ==
==   +  3) ANTI A Virus (ANTI Strain)                           =192= ==
==   +  4) ANTI B Virus (ANTI Strain)                           =192= ==
==   +  5) ANTI Variant Virus (ANTI Strain)                     =192= ==
==      6) CDEF Virus                                           =791= ==
==      7) Frankie Virus (Frankie Strain)                       =790= ==
==      8) fuck Clone (nVIR B Strain)                           =790= ==
==      9) Hpat Clone (nVIR B Strain)                           =790= ==
==     10) INIT 29 Virus                                        =791= ==
==     11) Jude Clone (nVIR B Strain)                           =790= ==
==   + 12) MacMag = Peace Trojan (MacMag Strain)                =192= ==
==   + 13) MacMag = Peace Virus (MacMag Strain)                 =192= ==
==     14) MDEF A = Garfield Virus (MDEF Strain)                =791= ==
==     15) MDEF B = Top Cat Virus (MDEF Strain)                 =791= ==
==   + 16) MDEF C Virus (MDEF Strain)                           =192= ==
==   + 17) MDEF D Virus (MDEF Strain)                           =192= ==
==     18) MEV# Clone (nVIR B Strain)                           =790= ==
==     19) nFLU Clone (nVIR B Strain)                           =790= ==
==     20) nVIR A Virus (nVIR Strain)                           =790= ==
==     21) nVIR B Virus (nVIR B Strain)                         =790= ==
==     22) nVir C Virus (nVir Strain)                           =791= ==
==   + 23) SCORES Virus                                         =192= ==
==     24) STEROID INIT Trojan                                  =791= ==
==     25) WDEF (A) Virus (WDEF Strain)                         =791= ==
==   + 26) WDEF B Virus (WDEF Strain)                           =291= ==
==     27) ZUC A Virus (ZUC Strain)                             =791= ==
==     28) ZUC B Virus (ZUC Strain)                             =791= ==
==     29) 2-Tunes (=HC=HyperCard) Virus                        =791= ==
==                                                                    ==
========================================================================

====== Computer Virus Catalog 1.2: "ANTI A" Virus (17-Dec-1991) =======
Entry...............: "ANTI A" Virus
Alias(es)...........: ---
Virus Strain........: ANTI Virus Strain
Virus detected when.: ---
              where.: USA
Classification......: Link virus
Length of Virus.....: 1348 Bytes + 1 Jump table entry
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: all versions
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: The strings "ANTI" and "#000001" can be found in
                      the CODE 1 resource
Resource pattern....: CODE 1 is increased by 1348 bytes
Type of infection...: Extending CODE 1 and modifying CODE 0
Infection trigger...: Running an infected application to get in memory.
                      Use of OpenResFile
Applications affected: All those having a CODE 0 and CODE 1 resource
                      with size of old CODE 1 + virus <= 32768 bytes.
Traps intercepted...: OpenResFile, MountVol
Damage..............: If MountVol is called for a disk drive, this virus
                      searches the first sector of track 16 for the
                      string $16+"%%S" at offset 8 from the beginning of
                      the sector (works only on 400K and 800K floppies);
                      if this string is found, the virus executes the
                      code in that sector via a JSR call. (No such code
                      had been discovered as of the classification date.)
Damage Trigger......: Invocation of MountVol
Peculiarities.......: Detects files infected with ANTI B and modifies
                      them to become ANTI Variant
Similarities........: ANTI B, ANTI Variant
--------------------- Agents -----------------------------------------
Countermeasures/direct:
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "ANTI A" Virus ==========================

======= Computer Virus Catalog 1.2: "ANTI B" Virus (17-Dec-1991) ======
Entry...............: "ANTI B" Virus
Alias(es)...........: ---
Virus Strain........: ANTI Virus Strain
Virus detected when.: ---
              where.: USA
Classification......: Link virus
Length of Virus.....: 1144 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: all versions
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: The strings "ANTI" and "#000001" can be found in
                      the CODE 1 resource
Resource pattern....: CODE 1 is increased by 1144 bytes
Type of infection...: Extending CODE 1 and modifying CODE 0
Infection trigger...: Running an infected application to get in memory.
                      Use of OpenResFile.
Applications affected: All those having a CODE 0 and CODE 1 resource
                      with size of old CODE 1 + virus <= 32768 bytes.
Traps intercepted...: OpenResFile, MountVol
Damage..............: If MountVol is called for a disk drive, this virus
                      searches the first sector of track 16 for the
                      string $16+"%%S" at offset 8 from the beginning of
                      the sector (works only on 400K and 800K floppies);
                      if this string is found, the virus executes the
                      code in that sector via a JSR call. (No such code
                      had been discovered as of the classification date.)
Damage Trigger......: Invocation of MountVol
Peculiarities.......: ---
Similarities........: ANTI A, ANTI Variant
--------------------- Agents -----------------------------------------
Countermeasures/direct:
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "ANTI B" Virus ==========================

=== Computer Virus Catalog 1.2: "ANTI Variant" Virus (17-Dec-1991) ====
Entry...............: "ANTI Variant" Virus
Alias(es)...........: ---
Virus Strain........: ANTI Virus Strain
Virus detected when.: ---
              where.: USA
Classification......: Link virus
Length of Virus.....: 1348 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: all versions
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: The strings "ANTI" and "#000001" can be found in
                      the CODE 1 resource
Resource pattern....: CODE 1 is increased by 1348 bytes
Type of infection...: Extending CODE 1 and modifying CODE 0
Infection trigger...: Running an infected application to get in memory.
                      Use of OpenResFile.
Applications affected: All those having CODE 0 and CODE 1 resources
                      with size of old CODE 1 + virus <= 32768 bytes.
Traps intercepted...: OpenResFile, MountVol
Damage..............: Due to a programming error, the computer will hang
                      if an infected application is executed.
                      If MountVol is called for a disk drive, the virus
                      searches the first sector of track 16 for the
                      string $16+"%%S" at offset 8 from the beginning of
                      the sector (works only on 400K and 800K floppies);
                      if this string is found, the virus executes the
                      code in that sector via a JSR call. (No such code
                      had been discovered as of the classification date.)
Damage Trigger......: Execution of an infected application
Peculiarities.......: ---
Similarities........: ANTI A, ANTI B
--------------------- Agents -----------------------------------------
Countermeasures/direct:
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "ANTI Variant" Virus ====================

====== Computer Virus Catalog 1.2: "MacMag" Trojan (17-Dec-1991) ======
Entry...............: "MacMag" Trojan
Alias(es)...........: Peace Trojan
Virus Strain........: MacMag Trojan/Virus Strain
Virus detected when.: ---
              where.: USA
Classification......: Trojan Horse containing virus
Length of Trojan....: 1908 (DREW) + 408 (XCMD) Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: all versions
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: The stack contains resources "XCMD" ID 95 and
                      "DREW" ID.
Resource pattern....: XCMD 95 "Effects", DREW 0 "Main"
Type of infection...: Adding the DREW resource to the System file as an
                      INIT with the first unused ID beginning with 6
Infection trigger...: Opening the stack
Applications affected: System file
Traps intercepted...: none
Damage..............: none
Damage Trigger......: ---
Peculiarities.......: ---
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures/direct:
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "MacMag" Trojan =========================

======= Computer Virus Catalog 1.2: "MacMag" Virus (17-Dec-1991) ======
Entry...............: "MacMag" Virus
Alias(es)...........: Peace Virus
Virus Strain........: MacMag Trojan/Virus Strain
Virus detected when.: ---
              where.: USA
Classification......: System file virus
Length of Virus.....: 1908 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: all versions
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: INIT in System file named "DR"
Resource pattern....: INIT with a normally unused ID
Type of infection...: Generated by the MacMag trojan horse
Infection trigger...: ---
Applications affected: System file
Traps intercepted...: none
Damage..............: This virus displays a peace message on screen and
                      shows an icon with an America symbol.
Damage Trigger......: Launching an infected System after March 2, 1988
Peculiarities.......: The virus destroys itself after the damage.
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures/direct: Remove the INIT from the System file using ResEdit
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "MacMag" Virus ==========================

======= Computer Virus Catalog 1.2: "MDEF C" Virus (10-Aug-1991) ======
Entry...............: "MDEF C" Virus
Alias(es)...........: ---
Virus Strain........: MDEF Virus Strain
Virus detected when.: May 1990
              where.: New York, USA
Classification......: Link virus
Length of Virus.....: Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: MDEF 0 resource (in the System file: an MDEF
                      resource with ID 6982)
Resource pattern....: MDEF resource ID 0 (and the old MDEF 0 renamed
                      to ID 6982)
Type of infection...: Adding (and renaming) an MDEF resource
Infection trigger...: Executing an infected file.
Applications affected: All + documents used by the current application
Traps intercepted...: (only 128K and 256K ROMs) AddResource,
                      ChangedResource
Damage..............: Due to an error in this virus, an invocation of
                      AddResource may crash the system: AddResource is
                      redirected to ChangedResource, which takes a
                      different number of arguments, and the garbage
                      left on the stack may cause problems.
Damage Trigger......: Infecting one file
Peculiarities.......: If SAM Intercept is present, it will allow
                      changing the ID of MDEF 0 to 6982 but will prevent
                      the addition of the MDEF 0 resource. This causes
                      the system to hang if a menu item is activated.
Similarities........: MDEF A, B viruses
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1. System: remove MDEF resource ID 0 and change
                      the ID of MDEF 6982 back to 0 with ResEdit.
                      2. Applications and documents: remove the MDEF 0
                      resource.
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 10-August-1991
Information Source..: ---
===================== End of "MDEF C" Virus ==========================

======= Computer Virus Catalog 1.2: "MDEF D" Virus (10-Aug-1991) ======
Entry...............: "MDEF D" Virus
Alias(es)...........: ---
Virus Strain........: MDEF Virus Strain
Virus detected when.: May 1990
              where.: New York, USA
Classification......: Link virus
Length of Virus.....: Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: All
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: MDEF resource with ID 8375
Resource pattern....: MDEF resource ID 8375
Type of infection...: Adding an MDEF resource and changing a MENU
                      resource.
Infection trigger...: Executing an infected file. The virus searches
                      (via GetCatInfo) for the first file of type "APPL"
                      that has no MDEF ID 8375 and infects it.
Applications affected: All of type "APPL"
Traps intercepted...: none
Damage..............: none
Damage Trigger......: none
Peculiarities.......: ---
Similarities........: MDEF A, B, C viruses
--------------------- Agents -----------------------------------------
Countermeasures/direct: Remove MDEF resource ID 8375. Change the 2 bytes
                      at offset 6 in the MENU 1 resource from $20B7
                      to 0.
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 10-August-1991
Information Source..: ---
===================== End of "MDEF D" Virus ==========================

======= Computer Virus Catalog 1.2: "Scores" Virus (17-Dec-1991) ======
Entry...............: "Scores" Virus
Alias(es)...........: ---
Virus Strain........: ---
Virus detected when.: ---
              where.: USA
Classification......: System file virus
Length of Virus.....: 7026 Bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: all versions
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: A visible Desktop file
Resource pattern....: Application: additional CODE resource with
                      highest ID + 2.
                      (S=System, D=Desktop, B=Scrapbook File,
                       V=Scores, N=Note Pad):
                        INIT     6,  772 Bytes (S,N,B)
                        INIT    10, 1020 Bytes (S,D,V)
                        INIT    17,  480 Bytes (S,B)
                        atpl   128, 2410 Bytes (S,D,V)
                        DATA -4001, 7026 Bytes (S,D,V)
Type of infection...: System and file infector (Link virus)
Infection trigger...: Running an infected System or application two
                      days after infection or later
Applications affected: System file, all applications
Traps intercepted...: ---
Damage..............: Damage 1: after 25 minutes of use, applications of
                      type VULT or ERIC are bombed with ID 12.
                      Damage 2: after 15 minutes, a write attempt causes
                      a bomb; after 25 minutes, an infected program will
                      bomb anyway.
Damage Trigger......: Only applications with resources of type VULT or
                      ERIC:
                      Damage 1: 4 days after infection
                      Damage 2: 7 days after infection
Peculiarities.......: The INITs used by the virus are present in System
                      versions 6.04-6.08
Similarities........: ---
--------------------- Agents -----------------------------------------
Countermeasures/direct:
Countermeasures/software: Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "Scores" Virus ==========================

==== Computer Virus Catalog 1.2: "WDEF B" Virus (17-December-1991) ====
Entry...............: "WDEF B" Virus
Alias(es)...........: ---
Virus Strain........: WDEF Virus Strain
Virus detected when.: March 1991
              where.: Hannover, Germany
Classification......: File infector (Desktop file only)
Length of Virus.....: Resource fork extension: 1842 bytes
--------------------- Preconditions ----------------------------------
Operating System(s).: MacOS proprietary
Version/Release.....: System 4.1 or greater, not 7.0
Computer model(s)...: Apple Macintosh: all models
--------------------- Attributes ------------------------------------
Easy Identification.: Additional WDEF 0 resource in the Desktop file;
                      the Desktop file shouldn't have one.
Resource pattern....: Desktop file: WDEF 0, 1842 Bytes.
Type of infection...: The virus copies itself to all Desktop files on
                      all connected volumes.
Infection trigger...: Executing an infected Desktop file, provided the
                      SysEnvirons trap is available and a random
                      algorithm produces the long value 1; the random
                      value is calculated from the RandomSeed system
                      variable.
Applications affected: Only Desktop files
Traps intercepted...: Only during infection: Write, AddResource,
                      ChangedResource, WriteResource, UpdateResFile
Damage..............: Permanent damage: ---
                      Transient damage: only when running under
                      MultiFinder, and only in the first launched
                      application: if the application has a menu that
                      displays font-size information using the system,
                      available font sizes are no longer displayed
                      outlined; all sizes are displayed in normal style.
                      Switching between applications does not change the
                      first application's behavior.
Damage Trigger......: Running an infected Desktop file.
Peculiarities.......: No infection on systems without SysEnvirons.
                      The virus beeps once if an infected application is
                      run.
Similarities........: CDEF, WDEF A
--------------------- Agents -----------------------------------------
Countermeasures/direct: 1. Removal of WDEF 0 from all Desktop files:
                      copy Desktop to another file and cut off the WDEF 0
                      resource, delete the original Desktop file and
                      rename the cleaned copy to Desktop. The Desktop
                      file is always active, so copying and renaming
                      must be done by special file utilities such as the
                      file tools DA.
                      2. Or create a new Desktop file by pressing the
                      Option and Command keys when opening a volume.
                      (This can be very time-consuming on a full hard
                      disk, and the information in the comment field of
                      the file information is lost.)
Countermeasures/software: 1. Use an anti-viral product (public domain or
                      commercial) such as Disinfectant, Interferon,
                      Virus Detective or VirusRx to scan for the virus
                      signature.
                      2. Use a protection INIT called Eradicat'Em that
                      prevents WDEF infection (also prevents CDEF
                      infection).
--------------------- Acknowledgement --------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Ronald Greinke
Documentation by....: Ronald Greinke
Date................: 17-December-1991
Information Source..: ---
===================== End of "WDEF B" Virus ==========================

========================================================================
== The Computer Virus Catalog may be copied free of charges provided  ==
== that the source is properly mentioned at any time and location     ==
== of reference.                                                      ==
==                                                                    ==
== Editor: Virus Test Center, Faculty for Informatics                 ==
==         University of Hamburg                                      ==
==         Vogt-Koelln-Str.30, D2000 Hamburg 54, FR Germany           ==
==         Prof. Dr. Klaus Brunnstein, Vesselin Bontchev,             ==
==         Simone Fischer-Huebner, Wolf-Dieter Jahn                   ==
==         Tel: (+40) 54715-406 (KB), -225 (Bo/Ja), -405 (Secr.)      ==
==         Fax: (+40) 54 715 - 226                                    ==
== Email (EAN/BITNET): brunnstein@rz.informatik.uni-hamburg.dbp.de    ==
==                     bontchev@rz.informatik.uni-hamburg.de          ==
== FTP site: ftp.informatik.uni-hamburg.de                            ==
==           Address: 134.100.4.42                                    ==
==           login anonymous; password: your-email-address;           ==
==           directory: pub/virus/texts/catalog                       ==
========================================================================
== Critical and constructive comments as well as additions are        ==
== appreciated. Especially, descriptions of recently detected viruses ==
== will be of general interest. To receive the Virus Catalog Format,  ==
== please contact the above address.                                  ==
========================================================================
========================================================================
== End of MacVIR.192 document                                         ==
== (510 Lines, 29 kBytes)                                             ==
========================================================================
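Added example (not part of the catalog and not the Virus Test Center's code): a small Python checker that parses a classic Macintosh resource fork and reports which of the catalog's "Easy Identification" indicators it matches (ANTI strain strings in CODE 1, MDEF 8375, renamed MDEF 6982, WDEF 0 in a Desktop file, the Scores DATA -4001 resource). The fork layout follows Inside Macintosh; the sample fork and its resource contents are constructed here for the demonstration, and the checker only inspects resource types, IDs, sizes and strings.

```python
import struct


def build_resource_fork(resources):
    """Build a minimal resource fork from [(type_bytes, id, data), ...] (test helper)."""
    data_area, offsets, types = b"", [], []
    for rtype, _, payload in resources:
        offsets.append(len(data_area))
        data_area += struct.pack(">I", len(payload)) + payload   # 4-byte length + data
        if rtype not in types:
            types.append(rtype)
    type_entries, ref_lists = b"", b""
    ref_off = 2 + 8 * len(types)            # reference lists follow the type list
    for rtype in types:
        refs = [(i, r) for i, r in enumerate(resources) if r[0] == rtype]
        type_entries += struct.pack(">4sHH", rtype, len(refs) - 1, ref_off)
        for i, (_, rid, _) in refs:         # 12-byte reference entries, unnamed
            ref_lists += (struct.pack(">hHB", rid, 0xFFFF, 0)
                          + offsets[i].to_bytes(3, "big") + b"\0" * 4)
        ref_off += 12 * len(refs)
    type_list = struct.pack(">H", len(types) - 1) + type_entries
    # map: 16-byte header copy, next-map handle, file ref, attrs, then offsets
    name_list_off = 28 + len(type_list) + len(ref_lists)
    rmap = b"\0" * 24 + struct.pack(">HH", 28, name_list_off) + type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data_area), len(data_area), len(rmap))
    return header + b"\0" * 240 + data_area + rmap   # data area starts at offset 256


def parse_resource_fork(fork):
    """Return [(type_bytes, id, data), ...] for every resource in the fork."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    ntypes = struct.unpack(">H", fork[tl:tl + 2])[0] + 1
    out = []
    for i in range(ntypes):
        entry = fork[tl + 2 + 8 * i:tl + 10 + 8 * i]
        rtype, nrefs, ref_off = struct.unpack(">4sHH", entry)
        for j in range(nrefs + 1):
            e = tl + ref_off + 12 * j
            rid = struct.unpack(">h", fork[e:e + 2])[0]
            d = data_off + int.from_bytes(fork[e + 5:e + 8], "big")
            length = struct.unpack(">I", fork[d:d + 4])[0]
            out.append((rtype, rid, fork[d + 4:d + 4 + length]))
    return out


def check_catalog_indicators(fork, is_desktop_file=False):
    """List the catalog indicators a fork matches (inspection only; nothing is executed)."""
    hits = []
    for rtype, rid, data in parse_resource_fork(fork):
        if rtype == b"CODE" and rid == 1 and b"ANTI" in data and b"#000001" in data:
            hits.append("ANTI strain: 'ANTI' and '#000001' in CODE 1")
        if rtype == b"MDEF" and rid == 8375:
            hits.append("MDEF D: MDEF resource ID 8375")
        if rtype == b"MDEF" and rid == 6982:
            hits.append("MDEF C: renamed MDEF 0 found as ID 6982")
        if rtype == b"WDEF" and rid == 0 and is_desktop_file:
            hits.append("WDEF B: WDEF 0 resource in Desktop file")
        if rtype == b"DATA" and rid == -4001 and len(data) == 7026:
            hits.append("Scores: DATA -4001 of 7026 bytes")
    return hits


# Constructed sample: an application fork carrying the ANTI and MDEF D markers.
SAMPLE_FORK = build_resource_fork([
    (b"CODE", 0, b"\0" * 8),
    (b"CODE", 1, b"\x4e\x75 ANTI ... #000001 ..."),   # constructed filler, not real code
    (b"MDEF", 8375, b"menu-def"),
])

if __name__ == "__main__":
    for hit in check_catalog_indicators(SAMPLE_FORK):
        print(hit)
```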