From JLN@nuacc.acns.nwu.edu Tue Nov 15 15:25:33 1988
Flags: 000000000011
Received: from accuvax.nwu.edu (northwestern.arpa) by rascal.ics.utexas.edu (3.2/4.22)
	id AA21977; Tue, 15 Nov 88 15:25:29 CST
Received: from nuacc.acns.nwu.edu by accuvax.nwu.edu id aa20017;
          15 Nov 88 15:20 CST
Date: Tue, 15 Nov 88 15:22 CST
From: John Norstad <JLN@nuacc.acns.nwu.edu>
Subject: Viral Resources
To: info-mac@sumex-aim.stanford.edu, werner@rascal.ics.UTEXAS.EDU
X-Vms-To: 
 IN%"info-mac@sumex-aim.stanford.edu",IN%"werner@rascal.ics.utexas.edu",JLN
Message-Id:  <8811151520.aa20017@accuvax.nwu.edu>
Status: RO


Someone asked for a list of known Mac viruses and their resource
identifications, so that users of Virus Detective could update the
list of suspicious resources, and so that users of ResEdit would know
what to look for.

Here's what I know about Scores and two strains of nVIR:

Scores infected system files:

       Type      ID    Size    Files
       ----    ----   -----    -------------------------------------
       INIT       6     772    System, Note Pad File, Scrapbook File
       INIT      10    1020    System, Desktop, Scores
       INIT      17     480    System, Scrapbook File
       atpl     128    2410    System, Desktop, Scores
       DATA   -4001    7026    System, Desktop, Scores

Scores infected application:

       Type      ID    Size
       ----    ----   -----
       CODE     n+1    7026

   where n = the id of the first unused CODE resource.  For example,
   if the application has CODE resources numbered 0,1,2,3,4,5, then
   n=6 and the viral CODE resource is numbered n+1=7.

nVIR infected System file:

       Type      ID    Size A   Size B
       ----    ----    ------   ------
       INIT      32       366      416
       nVIR       0         2        2
       nVIR       1       378      428
       nVIR       4       372      422
       nVIR       5         8        8
       nVIR       6       868       66
       nVIR       7      1562     2106

nVIR infected application:

       Type      ID    Size A   Size B
       ----    ----    ------   ------
       CODE     256       372      422
       nVIR       1       378      428
       nVIR       2         8        8
       nVIR       3       366      416
       nVIR       6       868       66
       nVIR       7      1562     2106

Unlike Scores, nVIR does not infect any files in the system folder
other than the System file itself.  The two columns "A" and "B" above
are the sizes for what I call "nVIR strain A" and "nVIR strain B".

Hope this helps.

John Norstad
Academic Computing and Network Services
Northwestern University

Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu
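
Added example, not part of John Norstad's message: a Python check that matches one file's resource list against the type/ID/size rows in the tables above, including the Scores "CODE n+1" rule for applications. The function names, the (type, id, size) tuple input format and the sample listings are assumptions constructed for illustration.

```python
# Signature rows copied from the tables in the message: (type, id, size) -> labels.
SIGNATURES = {}

def _add(label, rows):
    for rtype, rid, size in rows:
        SIGNATURES.setdefault((rtype, rid, size), set()).add(label)

_add("Scores", [("INIT", 6, 772), ("INIT", 10, 1020), ("INIT", 17, 480),
                ("atpl", 128, 2410), ("DATA", -4001, 7026)])
# nVIR rows as (type, id, size A, size B); System and application tables merged.
NVIR = [("INIT", 32, 366, 416), ("CODE", 256, 372, 422),
        ("nVIR", 0, 2, 2), ("nVIR", 1, 378, 428), ("nVIR", 2, 8, 8),
        ("nVIR", 3, 366, 416), ("nVIR", 4, 372, 422), ("nVIR", 5, 8, 8),
        ("nVIR", 6, 868, 66), ("nVIR", 7, 1562, 2106)]
_add("nVIR A", [(t, i, a) for t, i, a, _ in NVIR])
_add("nVIR B", [(t, i, b) for t, i, _, b in NVIR])

SCORES_CODE_SIZE = 7026  # size of the viral CODE resource in an infected application

def first_unused_code_id(code_ids):
    """Lowest non-negative CODE id not present in code_ids."""
    n = 0
    while n in code_ids:
        n += 1
    return n

def scan(resources):
    """resources: (type, id, size) tuples from one file. Returns sorted hits."""
    resources = list(resources)
    hits = set()
    for rtype, rid, size in resources:
        for label in SIGNATURES.get((rtype, rid, size), ()):
            hits.add((label, rtype, rid, size))
    # Scores application rule: a 7026-byte CODE resource numbered n+1, where n is
    # the first unused id among the application's other CODE resources.
    code_ids = {rid for rtype, rid, _ in resources if rtype == "CODE"}
    for rtype, rid, size in resources:
        if rtype == "CODE" and size == SCORES_CODE_SIZE:
            if rid == first_unused_code_id(code_ids - {rid}) + 1:
                hits.add(("Scores", rtype, rid, size))
    return sorted(hits)

# Constructed sample listings (sizes of the clean CODE resources are made up).
CLEAN_APP = [("CODE", i, 1000 + i) for i in range(6)]
SCORES_APP = CLEAN_APP + [("CODE", 7, 7026)]
NVIR_B_SYSTEM = [("INIT", 32, 416), ("nVIR", 0, 2), ("nVIR", 7, 2106)]

if __name__ == "__main__":
    for name in ("CLEAN_APP", "SCORES_APP", "NVIR_B_SYSTEM"):
        print(name, scan(globals()[name]))
```

Rows whose size is the same in both strains (for example nVIR 0 at 2 bytes) are reported under both labels, so the strain is decided by the rows whose sizes differ.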
