ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ ³ VIRUS REPORT ³ ³ nVIR ³ ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ Host Machine: Macintosh. nVIR is a Macintosh virus that has now led to numerous strains, including MEV#, AIDS, nFLU, and nVIR A and B. When you run an application infected with nVIR A or B on a clean system, the infection spreads from the application to the system file. After rebooting, the infection in turn spreads from the system to other applications, as they are run. The effect can be devastating (see sidebar). At first, nVIR A and B only replicate. When the system file is first infected, a counter is initialized to 1000. The counter is decremented by 1 each time the system is booted, and it is decremented by 2 each time an infected application is run. When the counter reaches 0, nVIR A will sometimes either say "Don't Panic" (if MacinTalk is installed in the system folder) or beep (if MacinTalk is not installed in the system folder). This will happen on a system boot with a probability of 1/16. It will also happen when an infected application is launched with a probability of 31/256. In addition, when an infected application is launched, nVIR A may say "Don't Panic" twice or beep twice, with a probability of 1/256. When the counter reaches 0, nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system boot with a probability of 1/8. A single beep will happen when an infected application is launched with a probability of 15/64. A double beep will happen when an infected application is launched with a probability of 1/64. It is possible for nVIR A and nVIR B to mate and sexually reproduce, resulting in new viruses combining parts of their parents. For example, if a system is infected with nVIR A, and if an application infected with nVIR B is run on that system, part of the nVIR B infection in the application is replaced by part of the nVIR A infection from the system. The result contains part from each of its parents, and behaves like nVIR A. Similarly, if a system is infected with nVIR B, and if an application infected with nVIR A is run on that system, part of the nVIR A infection in the application is replaced by part of the nVIR B infection from the system. The result is very similar to its sibling described in the previous paragraph, except that it has the opposite "sex" - each part is from the opposite parent. It behaves like nVIR B. These offspring are new viruses. If they are taken to a clean system they will infect that system, which will in turn infect other applications. The descendents are identical to the original offspring. Incestual matings of these children with each other and with their parents produce results that contain various combinations of parts from their parents. ÉÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» º This document was adapted from the book "Computer Viruses", º º which is copyright and distributed by the National Computer º º Security Association. It contains information compiled from º º many sources. To the best of our knowledge, all information º º presented here is accurate. º º º º Please send any updates or corrections to the NCSA, Suite 309, º º 4401-A Connecticut Ave NW, Washington, DC 20008. Or call our BBS º º and upload the information: (202) 364-1304. Or call us voice at º º (202) 364-8252. This version was produced May 22, 1990. º º º º The NCSA is a non-profit organization dedicated to improving º º computer security. Membership in the association is just $45 per º º year. Copies of the book "Computer Viruses", which provides º º detailed information on over 145 viruses, can be obtained from º º the NCSA. Member price: $44; non-member price: $55. º º º º The document is copyright (c) 1990 NCSA. º º º º This document may be distributed in any format, providing º º this message is not removed or altered. º ÈÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍͼ  Downloaded From P-80 International Information Systems 304-744-2253