NVIR (computer virus)

Computer virus
Fullname = nVIR virus family
Common name = nVIR
Technical name = Mac OS/nVIR virus
Family = nVIR, three predominant strains: nVIR-A, nVIR-B, nVIR-C
Aliases = AIDS, Fuck, Hpat, Jude, nVIR, MEV#, MODM, nCAM, nFLU, kOOL, SHIT, prod
Classification = Virus
Type = Macintosh
Subtype = Application infector. Nuisance; system hanger.
IsolationDate = 1987 (nVIR-A and nVIR-B), 1991 (nVIR-C)
Isolation = Unknown
Origin = Unknown
Author = Unknown

nVIR is a computer virus which can replicate only on Macintosh computers that run System 4.1 or higher. The source code to the original nVIR has been made widely available, and so numerous variants have arisen. Each variant causes somewhat different symptoms, such as: application crashes, printing errors on laser printers, slow system response time, or unpredictable system crashes. nVIR spreads through any nVIR-infected program, but due to the long period of time nVIR lies basically dormant in a host system, nVIR generally finds its way into system backups and is not detected until the first overt symptoms appear. For example, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. Further, any method used to transfer programs between Macintoshes will spread nVIR, including file transfer over a network. However, nVIR cannot spread via a print network's hardware.

nVIR carries an additional code resource, CODE 256 (though some variants carry CODE 255), and patches the jump table to point to it. The original application's entry point is saved in the nVIR 2 resource. nVIR introduces to the System file the INIT 32 resource which is executed at startup, at which time nVIR patches the TEInit trap. Any application subsequently calling this trap will be infected. The nVIR 3 (or nVIR 5) resource is a copy of INIT 32. An nVIR 10 resource in the System file will prevent nVIR infection. If an application calls OpenResFile prior to TEInit, that application will be damaged.

nVIR 0 resource holds a counter that is set to 1000 on the first infection of the system. Each reboot decrements the counter by 1. Each application launch decrements it by 2. When the counter reaches 0, nVIR will beep 1 out of 8 reboots and 1 of 4 infected application launches. If MacinTalk is installed in the machine's System folder, the machine may occasionally say "Don't Panic". Otherwise, it may beep unexpectedly.

nVIR has been known to 'hybridize' with different variants of nVIR on the same machine.

External links

* [http://www.mactech.com/articles/mactech/Vol.04/04.05/Virus/ A Vaccine for the 'nVIR' Virus] , by Mike Scanlin, MacTech
* [http://www.ciac.org/ciac/bulletins/ciac-09.shtml CIAC-09: Macintosh nVIR Virus] , by CIAC
* [http://vil.nai.com/vil/content/v_99830.htm Mac OS/nVIR virus] , by McAfee
* [http://agn-www.informatik.uni-hamburg.de/catalog/mac/html/nvira.htm nVIR A] , by Virus-Test-Center, University of Hamburg
* [http://agn-www.informatik.uni-hamburg.de/catalog/mac/html/nvirb.htm nVIR B] , by Virus-Test-Center, University of Hamburg
* [http://agn-www.informatik.uni-hamburg.de/catalog/mac/html/nvirc.htm nVIR C] , by Virus-Test-Center, University of Hamburg
* [http://istpub.berkeley.edu:4201/bcc/Summer95/mic.macvirus.html nVIR B countermeasures] , UC Berkeley
* [http://www.macvirus.org/database_detail/36/Virus/nVIR nVIR] , by MacVirus.org