Jump to content

nVIR

From Wikipedia, the free encyclopedia

This is the current revision of this page, as edited by Iritscen (talk | contribs) at 18:59, 2 March 2023 (made reference into a proper citation, rescued external links with archive.org snapshots). The present address (URL) is a permanent link to this version.

(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)
nVIR
Technical nameMac OS/nVIR virus
AliasAIDS, Fuck, Hpat, Jude, nVIR, MEV#, MODM, nCAM, nFLU, kOOL, SHIT, prod, PISS
TypeMacintosh
SubtypeApplication infector. Nuisance; system hanger.
ClassificationVirus
FamilynVIR, three predominant strains: nVIR-A, nVIR-B, nVIR-C
OriginUnknown
AuthorsUnknown

nVIR is an obsolete computer virus which can replicate on Macintosh computers running any System version from 4.1 to OS 8. The source code to the original nVIR has been made widely available, and so numerous variants have arisen. Each variant causes somewhat different symptoms, such as: application crashes, printing errors on laser printers, slow system response time, or unpredictable system crashes. nVIR spreads through any nVIR-infected program, but due to the long period of time nVIR lies basically dormant in a host system, nVIR generally finds its way into system backups and is not detected until the first overt symptoms appear. For example, if a disk used in an infected Macintosh is removed and inserted in a second Macintosh, the other machine will become infected if any application on that disk is executed in the second machine. Further, any method used to transfer programs between Macintoshes will spread nVIR, including file transfer over a network. However, nVIR cannot spread via a print network's hardware.[1]

nVIR carries an additional code resource, CODE 256 (though some variants carry CODE 255), and patches the jump table to point to it. The original application's entry point is saved in the nVIR 2 resource. nVIR introduces to the System file the INIT 32 resource which is executed at startup, at which time nVIR patches the TEInit trap. Any application subsequently calling this trap will be infected. The nVIR 3 (or nVIR 5) resource is a copy of INIT 32. An nVIR 10 resource in the System file will prevent nVIR infection. If an application calls OpenResFile prior to TEInit, that application will be damaged.

nVIR 0 resource holds a counter that is set to 1000 on the first infection of the system. Each reboot decrements the counter by 1. Each application launch decrements it by 2. When the counter reaches 0, nVIR will beep 1 out of 8 reboots and 1 of 4 infected application launches. If MacinTalk is installed in the machine's System folder, the machine may occasionally say "Don't Panic". Otherwise, it may beep unexpectedly.

nVIR has been known to 'hybridize' with different variants of nVIR on the same machine.

References

[edit]
  1. ^ Scanlin, Mike. "A Vaccine for the 'nVIR' Virus". MacTech. Archived from the original on March 13, 2007.
[edit]