TweetFollow Us on Twitter

Volume Number:4
Issue Number:5
Column Tag:Advanced Mac'ing

A Vaccine for the 'nVIR' Virus

By Mike™ Scanlin, Contributing Editor

Unless you are going to Africa or Indochina, viruses and vaccinations are not something that most of us need to worry about. However, even if you’re not planning on travelling, there is one virus you need to be aware of. It is a computer virus that is infecting Macintoshes everywhere. [Note: The virus described in this article is apparently only one of at least three viruses that are going around as reported in the press. This article discusses what we shall name the ‘nVIR’ virus. The other two are the infamous ‘peace message’ virus and the ‘scrapbook’ virus reported in this month’s mousehole column, and in a recent MacWeek article. -Ed]

Are you infected?

Use ResEdit to open your system file and look for ‘nVIR’ resources. If you have them, then your system has been infected and chances are that at least some (if not most or all) of your applications are infected. Don’t panic. This particular virus is relatively harmless. There is an application at the end of this article that will allow you to remove the virus from your infected applications. There is also an ‘INIT’ resource you can put in your System Folder that will warn you if this virus ever shows up on your system. [Note that this vaccine and virus warning init applies only to this particular ‘nVIR’ virus. New vaccines will be necessary for the other two once it is known how they operate. -Ed]

Fig. 1 Vaccination Alert tells Application status

How I found it

Until last week, I had had no experience with computer viruses. I had heard rumors about the existence of Mac viruses, but didn’t really believe them. I do not know when this virus first got into my system. It must have come from some program I downloaded off of a network, but I do not know which one. By the time I figured out what was going on, the virus had modified seventeen of the applications on my hard disk and my System file.

Virus Symptoms

Sometime near the beginning of last week, I started hearing a beep when launching programs. It didn’t happen every time, only once in a while and with no discernable pattern. Using TMON, I trapped SysBeep() and discovered that something was modifying ‘CODE’ 0 and installing several ‘nVIR’ resources into every application I launched. I looked in my System file and, in addition to several ‘nVIR’ resources, found an ‘INIT’ 32 resource that I didn’t put there. I compared the standard ‘INIT’s from an original system disk and none of them matched the ‘INIT’ 32 I had found. What really clued me in to the idea of a virus was that if I took the ‘INIT’ 32 resource out of my System file, quit ResEdit, and then relaunched ResEdit, the ‘INIT’ 32 resource would be back in there. After disassembling ‘INIT’ 32, I learned how it worked and how to make my system immune to it. I am sharing this information so that other Mac users can protect themselves as well. [Note that this virus exhibits the ability to re-install itself after being patched out with ResEdit! -Ed]

How to make your System file immune

Use ResEdit to open your System file. Create an ‘INIT’ 32 resource that consists of these 2 hex bytes: 4E 75 (which is an RTS instruction). If ‘INIT’ 32 already exists and has a size of 366 bytes, then you can be pretty sure it is the virus’ ‘INIT’. Replace the existing ‘INIT’ 32 with the 2 byte version (4E 75). Now create 8 resources of the type ‘nVIR’; the case of the resource type is important -- do not use ‘NVIR’ or ‘nvir’. Their IDs should be 0 through 7, with size zero bytes. If they already exist, then delete them and create 8 new empty ones (with IDs 0-7).

That’s it. Your system is now immune to this particular virus (but not all possible viruses). If you now run an infected application, the virus will think that it is already installed in your system file, since it sees the ‘INIT’ and ‘nVIR’ resources it expects, and will leave it alone.

If your System file was infected before you immunized it, you should reboot the system before using the procedure below to remove the virus from your applications. This guarantees that the effects of ‘INIT’ 32 are removed from memory.

Removing the virus from infected applications

If an application has been infected, it will have several ‘nVIR’ resources, a ‘CODE’ 256 resource, and a possibly modified ‘CODE’ 0 resource. Here are instructions on how to restore an infected application (note: this is only useful if you are certain that your System file is not infected. Otherwise, the applications will become infected again. Also, you should practice on a copy of an infected application):

1) Open the application with ResEdit. If ‘CODE’ 256 exists, use GetInfo on it to check its size. If it is 372 bytes, then remove it. The reason we check for the size is because some applications, such as ReadySetGo, already have a ‘CODE’ 256 resource of their own and we don’t want to remove part of the application’s code.

2) Open ‘CODE’ 0 and look at the 3rd line of 8 hex bytes (bytes 16-23). If it is “0000 3F3C 0100 A9F0” then you need to replace that line of hex numbers with the 8 bytes contained in the ‘nVIR’ 2 resource. If the third line does not look like the above 8 bytes, then the ‘CODE’ resource is probably protected and did not get modified -- see below for an explanation. In this case leave it alone.

3) Remove all ‘nVIR’ resources. Make sure you have completed step 2 before removing ‘nVIR’ 2. You cannot restore the application without it.

Because this procedure is so automatic, I have written a program that does it for you. The application Vaccination displays the SFGetFile dialog and allows you to choose an application to vaccinate. A message is displayed that tells you the result of the vaccination and the SFGetFile dialog is displayed again. If your system has been infected, you should vaccinate every application on your hard drive. You will only see files of type ‘APPL’, ‘FNDR’ (for the Finder), and ‘dahd’ (for the DA handler) in the SFGetFile dialog so you might want to do a manual tree walk of your hard drive to be sure you vaccinate all of your applications. There is no harm in vaccinating an uninfected application or in vaccinating the same application more than once. This program does not make applications immune to this virus, it only removes this virus from them. But if your System file is immune, then there is no way this particular virus can spread to your applications. Note: you cannot use the Vaccination program to make your System file immune. You will have to do that manually using the procedure above.

How this virus works

This particular virus modifies the ‘CODE’ 0 resource of an application in such a way that when you launch that application the first thing to execute is a piece of virus installation code. That installation code looks for the virus’ presence in the System file you are launching from. If it does not find evidence of the virus, it then installs itself (as ‘INIT’ 32 and several ‘nVIR’ resources) into your System file and then executes the application you had originally launched. Once your System file is infected, every application launched from that system will become infected. The whole infection process only takes a second or two, so there is little chance you will notice it. If the virus detects that it is already in the System file and in the application you are launching (meaning that no installation of itself is necessary on this launch), then there is about a 6% chance (1 in 16) that you will hear a short beep. This is the beep that first got my attention. According to a friend of mine, Chris Borton, whose computer was also infected, if you have MacinTalk in your System Folder, then the virus speaks the words “Don’t Panic” instead of beeping.

This virus does not check if the ‘CODE’ 0 resource of the application it is trying to infect is protected or not. Consequently, applications that have ‘CODE’ 0 resources with the resProtected bit set are still infected, but are not contagious, i.e. they have the ‘CODE’ 256 resource and the ‘nVIR’ resources added to them, but they can not pass the virus on to a clean System file. I learned this by noticing that QUED/M and PageMaker were infected, but were not contagious. I couldn’t figure out why some programs had protected ‘CODE’ resources and others didn’t. Then one of the people I work with, Victor Romano, put it together. He told me that Lightspeed C (which QUED/M and PageMaker were written in) automatically sets the resProtected bit of the ‘CODE’ resources it generates. MPW does not. So, protecting the ‘CODE’ resources (which can be done with ResEdit) is another simple way of preventing this virus from affecting an application.

To be forewarned

I don’t know how far this virus has already spread, or how far it will spread. As a partial defense, however, I have written a piece of code that can be installed as an ‘INIT’ file in your System Folder that will warn you if it detects something that looks like this particular virus. VirusWarnINIT is a patch on 2 routines that this virus relies on: GetResource() and ChangedResource(). The patch to GetResource() makes a beep if theType == ‘nVIR’. The patch to ChangedResource() makes a beep if theResource is a handle to a ‘CODE’ 0 resource. I wouldn’t suggest installing this ‘INIT’ in a system known to be infected -- the number of beeps is sure to annoy you. I would have used something like an alert window instead of a beep as a warning, but I can’t be sure that the Window Manager has been initialized at the time the virus is detected. If you install this ‘INIT’ in a clean system and then launch a contagious application, you will hear about 5 or 6 beeps in a row as the virus tries to install itself in your System file.

Note that this ‘INIT’ is only a warning, not a vaccination. The virus will still install itself. The advantage is that you will know about it right away and can stop it before it spreads very far.

Now that my Mac has been vaccinated, it’s my turn. After Typhoid, Yellow Fever, Cholera and Meningococcal vaccinations, I’m off to Africa and Indochina. I wonder if I can get David Smith to send MacTutor to Serengeti National Park? Or do they already get it there? I’ll let you know

/* Vaccination.c
   * by Mike™ Scanlin   12 March 88
   * Removes the ‘nVIR’ virus from an 
 * application chosen by the user.

#define NIL 0L
#define reg register


#define nVIR_CODE_256_SIZE372

#define nVIR2Bad -10
#define nVIR2NotFound-11

void    RemoveResourceFromFile(long theType, int theID, int    
intInnoculate(Str255 *fileName, int vRef);
void    pStrCpy(char *p2, char *p1);
Boolean ChooseFile(Str255 *fn, int *vRef);
void    main(void);

static  SFReply  reply;
static  int applResFile;

/* RemoveResourceFromFile(theType, theID, refNum)
   * This will remove the resource of type theType 
 * and ID theID from the open resource file
   * whose refNum is refNum.
void  RemoveResourceFromFile(theType, theID, refNum)
long  theType;
 reg Handle theResource;
 if ((theResource = GetResource(theType, theID)) && (HomeResFile(theResource) 
== refNum))

/* Innoculate(fileName, vRef)
  * This removes the ‘nVIR’ virus from *fileName 
 in directory vRef.
int     Innoculate(fileName, vRef)
reg Str255*fileName;
 reg Handle oldCODE, currentCODE;
 reg inti, refNum, returnVal;
 ParamBlockRec   pb;
 /* init the ParamBlockRec to all zeros */
 asm {
 lea    pb,A0
 move.l #sizeof(ParamBlockRec),D0
 subq.l #1,D0
 dbra D0,@1
 /* set the current working directory */
 pb.ioParam.ioVRefNum = vRef;
 PBHSetVol(&pb, FALSE);
 refNum = OpenResFile(fileName);
 if ((oldCODE = GetResource(‘nVIR’, 2)) && (HomeResFile(oldCODE) == refNum)) 
 if (GetHandleSize(oldCODE) != 8)
 /* if ‘nVIR’ 2 isn’t 8 bytes, then something 
 isn’t right. */
 returnVal = nVIR2Bad;
 else {
 if ((currentCODE = GetResource(‘CODE’, 0)) && (HomeResFile(currentCODE) 
== refNum)) {
 asm {
 MOVE.L (A1),A1
 MOVE.L currentCODE, A0
 MOVE.L (A0),A0
 ADDA #16, A0
 MOVE.L (A1)+, (A0)+
 MOVE.L (A1), (A0)
 /* kill the ‘nVIR’ resources */
 for (i = 0; i <= 7; i++)
 RemoveResourceFromFile(‘nVIR’, i, refNum);

 /* kill the extra ‘CODE’ resource that this 
 virus adds (only if it has the size 
 of nVIR_CODE_256_SIZE) */
 if ((currentCODE = GetResource(‘CODE’, 256)) &&
 (GetHandleSize(currentCODE) == 
 nVIR_CODE_256_SIZE) && (HomeResFile(currentCODE) 
 == refNum))
 returnVal = noErr;
 returnVal = nVIR2NotFound;
 if (refNum != applResFile)

/* pStrCpy(p2, p1)
  * Copy the pascal string at *p1 to *p2.
void pStrCpy(p2, p1)
reg char*p2, *p1;
 reg intlen;
 len = *p2++ = *p1++;
 while (--len >= 0) 
 *p2++ = *p1++;

/* ChooseFile(fn, vRef)
   * Use SFGetFile() to get the name of an 
 * application from the user. Return the directory
   * of the chosen file in *vRef. Return FALSE if the 
 * user clicked Cancel, TRUE if they clicked
   * Open.
  * Thanks to Chris Borton for this routine.
Boolean ChooseFile(fn, vRef)
Str255  *fn;
 SFTypeList myTypes;
 static Point  SFGwhere = { 90, 82 };
 myTypes[0] = ‘APPL’;
 myTypes[1] = ‘FNDR’;
 myTypes[2] = ‘dahd’;
 SFGetFile(SFGwhere, NIL, 0L, 3, myTypes, 0L, &reply);
 if (reply.good) {
 pStrCpy((char *)fn , (char *)reply.fName);
 *vRef = reply.vRefNum;

void main() {
 Str255 fileName;
 int    vRef;
 /* save the application’s resource file refNum */
 applResFile = CurMap;

 /* keep choosing files until the user hits Cancel */
 while (ChooseFile(&fileName, &vRef)) {
 switch (Innoculate(&fileName, vRef)) {
 case   nVIR2Bad:
 ParamText(&fileName, “\pResource ‘nVIR’ 2 is not 8 bytes long. File 
cannot be repaired.”, NIL, NIL);
 case nVIR2NotFound:
 ParamText(&fileName, “\pResource ‘nVIR’ 2 not found. File is not infected 
or cannot be repaired.”, NIL, NIL);
 ParamText(&fileName, “\pVirus successfully removed.”, NIL, NIL);
 /* show the result of the attempted removal */

/* VirusWarnINIT.c
   * by Mike™ Scanlin   13 March 88
   * Put this in your system folder to warn you 
 * about the ‘nVIR’ virus.
   * It patches GetResource() and ChangedResource().
#include “Asm.h”
#include “ResourceMgr.h”

#define GetResource0xA9A0
#define ChangedResource 0xA9AA
#define JMP 0x4EF9
#define memFullErr -108
#define beepDuration 20

void  main(void);

void  main()
 asm  {

/* beginning of the code that installs the patches */

 move.l D3,-(SP)
/* get the original GetResource address */   
 move #GetResource,D0
/* set up the JMP instruction that calls the original GetResource */
 lea    @origGR,A1
 move #JMP,(A1)+
 move.l A0,(A1)

/* get the original ChangedResouce address */
 move #ChangedResource,D0
/* set up the JMP instruction that calls the original ChangedResource 
 lea    @origCR,A1
 move #JMP,(A1)+
 move.l A0,(A1)

/* get some space in the system heap for the patches */
 lea    @last,A0
 lea    @first,A1
 suba.l A1,A0    /* the length of our patches */
 move.l A0,D0
 add.l  #254,D0  /* the extra space for the Str255 at the end (@name) 
 move.l D0,D3    /* save for _BlockMove */
 cmpi   #memFullErr,D0
 beq.s  @noPatch
 move.l A0,-(SP) /* save for _BlockMove */
 move.l (SP),-(SP) /* for _SetTrapAddress */

/* set GetResource to the beginning of the space we just got in the system 
heap */
 move #GetResource,D0

/* set ChangedResource trap */
 lea    @changedResouce,A0
 lea    @getResource,A1
 suba.l A1,A0
 adda.l (SP)+,A0
 move #ChangedResource,D0
/* now move it into place */
 lea    @first,A0
 move.l (SP)+,A1
 move.l D3,D0

@noPatchmove.l (SP)+,D3
/* end of the code that installs the patches */


  * This is the patch to GetResource
 move.l 6(SP),D0 /* get theType */
 cmpi.l #’nVIR’,D0
 bne.s  @origGR

/* at this point we know something is trying to load an ‘nVIR’ resource 
 move #beepDuration,-(SP)
/* note that this is only a warning beep, it falls through 
 * to the original GetResource, so the calling function 
 * never knows that it was detected. */
@origGR nop /* JMP to original trap */

  * This is the patch to ChangedResource

/* call GetResInfo() to see if we are changing a CODE 0 resource */
 move.l 4(SP),-(SP)/* copy the resource handle 
 * that was passed to
   * ChangedResouce() */
 pea    @theID
 pea    @theType
 pea    @name
 lea    @theType,A0
 move.l (A0),D0
 cmpi.l #’CODE’,D0
 bne.s  @origCR
 lea    @theID,A0
 tst    (A0)
 bne.s  @origCR

/* give a warning beep a CODE 0 resource is being changed */   
 move #beepDuration,-(SP)
@origCR nop /* JMP to original trap */
@theID  dc0
@name   dc0 
 /* there are actually 254 more bytes to this
 * variable (for a total of 256). Check the
 * add.l #254,D0 instruction in the install code. */


Community Search:
MacTech Search:

Software Updates via MacUpdate

Dragon Dictate 6.0 - Premium voice-recog...
With Dragon Dictate speech recognition software, you can use your voice to create and edit text or interact with your favorite Mac applications. Far more than just speech-to-text, Dragon Dictate lets... Read more
OmniFocus 3.11.7 - GTD task manager with...
OmniFocus is an organizer app. It uses projects to organize tasks naturally, and then add tags to organize across projects. Easily enter tasks when you’re on the go, and process them when you have... Read more
rekordbox - Professional DJ m...
rekordbox is the best way of preparing and managing your tracks, be it at home, in the studio, or even on the plane! It allows you to import music from other music-management software using the... Read more
1Password 7.8.1 - Powerful password mana...
1Password is a password manager that uniquely brings you both security and convenience. It is the only program that provides anti-phishing protection and goes beyond password management by adding Web... Read more
Ableton Live 10.1.35 - Record music usin...
Ableton Live lets you create and record music on your Mac. Use digital instruments, pre-recorded sounds, and sampled loops to arrange, produce, and perform your music like never before. Ableton Live... Read more
Microsoft Office 365, 2019 16.48 - Popul...
Microsoft Office 365. The essentials to get it all done. Unmistakably Office, designed for Mac Get started quickly with new, modern versions of Word, Excel, PowerPoint, Outlook and OneNote-... Read more
Adobe After Effects 18.1 - Create profes...
After Effects is available as part of Adobe Creative Cloud for $52.99/month (or $20.99/month for a single app license). The new, more connected After Effects can make the impossible possible. Get... Read more
Adobe Audition 14.1 - Professional post-...
Audition is available as part of Adobe Creative Cloud for as little as $20.99/month (or $9.99/month if you're a previous Audition customer). Adobe Audition empowers you to create and deliver... Read more
Adobe Animate 21.0.5 - Animation authori...
Animate is available as part of Adobe Creative Cloud for as little as $20.99/month (or $9.99/month if you're a previous Flash Professional customer). Animate (was Flash CC) lets you share work... Read more
Adobe Photoshop 22.3.1 - Professional im...
You can download Photoshop for Mac as a part of Creative Cloud for only $20.99/month (or $9.99/month if you have purchased an earlier software version). Adobe Photoshop is a recognized classic of... Read more

Latest Forum Discussions

See All

Moonlight Sculptor is an upcoming MMORPG...
Kakao Games and XL Games – who you might be familiar with from their previous game ArcheAge – have announced that their MMORPG Moonlight Sculptor is now available to pre-order for iOS and Android devices. Moonlight Sculptor has previously launched... | Read more »
MU Archangel is now open for pre-registr...
MU Archangel is now open for pre-registration in Southeast Asia following its massive success in other territories. Players from Singapore, Thailand, Malaysia, Indonesia, and the Philippines (except Vietnam) can now join in on the fun by applying... | Read more »
Compete, a new social media app you can...
Whoever told you you can’t get rich making videos has obviously never heard of Compete, Competitive Media Technologies Limited’s hot new social media app where you can rake in all the dough just by doing what you love. Video monetization that... | Read more »
Bethesda has released a new DOOM mobile...
Bethesda Softworks has released a new DOOM game out of the blue exclusively for mobile devices. It’s called Mighty DOOM and is currently only available as an early access title on Android but will be expanding to more users in the future. [Read... | Read more »
Anagraphs is a word puzzle game with a t...
Cinq-Mars Media has released its word puzzle game Anagraphs for iOS and Android devices. The game released last week after a short delay in getting it onto the appropriate platforms. [Read more] | Read more »
These are the top 5 best iPhone games li...
Fortnite has been the big hitter in mobile gaming this year, and it's not hard to see why. Thanks to some excellent marketing, and a polished experience that almost anyone can enjoy, it's really taken the App Store by storm. But there are other... | Read more »
The top 5 best iPhone games like Pokemon...
Pokemon GO is still the, if you'll excuse the pun, go-to game if you want some AR action on your phone. But it's not the only choice out there, and if you've got a hankering for something a bit different, then your eyes might already have started... | Read more »
The top 5 best iPhone games like Starcra...
Starcraft sits at the top of the RTS tree for a number of very good reasons. It also isn't on mobile, again, for a number of very good reasons. But that doesn't mean you can't find a way to indulge your sci-fi, competitive, massive, or engaging RTS... | Read more »
Apple Arcade: Ranked - Top 25 [Updated 4...
In case you missed it, I am on a quest to rank every Apple Arcade game there is. [Read more] | Read more »
The top 5 best iPhone games like The Roo...
The Room has had a massive impact on the world of mobile gaming. Not only is it a brilliant adventure, it also shows how the touchscreen controls on your iPhone can be turned into something far more elegant and tactile than just a bunch of buttons... | Read more »

Price Scanner via

B&H is offering clearance prices on lefto...
Apple reseller B&H Photo has clearance 2020 13″ 1.4GHz Intel-based MacBook Pros on sale today for $200-$300 off Apple’s original MSRP with prices starting at only $1099. Expedited shipping is... Read more
Roundup of Today’s Best MacBook Deals: M1 Mac...
Apple resellers are offering sale prices on Apple’s M1-powered 13″ MacBook Airs ranging up to $190 off MSRP. Here’s where to pick one up today, and as always, keep an eye on our 13″ MacBook Air Price... Read more
Apple AirPods Pro drop to new low price of on...
Amazon has Apple’s AirPods Pro on sale today for a new low price of only $197 shipped. That’s $52 off MSRP and the lowest price currently available for a set of AirPods Pro from any Apple reseller.... Read more
Apple restocks clearance 13″ Intel-based MacB...
Apple has clearance, Certified Refurbished, 2020 13″ Intel-based MacBook Airs available starting at only $809 and up to $280 off original MSRP. Each MacBook features a new outer case, comes with a... Read more
OWC drops prices on 2020 Intel multi-core Mac...
Other World Computing has clearance 2020 Intel-based Mac minis on sale starting at only $499. Both 4-core and 6-core models are in stock today. These are new, unopened, factory-sealed minis: – 3.6GHz... Read more
Save $50 off Apple’s 10.9″ iPad Air today at...
B&H Photo has new 10.9″ Apple iPad Airs in stock and on sale today for up to $50 off MSRP. Expedited shipping is free to most addresses in the US. Note that some sale prices may be restricted to... Read more
Rare Apple sale: Get a HomePod mini for $10 o...
Apple reseller Expercom has the Space Gray HomePod mini on sale today for $89 shipped. Their price is $10 off Apple’s MSRP, and it’s currently the only sale price available for a HomePod mini among... Read more
Apple has M1 Mac minis available starting at...
Apple has a full line of standard configuration M1 Mac minis available in their Certified Refurbished section starting at only $589 and up to $140 off MSRP. Each mini comes with Apple’s one-year... Read more
New sale at Amazon: $55-$70 discounts on Appl...
Amazon has 7.9″ iPad minis on sale today for up to $70 off Apple’s MSRP, each including free shipping. Prices start at $344. These are the same iPad minis sold by Apple in their retail and online... Read more
Apple offering 13″ M1 MacBook Airs for as lit...
Apple has a full line of 2020 13″ M1 MacBook Airs available, Certified Refurbished, starting at only $849 and up to $190 off original MSRP. These are the cheapest M1 MacBook Airs for sale today at... Read more

Jobs Board

*Apple* Valley 20hr Teller - Wells Fargo (Un...
…or scheduled + Ability to stand for extended periods of time **Street Address** **MN- Apple Valley:** 14325 Cedar Ave - Apple Valley, MN **Disclaimer** All offers Read more
*Apple* Valley 20hr Teller - Wells Fargo (Un...
…or scheduled + Ability to stand for extended periods of time **Street Address** **MN- Apple Valley:** 14325 Cedar Ave - Apple Valley, MN **Disclaimer** All offers Read more
Desktop Support Technician - *Apple* / Mac...
…infrastructure and internal desktop systems. Must have an IT background that includes Apple / Mac support. **Overview:** + Responds to routine technical questions or Read more
Geek Squad *Apple* Consultation Professiona...
**801042BR** **Job Title:** Geek Squad Apple Consultation Professional **Job Category:** Store Associates **Store Number or Department:** 000214-Willowbrook-Store Read more
*Apple* Mobility Specialist - Best Buy (Unit...
**800879BR** **Job Title:** Apple Mobility Specialist **Job Category:** Store Associates **Store Number or Department:** 000803-Lansing-Store **Job Description:** Read more
All contents are Copyright 1984-2011 by Xplain Corporation. All rights reserved. Theme designed by Icreon.