Need help finding & downloading a virus (note, I'm not infected & trying to get rid)
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Hi guys, I'm writing a virus checker for Mac OS X, but would dearly like for it to be able to identify the older viruses from System 7 through OS 9. I was infected by the Sevendust virus a few years back, but obviously disposed of it at the time. Does anybody have or know where I can get my hands on these older style viruses?
I need to try and identify a signature for them and then see if my checker can pick it up under various circumstances (i.e. compressed, part of an archive, infected apps etc.) with no false positives (and more importantly no false negatives).
If you can help, please either reply here or email mark AT gwc DOT org DOT uk
Thanks
Grizzled Veteran
Join Date: Dec 2000
Location: Finland
You can have a look at this page and see if it's of any use. For obvious reasons I don't want to check what's in the archives myself...
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Fantastic! Thanks so much. I've spent all night searching Google and newsgroups etc., but have come up with nothing; I post here and I get the answer I'm looking for in 5 minutes. Amazing
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
I guess all I can do is hope that freaky's archives are as out of date as they used to be, or that you really are making a virus scanner ;-)
Anyway, since the "market" for utilities is kinda flooded with the one application (virex. there's no MacOS X virri yet ("viruses" for those who don't believe language should evolve)), I'd suggest considering the GPL, BSD, or similar source licences, as probably anything freaky has will be detected by the freeware Disinfectant (unless he carries Word macros now, or distributes code snippets of developing virri).
Told a friend they should consider scanning their files with Virex once, "what, so I can scan my 80's files for 80's viruses?"
EDIT: oh yeah, page hasn't changed in years, go to town. LOL, I love how all the DoS utilities etc. have been superseded by the administration utilities packaged with OS X
This insanity brought to you by:
The French CBC, driving antenna users mad since 1937.
Posting Junkie
Join Date: Dec 2000
Originally posted by Jacke:
You can have a look at this page and see if it's of any use. For obvious reasons I don't want to check what's in the archives myself...
That page doesn't seem to have either SevenDust or AutoStart - the only two relevant viruses for OS 9.
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Which really is hilarious, SevenDust was the only virus I remember that actually caused damage (check the extensions for a "666" file), never had the AutoStart virus (I just turned the feature off, I hate autostart). I know a few of the viruses there that actually won't run on System 7 and above.
Neverness being the only other site I remember having a "virus archive" at "http://www.neverness.net/archives/virii/", neverness has been gone for years. For the record, I care about security, I've actually gotten a few viruses "in the wild" (none otherwise), I'm no 1773 script kiddie.
(Last edited by yukon; Aug 4, 2004 at 10:45 PM.)
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Originally posted by yukon:
I guess all I can do is hope that freaky's archives are as out of date as they used to be, or that you really are making a virus scanner ;-)
Yes, I am. Don't worry, I'm not about to start sending these things out – apart from anything else, it'd be pretty futile to recirculate old viruses which have already been inoculated (or whatever you want to call it!)
I know the market (or lack of) is saturated with one or two checkers but they're not free, are they?! Mine would be cos I'm really only making it for myself, but making it available to others if they want it. As is, for the time being I'm only checking the data fork, which is why I wanted at least one of the old-style viruses so that I could have some means to test the resource fork, scanning against real resource fork viruses.
Maybe I'll just release it now, and add old-style checking later on, if enough people cry out for it.
Mac Elite
Join Date: Oct 2000
Location: Amboy Navada, Canadia.
Virex isn't free, but Disinfectant is. Problem with Disinfectant is that it's old and discontinued, it only catches old viruses, like the ones you're looking for. That's why I suggested making your software open source, it's the only way to "one up" the available solutions. Unless you're going to be scanning for PC viruses (virex. you'd need a lot of help to do this, or a partnership with a PC scanner company), you're fighting against an ancient scanner that would do just fine for any Mac virus threat. Unless you package in trojan detectors (there are a couple "remote administration" programs outside the usual, keyloggers and such, for OS X), bundle chkrootkit etc...there's a program that supposedly does this called MacScan I believe, but I'm wary of security programs that can't be verified (see the hundreds of PC "ad ware removal" programs for Windows that are actually spyware themselves), OSS prevents this...never know if the flu remedy being sold is actually arsenic with a pretty package, made by the people trying to give you the flu ;-)
ISTR there's an open source virus scanner, it's a bit of a joke, but if you submit your detection rules to them, we'd have the UNIX people eliminating our viruses as well. We certainly aren't inoculated against what's out there already, our systems are just so much newer that they have no effect anymore outside Classic....many of the virri can't run on System 7 (think "too old for Windows 3.1", though Sys7 is more like Win95).
Best of luck to you though, if you add a heuristic scanner, it'll be a defense against what could be coming. Virex has that though :-\
Occasionally Useful
Join Date: Jun 2001
Location: Liverpool, UK
back in the day, i'm sure i managed to backup some SevenDust-infected files onto an old system backup cd (took me a while to realise!), but i can't find it right now. it might be in the attic, i dunno. i'll try and find it for you.
"Have sharp knives. Be creative. Cook to music" ~ maxelson
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Originally posted by philzilla:
back in the day, i'm sure i managed to backup some SevenDust-infected files onto an old system backup cd (took me a while to realise!), but i can't find it right now. it might be in the attic, i dunno. i'll try and find it for you.
Thanks, that'd be great. Don't go risking an infection to find out though!! I've got enough samples to be working with just now.
Junior Member
Join Date: Mar 2003
Location: Walnut Creek, CA
Just out of curiosity, what was SevenDust? I've never heard of it.
I bring order to chaos. You are in chaos windows, you are the contradiction, a bug wishing to be an OS.
Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Originally posted by GeeYouEye:
Just out of curiosity, what was SevenDust? I've never heard of it.
Google (and even MacNN) search to the rescue!
http://www.ravantivirus.com/virus/showvirus.php?v=130
The strain I had must've been an earlier one as I didn't actually lose any files to it. I ended up having to delete a number of applications though purely cos they'd been corrupted by the virus. Maybe I caught it in time as all it really seemed to do was slow down my computer horrendously. I had the strain which installed an extension with the name "666" so maybe if I hadn't caught it, I'd have been screwed - it does its deleting on the 6th minute of the 6th hour of the sixth month...or maybe my machine was just switched off at the time!
Posting Junkie
Join Date: Dec 2000
Originally posted by Geobunny:
I know the market (or lack of) is saturated with one or two checkers but they're not free, are they?!
Agax scanned for SevenDust and AutoStart. Disinfectant took care of basically everything that came before them. Adding those together, you should be able to cover all OS 9 viruses for free.
Clinically Insane
Join Date: Nov 1999
"virii" is an incorrect and completely illogical construct. It is not, however, a word.
It appears to be a degenerate plural of "virus", probably coming from a misreading of the word "genii", the plural of "genius". Our grammatically-challenged friend, however, made a critical mistake by forgetting that only one of the two i's in "genii" comes from the plural. The other one (namely the first) is already part of the singular, and doesn't go away. In the same way, the plural of "genus" (a biological term) would be "geni".
Going by this logic, the plural of "virus" would be "viri", not "virii". However, even this fails, because "virus" was a medical term long before it was a computer term, and there "viruses" has been accepted as the proper plural for a long time.
The evolution of language is inevitable. However, callous disregard for grammar and spelling is not linguistic evolution; it's just being lazy.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
Posting Junkie
Join Date: Dec 2000
Originally posted by Millennium:
"virii" is an incorrect and completely illogical construct. It is not, however, a word.

Mac Elite
Join Date: Oct 2000
Location: Edinburgh, Scotland
Originally posted by CharlesS:
Wow, it's been a while since I've seen one of those!! Makes me smile now, to think that sort of error is a way in the past (ignoring the rare occurrence of kernel panics for now). Curiously though, it gave me a weird sense of nostalgia 