INIT 17 Virus (31-July-1993)
Entry...............: INIT 17 Virus
Alias(es)...........: ---
Virus Strain........: ---                                         
Virus detected when.: April 1993           
              where.: USA
Classification......: Link virus, Applications and System infector
Length of Virus.....: Resource fork extension: 1,682 bytes
--------------------- Preconditions ------------------------------------
Operating System(s).: MacOS proprietary             
Version/Release.....: All prior to System 7                    
Computer model(s)...: All.
--------------------- Attributes ---------------------------------------
Easy Identification.: INIT 17 resource in System file with the string 
                         "Trnt" at offset 4 from the beginning.
                      In applications, same string can be found at 
                         offset 1,678 from end of the CODE 1 resource. 
Resource pattern....: INIT 17: 1,682 bytes in System file.
                      CODE 1:  extended by 1,682 bytes in applications.
Type of infection...: Adding an INIT 17 resource to System file.
                      Extending a present CODE 1 resource in applica-
                         tions and modifying the CODE 0 resource to 
                         point at virus code.
Infection trigger...: 1. Starting an infected application infects 
                         system, and every application started after-
                         wards becomes infected.
                      2. After starting up with an infected System,
                         every application launched becomes infected.
Applications affected:1. The System file
                      2. All applications except Finder, 
                         All programs created with StuffIt (self 
                         extracting archives),
                         file Virex and all applications who's creator
                         starts with 'AL'.
                      An application can only be infected when the
                         following preconditions hold:
                         a) first entry in CODE 0 points to CODE 1,
                         b) size of CODE 1 < 31,086 bytes,
                         c) file is not locked or it's name is locked,
                         d) file is not already infected.
Traps intercepted...: LoadSeg 
Damage..............: The virus pops up a window named 
                         "From the depths of Cyberspace" displaying the 
                         message "-Trent Saburo was here". On 68000 
                         systems (old Macs), a system bus error occurs.
Damage Trigger......: Running an infected System or application after
                         internal date reached Oct.31,1993 6:06:06 AM.
Peculiarities.......: If WriteResource and SetResAttrs traps are
                         redirected to RAM (eg. by AntiVirus program),
                         the virus does NOT infect programs.
Similarities........: ---
--------------------- Agents -------------------------------------------
Countermeasures/direct: Remove INIT 17 resource from System file using
                         ResEdit. Repairing applications should NOT be 
                         performed manually.
Countermeasures/software:Use a commercial, shareware or freeware Anti-
                         Viral product such as VirusDetective or 
                         Disinfectant >= 3.2 to scan for viral signatures.
--------------------- Acknowledgement ----------------------------------
Location............: Virus Test Center, University Hamburg, Germany
Classification by...: Hisao Tai, Peer Reymann, Ronald Greinke
Documentation by....: Tim Dierks
Date................: 31-July-1993

.