This page is a wiki. Please login or create an account to begin editing.
HomeGeneral Discussion



59 posts / 0 new
Login or register to post comments
Last post
2013, July 25 - 11:12am
#1
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3
Files here that are infected with a virus

The recent discovery (and subsequent removal) of a virus in Logic Audio Platinum 4.7 has prompted me to do a scan of the many files from here that I have uncompressed and archived privately. Below is a list of those files that Virex shows as being infected. The virus strain is given in brackets. Please either beware of these files or, even better, fix the problem and reupload. I have not looked inside any disk images so there may still be the occasional infected file in these.

Carmen Sandiego Math Detective: Installer (666-A)

Abalone:
abalone1.4.2 (nVIR)

Black Box
(BlackBox (nVIR)

Brickles Plus
Brickles Plus v2.0 (MBDF-B)

Cryptogrammer
Cryptogrammer v1.1.1 (nVIR)

HangMan Plus
Hangman plus v2.0 (MBDF-B)

Logic Audio Platinum 4.0.4
Logic Audio Dongle EMU 1.2 (666-D)
Logic Audio Platinum 4.0.4 68k (666-D)
Logic Audio AKAI DR8/16 info (666-D)

Microsoft Excel
Excel 4.0 Folder/TeachText (nVIR)

OmniPage 8.0 LE
Instalar OmniPage Ltd Edition (666-A)
Install OmniPage Ltd Edition (666-A)
Installa OmniPage Ltd Edition (666-A)
Installer OmniPage Ltd Edition (666-A)

Rose Garden (nVIR)

Steinberg Nuendo 1.5.2
1-Nuendo Install (666-D)

Stuffit Deluxe/Stuffit Deluxe.sit
Stuffit 1.5.1/1.5.1 Note (ReadMe) (nVIR)

Tao Te Ching (666-A)

Turbo Pascal 1.0
Turbo (nVIR)

Top
Tags:

Comments

2013, July 25 - 12:03pm
#2
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Good idea for this list, mrdav. I suggest to the Admins that it also be made a sticky so we can add/subtract to it in the future.

You can scratch "Logic Audio Platinum 4.0.4" & its associated infected files from the list, thanks.

I may replace the infected OmniPage 8.0 LE copy entirely with a clean OmniPage 8.0 Pro too, shortly.

Top
2013, July 25 - 3:52pm
(Reply to #2) #3
IIGS_User's picture
IIGS_User
Offline
Joined: 2009 Apr 8

Good idea for this list, mrdav. I suggest to the Admins that it also be made a sticky so we can add/subtract to it in the future.

Thanks, MikeTomTom, sticked now. Smile

Top
2013, July 25 - 12:15pm
#4
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

I was a little imprecise about where the virus in Stuffit 1.5.1 was, as there is more than one copy embedded in different places. Now it should be clear

Top
2013, July 25 - 2:08pm
(Reply to #3) #5
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Stuffit 1.5.1 - This one is confusing. - I had cleaned this and re-uploaded (as seperate DL's) into the Stuffit Deluxe page (back in 2010) - but I left the infected 26.86MB item there, not wanting to offend the original uploader... hoping someone else would deal with it (and its still there). See "[Updated]" & "[Note]" sections in Description on Deluxe page.

There is also a separate Stuffit 1.5.1 page... so, with a little bit more precision, which 1.5.1 exactly are you referring to here?

[Edit] ah saw your amendment. Delete the 26.86MB file & problem solved (I cleaned then uploaded separate as per IIGS_User's request (in comments section) way back in 2010).

[Edit 2] Also in description of Stuffit Deluxe page:

IMPORTANT NOTE:
One of the Packages (The Stuffit App v1.5.1) that comes in this File, is infected with the -nVir A- type Virus, but since that Stuffit version is too old to be used, is pretty much harmless,

Else that virus became itself abandonware, so it is left there for educational purposes (in case someone would like to disassemble it and experiment with that)

Interesting philosophy, no?

Well, I say no. If you want to run old OS's on old hardware and/or emulators (and I do), I don't want them getting effed up by crappy script-kiddy-ware. So I say just get rid of it.

Top
2013, July 25 - 3:52pm
#6
IIGS_User's picture
IIGS_User
Offline
Joined: 2009 Apr 8

Better to remove the infected files completely.

Top
2013, July 26 - 12:39pm
(Reply to #6) #7
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Have removed virus infected archive from Stuffit Deluxe page + updated info in Description field.

I notice that Balrog (original uploader of the Deluxe archive) later adds to Comments field "The nVir A virus probably won't become abandonware -- even its source code is available."

So I'm thinking that it was OK to remove this. Wink

Top
2013, July 27 - 12:27am
#8
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

"Steinberg Nuendo 1.5.2" this one is an easy fix as its a duplicate and a clean installer version of the same software is located on this page. I've put a notice in the Duplicates sticky, so once the dirty copy & page is removed, this can be scratched from the list.

I've also placed alerts in the infected file's DL page, pending its removal.

[Edit] And nuendo has gone. Thanks IIGS_User.

Top
2013, July 27 - 6:17am
#9
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Scratch "OmniPage 8.0 LE" from the list please, mrdav.
@IIGS_User: had you installed this one previously? If you installed only the German language OmniPage, you may have escaped the 666 contaminant, as only that one appeared to be clean.
All are cleaned now.

Top
2013, July 27 - 7:38am
#10
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Rose Garden has been cleaned and replaced by Daxeria back in May, 2013. Dax left this comment in the RG page:

Replaced with a clean copy after discovering that the original upload was infected with nVIR A

Top
2013, July 27 - 2:44pm
#11
IIGS_User's picture
IIGS_User
Offline
Joined: 2009 Apr 8

Not installed the "OmniPage 8.0 LE" on my systems.

Top
2013, July 28 - 10:37am
#12
themacmeister's picture
themacmeister
Offline
Joined: 2009 Oct 26

nVir-A was EVERYWHERE, and was pretty harmless. I believe it had a payload for a date back in the 80s/90s??. Anyways, most antivirus will remove it harmlessly. I conservatively guess that >5% of my software backups from that time will be infected. It could attach itself to ANY file I believe, so nothing was safe.

Top
2013, July 29 - 3:55am
#13
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Abalone, Black Box, Brickles Plus, Cryptogrammer & HangMan Plus now replaced with cleaned copies: Eeps, 4 out of 5 were from a single source...

@mrdav: Can you mount the Disk Copy 6.x images found in the Excel 1.03 & Excel 2.2a folders, inside the main "Microsoft Excel" folder? I cannot. Disk Copy 6 reports that they are all fubar. Was about to replace the infected archive, but it looks like it will be missing those Disk Copy versions too, when I do.

Top
2013, July 29 - 4:07am
#14
grawlix.computing's picture
grawlix.computing
Offline
Joined: 2009 Jun 1

It looks like that source might have been me--I think I stripped those games off of a salvaged machine. Thanks for cleaning up my rot.

Top
2013, July 29 - 4:28am
(Reply to #14) #15
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

YW. Did you happen to run any of those, too? I think even Disinfectant will clear nVIR & MBDF-B

Top
2013, July 29 - 5:37am
(Reply to #15) #16
grawlix.computing's picture
grawlix.computing
Offline
Joined: 2009 Jun 1

Did you happen to run any of those, too?

The system that those applications were run upon has been wiped clean and rebuilt from read-only media.

Top
2013, July 29 - 5:07am
#17
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Abalone, Black Box, Brickles Plus, Cryptogrammer, HangMan Plus, Tao Te Ching, Turbo Pascal 1.0 have now been replaced with cleaned copies - Only Microsoft Excel to go:

@mrdav (in case you missed my earlier post): Can you mount the Disk Copy 6.x images found in the Excel 1.03 & Excel 2.2a folders, inside of the main "Microsoft Excel" folder? I cannot. Disk Copy 6 reports that they are all fubar.

The Disk Copy 6 image files inside of this archive will need to be replaced by someone else, as there is no point in leaving broken files in with the cleaned copy.

Top
2013, July 29 - 9:07am
#18
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

@MTT

Those Excel disk images certainly do not mount with DiskCopy 6.4, but they do mount just fine in Mini vMac so they can be accessed, and are good to keep. I don't know if we should re-image them so they can be opened by DiskCopy...might be useful.

Top
2013, July 29 - 1:12pm
(Reply to #18) #19
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Good idea. I'll access them via MvM and re-image. Will test these for virrii too, while at it. Right after dinner Wink

[Edit] Microsoft Excel has been cleaned, repaired and replaced. Thanks for the Mini vMac suggestion.

Interesting exercise with this one. Both Basilisk & Sheepshaver wouldn't mount these images. Mini vMac would. But, Disk Copy 6 and ShrinkWrap wouldn't image the mounted disks (Disk Copy would but offered a ridiculous 35MB filesize to do so). I managed to duplicate these using Disk Dup+ on SSW 6.0.8! From there, I converted the Disk Dup+ files to Disk Copy 4.2 image files using ShrinkWrap 2.1 - Only SW2.1 or earlier can create Disk Copy 4.2 files that are byte compatible with actual Disk Copy 4.2 images (without requiring a hardware floppy disk) and creates Tag checksums, missing in other disk image progs. The results here were, the desktop data/db is intact from their respective 1986 & 1989 originals. The 2.2 Tour disk image even retains its Finder Comments in the Get Info window.

Success.

Top
2013, July 29 - 1:21pm
(Reply to #19) #20
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

That is impressive, MikeTomTom! Thank you.

Top
2013, October 28 - 10:47pm
#21
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

The installer in the disc image of Carmen Sandiego Math Detective is infected with the 666-A virus

Top
2013, October 28 - 11:42pm
(Reply to #21) #22
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

@mrdav: Do you mean the installer on the hybrid Mac/PC CD image has 666-A?

Top
2013, October 28 - 11:55pm
(Reply to #22) #23
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

---> Do you mean the installer on the hybrid Mac/PC CD image has 666-A? <---

Yes

Top
2013, October 29 - 11:12pm
(Reply to #23) #24
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Thats a problem then, whole CD needs de-lousing, rebuilding & re-upping. I have real problems accessing that &^%*$#! 4shared site so I'm unable to help out.

I'll place a heads-up on the CSD page tho'.

[Edit] I've added the link to the clean copy in the CSD page and removed the heads-up from the page. Thanks for finding the good copy and hosting it, mrdav.

Top
2014, September 18 - 2:19pm
#25
themacmeister's picture
themacmeister
Offline
Joined: 2009 Oct 26

MTT & mrdav -> You both RULE !!!

Top
2015, April 8 - 12:59pm
#26
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

SoundDiver 3.0 Alt Authorizer in Emagic_SoundDiver_3.sit on page
http://macintoshgarden.org/apps/sounddiver-roland-xp-and-jv is infected with nVIR

Top
2015, April 15 - 10:50pm
(Reply to #26) #27
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

  SoundDiver 3.0 Alt Authorizer in Emagic_SoundDiver_3.sit

Have replaced this file with a cleaned copy - got rid of hidden OSX files & other surprises while at it. Cleaned out nVIR with Virex 1st, then Disinfectant which found dormant nVIR in 3 other files, so cleaned those too.

Top
2016, February 21 - 7:56pm
#28
256mbps's picture
256mbps
Offline
Joined: 2016 Feb 11

http://macintoshgarden.org/games/1000-games

Anybody able to repair this one?

Top
2016, February 21 - 11:55pm
(Reply to #28) #29
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

themacmeister says that it is not really a virus. See comment on http://macintoshgarden.org/apps/bmug-revelations

Top
2016, February 22 - 12:42am
(Reply to #30) #30
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

Hmmmm.... Not really a virus - because its a Trojan. I wonder what's worse? The few classic Mac viruses are really lame, with the exception of 666, which can be pretty annoying.

But (256mbps) as far as cleaning this particular file goes, I am reluctant to do it because its on a CD compilation of archived files. This would introduce new anomalies, such as the system writing to an opened (read/write) CD image, destroying the original integrity of the image.

I think its probably best to just to note on the page that the image contains possible harm and should be treated with care (I see that this has already been done).

i.e.; Remove any viruses/trojans as you pull them off of the image, but leave the CD image itself, unchanged.

Top
2016, February 21 - 8:01pm
#31
256mbps's picture
256mbps
Offline
Joined: 2016 Feb 11

got rid of hidden OSX files & other surprises while at it.

This made me think, what about cleaning OSX/other "goodies" from items, and making them more clean? Can we start something like this, too?

Top
2016, July 2 - 12:33pm
#32
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

LightWave 5: First download LightWave3D 5.0. The following files are infected with the 666-A virus.

Patch to Revision D
Modeler [k] patch
LightWave [k] patch

I have yet to check the other downloads on the page.

EDIT: The other downloads on the page come up clean.

Top
2016, July 3 - 4:25am
(Reply to #32) #33
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

   LightWave 5: First download LightWave3D 5.0. The following files are infected with the 666-A virus.

Patch to Revision D
Modeler [k] patch
LightWave [k] patch

I've cleaned those files and re-uploaded.

Top
2016, July 3 - 7:54am
(Reply to #34) #34
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

Thanks MikeTomTom

Top
2016, July 2 - 1:32pm
#35
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

LightWave 5: First download LightWave3D 5.0. The following files are infected with the 666-A virus.

Yurk. That page is a bit of a mess, too. I'll clean that file and re-up it tomorrow, if nobody does the honors, beforehand.

Top
2017, April 8 - 12:57pm
#36
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

Winfire has alerted us to the StarDust virus in Secrets of the Pyramids

EDIT: I have found a clean replacement copy and will upload it very soon

Top
2018, March 21 - 12:59am
#37
melomac's picture
melomac
Offline
Joined: 2018 Feb 26

Hi. It turns out I am a Mac malware enthusiast. Would you please be so kind to share infected files with me? A direct message, with the infected archive, in a Zip password protected file, would be, just, awesome. Thank you!

Top
2018, March 21 - 1:36am
(Reply to #37) #38
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

Sorry, but I get rid of infected files. I don't know about other people. If you want copies of old Mac viruses you can find plenty on the CD Freaks’ Macintosh Archives from the Internet Archive. They are all safely kept in sit or cpt wrappers.

Top
2018, March 21 - 3:46am
(Reply to #38) #39
melomac's picture
melomac
Offline
Joined: 2018 Feb 26

Thank you for replying. It's fun to hear about FMA too (zOMG site is still up), I have all of them already, and way more.

I left the message just in case, as I'd be glad to play with "vintage" samples and, why not, unknown variants!

Top
2018, June 21 - 7:52pm
#40
Corak's picture
Corak
Offline
Joined: 2014 Aug 26

Pathways into Darkness 1st floppy of v2.0 had been infected with nVIR virus.
http://macintoshgarden.org/games/pathways-darkness
revisions view
Fixed and replaced downloads. Added virused floppy image to separate folder named "!virused"

[Edit by MTT] Removed link to Revisions. Reason: Only logged-in viewers can access. Others would get page errors on clicking link.

Top
2018, June 22 - 12:02am
#41
MikeTomTom's picture
MikeTomTom
Offline
Joined: 2009 Dec 7

@Corak: How are you getting virus readings on this software? Disinfectant and Virex come up clean for me (even on the image in "!virused"). All disks in the original uploads and yours checked clean, mounted and unmounted.

The original uploader states that the disk image in question had been infected but cleaned by him before uploading. And that also checks out as true, by me.

Top
2018, June 22 - 9:24am
#42
SkyCapt's picture
SkyCapt
Offline
Joined: 2017 Jan 11

http://macintoshgarden.org/games/indiana-jones-and-the-emperors-tomb

Not a virus, but acts like malware due to what must be a bug in OS X. Since repairing this game, I've created two more major groups of my increasingly larger hard disk images, to find that indeed the nastiness disappeared.

-----

And lucky me to own the last comment on the Pathways Into Darkness page. But, I run ClamAV and Virex 6.1 to check for both new and old malware on all my disks and have stayed clean, never got a thing from PiD the CD version probably.

Top
2018, June 22 - 10:24am
#43
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

@Corak: I have also tested the disk images that were on the Pathways into Darkness page before you replaced them. I found no virus in the mounted images from before. Given that both MikeTomTom and myself have found no virus (not sure if SkyCapt has tested this too), I conclude that somehow you got a false positive when you tested the disk contents. Also, the files in the new download have lost the resource forks that make it possible to directly mount the disks with Disk Copy: this will cause considerable difficulty for the average user on a Classic Mac. Because of this, and more importantly my conclusion that the original uploads are virus-free, I am therefore restoring the page to its previous state. However, I thank you for your desire to improve what we have here.

FYI to retain the resource forks in the zip archive on the original page you can inflate it using MacZip on a Classic Mac.

Top
2018, June 22 - 3:47pm
#44
Corak's picture
Corak
Offline
Joined: 2014 Aug 26

@mrdav
I was reported about that virus on our site Old-Games.RU, when we decided to add Mac platform there, analyzed data from floppy (i dont use antivirus scanners, first i had another clean .img images of v2.0 and compared them to .dsk images there) and found code segments of original virus, then removed it:
http://picua.org/img/2018-06/22/ydoakydgduwdqrvh2t9mbf8er.png
http://picua.org/img/2018-06/22/3c5gekoxfofjr85oqwi5ptqy9.png
Maybe it's inactive, but virus code still there.

Top
2018, June 23 - 4:15am
(Reply to #44) #45
Daxeria's picture
Daxeria
Offline
Joined: 2009 Apr 8

Makes sense. Computers don't bother to overwrite data that you delete from a floppy or HDD unless there's something lined up to replace it with. They just mark that space as available for reuse.

I don't see any chance of reinfection from the deleted data, but it would be nice to replace the formerly infected image with a mint, unmodified original if possible.

Top
2020, April 18 - 5:41pm
#46
OpenSourceMac's picture
OpenSourceMac
Offline
Joined: 2019 Jan 21

Comic Life download 1.5.2 https://macintoshgarden.org/apps/comic-life-1x has a Bitcoin mining trojan (according to Windows 10).

Top
2020, April 18 - 6:33pm
(Reply to #46) #47
fogWraith's picture
fogWraith
Offline
Joined: 2009 Oct 23

Fetched the file from the official but dead source, using the internet archive, same file.
Sent both original and "fresh" file up to VirusTotal who both seem to have the file hash since years back, both files have different filenames compared to what VirusTotal reports due to the hash and old data (does it even scan?)

Sent the file off to various different "online scanners" and the ones that do scan, report nothing out of the ordinary, the ones that seem to scan (and awfully fast at that) has at least one warning with different names for the virus / malware / trojan / something.

Ran them (both on the dmg files and mounted content) through the scanners locally and there are no reports of anything bad.

False positive or not, perhaps someone else may have different set of tools and is able to find anything on this particular file?

Top
2020, April 18 - 8:32pm
(Reply to #47) #48
OpenSourceMac's picture
OpenSourceMac
Offline
Joined: 2019 Jan 21

Not sure. I just happened to be on Windows 10 and Defender called it a MacOS Trojan for Bitcoin mining and deleted it.

Top
2020, April 20 - 10:57pm
(Reply to #47) #49
adespoton's picture
adespoton
Offline
Joined: 2015 Feb 15

Do you have the VT link? I can check and see if this is legit, an FP, or a hash collision.

Top
2020, April 19 - 1:23am
(Reply to #46) #50
mrdav's picture
mrdav
Online
Joined: 2011 Dec 3

It is highly unlikely to have a virus. Firstly, I am running the paid full version of Sophos which did not flag any problem. Secondly, the copy of 1.5.2 was downloaded from the old publisher website (via Wayback Machine) and it is unlikely that they would have provided an infected version.

Top
2020, April 19 - 11:26am
(Reply to #49) #51
fogWraith's picture
fogWraith
Offline
Joined: 2009 Oct 23

Pretty much what I thought, I even went as far as to inspect most of the contents of the executable manually, couldn't find anything out of the ordinary there either that would raise my suspicion of it being infected with anything.

Makes you wonder about these online services as well, has the big players paid them off to play on fear, submit and buy their engines Tongue

Top
‹ Previous topic: Pangea's early software now Free Next topic: List of downloads on external hosts which still need to be moved to internal server ›