HyperActive Software

Home What's New Who We Are What We Do Solutions Resources

We make software for humans. Custom Mac, Windows, iOS and Android solutions in HyperCard, MetaCard, and RunRev LiveCode

Resources...



The Viruses

MerryXmas

Merry2Xmas and other clones

HC 9507 ("Pickle")

Antibody

Blink

Independance Day

Wormcode

3 Tunes

Dukakis

 

Eliminating and preventing viruses

Vaccine
Download Bill Swagerty's free utility and wipe out HyperCard viruses

False Positives
Why commercial virus software can give "false positive" reports

Inoculation
preventing specific viruses from getting in

The "set" trap
guarding against future viruses

 

Free virus detection service

Virus Detection
Do you think you have a virus?

The Viruses

MerryXmas

MerryXmas was the first documented HyperCard virus, and was the only prevalent HyperCard virus for many years. When an infected stack is opened, the virus script copies itself to the Home stack. From there, it spreads to every other stack that is opened. Unopened stacks are not affected, but it still does not take long for most of the stacks on a hard drive to contract the virus. The original intent of MerryXmas was to simply propagate, but because of a typing error, the virus can sometimes copy parts of other stack scripts along with its own virus code. This causes stacks to behave unexpectedly or sometimes to error. In certain circumstances, MerryXmas also causes HyperCard to quit (but not crash) without any notification.

Merry2Xmas and other clones

In recent years, some unoriginal young people have thought it clever to change a word or two of the MerryXmas virus scripts so that any inoculations or virus utilities no longer catch them. These cheap clones have been released to the public at an alarming rate, and there are now so many of them that it would be impossible to know what they all are. In all respects, the clones are identical to MerryXmas with the exception of a name change. Some of these include "Merry2Xmas", "Lopez", "CrudShot", as well as some very vulgar variations that don't bear repeating. The behavior of all these clones is similar or identical to that of MerryXmas, with the exception of "CrudShot" which is destructive and attempts to delete stacks.

HC 9507 "Pickle"

In 1995, HyperActive Software verified this virus and reported it to the community and to commercial virus software companies. The HC 9507 virus causes the word "Pickle" to be typed at the cursor insertion point, or in the message box if the cursor is not in a field. It reads the system clock and if the date and time meet certain criteria, it crashes your Mac comprehensively, which means you will lose any unsaved work. In certain rare cases, it can also corrupt selected XCMDs in a stack, which means that virus recovery for these stacks cannot be completely successful. The HC 9507 virus differs from most other HyperCard viruses in that it attempts to bypass the message hierarchy while spreading its infection. In addition, stacks are infected on a random basis anywhere on your hard drive, and do not need to be opened to become infected.

Antibody

In January 1997, HyperActive Software verified this HyperCard virus and reported it to the community. This largely benign virus does no overt damage. It spreads from stack to stack, checking for and eradicating the MerryXmas virus wherever found, and then installs MerryXmas inoculation scripts into infected stacks. In other words, it is a virus that eradicates another virus. Still, because it is self-propagating and works without the user's knowledge, it is a virus in its own right. And like any virus, it's scripts can interfere with or block a stack's native scripts, causing unexpected behaviors.

The virus installs itself into your Home stack script, and spreads to your other stacks from there. In addition, it looks to see if there are any stacks in use and eradicates any MerryXmas it may find in those stacks, installing inoculation scripts as it goes. The inoculation scripts are legitimate, if a bit wordy. The virus does not spread to any stacks in use, only to stacks you open and to your Home stack. It is possible that in the case of a locked Home stack, the virus may trigger an error dialog when it can't write to the Home script, and any handlers running in the current stack will abort. This isn't usually damaging, but it may temporarily stop functionality of the current stack.

Note that if you are using a Home script inoculation for Antibody, the inoculation will not prevent any "stacks in use" from receiving MerryXmas inoculation strings from the virus. If you open a stack infected with Antibody and you have stacks in use, MerryXmas inoculation strings will be inserted into those stacks. Since the inoculations do no damage and are not part of the virus, there is no adverse effect. If you notice a stack script with inoculations you did not put there yourself, you can either leave them alone or delete them.

Blink

The Blink virus was reported by several members of the HyperCard Mailing List in August, 1998. This virus installs itself into the background scripts of a stack. It spreads to the Home stack script and populates itself in other stacks from there, much as MerryXmas does. Before January 1, 1999, the virus simply spreads. After that date, infected stacks will "blink" once every second as the card window is hidden and then reshown repeatedly. The virus does not attempt to do any damage, and is mainly a nuisance.

The virus inserts an "idle" handler which polls for the date and time, and which controls the blinking. If the targeted script already has an "idle" handler before it becomes infected, the virus's handler will not execute from that stack. Inoculation is simple, since the virus checks only for a single character in the Home stack script to see if it should propagate.

Independance Day

Brought to our attention in July, 1997, the Independance Day virus (note the misspelling) is a poorly-written virus whose intent is to delete random lines of code from the Home stack script and from the scripts of the current stack, background, and card. Before July 4, 1997 it merely copied itself to other stacks. Since that date, it attempts script deletions.

Because the virus is so poorly written, a script error is generated whenever the virus tries to execute. This serves as a convenient alert and allows you delete the offending code immediately. However, even if the script error did not occur, the scripts are so inept that the intended damage could never occur. In other words, this virus is harmless and is nothing more than a badly-written nuisance.

However, the self-replicating features of the virus do work, and you will find the virus script at the top of your Home stack script if it becomes infected. Soon after installing itself, the virus will unsuccessfully attempt to delete scripts and will abort with the scripting error that alerts you to its presence. When removing the virus, look for an "openCard" script flagged with the comment "Independance Day" and delete the next 74 lines down to and including the line that ends with "end checkLine".

The HyperActive Software "set" handler trap will catch this virus before it installs itself into your Home stack. You can also prevent the virus from trying to install itself by inserting an inoculation string into your Home stack script. The inoculation string will not prevent the script error from occuring if you open an infected stack, but it will prevent the virus from reproducing and spreading to your Home stack, or to other stacks.

Wormcode

Wormcode was posted to the usenet group "comp.sys.mac.hypercard" on 2/19/00, in a stack called "Font Preview". The script propagates by standard methods, spreading from the carrier stack to the Home stack script, and to other stacks from there. The virus triggers on an "openstack" message, so any stack containing a valid openstack handler will not become infected, as long as it does not pass the "openstack" message on to HyperCard. The virus looks for its signature in the Home stack as the very last line of the Home stack script, so if you (or a script) add lines below the virus, it will reinstall itself into your Home stack again (though any duplicate copies will never run.) Aside from spreading and possibly duplicating itself in your Home stack, this virus does no damage. Be sure when installing its inoculation string that this particular inoculation is always at the very end of your Home stack script. The virus looks for an exact match of this text on the last line of the Home stack script:
end openstack --home script 2
Also be sure there are no leading hyphens before the inoculation.

3 Tunes

3 Tunes will spread but does nothing else on Macs running most international versions of the Mac OS (including the US Mac OS). However, on systems running the German Mac OS, the virus causes infected stacks to play three German folk tunes, displays unusual messages ("Hey, what are you doing?" and "Don't panic") and accompanies these messages with short sounds. It shows the tool palette and pattern palette, and re-shows them if the user closes them. On occasion it shuts down the Mac without warning. On Macs running versions of the OS that are not the German OS, the virus does nothing aside from propagate.

Dukakis

Dukakis is a rare virus that infects the Home stack, and spreads to other stacks from there. When its viral code is executed, Dukakis simply displays the message "Greetings from the HyperAvenger! I am the first HyperCard virus ever. I was created by a mischievous 14 year old, and am completely harmless. Dukakis for preseident in '88. Peace on earth and have a nice day." The virus then deletes itself. Since Dukakis is designed to self-destruct, it is almost never seen anymore.

The Viruses | Eliminating Viruses | HyperActive Virus Detection Service