HyperActive Software

Home What's New Who We Are What We Do Solutions Resources

We make software for humans. Custom Mac, Windows, iOS and Android solutions in HyperCard, MetaCard, and RunRev LiveCode


The Viruses


Merry2Xmas and other clones

HC 9507 ("Pickle")



Independance Day


3 Tunes



Eliminating and preventing viruses

Download Bill Swagerty's free utility and wipe out HyperCard viruses

False Positives
Why commercial virus software can give "false positive" reports

preventing specific viruses from getting in

The "set" trap
guarding against future viruses


Free virus detection service

Virus Detection
Do you think you have a virus?

Eliminating and preventing viruses

Vaccine - Wipe out HyperCard viruses

HC Icon Download Vaccine 4.3 for Macintosh HyperCard

NOTE for search engine visitors: Vaccine is a Macintosh-only program. It will not open or run under Windows. In addition, Vaccine will only check files that have been created with Apple Computer's HyperCard program -- it will not detect or protect your computer against any other Macintosh viruses.

Vaccine is a free HyperCard virus utility written by Bill Swagerty that will inspect all the stacks on your hard drive, or any part of it, for most HyperCard viruses. Vaccine 4.3, new as of 5/6/00, has been rewritten and updated to include virus checking and eradication routines for all the recently-discovered viruses, including Antibody, Independance Day [sic], Blink, and Wormcode. Besides finding and eliminating HyperCard viruses in your stacks, it will offer to compact each stack to eliminate free space (which can reduce the "false positive" reports from other virus checkers) and it can lock your Home stack against future attacks if you choose. The Preferences card allows you full control over Vaccine's mode of operation, and reporting features have been updated as well. This is an excellent utility, and because it is HyperCard-based, it is able to use a more reliable detection method than commercial virus utilities. Vaccine will eliminate MerryXmas, all MerryXmas clones, HC 9507 (Pickle), Antibody, Blink, and Wormcode, and will check for and alert you to the presence of Independance Day. This utility is highly recommended for every stack-owner's arsenal.

Why commercial virus software can give "false positive" reports

In order to understand why a virus program would tell you your stack had a virus when it does not, you need to know a little about how HyperCard stores its data. All HyperCard objects, including its scripts, are stored in the stack's data fork. When an object is deleted from the stack, HyperCard does not really remove that piece from the data fork. Instead, it puts special "markers" around the object so that HyperCard knows to ignore that object in the future. This leaves what HyperCard calls "free space" in the stack -- that is, space that is not used but which has not yet been actually removed from the file. This free space takes up room on your disk but is never accessed for use.

To remove this free space, HyperCard provides a menu item called "Compact Stack". Compacting the stack actually rewrites the stack into a new file on disk, leaving out the unused parts, and thus removing this free space. The new file is given the original stack name, the old one is deleted, and in most cases the user never knows anything has been replaced. The process of removing free space is important, since it can prevent a stack with too much garbage in it from becoming corrupted. Once the unused portions are removed, the stack is also likely to respond faster.

However, HyperCard is not perfect when it removes unused portions of a script and sometimes it can miss a few lines here and there, although it leaves them with the "markers" attached so they are not used. Even after multiple compactions, there may be bits of unused scripts hiding in the data fork. This doesn't hurt anything and is really of no consequence, except to commercial virus checkers.

Commercial virus checkers have no choice but to read the entire data fork of a file when they are doing their examinations. Occasionally they will come across a stack where a previous virus has been removed and the stack has been compacted, but there are still bits of unused virus scripts scattered around in the data fork. HyperCard does not see these bits and they do nothing, but they can trigger the commercial utilities, which do not know whether the pieces of code they find are used by HyperCard or not. In these cases, the commercial virus utilities will flag the stack as infected, even though it really is not.

Vaccine, being a HyperCard stack itself, does not see the unused bits of script that may be hiding in the data fork. Vaccine can only see the scripts that HyperCard sees, which are the ones that are functional. Because of this, Vaccine's detection of HyperCard viruses is more reliable than that of commercial utilities.

If a commercial virus checker tells you that you have a HyperCard virus in your stacks, try running Vaccine to confirm it. We have manually checked scores of conflicting virus reports in files uploaded to America Online, and in all cases Vaccine has always been right. (Note that Vaccine does not detect Dukakis or 3 Tunes, so you will have to trust your commercial software on those. These two viruses are very rare, though.)

Inoculation - preventing specific viruses from getting in

(You can download both the virus scripts below as a text file.)

If you want to avoid contracting a specific virus, you can often add inoculations to your Home stack script. These inoculations are just short pieces of script that trick a virus into thinking you are already infected. Since all viruses to date look for an existing infection before trying to spread themselves around, installing inoculation scripts in your Home stack is one way to keep the common viruses at bay.

To use an inoculation, you add a line of text (called a "string") to your Home stack script. Each particular virus looks for a particular string to see if it should install itself or not. If that string is in your Home stack script, the virus will believe it has already done its dirty work and will not spread. You do not need a complete handler for inoculation. The presence of the particular text characters the virus is looking for is enough.

Below are some inoculation strings you can add to your Home stack script which will prevent some HyperCard viruses from attacking your stacks. Copy the entire block below and paste it into your Home stack for protection. You will notice that some viruses look for several different variations; in particular, all the MerryXmas varieties need three different strings each to completely inoculate your stacks.

-- if the script of home contains -- pickle
-- ¶ -- blink [Option-7, the paragraph sign]
-- Independance Day -- Independance Day (sic)
--on idle --merryxmas
--on openbackground --merryxmas
--on closebackground --merryxmas
--on idle --merry2xmas
--on openbackground --merry2xmas
--on closebackground --merry2xmas
--on idle --Lopez
--on openbackground --Lopez
--on closebackground --Lopez
--on idle --crudshot
--on openbackground --crudshot
--on closebackground --crudshot
--on openstack --merryxmas antibody
end openstack --home script 2

Copy these text strings exactly, including the hyphens, when installing the inoculations. Do not add hyphens to the last line, which is the inoculation for Wormcode, since this virus looks for an exact match of the entire line. Also make sure that the last line really is the last line in your Home stack script; Wormcode looks for it there. (If you have already installed these inoculations and have since added handlers or comments underneath them, you will probably want to move the inoculation block down to the end of your Home stack script so the Wormcode inoculation will work.)

If your browser does not display the paragraph sign for the "blink" inoculation above, you will have to edit it manually. The inoculation for Blink is a single character, which you can enter by typing Option-7.

Remember, every virus has its own "trigger" and you will only prevent those viruses for which you have provided the proper corresponding string.

We highly recommend that you install at least the "Pickle" and "CrudShot" inoculations, since these two viruses are destructive and cause loss of data.

Setting a trap - preventing other script-based viruses

The best way to prevent the spread of any virus is to lock your Home stack in the Finder. If you do not want to do this, then you may want to use a "set" trap handler.

This approach uses a generic handler which you place in the stack script of your Home stack. This handler's function is to monitor HyperCard activity and warn you when anything tries to change the script of your Home stack without your knowledge. This effectively stops the spread of any script-based virus that relies on the message hierarchy to propagate itself, which is most of them. The following handler will notice any script activity that tries to change your Home stack, warn you, and allow you to stop the activity before it happens. This script has been widely tested and does not interfere with most other HyperCard scripts (but see note below,) although on 68K Macs it may slow down HyperCard somewhat. On a PPC Mac there is little noticeable performance hit. Use your judgment as to whether you want to implement this prevention or not. The advantage to using this handler in an unlocked Home stack is that it will catch and warn you of all message-based viruses, including any new ones that may appear in the future.

Note that the HC 9507 (Pickle) virus is not message-based, and this trap will not intercept it. Your best bet for Pickle is to install the inoculation string.

To implement the "set" trap, copy the following script and paste it into your Home stack script:

on set -- virus block
   if param(1) = "script" and param(3) contains "home" then
     answer "Another stack is attempting to alter" ¬
     && " the script of the Home stack. Allow alteration?" ¬
     with "Allow" or "Don't Allow"
     if it = "allow" then pass set
       put "Home stack script has not been altered." ¬
       && "Current handler has been aborted." into prompt
       if the userlevel = 5
       then put " Edit script of current stack?" after prompt
       if the userlevel < 5 then answer prompt
       else answer prompt with "Cancel" or "Edit"
       if it = "cancel" then exit to HyperCard
       edit script of this stack -- allows removal of virus
       exit to HyperCard
     end if
   else pass set
end set

Be aware that some stacks change your Home scripts legitimately. If you are installing AddColor from the Color Tools stack, for example, your Home scripts are altered to support this external. In general, if you receive a warning from the set trap handler and you are installing legitimate HyperCard software, you can probably allow the alteration to continue. If you have any doubts, of course, it is safer to stop the activity.

Note: A bug in versions of HyperCard 2.2 or less causes this script to error whenever it triggers. You can still use this script under these versions since the error message will also abort any virus activity, but you will have to remember to check the current stack scripts manually for viruses if you receive a "can't understand 'set'" error message. For best results, use this script with HyperCard version 2.3 or higher.

Additionally, this script can interfere with any other script that sets the location of the "ask" or the "answer" window. When either of these window locations is set, the "set" trap script will error. This is due to a problem in HyperCard; however, these commands are fairly rare in most stacks and are not often encountered.

The Viruses | Eliminating Viruses | HyperActive Virus Detection Service