Adam.Frix@p2.f200.n226.z1.FIDONET.ORG (Adam Frix) (03/21/90)
For reasons no one cares about, I was fiddling around in Disinfectant 1.6 using Symantec Tools. While in the resource fork, at sector 21, offset 97, I found the word "fuck" stuck in there. Lowercase, all by itself. Now, this sounds real strange to me--I didn't expect this in this product, and it really blew me away. Does anybody know the source/ reason for this? My main worry is that despite having gotten this copy off of CompuServe (practically guaranteed, if not absolutely guaranteed, clean), perhaps it's been altered by someone not authorized to alter it. I don't mean to spread panic, but this is the first thing that came to mind, and it's managed to stick with me. Any help is appreciated. --Adam-- -- Adam Frix via cmhGate - Net 226 fido<=>uucp gateway Col, OH UUCP: ...!osu-cis!n8emr!cmhgate!200.2!Adam.Frix INET: Adam.Frix@p2.f200.n226.z1.FIDONET.ORG
hairston@henry.ece.cmu.edu (David Hairston) (03/25/90)
[Adam.Frix@p2.f200.n226.z1.FIDONET.ORG (Adam Frix) writes:] [] For reasons no one cares about, I was fiddling around in Disinfectant [] 1.6 using Symantec Tools. While in the resource fork, at sector 21, [] offset 97, I found the word "fuck" stuck in there. Lowercase, all by [] itself. Now, this sounds real strange to me--I didn't expect this in this as you know, disinfectant looks for signatures (i.e. Hpat, nVIR etc.) and "fuck" is just another signature ... if you're _very_ concerned about tampering to disinfectant try to arrange to get a copy from the source listed in the application (i.e. norstad's home site). -dave- hairston@henry.ece.cmu.edu
hf07+@andrew.cmu.edu (Howard Haruo Fukuda) (03/25/90)
Do not panic. 'fuck' is an nVIR clone that Disinfectant 1.6 catches and removes. Because you used SUM Tools to look at the resource fork instead of a resource editor like ResEdit, you did not see what resource the string 'fuck' was in. A 'fuck' resource would mean a 'fuck' infection, I spotted it in a 'VDEF' resource. I don't know exactly, but 'VDEF' seems to be where John put information about what resources to look at to spot a virus infection ('VDEF'<=>Virus DEFinition). What you spotted was just the instructions on how to remove the virus. -Howard Internet: hf07+@andrew.cmu.edu
Michael.Burton@p3.f200.n226.z1.FIDONET.ORG (Michael Burton) (03/25/90)
Adam Frix wrote that he discovered a popular obscenity while poking around in Disinfectant: > Now, this sounds real strange to me--I didn't expect this in this > product, and it really blew me away. Does anybody know the source/ > reason for this? My main worry is that despite having gotten this > copy off of CompuServe (practically guaranteed, if not absolutely > guaranteed, clean), perhaps it's been altered by someone not > authorized to alter it. I'll betcha a nickel that the obscenity in Disinfectant is something that the program looks for when it riffles through your resource files. Very likely some existing virus adds one or more resources of that type, or by that name. (The word also holds a strange fascination to the sort of people who write viruses, so even if it's not part of an existing virus, it's the sort of thing a suspicious-minded anti-virus program might want to keep an eye out for.) Don't panic. -- Michael Burton via cmhGate - Net 226 fido<=>uucp gateway Col, OH UUCP: ...!osu-cis!n8emr!cmhgate!200.3!Michael.Burton INET: Michael.Burton@p3.f200.n226.z1.FIDONET.ORG
jln@acns.nwu.edu (John Norstad) (03/26/90)
In article <46474.260AC8B9@cmhgate.FIDONET.ORG> Adam.Frix@p2.f200.n226.z1.FIDONET.ORG (Adam Frix) writes: > For reasons no one cares about, I was fiddling around in Disinfectant > 1.6 using Symantec Tools. While in the resource fork, at sector 21, > offset 97, I found the word "fuck" stuck in there. Lowercase, all by > itself. Now, this sounds real strange to me--I didn't expect this in this > product, and it really blew me away. Does anybody know the source/ > reason for this? My main worry is that despite having gotten this copy > off of CompuServe (practically guaranteed, if not absolutely guaranteed, > clean), perhaps it's been altered by someone not authorized to alter it. > I don't mean to spread panic, but this is the first thing that came to > mind, and it's managed to stick with me. > > Any help is appreciated. As others have pointed out, this is a "signature" of one of the nVIR clones. I wondered if anybody would ever discover this, and if they did, if they would get worried/upset. I considered doing some sort of mild encryption to "hide" such stuff, but never got around to it. In any case, it's definitely nothing to worry about. John Norstad Academic Computing and Network Services Northwestern University jln@acns.nwu.edu
North_TJ@cc.cut.oz.au (03/26/90)
In article <46474.260AC8B9@cmhgate.FIDONET.ORG>, Adam.Frix@p2.f200.n226.z1.FIDONET.ORG (Adam Frix) writes: > For reasons no one cares about, I was fiddling around in Disinfectant > 1.6 using Symantec Tools. While in the resource fork, at sector 21, > offset 97, I found the word "fuck" stuck in there. Lowercase, all by > itself. If you look at the sectors either side of that one you will also find the following words (amongst others): "MEV#", "nFLU", "Jude", "INIT 29", "MacMag", and "ANTI" - all ow which are the names of viruses. I would speculate that "fuck" is the name of a little-known Mac virus. Perhaps a clone of nVIR B? Tim North --------------------------------------------------------------------------- SNAIL : Dept. Computer Engineering, Curtin University of Technology. Perth. ACSnet: North_TJ@cc.cut.oz.au ---------------------------------------------------------------------------
geoff@pmafire.UUCP (Geoff Allen) (03/26/90)
hairston@henry.ece.cmu.edu (David Hairston) writes: >if you're _very_ concerned about tampering to disinfectant try to arrange >to get a copy from the source listed in the application (i.e. norstad's >home site). I believe that the first thing Disinfectant does is check itself. If it notices anything unusual about itself, it won't run. (Is this right John?) Based on this, I think you'd have a tough time running a messed up version of Disinfectant, so it's probably not worth worrying about. -- Geoff Allen \ It's so fast, it can do an infinite loop uunet!pmafire!geoff \ in 30 seconds. bigtex!pmafire!geoff \ --Brian Bechtel on the new Mac IIfx
jdevoto@Apple.COM (Jeanne A. E. DeVoto) (04/07/90)
In article <46701.2611058F@cmhgate.FIDONET.ORG> Michael.Burton@p3.f200.n226.z1.FIDONET.ORG (Michael Burton) writes: > Adam Frix wrote that he discovered a popular obscenity while >poking around in Disinfectant: > >Very likely some existing virus adds one or more resources of that type, >or by that name. This is correct. One of the nVir clones (yet another stupid clone) uses a popular obscenity beginning with the 6th letter of the alphabet as its resource type. No need to worry about Disinfectant. > Don't panic. Uh, you *do* realize that some versions of nVir say this if MacinTalk is installed? ;-) -- ====== jeanne a. e. devoto ======================================== jdevoto@apple.com | You may not distribute this article under a jdevoto@well.UUCP | compilation copyright without my permission. ___________________________________________________________________ Apple Computer and I are not authorized | CI$: 72411,165 to speak for each other. | AppleLink: SQA.TEST
Adam.Frix@p2.f200.n226.z1.FIDONET.ORG (Adam Frix) (04/09/90)
In a message of 03/26/90, North_TJ@cc.cut.oz.au (Tim North) wrote - >I would speculate that "fuck" is the name of a little-known Mac virus. >Perhaps a clone of nVIR B? Turns out that yes, such is the name of a variant found at Stanford. Clever programmers these virus idiots, eh? sheesh. --Adam-- -- Adam Frix via cmhGate - Net 226 fido<=>uucp gateway Col, OH UUCP: ...!osu-cis!n8emr!cmhgate!200.2!Adam.Frix INET: Adam.Frix@p2.f200.n226.z1.FIDONET.ORG