dplatt@coherent.com (Dave Platt) (12/19/89)
In article <25144@cup.portal.com> Armadillo@cup.portal.com (Russ Armadillo Coffman) writes:
> I always delete the Desktop file after rebooting to save over 100K disk
> space, but now it's important to do so, I'd guess, as a previously dormant,
> but infected, Desktop file would immediately infect the floppy you booted
> from, no? Si? -Russ

Correct. The Desktop file on your hard disk can act as a reservoir for a "latent" copy of WDEF, even if you're running the Desktop Manager. The latent virus can become active and infect other disks any time that you boot from a volume that doesn't have the Desktop Manager in its System folder.

A note to AppleShare administrators: it has been confirmed that the WDEF virus can spread from an infected AppleShare client to an AppleShare server under the following conditions:

1) The client is given "Make changes" access to a server volume (that is, to the server volume's root directory), AND

2) The server volume has a real "Desktop" file in it.

Under these conditions, an infected client will spread the virus to the Desktop file on the server volume. If the server's Desktop file is large, this infection process will result in _lots_ of disk activity on the server, and will apparently cause the client to "lock up" for quite some time (10-30 seconds isn't unusual).

The infected server will not, normally, be infectious itself. There are two reasons: [1] the server is usually running the Desktop Manager, and won't be accessing its own Desktop files, and [2] other, uninfected clients won't access the server's Desktop file either... their Finders will use the AFP desktop-access calls, which the server will answer using Desktop Manager information.

The infected server can become infectious any time it's booted from a floppy or other volume that doesn't use the Desktop Manager.

I'd recommend that AppleShare administrators do either or both of the following: [1] manually delete the Desktop file from their published volumes, and/or [2] remove "Make changes" permission from the root directory of the published volume, except for a small number of users who can be trusted to log in only from well-disinfected machines.

Concerning TOPS: we believe that a WDEF infection can spread from a TOPS server to a TOPS client if [1] a published volume's Desktop file is infected, AND [2] the client mounts the root directory of the infected volume. Under these conditions, the client's Finder will open the infected Desktop file on the TOPS server, and can cause the client's volumes to become infected.

It appears that the WDEF virus cannot spread from a TOPS client to a TOPS server.

--
Dave Platt
VOICE: (415) 493-8805
UUCP: ...!{ames,apple,uunet}!coherent!dplatt
DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303