ajq@mace.cc.purdue.edu (John O'Malley) (12/09/89)
In article <3270@hub.UUCP> 6600pete@hub.UUCP (Pete Gontier) writes:
> In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>>The WDEF virus infects the invisible "Desktop" files used by the
>>Finder.
>
>Now think about this: a WDEF can do anything it damn well pleases; it can
>write a file or draw a window or both.

It's doubtful, but I may have discovered a symptom of the WDEF virus.

A few days ago I posted a note describing a problem I had on my Mac II with font sizes not showing up in the appropriate menu typeface. (Even installed font sizes showed up in Chicago 12 plain on pull-down menus of some programs when in MultiFinder.)

Skeptical about Eradicator!, I downloaded it and installed it on my Mac II. Sure enough, it beeped three times after the Mac was restarted.

But now my font size menu problem seems to have gone away. Font sizes now appear on menus correctly (in Chicago 12 plain when uninstalled, outline when installed).

Not being a programmer, I don't know if my problem could have been related in any way to the Desktop file. But the problem went away immediately after I installed Eradicator!. Comments?

> Programmers crawl the Desktop file all the time. WDEF's do NOT belong
> there.

My officemate has a Mac SE, and even though we're networked, we share floppies often. Eradicator! reportedly bombs on 68000s, so I instead looked in his Desktop file with ResEdit. It *did* have a "WDEF = 0" resource. He didn't have any font menu problems. Once the Desktop was rebuilt, WDEF was gone.

>Norstad tells me in mail he's already got a fix in Disinfectant 1.4 for this
>thing.

So what should people do who manage both Mac SE labs and Mac II labs? Put Eradicator! on only the II's? We have a Mac dedicated to virus-checking in our II lab (a public lab), but that Mac is, unfortunately, an SE. Should I just wait for Disinfectant 1.4?

-John
---
John O'Malley          / Macintosh  / Purdue University / (317)
ajq@mace.cc.purdue.edu / Specialist / Computing Center  / 494-1787
gwk@mentor.cc.purdue.edu (Tom Arnold) (12/09/89)
In article <3676@mace.cc.purdue.edu> ajq@mace.cc.purdue.edu (John O'Malley) writes:
>[...] Eradicator! reportedly bombs on 68000s, so I instead
>looked in his Desktop file with ResEdit. It *did* have a "WDEF = 0"
>resource. He didn't have any font menu problems. Once the Desktop was
>rebuilt, WDEF was gone.

I bounced this idea off of John, now I'm curious about what others think. Instead of trying to obtain a copy of Eradicator!, wouldn't it be simpler to just rebuild the DeskTop at boot (ie: hold down the option & command keys during startup)?? Maybe this is too simplistic... John pointed out that there are some drawbacks, like losing GetInfo information for example. When rebuilding the DeskTop it only keeps things it "thinks" it'll use, so sometimes one can lose icons some applications did use. This results in a generic icon in place of the original. Double edged sword, I guess.

>John O'Malley          / Macintosh  / Purdue University / (317)
>ajq@mace.cc.purdue.edu / Specialist / Computing Center  / 494-1787

Tom Arnold !(a Mac Specialist)
Purdue University
gwk@mentor.cc.purdue.edu
shadow@ronin.us.cc.umich.edu (Joe Mullaney) (12/09/89)
Hi, I'm here at the University of Michigan. I have found the WDEF on every desktop file that I have examined. I couldn't tell you if it is a real virus or not, but it is definitely here. I found out about WDEF before I found out about Eradicator, and have not yet downloaded it. Has anyone figured out if this thing does anything but copy itself from disk to disk?

-Joe
dplatt@coherent.com (Dave Platt) (12/09/89)
In article <3676@mace.cc.purdue.edu> ajq@mace.cc.purdue.edu (John O'Malley) writes:
> It's doubtful, but I may have discovered a symptom of the WDEF virus.
>
> A few days ago I posted a note describing a problem I had on my Mac II
> with font sizes not showing up in the appropriate menu typeface. (Even
> installed font sizes showed up in Chicago 12 plain on pull-down menus
> of some programs when in MultiFinder.)
>
> Skeptical about Eradicator!, I downloaded it and installed it on my
> Mac II. Sure enough, it beeped three times after the Mac was restarted.
>
> But now my font size menu problem seems to have gone away. Font sizes now
> appear on menus correctly (in Chicago 12 plain when uninstalled, outline
> when installed).

This might very well be related to WDEF. We don't yet understand all of its effects; some of them may be rather chaotic. The commonest symptom of WDEF infection seems to be crashes during "Save" operations.

> So what should people do who manage both Mac SE labs and Mac II labs? Put
> Eradicator! on only the II's? We have a Mac dedicated to virus-checking
> in our II lab (a public lab), but that Mac is, unfortunately, an SE.
> Should I just wait for Disinfectant 1.4?

In the short term, you can disinfect your SEs' hard disks by using VirusDetective with the added search-string that Jeff Shulman has recommended (Creator=ERIK & Resource WDEF & Any). Run VirusDetective under an application _other_ than the Finder, and leave it in the "Disinfect floppies when inserted" mode... and ensure that your users run their diskettes through before inserting them into any other SE. [And, of course, cut a P/O for the shareware fee if you haven't done so already... Jeff does good work and deserves support].

You can certainly wait for Disinfectant 1.4, if you prefer. However, I'd recommend that you clean up ASAP... don't wait unless you absolutely must. There's reason to believe that the WDEF virus causes crashes during Save operations in a number of popular applications... and this is a really lousy thing to have occurring during the last week or two of the fall academic quarter, when so many term papers must be finished and printed.

A new version of Eradicator! may appear in the near future... one which would run correctly on an SE or Plus. If one is released, I'm sure it will be posted to comp.sys.mac or comp.binaries.mac quite quickly.

--
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt   DOMAIN: dplatt@coherent.com
  INTERNET:       coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
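
[Added example, not part of any poster's message and not code from VirusDetective, Disinfectant or Eradicator!: the check discussed above (a Desktop file, creator ERIK, that carries a WDEF resource) written as a Python parser for the classic Mac OS resource-fork layout. It assumes the fork's bytes have already been extracted from the volume; the function names and both sample forks are constructed for this example, and reading "Any" as "any resource ID" is an assumption.]

```python
import struct

def list_resources(fork: bytes):
    """Return [(type, id, size)] for each resource in a classic Mac OS resource fork."""
    try:
        data_off, map_off, data_len, map_len = struct.unpack(">4I", fork[:16])
        if data_off + data_len > len(fork) or map_off + map_len > len(fork):
            raise ValueError("header offsets point outside the fork")
        rmap = fork[map_off:map_off + map_len]
        (type_list_off,) = struct.unpack(">H", rmap[24:26])
        tl = rmap[type_list_off:]            # reference-list offsets are relative to here
        n_types = (struct.unpack(">H", tl[:2])[0] + 1) & 0xFFFF   # stored as count - 1
        found = []
        for i in range(n_types):
            rtype, n_minus1, ref_off = struct.unpack(">4sHH", tl[2 + 8 * i:10 + 8 * i])
            for j in range(n_minus1 + 1):
                ref = tl[ref_off + 12 * j:ref_off + 12 * j + 8]
                rid, _name_off, attr_off = struct.unpack(">hHI", ref)
                pos = data_off + (attr_off & 0xFFFFFF)   # top byte holds attributes
                (size,) = struct.unpack(">I", fork[pos:pos + 4])
                found.append((rtype.decode("mac_roman"), rid, size))
        return found
    except struct.error as exc:
        raise ValueError("truncated or malformed resource fork") from exc

def wdef_in_desktop(fork: bytes, creator: bytes):
    """Resources matching 'Creator=ERIK & Resource WDEF & Any' (any ID: assumption)."""
    if creator != b"ERIK":
        return []
    return [r for r in list_resources(fork) if r[0] == "WDEF"]

def build_sample_fork(resources):
    """CONSTRUCTED test input: pack [((type, id), body)] into a minimal fork."""
    data, by_type = b"", {}
    for (rtype, rid), body in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body
    type_list, ref_lists = struct.pack(">H", len(by_type) - 1), b""
    for rtype, refs in by_type.items():
        ref_off = 2 + 8 * len(by_type) + len(ref_lists)
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1, ref_off)
        for rid, off in refs:
            ref_lists += struct.pack(">hHII", rid, 0xFFFF, off, 0)
    map_len = 28 + len(type_list) + len(ref_lists)
    header = struct.pack(">4I", 16, 16 + len(data), len(data), map_len)
    rmap = header + struct.pack(">IHHHH", 0, 0, 0, 28, map_len) + type_list + ref_lists
    return header + data + rmap

# Constructed samples; the WDEF body is placeholder bytes, not virus code.
CLEAN = build_sample_fork([((b"ICN#", 128), b"\0" * 256), ((b"FREF", 1), b"note")])
WITH_WDEF = build_sample_fork([((b"ICN#", 128), b"\0" * 256), ((b"WDEF", 0), b"placeholder")])
```
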
kaufman@Neon.Stanford.EDU (Marc T. Kaufman) (12/09/89)
Yet another reason to use the Desktop Manager. Too bad Apple is suppressing its use for other than Appleshare servers (well, at least strongly recommending that people don't use it).

Marc Kaufman (kaufman@Neon.stanford.edu)
hammen@csd4.csd.uwm.edu (Robert J. Hammen) (12/09/89)
In article <1989Dec9.074425.18666@Neon.Stanford.EDU> kaufman@Neon.Stanford.EDU (Marc T. Kaufman) writes:
>Yet another reason to use the Desktop Manager. Too bad Apple is suppressing
>its use for other than Appleshare servers (well, at least strongly recommending
>that people don't use it).

I was wondering about this. How susceptible is a Mac running the Desktop Manager? Particularly if none of the attached HD's have "real" Desktop files? Not being intimately familiar with how the Desktop Manager handles floppies, wouldn't it still be possible for floppies to become infected?

Desktop Manager will be "officially" supported in 7.0. Too bad it's been such an "unofficial" hack for too long (though Apple is starting to come around - they fixed Finder 6.1.4 so that it now will close the Desktop DB and Desktop DF files). It works so much better than the "old" desktop file... unless you have a ton of downloadable PostScript fonts (file copies become very slow, until you eventually crash the machine).

Robert
macman@wpi.wpi.edu (Christopher Silverberg) (12/10/89)
Organization: Worcester Polytechnic Institute, Worcester, MA

TA> Instead of trying to obtain a copy of Eradicator!, wouldn't it be
TA> simpler to just rebuild the DeskTop at boot (ie: hold down the
TA> option & command keys during startup)?? Maybe this is too
TA> simplistic... John pointed out that there are some drawbacks, like
TA> losing GetInfo information for example. When rebuilding the
TA> DeskTop it only keeps things it "thinks" it'll use, so sometimes
TA> one can lose icons some applications did use.

That sounds reasonable to me. I usually rebuild my desktop when I do my backups, and I've never had a problem with lost icons. And the Get Info box is of no value to me. (at least on my hard drive).

But IS this a viable solution? Anyone?
--
==============================================================================
 (.)   (.)  |  Chris Silverberg, WPI Box 719  |  BBS Sysop: Main Street U.S.A
     u      |  USENET: macman@wpi.wpi.edu     |  2400 baud - (508) 832-7725
   \___/    |  BITNET: macman@wpi.bitnet      |  Fido: 322/575 - Second Sight BBS
borton@fwi.uva.nl (Chris Borton) (12/10/89)
hammen@csd4.csd.uwm.edu (Robert J. Hammen) writes:
>In article <1989Dec9.074425.18666@Neon.Stanford.EDU> kaufman@Neon.Stanford.EDU (Marc T. Kaufman) writes:
>>Yet another reason to use the Desktop Manager. Too bad Apple is suppressing
>>its use for other than Appleshare servers (well, at least strongly
>>recommending that people don't use it).

>I was wondering about this. How susceptible is a Mac running the Desktop
>Manager? Particularly if none of the attached HD's have "real" Desktop
>files? Not being intimately familiar with how the Desktop Manager handles
>floppies, wouldn't it still be possible for floppies to become infected?

The DeskTop manager builds and references its own database files instead of the DeskTop file on volumes larger than 1.4M (FDHD). So, the answer to your question is yes.

I personally have been using the DeskTop Manager for months and love it. I occasionally lose a document/application connection, but the second try at double-clicking works every time. The speed improvement on file copying is dramatic (imagine "Updating the DeskTop file" flashing by so quickly you don't have time to read it).

-cbb
Chris Borton borton@fwi.uva.nl
Mac Developer & AppleTalk Network Administrator, University of Amsterdam CS
ralph@cbnewsj.ATT.COM (Ralph Brandi) (12/10/89)
In article <41538@improper.coherent.com> dplatt@coherent.com (Dave Platt) writes:
>A new version of Eradicator! may appear in the near future... one which
>would run correctly on an SE or Plus. If one is released, I'm sure it
>will be posted to comp.sys.mac or comp.binaries.mac quite quickly.

I believe that the new version is already out. I saw it today on CompuServe. I didn't download it, but I'm sure someone trustworthy like John Norstad will be posting it in the next day or two.
--
Ralph Brandi     ralph@lzfme.att.com     att!lzfme!ralph

Work flows toward the competent until they are submerged.
aloh@volcano.Berkeley.EDU (Andy Loh) (12/10/89)
I downloaded WindChooser 1.12 from comp.binaries.mac and installed it. It started fine with NeXT windows, etc. But after looking at it via the control panel, Vaccine (version 1.0) went off when I tried to close the control panel window. Even when I denied permission, strange things happened to my screen. As was mentioned in an earlier posting, the title bar and menu font changed from Chicago 12 plain to some small, weird font. In addition, the font for the name of the disk changed to Chicago 12 plain. If I click on the disk icon, it changes back to normal, but if I click on the menus, it still stays in that weird font.

Is this normal for WindChooser, or is it that WDEF virus? I didn't even change anything in the control panel. I have a 512Ke, system 6.0.3, control panel 3.1, and inits: Moire, Vaccine, and REZ. By the way, REZ didn't see anything. Any suggestions?

Andy Loh (aloh@ocf.berkeley.edu)
allbery@ncoast.org (Brandon S. Allbery) (12/11/89)
In article <282@fwi.uva.nl> borton@fwi.uva.nl (Chris Borton) writes:
>In article <1989Dec9.074425.18666@Neon.Stanford.EDU> kaufman@Neon.Stanford.EDU (Marc T. Kaufman) writes:
>>Yet another reason to use the Desktop Manager. Too bad Apple is suppressing
>>its use for other than Appleshare servers (well, at least strongly
>>recommending that people don't use it).
>
>The DeskTop manager builds and references its own database files instead of
>the DeskTop file on volumes larger than 1.4M (FDHD). So, the answer to your
>question is yes.

Where can I get this? Is it on one of the System Software disks in some hidden spot, or do I have to buy something, or ???

++Brandon
--
Brandon S. Allbery    allbery@NCoast.ORG, BALLBERY (MCI Mail), ALLBERY (Delphi)
uunet!hal.cwru.edu!ncoast!allbery ncoast!allbery@hal.cwru.edu bsa@telotech.uucp
*(comp.sources.misc mail to comp-sources-misc[-request]@backbone.site, please)*
*Third party vote-collection service: send mail to allbery@uunet.uu.net (ONLY)*
expnet.all: Experiments in *net management and organization. Mail me for info.
ajq@mace.cc.purdue.edu (John O'Malley) (12/12/89)
Christopher Silverberg writes:
>Tom Arnold writes:
>TA> Instead of trying to obtain a copy of Eradicator!, wouldn't it be
>TA> simpler to just rebuild the DeskTop at boot (ie: hold down the
>TA> option & command keys during startup)??
>
>But IS this a viable solution? Anyone?--

Rebuilding the Desktop will certainly rid that particular disk of the WDEF virus. But your Desktop will be left susceptible to reinfection ... and you only need to insert an infected disk to get the virus again.

John Norstad has said not to use the current version of Eradicator! since it's too buggy for any Mac system. I'm looking forward to an updated version. Meanwhile, we can check disks ahead of time with Disinfectant 1.4.

-John
---
John O'Malley          / Macintosh  / Purdue University / (317)
ajq@mace.cc.purdue.edu / Specialist / Computing Center  / 494-1787
wiseman@tellab5.TELLABS.COM (Jeff Wiseman) (12/12/89)
In article <5737@mentor.cc.purdue.edu> gwk@mentor.cc.purdue.edu (Tom Arnold) writes:
>I bounced this idea off of John, now I'm curious about what others think.
>Instead of trying to obtain a copy of Eradicator!, wouldn't it be simpler
>to just rebuild the DeskTop at boot (ie: hold down the option & command keys
>during startup)?? Maybe this is too simplistic... John pointed out that
>there are some drawbacks, like losing GetInfo information for example....

I have seen this commonly mentioned on the net that when rebuilding the desktop you lose your getinfo information. However, in the last year or so, I don't remember anybody mentioning that there is a way around this problem.

If you take a trusty copy of ResEdit and open your desktop file, you will find that there is a single resource in there that contains all of the GetInfo texts (please forgive me, I have the name of the resource at home and not with me but it is not too hard to find which one it is just by poking around). Anyway, do a copy and paste the resource into another file just to hold it for awhile. Then rebuild your desktop and afterward go back and get your resource and cut and paste it back into the desktop.

I have done this several times and it seems to work ok. I think that one of the side effects is that if the resource is big, it stays big but the desktop operations in general still speed up.

I got the info on how to do this from my LaCie Silverling manual. If anyone knows whether or not there are any significant side effects in this procedure, I would be interested in hearing about it. Especially with the potential of a new "nasty" resource floating around!
--
Jeff Wiseman: ....uunet!tellab5!wiseman OR wiseman@TELLABS.COM
jmunkki@kampi.hut.fi (Juri Munkki) (12/12/89)
If you are unwilling to use the INIT that I posted, you could try a very simple cure to the problem by installing Apple's WDEF 0 from the System file to the Desktop file. You could try to make it locked so that the virus will not replace it with its own copy.

Disclaimer: I don't have a copy of the WDEF virus, since our university appears to be free of it, but the above method should work, if the information posted here is correct and my theory on how the virus works is correct.

I recommend trying my init. If you discover that it works, please let me know. I'll write a new one, if you have problems with the current version. At least I'll be prepared when the virus arrives in Finland.

_._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._._
|     Juri Munkki jmunkki@hut.fi  jmunkki@fingate.bitnet        I Want   Ne   |
|     Helsinki University of Technology Computing Centre        My Own   XT   |
^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
lrccon@ux.acss.umn.edu (Philip Arny) (12/12/89)
Please tell me -- where can I get the current version of Disinfectant? I went onto CompuServe yesterday, and couldn't find it: where do virus discussions take place there? Or, where is an FTP site that carries Ver. 1.4?

Philip Arny
Bio-Medical Library, U of MN