jln@accuvax.nwu.edu (John Norstad) (12/10/89)
Disinfectant 1.4 is a new release of our free Macintosh virus detection and repair utility.

Version 1.4 detects and repairs infections by the new WDEF virus (see below).

In version 1.4 we no longer refer to the various clones of the nVIR B virus by name. We refer to them simply as generic "clones of nVIR B." All references to the individual clone names have been removed from both the document and the reports generated by the program. We feel that the creators of these clones do not deserve the publicity they receive when they see the names they have chosen in print, especially since some of the names are offensive.

Disinfectant 1.4 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It has also been posted to comp.binaries.mac, info-mac, and CompuServe, and should be available from those sources soon.

The following text is extracted from the new section on WDEF in Disinfectant's online document. It describes what we know to date about this new virus.

The WDEF virus was first discovered in December, 1989 in Belgium and in one of our labs at Northwestern University. It has also been reported at several other major US universities, so we fear that it may be widespread. We also have reason to believe that the virus has been in existence since at least mid-October of 1989.

WDEF only infects the invisible "Desktop" files used by the Finder. With a few exceptions, every Macintosh disk (hard drives and floppies) contains one of these files. WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it is not spread through the sharing of applications, but rather through the sharing and distribution of disks, usually floppy disks.

WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread.

Although the virus does not intentionally try to do any damage, WDEF contains bugs which can cause very serious problems. In particular, one bug in the virus causes the Mac IIci to crash. We have also noticed unusually frequent crashes on infected Mac IIcxs, and severe performance problems with infected AppleShare servers. Several people have also reported frequent crashes when trying to save files, and we have two reports that the virus can damage disks.

When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder the Desktop files are always "busy," and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message.

Unfortunately, none of the current versions of the most popular virus prevention tools are effective against the WDEF virus. This includes Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12. However, by the time you read this, it is very likely that new versions of these tools will have been released. Symantec and HJC are preparing new releases of their products, and we expect that a free prevention tool or tools will also be available soon.

This version of Disinfectant is being released only a few days after the discovery of the WDEF virus. We do not yet understand it as thoroughly as we do the other older viruses. We have disassembled it completely, and we understand the basic replication mechanism. We know that it can cause serious problems, and we know why it causes some of the problems. Research into the behavior and adverse effects of this virus will continue for some time.

You should keep in touch with your local Mac user group or bulletin board for more information about this new virus as it becomes available. Commercial online services like CompuServe and Genie and the Macintosh trade press publications like MacWeek are also good sources of information.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink: A0173