[comp.sys.mac] New WDEF Virus

jln@accuvax.nwu.edu (John Norstad) (12/07/89)

A new Macintosh virus named "WDEF" has been discovered in Belgium,
at Northwestern University, and at the University of Texas.

The WDEF virus infects the invisible "Desktop" files used by the
Finder.  Every Macintosh disk has one of these files (hard drives
and floppies).  The virus spreads from Desktop file to Desktop
file, but it does not infect applications, data files, or system
files.

The virus does not intentionally try to do any damage.  In fact,
it doesn't do anything except spread from disk to disk.

Due to a bug, the virus causes Mac IIcis to crash.  We have also
noticed unusually frequent crashes on infected Mac IIcxs, and
severe performance problems with infected AppleShare servers.
There are also other bugs in the virus which could cause problems.

You do not have to run a program for the virus to spread.

Unlike most of the other Mac viruses, the WDEF virus is not spread
via the sharing and distribution of programs, but rather via the
sharing and distribution of disks, usually floppy disks.

You can eliminate the virus from a disk by rebuilding the desktop
file (hold down the Command and Option keys while booting or while
inserting a floppy). 

Jeff Shulman, the author of Virus Detective 3.1, recommends adding
the following search string to detect the virus:

    Creator=ERIK & Resource WDEF & Any

Virus Detective can also be used to remove the virus - click on
the "Remove" button whenever the search string is matched.  This
only works if you are not using MultiFinder, and if you are
running some program other than the Finder.  Don't try this with
the other viruses - Virus Detective can only repair WDEF 
infections, not infections by the other known Macintosh viruses.

As far as we know, Virus Detective is the only virus-fighting tool
which can detect the new WDEF virus. 

Unfortunately, the virus manages to avoid detection by all of the
popular protection INITs, including Vaccine 1.0.1, GateKeeper
1.1.1, SAM Intercept 1.10, and Virex INIT 1.12.

Disinfectant 1.3, Virus Rx 1.5, SAM Virus Clinic 1.10, and Virex
2.12 also all fail to detect the virus.

We expect that many of the virus-fighting programs mentioned above
will be updated soon to deal properly with the new WDEF virus.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

jln@acns.nwu.edu
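As an added illustration of how a scanner would apply Jeff Shulman's search string (example code written for this thread, not Virus Detective's own code), here is a small Python resource-fork walker that reads the type list of a Macintosh resource fork and applies the "Creator=ERIK & Resource WDEF" rule. The creator code is passed in separately because it lives in the file's catalog entry rather than in the fork, and both sample forks are constructed inline.

```python
import struct

def build_resource_fork(resources):
    """Build a minimal resource fork (Inside Macintosh layout) from a
    {type: {id: data}} dict. Constructed sample input only."""
    data_blob, type_entries, ref_blob = b"", b"", b""
    ref_base = 2 + 8 * len(resources)          # reference lists follow the type entries
    for rtype, entries in resources.items():
        type_entries += rtype + struct.pack(">HH", len(entries) - 1, ref_base + len(ref_blob))
        for rid, payload in entries.items():
            # id, name offset (0xFFFF = unnamed), attrs<<24 | data offset, reserved handle
            ref_blob += struct.pack(">hHII", rid, 0xFFFF, len(data_blob), 0)
            data_blob += struct.pack(">I", len(payload)) + payload
    type_list = struct.pack(">H", len(resources) - 1) + type_entries + ref_blob
    # Map: 16-byte header copy, next-map handle, refnum, attrs, type-list and name-list offsets.
    map_tail = struct.pack(">IHHHH", 0, 0, 0, 28, 28 + len(type_list)) + type_list
    header = struct.pack(">IIII", 256, 256 + len(data_blob), len(data_blob), 16 + len(map_tail))
    return header + b"\0" * 240 + data_blob + header + map_tail

def resource_types(fork):
    """Return the set of 4-byte resource types named in a fork's type list."""
    map_off = struct.unpack(">I", fork[4:8])[0]
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    # The count word stores (number of types - 1); an empty fork stores 0xFFFF.
    count = (struct.unpack(">H", fork[type_list:type_list + 2])[0] + 1) & 0xFFFF
    return {fork[type_list + 2 + 8 * i:type_list + 6 + 8 * i] for i in range(count)}

def matches_wdef_rule(creator, fork):
    """The Virus Detective search string from the post: Creator=ERIK & Resource WDEF & Any.
    `creator` is the Finder creator code from the catalog entry. A Desktop file
    (creator ERIK) has no reason to carry a WDEF (window definition) resource,
    whereas the System file legitimately does, hence the creator constraint."""
    return creator == b"ERIK" and b"WDEF" in resource_types(fork)

# Constructed samples: a clean Desktop file holds only Finder bundle data; the
# "infected" one additionally carries a WDEF resource with dummy code bytes.
CLEAN_DESKTOP = build_resource_fork({b"BNDL": {128: b"\x00" * 8}})
INFECTED_DESKTOP = build_resource_fork({b"BNDL": {128: b"\x00" * 8},
                                        b"WDEF": {0: b"\x4e\x75" * 4}})
```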

chou@umn-cs.CS.UMN.EDU (Hsiang Chou) (12/08/89)

In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>
>The WDEF virus infects the invisible "Desktop" files used by the
				      ^^^^^^^^^^^^^^^
>Finder.  Every Macintosh disk has one of these files (hard drives
>and floppies).  The virus spreads from Desktop file to Desktop
>file, but it does not infect applications, data files, or system
>files.


	Do you mean these include the two DATA ONLY files, "Desktop DB"
and "Desktop DF", created by the Desktop Manager? What will happen if the
virus tries to infect a disk volume such as an AppleShare volume which has
no "Desktop" file at all but the above two files? Will a new "Desktop" file
be created, or will some equivalent information be written to those two files?
If a "Desktop" file is created, how does the virus spread, since the
"Desktop" file is never touched by the Finder or Desktop Manager on such a
volume?


>Due to a bug, the virus causes Mac IIcis to crash.  We have also
>noticed unusually frequent crashes on infected Mac IIcxs, and
>severe performance problems with infected AppleShare servers.
>There are also other bugs in the virus which could cause problems.

	It seems to me that those two files are corrupted in an infected
AppleShare volume.

>You do not have to run a program for the virus to spread.
>
>Unlike most of the other Mac viruses, the WDEF virus is not spread
>via the sharing and distribution of programs, but rather via the
>sharing and distribution of disks, usually floppy disks.

	I think the Finder must play a role here. After all, who will
initiate access to the Desktop file besides the Finder?

-- 
Chih-Hsiang Chou	chou@umn-cs.cs.umn.edu
Department of Computer Science
University of Minnesota