jap2_ss@uhura.cc.rochester.edu (The Mad Mathematician) (10/07/89)
The following is a copy of the message sent to others on our campus about the reported virus.

When it first appears, it's just a form of the nVIR virus which AntiPan works very well to eradicate. But it seems to be a self modifying code which causes it to mutate to an unrecognizable form. SO, what do we do about it, you ask? Well, we have had exceedingly good success in both TAGGING and ERADICATING the virus with a program called SYMANTEC ANTI-VIRUS CLINIC. If the virus is tagged, it can be eradicated with AntiPan, or it can be eradicated with SAM, the SYMANTEC ANTI-VIRUS CLINIC. So when people bring you their disks to have checked, please run SAM on them. It's very easy, there will be instructions at the desk.

Please note that no other programs could find it, including Disinfectant, Virex, Virus Rx, Virus Detective, or Interferon. Vaccine did not stop it. I will try Gatekeeper as soon as someone gives me a copy (grrr.) I will also distribute copies of an infected system at that time. This version does not show up as a resource added named nVIR, and attacked a System that was supposedly nVIR immune, and had Vaccine installed.

This is not an endorsement of any of the above products.

About the Macwight/Macwite situation: since the first posting I have been unable to find any more changed copies. The STR 801 resource can be the result of a bug in Macwrite 5.0, or of a Macwrite with font information installed. However, I know of no bugs that rewrite ICN resources or application names. I will continue to search.

The Mad Mathematician
jap2_ss@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)
jrk@sys.uea.ac.uk (Richard Kennaway) (10/12/89)
We have not seen any symptoms of the MacWrite-attacking MacWight virus at this site, but on seeing the messages about it, I started looking for STR 801 resources. I doubt if they have anything to do with the virus. A scan of my hard disc showed that something like half the MacWrite docs had STR 801 in them. There didn't seem to be any pattern in which files had STR 801 and which didn't. The STR 801s are not all the same size, BTW. Opening a file which did not have it with MacWrite4.6M had the effect of adding a STR 801.

In response to a local enquiry, a colleague said:

> I don't have all that many MacWrite docs. on my hard disc, but I managed
> to find a few that I created about two years ago. They had STR id. = 801
> resources. As far as I can remember, I haven't touched them since
> Christmas '87 (other than copying the folder [that contains the folder ...]
> that contains them, in the Finder, and running Disinfectant).
>
> I've also just looked at the MacWrite floppy that came with a new Mac+
> about two years ago. As far as I can remember this disc has been
> languishing in its box since a day or two after the machine arrived: the
> "Sample Memo" doc. on this disc also has a STR id. = 801 resource on it.

I suspect that STR 801 is legitimately used by newer versions of MacWrite for its own inscrutable purposes. Disclaimer: only Apple or Claris can make a definitive pronouncement.

Paranoid speculation follows. Maybe someone is using the Joker's trick. There could be several infected applications out there, all quietly spreading harmless-looking things like STR 801 that don't ring GateKeeper's alarms, but when they all come together in one application, the real virus is triggered...

Plug for Virus Detective: with this it was easy to search for all files containing STR 700 (legitimate MacWrite resource) or STR 801. All the other virus detectors I've seen have the symptoms to look for hard-wired. I have no relationship with the author other than being a satisfied customer.

--
Richard Kennaway
SYS, University of East Anglia, Norwich, U.K.
Janet: kennaway@sys.uea.ac.uk
uucp: ...mcvax!ukc!uea-sys!jrk
chrisj@ut-emx.UUCP (Chris Johnson) (10/12/89)
I posted an article on this STR resource 801 in MacWrite documents business several days ago to comp.virus, but it hasn't appeared yet. Here's a short form version...

You can *expect* to find two STR resources in MacWrite files created by (at least) versions 4.5 and 4.6 (probably a few other versions, too). The IDs of these resources will be 700 and 801. They belong there.

To quote from an old copy of Tech. Note #12, "Disk Based MacWrite Format":

"FONT MAPPING - In the document's resources is a resource of type STR with the ID #801. It contains a mapping of font resource IDs and information on real fonts...."

STR 700, by the way, is a table containing the fifteen most commonly used letters in the language of the MacWrite that created the document. It's used by MacWrite for nibble-wise text compression and decompression.

I hope this helps to dispel a bit of paranoia... :-)

----Chris (Johnson)
----Author of GateKeeper
----chrisj@emx.utexas.edu
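The resource search described in the two posts above (list a file's resources by type and ID, then treat STR 700 and STR 801 as expected MacWrite resources) can be sketched as follows. This is an added example, not part of the original thread; the parser follows the classic Mac OS resource fork layout, and `build_fork`, the labels and the sample payloads are constructed for illustration.

```python
import struct

# Per the thread: MacWrite writes STR 700 and STR 801 into its own documents;
# the original nVIR strain adds resources of type nVIR.
BENIGN = {(b"STR ", 700), (b"STR ", 801)}
SUSPECT_TYPES = {b"nVIR"}

def list_resources(fork):
    """Return [(type, id, length)] parsed from a classic Mac OS resource fork."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("truncated resource fork")
    tlist = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    n_types = (struct.unpack_from(">H", fork, tlist)[0] + 1) & 0xFFFF  # stored as count-1
    found = []
    for t in range(n_types):
        rtype, n_minus1, refs = struct.unpack_from(">4sHH", fork, tlist + 2 + 8 * t)
        for r in range(n_minus1 + 1):
            rid, _name, attr_off = struct.unpack_from(">hHI", fork, tlist + refs + 12 * r)
            pos = data_off + (attr_off & 0xFFFFFF)  # low 24 bits: offset into data area
            found.append((rtype, rid, struct.unpack_from(">I", fork, pos)[0]))
    return found

def triage(fork):
    """Map (type, id) -> 'suspect' | 'expected' | 'review'."""
    return {(t, i): "suspect" if t in SUSPECT_TYPES else
                    "expected" if (t, i) in BENIGN else "review"
            for t, i, _ in list_resources(fork)}

def build_fork(resources):
    """Build a minimal fork from [(type, id, payload)] (constructed test data)."""
    data, by_type = b"", {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    types, refs = b"", b""
    ref_base = 2 + 8 * len(by_type)  # reference lists follow the type entries
    for rtype, items in by_type.items():
        types += struct.pack(">4sHH", rtype, len(items) - 1, ref_base + len(refs))
        for rid, off in items:
            refs += struct.pack(">hHII", rid, 0xFFFF, off, 0)  # no name, attrs 0
    body = struct.pack(">H", len(by_type) - 1) + types + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(body)) + body
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header.ljust(256, b"\0") + data + rmap

# Constructed samples: a MacWrite-style document and a file carrying an nVIR resource.
CLEAN = build_fork([(b"STR ", 700, b"letters"), (b"STR ", 801, b"fonts")])
INFECTED = build_fork([(b"STR ", 801, b"fonts"), (b"nVIR", 1, b"\0\0")])
```

Type and ID matching only finds what is on the list: the first post describes a variant that does not add a resource named nVIR, so a clean result here says nothing about such a variant.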
jap2_ss@uhura.cc.rochester.edu (The Mad Mathematician) (10/12/89)
I should have a copy of an infected program sometime today. I will be emailing it to the following people, and any others who request it.

Atul Butte        atul@brownvm.bitnet atul@brownvm.brown.edu
John Norstad      jln@acns.nwu.edu
Robert J Woodhead trebor@biar.UUCP
Ken Walter        ken@claris.com
Paul Cozza
Jeff Shulman      SHULMAN@SDR.SLB.COM

If your address is wrong, please correct it.

Re: the Macwite virus. Since my first report we have seen no other copies of this change in Macwrite. We are still trying to find one, and know it exists, but are unable to locate a copy. My copy is missing. Also, the STR 801 resource is sometimes created by Macwrite itself. However, Macwrite does not change its own name nor alter its own ICN resources, which also happened.

As I said, I will send copies of infected applications as soon as I get one. Thank you for your patience.

Joseph Poutre (The Mad Mathematician)
jap2_ss@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)