andrew@jhereg.Minnetech.MN.ORG (Andrew Esh) (09/01/89)
After downloading a number of files and playing around with them, I started MandelZot. It put up a dialog saying that the 'Safety Seal' had been broken, and that there was a possible viral infection. "Disinfectant" showed me that there was a medium sized infection on my hard disk, starting with the Finder. It occurred on the same day I downloaded from mac.binaries, and I don't think I ran any other software.

I re-downloaded a few files and ran them, scanning for viruses in between runs, but was unable to determine which file it is. The virus is nVIR A, and can be easily cleaned up with the normal tools. I already checked Truchet, Tile, Oliver's Buttons, Sphere Demo, Menu Madness, and the Converter DA. The virus may still be hidden in those somewhere, triggering later than my test check took.

The interesting thing about all of this is the MandelZot app with its 'Safety Seal' that detects infections. Could the author of that code kindly post it so it can be incorporated into more applications?

Usually my defenses are in better shape, so normally this wouldn't have infected my disk, but it was nice to receive a little extra help from an unexpected source. Thanks, MandelZot, and please post.

- Andrew
jln@accuvax.nwu.edu (John Norstad) (09/01/89)
It is indeed a very good idea for programs to check themselves for virus infections and notify the user if one is found. It's good to see that more programs are now including this feature.

There are some very simple things that you can do. For example, simply counting the number of CODE resources in your application periodically and comparing the count to the known expected value will catch all the currently known Mac viruses except for ANTI and MacMag. Checking the sizes of the CODE resources would also catch ANTI. (MacMag doesn't infect applications, so there's not much you can do about that one).

In Disinfectant I compute two different kinds of checksums of my entire resource fork, and I have other kinds of protections against infections and tampering. This is probably going too far, and is not necessary for most programs.

We should all implement our own schemes and not try to standardize on a single technique. This will make it harder for viruses to attempt to defeat the check.

I'm convinced that if more programs had done this kind of simple checking two years ago when Mac viruses began to appear, they would never have spread so far and wide.

My correspondence shows that viruses are still spreading very rapidly and widely, especially nVIR A and B, despite all the publicity and the availability of lots of good protection INITs and detection/repair utilities (freeware, shareware and commercial). I wish there was some way to convince Mac users that they really must protect themselves against viruses. Unfortunately, it seems that people just refuse to take the problem seriously until they get infected.

Everybody should be using a protection INIT of some kind. They are really easy to install, and they're quite effective. I recommend Vaccine (free), Gatekeeper (free), or SAM Intercept (commercial). Everybody should also obtain and use at least one good detection program. I recommend Virus Rx (free), Virus Detective (shareware - $35, I think), and Disinfectant (free).

I also keep hearing stories of software companies, Mac magazines, hardware companies, bulletin board operators, etc., distributing infected software. This is really inexcusable. Please folks, scan programs with one of the tools mentioned above before shipping them or putting them up on bulletin boards or archives. It only takes a few seconds of your time.

I apologize for beating a dead horse, but I think this advice bears repeating at least occasionally.

John Norstad
Northwestern University
jln@acns.nwu.edu
MIKEA@pucc.Princeton.EDU (Michael Antolovich) (09/02/89)
In article <107@jhereg.Minnetech.MN.ORG>, andrew@jhereg.Minnetech.MN.ORG (Andrew Esh) writes:
>
> After downloading a number of files and playing around with them,
> I started MandelZot. It put up a dialog saying that the 'Safety Seal' had
> been broken, and that there was a possible viral infection. "Disinfectant"
> showed me that there was a medium sized infection on my hard disk, starting
> with the Finder. It occurred on the same day I downloaded from mac.binaries,
> and I don't think I ran any other software.

I have just calmed down after this panic. I had just downloaded MandelZot 1hr before, but all is well. There is no sign of a virus on the files I downloaded (I missed the first MandelZot Document file, is it there? Can someone send me that file, if it's clean?) Anyway, I suggest you check elsewhere for the source of the virus as well.

Michael.
amanda@intercon.uu.net (Amanda Walker) (09/02/89)
In article <107@jhereg.Minnetech.MN.ORG>, andrew@jhereg.Minnetech.MN.ORG (Andrew Esh) writes:
>
> After downloading a number of files and playing around with them,
> I started MandelZot. It put up a dialog saying that the 'Safety Seal' had
> been broken, and that there was a possible viral infection. "Disinfectant"
> showed me that there was a medium sized infection on my hard disk, starting
> with the Finder. It occurred on the same day I downloaded from mac.binaries,
> and I don't think I ran any other software.

Odd. I downloaded MandelZot from comp.binaries.mac, and it seems quite happy. GateKeeper didn't even hiccup, and Disinfectant doesn't show any problem.

My guess is that something else that you downloaded was infected, not MandelZot...

--
Amanda Walker
InterCon Systems Corporation
amanda@intercon.uu.net | ...!uunet!intercon!amanda
dce@Solbourne.COM (David Elliott) (09/03/89)
In article <1432@intercon.UUCP> amanda@intercon.uu.net (Amanda Walker) writes:
> My guess is that something else that you downloaded was infected, not
> MandelZot...

I second this. I get stuff directly from the info-mac archives, which are currently a few weeks ahead of comp.binaries.mac, and I grab a copy of everything and try it out. I haven't seen any viruses from the stuff I got. In fact, I've never seen a virus from info-mac or sumex (these folks all do a great job).

I have, on the other hand, been infected from local bbses, usually due to overworked or complacent sysops.

--
David Elliott
dce@Solbourne.COM
...!{uunet,boulder,nbires,sun}!stan!dce
"We don't do this because we love you or like you...we don't even know you!"
allbery@NCoast.ORG (Brandon S. Allbery) (09/04/89)
As quoted from <1432@intercon.UUCP> by amanda@intercon.uu.net (Amanda Walker):
+---------------
| In article <107@jhereg.Minnetech.MN.ORG>, andrew@jhereg.Minnetech.MN.ORG
| (Andrew Esh) writes:
| > After downloading a number of files and playing around with them,
| > I started MandelZot. It put up a dialog saying that the 'Safety Seal' had
| > been broken, and that there was a possible viral infection. "Disinfectant"
|
| Odd. I downloaded MandelZot from comp.binaries.mac, and it seems quite happy.
+---------------

May I point out that he didn't say MandelZot had caused it, merely that it had auto-detected an already-existing infection apparently caused by some other program from c.bin.mac? This seemed pretty clear to me.

++Brandon
--
Brandon S. Allbery, moderator of comp.sources.misc
allbery@NCoast.ORG
uunet!hal.cwru.edu!ncoast!allbery
ncoast!allbery@hal.cwru.edu
"Why do trans-atlantic transfers take so long?" "Electrons don't swim very fast." -john@minster.york.ac.uk and whh@PacBell.COM
MIKEA@pucc.Princeton.EDU (Michael Antolovich) (09/04/89)
In article <1989Sep4.000746.4183@NCoast.ORG>, allbery@NCoast.ORG (Brandon S. Allbery) writes:
> As quoted from <1432@intercon.UUCP> by amanda@intercon.uu.net (Amanda Walker):
> +---------------
> | In article <107@jhereg.Minnetech.MN.ORG>, andrew@jhereg.Minnetech.MN.ORG
> | (Andrew Esh) writes:
> | > After downloading a number of files and playing around with them,
> | > I started MandelZot. It put up a dialog saying that the 'Safety Seal' had
> | > been broken, and that there was a possible viral infection. "Disinfectant"
> |
> | Odd. I downloaded MandelZot from comp.binaries.mac, and it seems quite happy.
> +---------------
>
> May I point out that he didn't say MandelZot had caused it, merely that it had
> auto-detected an already-existing infection apparently caused by some other
> program from c.bin.mac? This seemed pretty clear to me.

That's odd, it isn't so clear after reading the Subject?

Michael.
andrew@jhereg.Minnetech.MN.ORG (Andrew Esh) (09/05/89)
Thanks go to Brandon S. Allbery, for correctly interpreting my message. Apologies to the rest of you for the lack of clarity, but I was rather exercised about the condition of my hard disk, and wanted to slam a quick blast to the net before anyone else had problems.

As I said before, in not so clear terms: MandelZot reported a virus, which my tools confirmed as nVIR A. I am pretty sure it came from comp.sys.mac.binaries. That is the only place I download from. I was unable to determine the exact source. The infection took place BEFORE I downloaded and ran MandelZot. I am still searching for the source of the infection.

- Andrew
bytebug@dhw68k.cts.com (Roger L. Long) (09/06/89)
In article <107@jhereg.Minnetech.MN.ORG> Andrew Esh writes:
> "Disinfectant"
> showed me that there was a medium sized infection on my hard disk, starting
> with the Finder. It occurred on the same day I downloaded from mac.binaries,
> and I don't think I ran any other software.

While not impossible, I find it highly unlikely that anything posted to comp.binaries.mac recently was infected. Everything posted is staged through a single machine, and I check that machine for viruses daily, using Disinfectant. In addition, while I don't always look specifically for viruses in the process of preparing postings, I'll often run Virus Detective before archiving postings.

But I do this for my protection, not yours. I wouldn't want anyone to get the idea that I in any way guarantee that postings from c.b.m. are virus-free. While I won't post anything that I find infected, and I'll post a note to comp.sys.mac if I find that I've posted anything that's infected, as well as issue a cancel message for the offending article(s), to rely on anyone but yourself to keep your machine free of infection is a gamble that I wouldn't encourage anyone to take. There are too many tools available for you not to use at least one.

I strongly object to Andrew's posting saying "something" he downloaded from comp.binaries.mac was infected. There's enough misdirected fear and panic associated with computer viruses - we don't need any more. So act responsibly and post concrete facts instead of vague rumors. As far as I know, nothing that's ever been posted to comp.binaries.mac has been infected.

--
Roger L. Long
bytebug@dhw68k.cts.com
dplatt@coherent.com (Dave Platt) (09/08/89)
In article <1432@intercon.UUCP> amanda@intercon.uu.net (Amanda Walker) writes:
> Odd. I downloaded MandelZot from comp.binaries.mac, and it seems quite
> happy. GateKeeper didn't even hiccup, and Disinfectant doesn't show any
> problem.
>
> My guess is that something else that you downloaded was infected, not
> MandelZot...

This is very probably the case. MandelZot 2.0 was clean (virus-free) when I mailed it off to the moderator back in early July, and I doubt that it could have become infected en route... the moderator simply redistributed the BinHex-encoded StuffIt file that I mailed him.

MandelZot checks itself for infection on startup, after going through the same sort of initialization process that most applications perform (calling MoreMasters a bunch of times, and initializing all of the ROM managers that it will need). The more common Mac viruses infect applications by patching some code into the manager-initialization traps (e.g. TEInit, etc.); thus, any application that calls upon these managers, and hence calls the Init routine, will become infected.

This is probably what happened in the case which started this thread. An uninfected copy of MandelZot was un-stuffed and run on an infected machine; it was infected upon startup (thus breaking the seal), and the post-startup check-for-infection sounded the alarm.

I'm glad to hear that the virus-detector actually works in practice... I was fairly sure that it would (based on some experiments by hand) but I hadn't actually wanted to unleash nVIR on my own system to make doubly sure!

--
Dave Platt                                FIDONET: Dave Platt on 1:204/444
VOICE: (415) 493-8805
UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303
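John Norstad's post above describes the cheap self-checks an application can do (count its CODE resources, compare their sizes to known values, checksum the resource fork), and Dave Platt's post explains why the check has to run after the application's own initialization: the common viruses of the day infect during the manager-init traps, so a clean binary that has just been launched on an infected machine can already be modified by the time it looks at itself. The Python script below is an added example written for this thread; it is not code from MandelZot, Disinfectant or any poster. It serializes a constructed, minimal classic Macintosh resource fork (16-byte header, length-prefixed data area, resource map with type list and reference lists, as documented in Inside Macintosh), computes a "seal" of the kind Norstad describes from a clean copy, and reports what differs in a constructed tampered copy. All resource types, IDs and payloads are constructed sample data; the tampered copy simply has a grown CODE 1 and an extra CODE resource, which is the class of change the count and size checks are meant to catch.

```python
import struct
import zlib

# Classic Macintosh resource fork layout (Inside Macintosh, Resource Manager):
#   16-byte header: data offset, map offset, data length, map length
#   resource data:  each item is a 4-byte big-endian length followed by payload
#   resource map:   24 reserved/header bytes, then 2-byte offsets (from the map
#                   start) to the type list and the name list, then the type
#                   list and the per-type reference lists (12 bytes each)
DATA_OFFSET = 256  # data conventionally starts after the 240 reserved bytes


def build_resource_fork(resources):
    """Serialize [(type, id, payload), ...] into a minimal resource fork (constructed)."""
    data_area = bytearray()
    data_offsets = []
    for _, _, payload in resources:
        data_offsets.append(len(data_area))
        data_area += struct.pack(">I", len(payload)) + payload
    order, by_type = [], {}
    for idx, (rtype, rid, _) in enumerate(resources):
        if rtype not in by_type:
            order.append(rtype)
            by_type[rtype] = []
        by_type[rtype].append((rid, data_offsets[idx]))
    type_list = bytearray(struct.pack(">H", len(order) - 1))   # count minus one
    ref_lists = bytearray()
    type_list_len = 2 + 8 * len(order)
    for rtype in order:
        refs = by_type[rtype]
        # type, (count - 1), offset of this type's reference list from type list start
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1,
                                 type_list_len + len(ref_lists))
        for rid, off in refs:
            # id, name offset (-1 = unnamed), attributes, 3-byte data offset, reserved handle
            ref_lists += (struct.pack(">hh", rid, -1) + b"\x00"
                          + off.to_bytes(3, "big") + bytes(4))
    map_head = bytes(24) + struct.pack(">HH", 28, 28 + type_list_len + len(ref_lists))
    resource_map = map_head + type_list + ref_lists
    header = struct.pack(">IIII", DATA_OFFSET, DATA_OFFSET + len(data_area),
                         len(data_area), len(resource_map))
    return header + bytes(DATA_OFFSET - 16) + bytes(data_area) + resource_map


def parse_resource_fork(fork):
    """Walk the map and return [(type, id, payload), ...] in map order."""
    data_off, map_off, _, _ = struct.unpack_from(">IIII", fork, 0)
    type_list_off, _ = struct.unpack_from(">HH", fork, map_off + 24)
    type_list = map_off + type_list_off
    (ntypes_m1,) = struct.unpack_from(">H", fork, type_list)
    out = []
    for i in range(ntypes_m1 + 1):
        rtype, nres_m1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(nres_m1 + 1):
            entry = type_list + ref_off + 12 * j
            rid, _name_off = struct.unpack_from(">hh", fork, entry)
            doff = int.from_bytes(fork[entry + 5:entry + 8], "big")
            (length,) = struct.unpack_from(">I", fork, data_off + doff)
            out.append((rtype, rid, fork[data_off + doff + 4:data_off + doff + 4 + length]))
    return out


def compute_seal(fork):
    """Record what a clean copy looks like: CODE count, CODE sizes, whole-fork CRC."""
    codes = [(rid, len(p)) for t, rid, p in parse_resource_fork(fork) if t == b"CODE"]
    return {"code_count": len(codes), "code_sizes": dict(codes), "crc32": zlib.crc32(fork)}


def check_seal(fork, seal):
    """Return a list of findings; an empty list means the seal is intact."""
    findings = []
    codes = {rid: len(p) for t, rid, p in parse_resource_fork(fork) if t == b"CODE"}
    if len(codes) != seal["code_count"]:
        findings.append(f"CODE resource count is {len(codes)}, expected {seal['code_count']}")
    for rid, size in seal["code_sizes"].items():
        if codes.get(rid) != size:
            findings.append(f"CODE {rid} size is {codes.get(rid)}, expected {size}")
    if zlib.crc32(fork) != seal["crc32"]:
        findings.append("resource fork checksum mismatch")
    return findings


# Constructed sample application: two CODE segments and a menu resource.
CLEAN_RESOURCES = [
    (b"CODE", 0, bytes(8)),                   # constructed jump-table stub
    (b"CODE", 1, b"\x4e\x56\x00\x00" * 8),    # constructed code segment
    (b"MENU", 128, b"\x00\x80\x00\x00"),
]
CLEAN_FORK = build_resource_fork(CLEAN_RESOURCES)
SEAL = compute_seal(CLEAN_FORK)  # computed once on the clean copy, stored outside the fork

# Constructed tampered copy: CODE 1 has grown and an extra CODE resource appeared.
TAMPERED_FORK = build_resource_fork([
    (b"CODE", 0, bytes(8)),
    (b"CODE", 1, b"\x4e\x56\x00\x00" * 8 + b"\x60\x00\x00\x10"),
    (b"CODE", 256, b"\x60\x00" * 20),
    (b"MENU", 128, b"\x00\x80\x00\x00"),
])

if __name__ == "__main__":
    print("clean:   ", check_seal(CLEAN_FORK, SEAL) or "seal intact")
    print("tampered:", check_seal(TAMPERED_FORK, SEAL))
```

Two design points follow from the thread. The seal is computed once on the known-good copy and kept where the checksum does not cover it (here, outside the fork entirely); if the expected values were embedded in the checked region, the checksum would have to skip those bytes. And the check should be called from the application after its initialization has finished, which is the ordering Platt describes, since a check that runs before the init traps have been called would pass on a binary that is infected a moment later. Because the scheme is trivially recomputable by anyone who knows it, Norstad's advice that each program use its own variant rather than a shared one is what keeps it useful.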
gford@nunki.usc.edu (Gregory Ford) (09/08/89)
More:

I recently did an anonymous ftp to a site in Finland (honest, I don't remember which one...128.11X.XXX.XXX - I know it helps a lot, eh?) and the file I downloaded, arcmac.ARC, an IBM ARC dearchiver, was infected with nVIR B. Luckily it didn't spread. Since I don't know the name of the system I got it from, I hope the system administrator reads this. And, maybe people should check their copy of arcmac.ARC.

--
*******************************************************************************
* Greg Ford                                 GEnie: G.FORD3                    *
* University of Southern California         Internet: gford%nunki.usc.edu@usc.edu *
*******************************************************************************
hv@chyde.uwasa.fi (Harri Valkama LAKE) (09/08/89)
In article <4992@merlin.usc.edu>, gford@nunki.usc.edu (Gregory Ford) writes:
> More:
> I recently did an anonymous ftp to a site in Finland (honest, I don't
> remember which one...128.11X.XXX.XXX - I know it helps a lot, eh?) and
> the file I downloaded, arcmac.ARC, an IBM ARC dearchiver, was infected
> with nVIR B. Luckily it didn't spread. Since I don't know the name of the
> system I got it from, I hope the system administrator reads this. And,
> maybe people should check their copy of arcmac.ARC.

I checked our site and at least here it WAS REALLY INFECTED. So anybody who got it from here please check that it doesn't spread. I removed the infected one and put a new fresh copy from Sumex available. I'll try (and must) to be more careful from now on. SORRY and once again SORRY.

--
Harri Valkama                            : email: hv@chyde.uwasa.fi (internet)
Computer Centre, University of Vaasa     :        valkama@finfun (bitnet)
P.O.BOX 700                              : voice: +358 61 248426
SF-65101 VAASA FINLAND                   : site:  128.214.12.3
andrew@jhereg.Minnetech.MN.ORG (Andrew Esh) (09/09/89)
I have found the source of the nVIR infection of my machine. It was not mac.binaries. Unbeknownst to me, someone else tried out a program on my Mac, and I found nVIR all over his machine. I was able to determine that my machine had been used by looking at the output of the Logger INIT, and recalling my shutdown time. My Mac had been restarted later, while I was out.

Because of all the furor over this, I must apologize to the moderator of mac.binaries, and to the net. My first thought was to alert users, so the spread could be halted immediately. I should have checked before posting, but the chance that someone else will use my machine is extremely low, occurring about once every three months. Sorry folks, just trying to protect you.

The tools which helped with all this were Disinfectant, Logger, and the protection code of MandelZot 2.0. My commendations to the authors of all three. Things would have gone better if I had had Vaccine or Guardian running, but I had replaced my system files without re-inoculating them. I could also have used something like DiskLock to keep the Butthead from using my disk. With all that's going on, sometimes it's tough to be right.

- Andrew