c60a-3ez@web-3f.berkeley.edu (Cyrus Harmon) (11/17/88)
I am a programmer for a lab in San Francisco and we obtained a 60 Meg tape backup from CMS. The thing works fine but the problem is that our system somehow became infected with Scores. Using Interferon and ResEdit I was able to wipe out the infection, but now the tape backup program won't run properly. So, I looked at the original disk and found that it is COMPLETELY infected. So, it appears that since I just copied the tape backup program onto our hard disk and didn't use the floppy for much of anything, CMS is the source of the virus. If I can prove that the last modification of the system took place before I purchased the program, can CMS be held responsible for the damage to our system and the time that it took to rid the system of the virus? Has anyone else had similar problems with CMS?

Also, I would appreciate it if someone could mail something on how to properly transfer files from unix to the mac. I use the unix systems at UCB and would like to be able to ftp programs from remote sites, save them at UCB then transfer them to a MAC with a 1200 bps modem. Thanks.

-Cyrus Harmon
-c60a-3ez@web-3e.berkeley.edu
alexis@ccnysci.UUCP (Alexis Rosen) (11/18/88)
In article <17119@agate.BERKELEY.EDU> c60a-3ez@web-3f.berkeley.edu (Cyrus Harmon) writes:
>I am a programmer for a lab in San Francisco and we obtained a
>60 Meg tape backup from CMS. The thing works fine but the problem is
>that our system somehow became infected with Scores. [...] So, it appears that
>since I just copied the tape backup program onto our hard disk and didn't
>use the floppy for much of anything, CMS is the source of the
>virus. If I can prove that the last modification of the system
>took place before I purchased program can CMS be held responsible
>for the damage to our system and the time that it took to rid the
>system of the virus? Has anyone else had similar problems with
>CMS?

Well, I usually like CMS, but that is just inexcusably sloppy. What's more, if it really is them, they should know better, because this is NOT the first time. They distributed via their bbs, until recently, a beta release of their tape backup software. It had an inactive nVIR virus in it. I should stress that it WAS NOT INFECTED OR INFECTIOUS since their CODE 1 resource was LOCKED and therefore immune to nVIR.

Nevertheless, they knew nVIR was getting around on their systems and should have taken sufficient precautions so that SCORES couldn't get in. Really, how much effort does it take to keep Vaccine in your system folder???

----
Alexis Rosen    alexis@dasys1.UUCP or alexis@ccnysci.UUCP
Writing from    {allegra,philabs,cmcl2}!phri\
The Big Electric Cat    uunet!dasys1!alexis
Public UNIX    {portal,well,sun}!hoptoad/
cy@dbase.UUCP (Cy Shuster) (11/22/88)
In article <17119@agate.BERKELEY.EDU> c60a-3ez@web-3f.berkeley.edu (Cyrus Harmon) writes:
>I am a programmer for a lab in San Francisco and we obtained a
>60 Meg tape backup from CMS. The thing works fine but the problem is
>that our system somehow became infected with Scores. [...] So, it appears that
>since I just copied the tape backup program onto our hard disk and didn't
>use the floppy for much of anything, CMS is the source of the
>virus.

Unfortunately, we discovered nVIR in CMS's disk formatting software recently as well. Not only is a locked disk from a vendor the last place you'd think to look, but in cleaning up after a virus many people go back to format their disk! It's easy to spot, though: ResEdit will show the nVIR resource if their program is infected. And, it did no damage that we can see: it looks like it was designed to call Macintalk and say "Don't Panic" every 1,000th invocation.

Call CMS if you need a fresh copy of the formatting software. It's the worst nightmare of those of us sending out commercial releases, so we continue to take every precaution. Remember, if you boot from a floppy, you've got no Vaccine running! (unless you installed it there, too).

--Cy--
cy@dbase.UUCP (Cy Shuster) (11/22/88)
P.S. Virus RX didn't detect it, either; it DID detect when it itself became infected, though...

--Cy--
alexis@ccnysci.UUCP (Alexis Rosen) (11/23/88)
In article <479@dbase.UUCP> cy@dbase.UUCP (Cy Shuster) writes:
>Unfortunately, we discovered nVIR in CMS's disk formatting software recently
>as well. Not only is a locked disk from a vendor the last place you'd think
>to look, but in cleaning up after a virus many people go back to format their
>disk! It's easy to spot, though: ResEdit will show the nVIR resource if their
>program is infected. And, it did no damage that we can see: it looks like it
>was designed to call Macintalk and say "Don't Panic" every 1,000th invocation.

In his followup, Cy implies that this infected his disk. This seems odd to me, because when I discovered this infection (see my article from a few days back) I noticed one saving grace: All of CMS's CODE resources were protected and locked, and thus immune to infection. The file still gets a bunch of nVIR resources, but they're stillborn- not infectious.

Cy, are you SURE that the CMS software infected you? When I got bitten by nVIR I found it first in the CMS stuff and I would have thought that CMS was responsible... except that I hadn't run the program in ages. This caused me to dig deeper until I turned up the true vector, an international system I had on a floppy.

----
Alexis Rosen    alexis@dasys1.UUCP or alexis@ccnysci.UUCP
Writing from    {allegra,philabs,cmcl2}!phri\
The Big Electric Cat    uunet!dasys1!alexis
Public UNIX    {portal,well,sun}!hoptoad/
kehr@felix.UUCP (Shirley Kehr) (11/23/88)
In article <479@dbase.UUCP> cy@dbase.UUCP (Cy Shuster) writes:
<Unfortunately, we discovered nVIR in CMS's disk formatting software recently
<as well. Not only is a locked disk from a vendor the last place you'd think
<to look, but in cleaning up after a virus many people go back to format their
<disk! It's easy to spot, though: ResEdit will show the nVIR resource if their
<program is infected. And, it did no damage that we can see: it looks like it
<was designed to call Macintalk and say "Don't Panic" every 1,000th invocation.
What happens if you don't have Macintalk?
Shirley Kehr
cy@dbase.UUCP (Cy Shuster) (12/01/88)
In article <1015@ccnysci.UUCP> Alexis Rosen writes:
>Cy, are you SURE that the CMS software infected you? ...the true vector
>[was] an international system...

I just retried it to verify (for CMS's sake, as well as net accuracy) and yes, it was the CMS software that came with it:

"CMS Util (to 80MB) v3.4"
Size: 96,247 bytes
Created: Thu, Jun 23, 1988, 10:42 PM
Modified: Thu, Aug 25, 1988, 11:11 AM
Version: Copyright 1987, 1988 CMS enhancements, Inc.

With Vaccine installed, I launched the application from the original floppy, and it hung after drawing the menu bar: Vaccine had detected a problem, was unable to put up an alert, but was polling the keyboard for a "y" to allow the infection, or "n" to disallow it (read Vaccine's instructions via the Control Panel!). I typed "n" (gulp!), and the (CMS) program then continued its initialization sequence.

There was some confusion in the recent MacWeek article about how this nVIR was "renaming" files to "Throw Me In The Trash": their experience differed from ours. Here's what happened to us: my colleague Paul Springer noticed an nVIR resource in an application on his hard disk. I gave him Virus RX to run, from a locked floppy (but still booted from the hard disk). It did not detect any problems. Paul then copied the Virus Rx application to his hard disk, and launched it from there (without rebooting). He immediately got an alert saying "An infection attempt has been made on Virus Rx. If this program is not on a locked disk the name will be changed to 'Throw Me In The Trash'. Please do so." He was returned to Finder, and the Virus Rx application had indeed been renamed. (Virus Rx version 1.0A2, Sun, Apr 24, 1988, 6:00 PM, 41,151 bytes).

So while the bad news is that it didn't detect the nVIR when run from a locked floppy as directed, Virus Rx *does* detect when any modifications are attempted to it, so running it from your hard disk has that potential benefit.

Paul painstakingly tracked down the source by determining the earliest modification date of any infected application, and then trying to remember what had changed at that time. My sympathies to CMS: hopefully, through information sharing like this over the net, we can minimize future infections.

DISCLAIMER: My opinions only.

--Cy--
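Added example, not part of the original thread: the two checks described in the posts above (looking for an nVIR resource type, as ResEdit shows it, and ordering the flagged applications by modification date) done by reading the type list of a classic Mac OS resource fork. The function names, file names, dates and the map-only sample forks are constructed for illustration.

```python
import struct

def resource_types(fork: bytes) -> dict:
    """Return {type: count} read from the type list of a classic Mac OS resource fork."""
    if len(fork) < 16:
        return {}
    _data_off, map_off, _data_len, map_len = struct.unpack(">4I", fork[:16])
    rmap = fork[map_off:map_off + map_len]
    if len(rmap) < 30:                       # 28-byte map header + 2-byte type count
        return {}
    type_list_off = struct.unpack_from(">H", rmap, 24)[0]
    if type_list_off + 2 > len(rmap):
        return {}
    # The list stores "number of types minus one"; 0xFFFF means no types at all.
    n_types = (struct.unpack_from(">H", rmap, type_list_off)[0] + 1) & 0xFFFF
    found = {}
    for i in range(n_types):
        pos = type_list_off + 2 + 8 * i
        if pos + 8 > len(rmap):              # truncated or corrupt map: stop cleanly
            break
        rtype, count_minus_1 = struct.unpack_from(">4sH", rmap, pos)
        found[rtype.decode("mac_roman")] = count_minus_1 + 1
    return found

def build_fork(types):
    """Constructed test input: a fork holding only a resource map for (type, count) pairs."""
    type_list = struct.pack(">H", (len(types) - 1) & 0xFFFF)
    for rtype, count in types:
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"), count - 1, 0)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    return struct.pack(">4I", 256, 256, 0, len(rmap)) + bytes(240) + rmap

def infected_by_date(files):
    """Files whose fork lists an nVIR resource, oldest modification first.
    Presence of the type is an indicator only; it does not show the copy is infectious."""
    return sorted((mtime, name) for name, mtime, fork in files
                  if "nVIR" in resource_types(fork))

# Constructed sample volume: names, dates and resource counts are invented.
SAMPLE = [
    ("Word Processor", "1988-10-02", build_fork([("CODE", 5), ("nVIR", 8)])),
    ("Disk Utility",   "1988-08-11", build_fork([("CODE", 3), ("nVIR", 8)])),
    ("Paint Program",  "1988-09-14", build_fork([("CODE", 4), ("MENU", 2)])),
    ("Empty Fork",     "1988-07-01", build_fork([])),
]

if __name__ == "__main__":
    for mtime, name in infected_by_date(SAMPLE):
        print(mtime, name)
```

The first entry returned is the earliest-modified flagged file, which is where the tracing described in the post would start.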
fons@uxh.cso.uiuc.edu (12/03/88)
To add more fuel to the fire, a friend of mine at the University of Illinois recently purchased a cms pro 60 from Hardware House and with it came CMS Utility to 80MB. I came over to his apartment the night he unpacked the machine and indeed just about everything on his machine was infected by nVir. (He had a bunch of public domain programs that I thought initially was the problem-but his CMS source disk was infected-and it was LOCKED). It must have come from the company in that manner. Note that the CMS utility disk has a copy of the system and the Finder on it hence it CAN infect one's hard disk (resource locking on the code segment of the utility program itself is irrelevant).

In any case CMS sent a new version of the program (he had 3.4) and CMS sent a new copy v4.0. Needless to say, I promptly checked the program for him and it was NOT infected-perhaps they have learned their lesson.

Paul Fons
University of Illinois
Coordinated Science Laboratory
1101 W. Springfield Av.
Urbana, Illinois 61801 U.S.A.
email: Fons@uiucvmd.bitnet or... Fons@uxh.cso.uiuc.edu