michael@crash.cts.com (Mike Durler) (10/29/88)
Hi everyone...

Recently, for some unknown reason (I'm not sure what was the source of the bug), my Macintosh Plus computer was infected by one of those stupid virus programs. I had some virus detective programs available so I was able to remove the bad resources, but when I did, it destroyed the program so I would have to replace it with a new copy. At last count, the virus that I had infected 73 programs on my hard disk.

What I need to ask is would someone please post (in BinHex 4.0 format) any good vaccine or virus detector programs that could help me from getting in this situation again. Also, could anybody specify any "known" programs that are actually virus programs in disguise. I've heard of a couple of these and I don't want to infect my hard disk any more.

You can post your message either to me in private mail, or to the net in the "comp.binaries.mac" newsgroup. Though, posting it in the newsgroup might be better because it will get better distribution.

Thanks in advance...

Mike Durler (..!sdcsvax!crash!michael)
--
===============================================================================
! Mike E. Durler   {hplabs!hp-sdd, akgua, sdcsvax, nosc.mil}!crash!michael    |
| ARPA: crash!michael@nosc.ARPA     and at grocery shelves everywhere...      |
|                                                                             |
| "Will the person owning Starspeeder License Number THX1138 please move      |
|  your craft, you are parked in a no-hover zone" - "Star Tours"              |
===============================================================================

macman@ethz.UUCP (Danny Schwendener) (10/31/88)
There is currently no known PD program that is explicitly a virus carrier. Sometimes a program gets infected and is uploaded to a BBS. This was the case, for example, of Stuffit 1.21, as an infected version of that program has been uploaded to a Texan BBS. HOWEVER, THIS WAS A LOCAL INFECTION. This virus never made it far outside Texas, and was discovered just a few days after it was uploaded.

Really important in that business is the Leitmotiv "Don't Panic". We are at the fourth nVIR wave on our site, because some institutes just don't care about disk hygiene until they are struck by a virus themselves. But then, it is already (almost) too late...

There is a virus discussion list on BITNET and I encourage everybody who has access to that net to sign up. Send the following interactive message to LISTSERV@LEHIIBM1.BITNET:

    SUBSCRIBE VIRUS-L "Your full name"

Below is a list of the virus detection/killer programs I know of, with a short description of what they're doing. I have Vaccine CDEV, Interferon, Virus-Rx, KillScores, VirusDetective, VCheck, nVIR Vaccine and Ferret, but I really only use Vaccine CDEV and Interferon as detection programs, and one of the killer programs if it really gets tough (KillScores, nVIR Vaccine). Oh, and the Dukakis vaccine, of course, which you have to install only once in your Home stack.

The documentation has been written by Joe McMahon and is available as a HyperCard stack.
By the way, Joe's address is:

Code 631                            Bitnet    : XRJDM@SCFVM
NASA/Goddard Space Flight Center    CompuServe: 72330,554
Greenbelt, MD 20771

-- Danny
+-----------------------------------------------------------------------+
| Mail    : Danny Schwendener, ETH Macintosh Support                    |
|           Swiss Federal Institute of Technology, CH-8092 Zuerich      |
| Bitnet  : macman@czheth5a      UUCP  : {cernvax,mcvax}ethz!macman     |
| Internet: macman@ifi.ethz.ch   Voice : yodel three times              |
+-----------------------------------------------------------------------+

-------------------------------Text follows --------------------------------

Product name: Vaccine 1.0
Author: Don Brown, CE Software
Price: Free
Agreements: No fee must be charged for Vaccine and it must not be modified.
Class: Automatic, general prevention.

Vaccine is a CDEV and designed to provide "partial protection from worms and viruses." It does this by trapping attempts to write executable resources to any file on your system. Vaccine will respond to any such attempt by displaying a dialog showing the resource type which is being added and the file to which it is being added. The user may either prevent or allow this access.

---------------------------

Product name: Interferon 3.1
Author: Robert Woodhead
Price: Free (optional donation; see details)
Agreements: Copyrighted, but permission given to reproduce and distribute.
Class: Manual, general detection. File deletion.

Interferon 3.1 is a "search, report and destroy" application. It recognizes the known viruses, and can delete files which are deemed to be infected. Interferon is probably the most comprehensive of the virus-checking programs. It is set up to check likely areas for invasion by new viruses in addition to checking for known ones.

---------------------------

Product name: Virus Rx
Author: Apple Computer
Price: Free
Agreements: Copyrighted, but may be distributed freely.
Class: Manual, general detection.

Virus Rx scans for common symptoms of viral attack, such as INIT, RDEV, and CDEV files in the system folder, unusual CODE 0 resources, and others. It produces a report in a text file, which may be saved or printed as a record of disk status. Virus Rx does not disinfect applications or systems. Accompanying documentation recommends replacement of infected files.

---------------------------

Product name: VirusDetective*
Author: Jeffery S. Shulman
Price: $10
Agreements: Copyrighted; permission given to distribute.
Class: Manual, general detection/removal.

Virus Detective* provides an anti-viral program in a desk accessory. It currently searches for Scores and nVIR infections, but is easily customizable to search for other resources. Version 1.2 allows you to produce a log file showing the status of all files, files suspected of infection, and files not suspected of infection.

---------------------------

Product name: KillScores
Author: MacPack User Group, Dallas TX
Price: Free
Agreements: Copyrighted, but permission given to reproduce and distribute.
Class: Manual, specific detection/removal.

KillScores efficiently discovers and repairs applications and systems infected with the Scores virus. It does not look for nor does it remove any other type of viral infection. KillScores seems to be more effective than Ferret in cleaning up infected applications and systems.

---------------------------

Product name: VCheck
Author: Albert Lunde, Northwestern University
Price: Free
Agreements: Copyrighted. See details about distribution.
Class: Manual, general protection.

VCheck checks for changes in the contents of the active system folder, the boot blocks, and on all applications on all mounted volumes. It does not remove viruses, but simply warns of their possible existence by detecting "dangerous" resources. VCheck keeps a checksum file for all of the above items for comparison purposes. VCheck is written in Turbo Pascal and source is provided.

---------------------------

Product name: nVIR Vaccine
Author: Mike* Scanlin
Price: See details; source in May 1988 MacUser
Agreements: Copyrighted; distribution restrictions unclear.
Class: Manual, specific (partial) removal.

nVIR Vaccine is a specific targeted at the "nVIR" virus. It removes this virus only from applications which are infected with it. nVIR Vaccine is not an automatic program. You will have to select all of the programs to be disinfected manually. Also, nVIR Vaccine does not remove the virus from the System file. See the details for how to do this.

---------------------------

Product name: Sniffer
Author: Unknown
Price: Free
Agreements: See details
Class: Manual, general detection.

Sniffer is a simple application which can be customized to search for a given resource. Sniffer will scan for the selected resource, check for applications which have non-standard CODE 0 resources (a possible symptom of infection), and can rename files which are possibly infected. Sniffer does no disinfection. You must know the types and IDs of the resources which are to be looked for.

---------------------------

Product name: Ferret 1.0
Author: Larry Nedry
Price: Free
Agreements: Copyrighted, but permission given to distribute.
Class: Manual, specific detection/removal.

Ferret 1.0 is an application which scans for and removes the Scores virus only. It scans the selected files for the Scores signature resources. If they are found, they are removed and the affected applications repaired. There have been reports that Ferret is not as good as KillScores and that version 1.1 may in fact leave viral resources in applications after cleaning.

---------------------------

Product name: Blood Test
Author: Doug Werner, Apple Computer
Price: Free
Agreements: All rights reserved; not distributable.
Class: Manual, specific and general detection.

Blood Test looks for specific resources and reports if they are found.
It can check for damaged applications (i.e., those with bad resource forks), and can also check for patched trap addresses in the system trap dispatch table. Blood Test does no disinfection; it is simply a means of detecting possible infections.

---------------------------

Product name: Dukakis Vaccine
Author: Ian Summerfield, Apple Computer UK Ltd.
Price: Free to everyone except the originator of the virus.
Agreements: No distribution restrictions.
Class: Automatic, specific and general detection/prevention.

Dukakis Vaccine is a HyperCard script designed to both detect the Dukakis virus and to prevent its invasion into stacks. The script is general enough to be of utility in blocking other HyperCard-only viruses. Dukakis Vaccine only monitors changes to scripts; it cannot block viral XCMDs or XFCNs. It does not remove the virus, but blocks it and alerts you to the virus's presence.

---------------------------

thecloud@dhw68k.cts.com (Ken McLeod) (11/02/88)
In article <661@ethz.UUCP> macman@ethz.UUCP (Danny Schwendener) writes:
> [reviews of anti-virus programs omitted]
>
>Product name: Dukakis Vaccine
>Author: Ian Summerfield, Apple Computer UK Ltd.
>Price: Free to everyone except the originator of the virus.
>Agreements: No distribution restrictions.
>Class: Automatic, specific and general detection/prevention.
>
>Dukakis Vaccine is a HyperCard script designed to both detect the
>Dukakis virus and to prevent its invasion into stacks.
 ^^^^^^^ ^^^^^

  What the heck is the Dukakis Virus????
  (I knew the campaign was negative, but this is ridiculous. :-) )

-ken
--
==========     .......     ===========================================
Ken McLeod    :.     .:    uucp: {spsd, zardoz, felix}!dhw68k!thecloud
==========   :::.. ..:::   InterNet: thecloud@dhw68k.cts.com
                ////       ===========================================

macman@ethz.UUCP (Danny Schwendener) (11/07/88)
In article <14467@dhw68k.cts.com> thecloud@dhw68k.cts.com (Ken McLeod) writes:
>
> What the heck is the Dukakis Virus????
> (I knew the campaign was negative, but this is ridiculous. :-) )

The oddity about the Dukakis Virus is that its code is 100% pure HyperTalk, and contaminates only HyperCard stacks. During the contamination, it displays "Dukakis for president" in the Message window.

The original "syringue" stack appeared originally on CompuServe (SPEAKS.SIT) and was downloaded 8 times only before it was removed, but the full source has been shown and discussed on Delphi.

The following vaccine script will protect your stacks from being contaminated with the "set script" trick used by the Dukakis Virus. Just paste it into your Home Stack.

-- Danny

---------------------- Cut here -------------------------------
-- Note: "Duk-akis" contains a dash here to prevent the vaccine from
-- detecting itself as a virus.

-- Script to detect the spread of the "Duk-akis" virus. It works by
-- trapping the "set" command. I haven't seen "Duk-akis", but I should
-- think that it works by setting the scripts of various objects to
-- whatever they were plus an "on openStack" handler. Well, by trapping
-- the "set" command, we can then find out if we are setting a script.
-- If we are, then we can sort of work like "Vaccine" does; i.e., we
-- prompt the user to see if he or she wants to allow the command to
-- continue. If it is stopped, then all scripts are halted.
-- Additionally, if the script contains the word "Duk-akis", then no
-- option is given & the script is halted straight away.

-- THIS SCRIPT SHOULD BE INSTALLED IN THE "HOME" STACK,
-- IN THE STACK SCRIPT.

-- You can test this script by making a new stack, then keying the
-- following examples into the message box:
-- % "Set the script of this stack to empty"
-- % "Set the script of this stack to field 1"
-- % "set the script of this stack to Duk-akis" (don't type the dash)
-- Try it, I think you'll like it!
-- This script is free to everyone apart from the person who wrote the
-- "Duk-akis" virus. I just hope it affects every single stack he or
-- she has or gets in the future!

-- Regards to all from a truly devoted HyperCard fan,
-- Ian Summerfield
-- Technical Support Supervisor
-- Apple Computer UK Ltd.
-- CIS: 76657, 742
-- "Sysop" - AppleFone HyperCard BBS: Luton, England: 0582 584134

-- Modified slightly 8/22/88 by Joe McMahon to make sure that
-- "set the script..." (vs. "set script") doesn't slip through.
-- Modified a bit more 8/29/88 by Joe McMahon to add Ian's fixes
-- to prevent the vaccine from detecting itself as a virus.

on set
  put "Duk"&"akis" into duk
  if the param of 1 is "script" or the param of 2 is "script" then
    get the params
    if last word of it is "to" then put it && "empty" into it
    put it into s
    if s contains duk then
      repeat 10
        play harpsichord tempo 300 "a b c b a b c b"
      end repeat
      answer duk&&"virus detected!" with "Halt scripts"
      answer "Okay, you're safe now! It didn't spread."
      exit to HyperCard
    end if
    play harpsichord tempo 200 "e c e c e c e"
    answer "Warning: Script change requested" with "Show me"
    repeat
      answer s with "Allow" or "Stop!" or "Show more"
      if it is "Allow" then pass set
      else
        if it is "Stop!" then
          answer "All scripts halted!"
          exit to HyperCard
        else
          put the userLevel into userSafe
          set userLevel to 5
          doMenu "New Field"
          get the number of card fields
          set rect of card field it to 0,19,512,342
          set style of card field it to scrolling
          put the params into card field it
          choose browse tool
          wait until not the mouseClick
          wait until the mouseClick
          choose field tool
          click at loc of card field it
          doMenu "Clear Field"
          choose browse tool
          set userLevel to userSafe
        end if
      end if
    end repeat
  else pass set
end set
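
[Added example, not part of the thread or of the vaccine script: a Python model of the decision the "on set" handler above makes, so the cases named in its comments can be checked. It assumes the trapped command arrives as text whose whitespace-separated words after "set" stand in for the params; classify_set, checked_params and the sample commands are constructed for illustration.]

```python
# Added illustration (not from the thread): Python model of the vaccine's
# "on set" decision logic. Assumption: the trapped command arrives as text
# whose whitespace-separated words after "set" play the role of the params.

SIGNATURE = "Duk" + "akis"  # built from halves, as the script does
HALT, ASK, PASS = "halt", "ask", "pass"


def classify_set(command, checked_params=2):
    """Return (verdict, text shown to the user) for one trapped command.

    checked_params=2 models the posted script (param 1 or param 2);
    checked_params=1 models a check of param 1 only.
    """
    words = command.split()
    if not words or words[0].lower() != "set":
        return PASS, ""
    params = words[1:]
    # "set script of ..." has "script" first, "set the script of ..." second.
    if "script" not in [p.lower() for p in params[:checked_params]]:
        return PASS, ""
    shown = " ".join(params)
    if params[-1].lower() == "to":      # empty new script: show "to empty"
        shown += " empty"
    # HyperTalk's "contains" ignores case, so compare case-insensitively.
    if SIGNATURE.lower() in shown.lower():
        return HALT, shown
    return ASK, shown


# Constructed sample commands, including the tests the script's comments suggest.
SAMPLES = [
    "set the script of this stack to empty",
    "set script of this stack to",
    "set the script of this stack to " + SIGNATURE,
    'set the script of stack "Home" to put "Duk"&"akis" into duk',
    "set the rect of card field 1 to 0,19,512,342",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(classify_set(cmd)[0], "<-", cmd)
    # A param-1-only check lets the "set the script" form through:
    print(classify_set(SAMPLES[2], checked_params=1)[0])
```

[The fourth sample is why the handler builds its signature from two halves: installing the vaccine's own text is a script change the user is asked about, not one that is halted outright.]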