[comp.sys.mac] Virii at the U of I

crouse@uxh.cso.uiuc.edu (09/20/88)

  At the University of Illinois we are having a major virus outbreak
  at this time. As of Friday (09-16-88) we have been plagued by 
  a new virus nVIR. At this time most of the Mac labs w/hard drives
  have been infected. Now we are finding this virus as well as Sneak and
  Scores in offices all over the campus. The Sneak virus attacks Laser
  Prep, Laser Writer, and Image Writer files. This is a major problem we
  are having to deal with across the campus. Any information about
  Sneak or nVIR would be helpful. We are looking for a program that
  can be installed on the system to check a disk for virii 
  every time one is inserted into the machine.
     Any info would be helpful.


					       James Crouse
					       Mgr Union Micro Lab

Send replies to crouse@uxh.cso.uiuc.edu

cn4gr8ag@ariel.unm.edu (09/21/88)

I'm also interested in knowing what damage the sneak and nVir viruses do
to Macs...MacUser had an article about them recently stating their 
existence, but they didn't go into detail about their possibly destructive
nature...

Thanks in advance,

Bob Knudson

cn4gr8ag@ariel.unm.edu.uucp

thompson@uxf.cso.uiuc.edu (09/21/88)

 Y'know something that would be really nice ---

 A program which hooks into the "disk insert" notice in System, like
Soundmaster does with its sounds, which automatically runs a
virus-masher over the inserted disk.  We could really use something like
that in our public mac-labs.  Anybody know of such a beast?  How hard
would it be to write one?

twan@umbio.MIAMI.EDU (Tat Wan) (09/25/88)

in article <20200005@uxh.cso.uiuc.edu>, crouse@uxh.cso.uiuc.edu says:
>   At the University of Illinois we are having a major virus outbreak
>   at this time. As of Friday (09-16-88) we have been plagued by 
>   a new virus nVIR. At this time most of the Mac labs w/hard drives
>   have been infected. Now we are finding this virus as well as Sneak and
>   Scores in offices all over the campus. The Sneak virus attacks Laser
>   Prep, Laser Writer, and Image Writer files. This is a major problem we
>   are having to deal with across the campus. Any information about
>   Sneak or nVIR would be helpful. We are looking for a program that
>   can be installed on the system to check a disk for virii 
>   every time one is inserted into the machine.
>      Any info would be helpful.
> 
> 
> 					       James Crouse
> 					       Mgr Union Micro Lab
> 
> Send replies to crouse@uxh.cso.uiuc.edu


We discovered the SCORES virus on our Mac IIs' HDs a
few days ago. I also have the Interferon 3.0 program, which
detects some common viruses (Scores, nVir, ...) but I don't have the
documentation, so you'll have to get it from somewhere else; 
and Apple's Rx (which does not do much, in my opinion). 
We also have Vaccine, which detects a virus's attempt 
to infect a file, but I'm not sure if that is 100% effective. 
It has shown virus infection attempts but I guess quite a few 
get by without being noticed. (either that or some user granted 
permission for the program to be infected)


T.C. Wan
c/o Univ of Miami
Computing Facilities
Coral Gables, FL


******* I was trying to email the response to you, but
the mailer kept on bouncing it back, so I guess I'll just have
to post. I'm not sure how I could send the programs over, though
since the only sure way (?) would be over the news service...
-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= twan@umbio.MIAMI.EDU  <<internet>> <- should reach??            =
= p758z49z@miavax.miami.edu <- other acct.                        =
= Disclaimer: I don't claim to represent anyone except myself :-) =

macman@ethz.UUCP (Danny Schwendener) (09/25/88)

In article <46700066@uxf.cso.uiuc.edu> thompson@uxf.cso.uiuc.edu writes:
>
> A program which hooks into the "disk insert" notice in System, like
>Soundmaster does with its sounds, which automatically runs a
>virus-masher over the inserted disk. 

The disk-insert detection isn't difficult to implement. The problem
lies in the User-friendliness and in the program chaining.

First the user-friendliness: Would you be happy if you had to wait for
one or two minutes each time you insert a disk? What if you're working
on single-drive units? Your students will make a sit-in strike if they
have to go through this hassle.

The chaining: The Macintosh OS is just not conceived for passing
parameters on a program startup. The only parameters that you may
pass are one or several documents with the same owner ID and a
flag which determines what the application should do with these
documents (open or print). I don't have IM at hand, so correct me
if I'm wrong. 

But it is possible, nevertheless, assuming that both the Disk-insert
trapper INIT and the virus-tracer are specifically written for each
other. The application would check on startup if any document of
any type has been passed as parameter, and use the document's pathname
as information about the volume to check. The INIT would have to
trap a disk-insert interrupt and start the tracer program with
any file (e.g. the desktop file, which is on all disks) as parameter.

Hmm wait... I think there's an additional problem with this. If the
disk insertion is trapped *before* the disk is normally mounted
by the OS, there is no way to give any document of that disk as
parameter. Could anyone check what comes first? Logically, it would
be the interrupt, and in this case, you could forget about the idea.

-- Danny

+-----------------------------------------------------------------------+
| Mail   :   Danny Schwendener, ETH Macintosh Support Center            |
|            Swiss Federal Institute of Technology, CH-8092 Zuerich     |
| Bitnet :   macman@czheth5a      UUCP   :   {cernvax,mcvax}ethz!macman |
| Ean    :   macman@ifi.ethz.ch   Voice  :   yodel three times          |
+-----------------------------------------------------------------------+

nakata@Jessica.stanford.edu (Lance Nakata) (09/26/88)

Can someone post Interferon 3.0 (or any later version) WITH docs to
Info-Mac@Sumex-Aim.Stanford.Edu?  I believe you can reach it through uunet
if necessary (sumex-aim.stanford.edu!info-mac@uunet.uu.net).  Thanks.

Lance Nakata
Info-Mac

jhf@lanl.gov (Joseph Fasel) (09/26/88)

What's with this "virii" stuff?  Every dictionary I've checked indicates
the plural of "virus" is "viruses".  Besides that, if one were going
to use a latinate plural, wouldn't it be "viri"?

alexis@dasys1.UUCP (Alexis Rosen) (09/29/88)

In article <20200005@uxh.cso.uiuc.edu> crouse@uxh.cso.uiuc.edu writes:
>  At the University of Illinois we are having a major virus outbreak
>  at this time. [...] The Sneak virus attacks Laser
>  Prep, Laser Writer, and Image Writer files. This is a major problem we
>  are having to deal with across the campus. Any information about
>  Sneak or nVIR would be helpful.

It is virtually certain that the "Sneak" virus you are detecting does not
exist. Apple printer drivers contain certain resources that Interferon
considers to be indicative of a virus, but in fact are not. To make sure,
simply open a shrink-wrapped System Software package and run Interferon
on it. If you see the exact same "sneak" virus, you know that you are not
in fact infected. If you see something else, then you have my condolences
since you have discovered a brand-new Mac virus.

As far as nVIR goes, there may or may not be a new version of it going
around. One of the things that nVIR does is patch itself into your apps.
One side effect of this is the creation of a CODE 256 resource in each
infected resource file. The "harmless" nVIR creates CODE 256s which are
372 bytes long. I was recently infected by an nVIR of unknown malignance
which created CODE 256s which were 422 bytes long. I strongly suggest
reporting on the net if you discover any CODE 256s other than 372 bytes
long.

>  We are looking for a program that
>  can be installed on the system to check a disk for virii 
>  every time one is inserted into the machine.

I doubt it. You wouldn't have any users within a week, because such checks
would take a considerable length of time. Heavy user education is the only
solution I am aware of.

>					       James Crouse
>					       Mgr Union Micro Lab

----
Alexis Rosen                       {allegra,philabs,cmcl2}!phri\
Writing from                                {harpo,cmcl2}!cucard!dasys1!alexis
The Big Electric Cat                  {portal,well,sun}!hoptoad/
Public UNIX                         Best path: uunet!dasys1!alexis

msurlich@faui44.informatik.uni-erlangen.de ( scheme) (10/03/88)

In article <6725@dasys1.UUCP> alexis@dasys1.UUCP (Alexis Rosen) writes:
>
>As far as nVIR goes, there may or may not be a new version of it going
>around. One of the things that nVIR does is patch itself into your apps.
>One side effect of this is the creation of a CODE 256 resource in each
>infected resource file. The "harmless" nVIR creates CODE 256s which are
>372 bytes long. I was recently infected by an nVIR of unknown malignance
>which created CODE 256s which were 422 bytes long. I strongly suggest
>reporting on the net if you discover any CODE 256s other than 372 bytes
>long.
>

There actually are three versions of nVIR.
One beeps, one says "Don't Panic" instead, and one kills an arbitrary
file in the System folder. This last probably never made it out of
Europe because the "Don't Panic" version is more aggressive and able to
install itself over existing versions.

This is the reason why the oft-mentioned procedure of "install INIT32
and nVIR 0..7 in your System" is dangerous.
All three versions, however, check for an nVIR 10 resource and
do nothing when it is present.

As far as I know, nVIR is currently the only virus for which an automatic
removal program is available (my "KillVirus" INIT).
-- 
Matthias Urlichs -- Rainwiesenweg 9 -- 8501 Schwaig 2 -- West Germany
CI$: 72437,1357  -- Delphi: URLICHS -- Phone: ++49+911+574180
NetMail: m_urlichs@msn.rmi.de       -- or: (reply and (h)ope
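
The two nVIR indicators from this thread (Alexis Rosen's CODE 256 length check and Matthias's note that every variant looks for an nVIR 10 resource) as a resource-fork scanner, added here as an example; it is not code from either poster or from KillVirus. It assumes the standard Inside Macintosh resource-fork layout and builds its own constructed sample fork, since no real infected file appears on the page.

```python
import struct

# Constructed sample builder (not a real infected program): writes a minimal
# Macintosh resource fork in the Inside Macintosh layout: 16-byte header padded
# to 256 bytes, resource data area, then the map with type and reference lists.
def build_resource_fork(resources):
    data, by_type = b"", {}
    for rtype, rid, payload in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload     # length-prefixed
    types, refs = struct.pack(">h", len(by_type) - 1), b""
    first_ref = 2 + 8 * len(by_type)     # type list start -> first ref list
    for rtype, entries in by_type.items():
        types += rtype + struct.pack(">hH", len(entries) - 1, first_ref + len(refs))
        for rid, off in entries:         # id, no name (-1), attrs<<24|offset, handle
            refs += struct.pack(">hhI", rid, -1, off) + b"\0" * 4
    map_hdr = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(types) + len(refs))
    rmap = map_hdr + types + refs
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header.ljust(256, b"\0") + data + rmap

def list_resources(fork):
    """Yield (type, id, data_length) for every resource in a resource fork."""
    data_off, map_off = struct.unpack(">II", fork[:8])
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    for i in range(struct.unpack(">h", fork[tl:tl + 2])[0] + 1):
        e = tl + 2 + 8 * i
        nres, ref_off = struct.unpack(">hH", fork[e + 4:e + 8])
        for j in range(nres + 1):
            r = tl + ref_off + 12 * j
            rid, _name, attr_off = struct.unpack(">hhI", fork[r:r + 8])
            start = data_off + (attr_off & 0xFFFFFF)   # low 3 bytes are the offset
            yield fork[e:e + 4], rid, struct.unpack(">I", fork[start:start + 4])[0]

# Heuristics from the thread: nVIR adds a CODE 256 resource to each file it
# infects (372 bytes for the "harmless" variant; other lengths are worth
# reporting), and all known variants leave files that hold an nVIR 10 alone.
HARMLESS_NVIR_CODE_LEN = 372

def scan_fork(fork):
    found = list(list_resources(fork))
    code256 = [n for t, i, n in found if t == b"CODE" and i == 256]
    return {"infected": bool(code256),
            "unknown_variant": any(n != HARMLESS_NVIR_CODE_LEN for n in code256),
            "code256_lengths": code256,
            "has_nvir10": any(t == b"nVIR" and i == 10 for t, i, _ in found)}

# Constructed sample: an app with a 422-byte CODE 256 plus an nVIR 10 resource.
SAMPLE_FORK = build_resource_fork([(b"CODE", 0, b"\0" * 8),
                                   (b"CODE", 256, b"\0" * 422), (b"nVIR", 10, b"")])
```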

thompson@uxf.cso.uiuc.edu (10/04/88)

/* Written by macman@ethz.UUCP in uxf.cso.uiuc.edu:comp.sys.mac */
>In article <46700066@uxf.cso.uiuc.edu> thompson@uxf.cso.uiuc.edu writes:
>>
>> A program which hooks into the "disk insert" notice in System, like
>>Soundmaster does with its sounds, which automatically runs a
>>virus-masher over the inserted disk. 
>
>The disk-insert detection isn't difficult to implement. The problem
>lies in the User-friendliness and in the program chaining.
>
>First the user-friendliness: Would you be happy if you had to wait for
>one or two minutes each time you insert a disk? What if you're working
>on single-drive units? Your students will make a sit-in strike if they
>have to go through this hassle.

I doubt it.  First, the units are all single-drive SEs with a hard
drive.  In general, students bring their data disks, and then just
sit and work with MacWrite or Microsoft Word or whatever (all
available on the hard drive) on their data disks.  I've noticed
that those who do bring their own APPLs in general install them
on the hard drive while they're working, then delete them later.
Second, they *already* have to queue up at the front of the lab
to get their disks checked by the operator at the "disk-check" station.
This process has not decreased lab traffic noticeably.  I doubt
on-line checking would do so.

>
>The chaining: The Macintosh OS is just not conceived for passing
>parameters on a program startup. The only parameters that you may
>pass are one or several documents with the same owner ID and a
>...
>But it is possible, nevertheless, assuming that both the Disk-insert
>trapper INIT and the virus-tracer are specifically written for each
>other. The application would check on startup if any document of
>any type has been passed as parameter, and use the document's pathname
>as information about the volume to check. The INIT would have to
>trap a disk-insert interrupt and start the tracer program with
>any file (e.g. the desktop file, which is on all disks) as parameter.
>
>-- Danny

What I was thinking was more along the lines of an INIT which simply
passed control to the checker.  Then the checker checks *the internal
drive* with no need for documents or such.  Is there any way to
do this?  Or do I *have* to have a "pathname"?  I've only seen
one problem so far: what to do if a disk is inserted while within
another application.  So how about a check in the INIT -- do this
only if in Finder (can you check that somehow? or maybe link the
thing into Finder itself?)  Something like this would protect
the heavily-used Printer Machines (one per laserwriter, used
only for printing) *much* better than the disk-check station.  And
the other machines would benefit as well.

Unfortunately, I ain't got the time or expertise to do this.  I'm
just learning about programming on the Mac.  And whew!  What a machine!
It'll take me a few years before I'm ready to fiddle with my
Mac's insides via INITs.  And hence the "call".

- Mark Thompson                  "The University Neither Knows Nor
  erstwhile T.A.                  Wants To Know What I Am Saying."
  University of Illinois at U-C

  ARPANET: thompson@uxf.cso.uiuc.edu
  BITNET : thompson%uxf.cso.uiuc.edu@uxc.cso.uiuc.edu
  USMAILNET: 202 E Springfield #3B, Champaign IL 61820

IRWIN@pucc.Princeton.EDU (Irwin Tillman) (10/05/88)

In article <648@faui10.informatik.uni-erlangen.de>,
   msurlich@faui44.informatik.uni-erlangen.de ( scheme) writes:
 
>>As far as nVIR goes, there may or may not be a new version of it going
>>around. One of the things that nVIR does is patch itself into your apps.
...
>There actually are three versions of nVIR.
...
>As far as I know, nVIR is currently the only virus for which an automatic
>removal program is available (my "KillVirus" INIT).
 
Princeton University has been hit by nVIR in the last few days;
we are using KillVirus to eradicate it.