jpd@eecs.nwu.edu (Phil Draughon (ACNS)) (05/02/88)
This is my third report on the Scores virus. In my first report I revealed what Scores did, how to detect it, and how to get rid of it by hand using ResEdit. In my second report I reviewed Ferret 1.0 and KillScores, two free disinfectant programs that have appeared to get rid of Scores. In this report I describe further testing of Ferret 1.0, the new Ferret 1.1, and KillScores.

IMPORTANT: Ferret 1.1 has very serious bugs! Based on my tests I recommend using KillScores instead.

1. Ferret 1.1 does NOT properly delete one of the viral resources in the system file (INIT 17), at least on my small infected test system! I found this unbelievable, so I reran my test several times, and it failed each time. Ferret 1.0 does not have this problem.

2. Ferret 1.1 does NOT properly disinfect files which contain CODE resources marked "protected". Some applications are distributed with protected CODE resources, and Scores can infect them, so this is another important bug. Ferret 1.0 also has this bug. In this case the supposedly repaired application is left in a seriously damaged state - it will bomb immediately on launch.

3. Ferret 1.1 does NOT properly disinfect locked files. This is an important bug, even though Scores can't infect locked files. The file could have been unlocked when it became infected, and then the user could have locked it later. Ferret 1.0 also has this bug. I'd like to thank Rich Holmes for first pointing out this bug.

4. Ferret 1.1 still does NOT always properly report the names of infected files. Ferret 1.0 also has this bug.

To make things even worse, Ferret does not give the user any indication that anything is wrong. It leaves the user with the impression that his/her system is clean, when in fact it's still at least partially infected.

I also did further testing of KillScores. KillScores had no problems with the cases above where Ferret failed - it properly disinfected all the files on my test system. In the case of locked files KillScores unlocks the file, disinfects it, and leaves it unlocked.

In my second report I mentioned that CE Software's Vaccine effectively prevents infection by Scores, at least on my test system. If you are at all worried about viruses, and you should be, I strongly recommend that you get Vaccine and use it religiously. CE Software deserves all of our thanks for developing and giving away this important tool. It's not perfect protection, as the authors freely admit in the documentation, but it is effective against Scores, and I understand that it's also effective against most of the other recent Mac viruses.

Once again, I must emphasize that I do not have the facilities or time to do large scale testing of many infected applications. All of my testing is done on a small floppy-only system, with only MacWrite, TeachText, and ResEdit for infected applications. So I can't guarantee that KillScores or any other program is perfect, or that I haven't made mistakes in these reports.

Also, I should probably mention that all of my statements in all of my reports reflect my opinions only, and not those of my employer, Northwestern University.

Finally, if you're reading this on comp.sys.mac, please note that I am NOT Phil Draughon! I'm just using his account to post this message, since my usual machine is having trouble posting notes. My real name and address are:

John Norstad
Academic Computing and Network Services
Northwestern University
Evanston, IL 60208

Bitnet: JLN@NUACC
Internet: JLN@NUACC.ACNS.NWU.EDU

Monday morning, May 2, 1988
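
Since the report says Ferret gives no indication when a repair fails, a disinfectant's result can be re-checked independently. The Python code below is an added example, not part of the original post and not code from Ferret or KillScores: it walks a resource fork's map and flags a remaining INIT 17 and any CODE resource carrying the protected attribute. It assumes the standard Macintosh resource fork layout; `list_resources`, `audit`, `build_fork` and `SAMPLE` are names made up for this example, and treating an INIT 17 in the System file as a leftover follows the report rather than any wider test.

```python
import struct

RES_PROTECTED = 0x08  # resProtected bit in a resource's attribute byte

def list_resources(fork):
    """Return [(type, id, attrs)] for every entry in a resource fork's map."""
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("truncated or corrupt resource map")
    tlist = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    n_types = (struct.unpack_from(">H", fork, tlist)[0] + 1) & 0xFFFF
    found = []
    for t in range(n_types):
        rtype, last, refs = struct.unpack_from(">4sHH", fork, tlist + 2 + 8 * t)
        for r in range(last + 1):
            rid, _name, word = struct.unpack_from(">hhI", fork, tlist + refs + 12 * r)
            found.append((rtype.decode("mac_roman"), rid, word >> 24))
    return found

def audit(fork, system_file=False):
    """Re-check a file after a disinfectant has reported success."""
    findings = []
    for rtype, rid, attrs in list_resources(fork):
        if system_file and (rtype, rid) == ("INIT", 17):
            findings.append("INIT 17 still present")
        if rtype == "CODE" and attrs & RES_PROTECTED:
            findings.append(f"CODE {rid} is protected")
    return findings

def build_fork(resources):
    """Constructed test input: a minimal fork holding [(type, id, attrs)]."""
    by_type = {}
    for rtype, rid, attrs in resources:
        by_type.setdefault(rtype, []).append((rid, attrs))
    entries, refs = b"", b""
    base = 2 + 8 * len(by_type)  # reference lists start after the type entries
    for rtype, items in by_type.items():
        entries += struct.pack(">4sHH", rtype.encode(), len(items) - 1, base + len(refs))
        for rid, attrs in items:
            refs += struct.pack(">hhII", rid, -1, attrs << 24, 0)  # unnamed, data at 0
    tlist = struct.pack(">H", len(by_type) - 1) + entries + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist)) + tlist
    data = struct.pack(">I", 0)  # one empty resource body shared by every entry
    header = struct.pack(">4I", 256, 256 + len(data), len(data), len(rmap))
    return header.ljust(256, b"\0") + data + rmap

# Constructed sample: one leftover INIT 17 and one protected CODE resource.
SAMPLE = build_fork([("INIT", 17, 0), ("CODE", 0, 0x20), ("CODE", 1, 0x28)])
```

On a current macOS system the fork bytes of a file can be read from `<path>/..namedfork/rsrc` and passed to `audit`.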