jpd@eecs.nwu.edu (Phil Draughon (ACNS)) (04/26/88)
Scores Report 2

Sent on Monday 4/25/88 to comp.sys.mac.
------------------------------------------------------------------

This is my second report on the Scores virus. The important good news is there are now two free disinfection programs called KillScores and Ferret 1.0. I didn't write either one of them. They seem to work fine, so there's no need for me to write another one. I'm also happy to report that CE Software's Vaccine 1.0 is effective against Scores. There's not much new to report about the virus itself.

KillScores and Ferret 1.0 were posted on AppleLink over the weekend of April 16. I discovered them shortly after posting my first report on Monday the 18th. I believe they are also available on CompuServe, but I haven't checked. Both of these programs were written specifically to eradicate the Scores virus. They can also be used to simply check for the virus, without changing anything on your disk.

I tested both Ferret and KillScores on my small infected test system, and on some large uninfected ones. Both of them worked on my small infected system. They removed all traces of the virus and repaired the system folder and all the damaged applications correctly. They both also correctly reported that several large systems with nearly full 20 and 80 megabyte hard drives were uninfected.

A word of warning, however. My small test system only contains infected versions of TeachText, ResEdit, and MacWrite. I don't have the facilities or the time to do large scale testing of lots of infected applications. Also, I don't have the source code for either of the programs. So I can't guarantee that either of them is perfect, or that they won't damage your files.

KillScores has a better user interface than Ferret 1.0, although neither one is very good. Ferret 1.0 also seems to have a problem properly reporting the names of the infected files. This only works some of the time. KillScores does a much better job of telling you exactly what it's doing.
The important thing is that both of these programs seem to work, and the authors deserve our thanks. Larry Nedry wrote Ferret 1.0, and KillScores is the work of the MacPack/Apple Corps of Dallas task force, headed by Howard Upchurch.

Getting rid of a virus is very tricky, even with the help of a disinfection program like KillScores or Ferret 1.0. I managed to make mistakes using them during my tests, and ended up with a system that was still infected! I recommend that you carefully follow the steps below to make sure that you've really eradicated all traces of the virus.

Step 1. Make a startup disk containing just a system folder and a copy of the disinfection program (KillScores and/or Ferret 1.0). For the safest results the system folder should be copied as is from a locked original Apple system release disk. The only files you really need in your system folder are System and Finder. Make sure your system folder doesn't contain any non-Apple INITs, CDEVs, or other miscellaneous crap.

Step 2. Restart your machine using the startup disk you just made.

Step 3. Make a backup copy of the startup disk you just made.

Step 4. Run the disinfection program on all the hard drives and floppies in your collection, including the backup copy you just made. Don't run any other programs or boot from any other disks until you're done disinfecting, or you might get reinfected. Use Finder, not MultiFinder (I've only tested under Finder. The programs might work OK under MultiFinder too, but I don't know).

Step 5. Shut down your system and restart using some other (disinfected) startup disk.

Step 6. Immediately erase the startup disk you made in step 1 and used to disinfect your system. The backup disk you made is free from infection, and it contains a copy of the disinfection program that you can use again if you need it.

For the safest results you should try to make sure that all the files you copy to your startup disk in step 1 are uninfected. That's why I recommend using your original locked Apple release disk. I have, however, tested both KillScores and Ferret 1.0 with infected startup disks, and they seem to work OK. To double check, you can run both KillScores and Ferret 1.0. The program you run first should disinfect your disk, and the one you run second should report that the disk is free of infection.

I've also tested CE Software's Vaccine 1.0 with Scores. It seems to be effective against the initial attempt at infection. In all my tests my vaccinated system bombed whenever I attempted to run an application infected with Scores, and my system was not infected. I've tried this with the "expert display" option both on and off, and with the "always compile MPW INITS" option both on and off. I've seen bombs with ID=02 and ID=25. I don't know why the system bombs instead of presenting Vaccine's usual dialog box or tiny icons.

I'd like to correct an error in the first report. When fixing an infected application with ResEdit, you should replace bytes 16-23 of CODE resource 0 by bytes 4-11 of CODE resource nnnn, not by bytes 2-9. Bytes are numbered starting with 0. I apologize if this caused anybody any grief.

I'd also like to thank Dave Lavery and Howard Upchurch for their early work on the Scores virus. I used their results as a starting point for my own research, and I should have given them credit in my first report.

I've discovered several more interesting facts about Scores, including more attacks on VULT and ERIC, an explanation for why some applications don't get infected, and several bugs in the virus. There also may be a few problems with the disinfection algorithm I presented in the first report. The details aren't important now, so I won't describe them.

It has been reported that the virus contains some sort of special code designed to fool ResEdit. This isn't true, although I have had ResEdit crash inexplicably on an infected system.

Please note that I am NOT Phil Draughon!
I'm just using his account to post this message, since my usual machine is having trouble posting notes. My real name and address are:

John Norstad
Academic Computing and Network Services
Northwestern University
Evanston, IL 60208
Bitnet: JLN@NUACC
Internet: JLN@NUACC.ACNS.NWU.EDU
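The corrected ResEdit repair in the report above (copy bytes 4-11 of CODE nnnn over bytes 16-23 of CODE 0, bytes numbered from 0) as an added example in Python. This is not code from the report, from KillScores or from Ferret; the report only states the byte offsets. What the example assumes, from Inside Macintosh rather than from the report, is the standard layout of CODE 0 (a 16-byte header followed by 8-byte jump-table entries, so bytes 16-23 are the first entry) and of the other CODE segments (a 4-byte header followed by code, so bytes 4-11 are the first 8 bytes of code). The sample resources, the segment number 9 and the offsets in them are constructed for the demonstration, not bytes taken from an infected application, and the example makes no claim about how Scores itself lays out its segment beyond the two byte ranges the report names.

```python
import struct

# Layout facts from Inside Macintosh ("The Segment Loader"), assumed here, not stated in the report:
#   CODE 0  = 16-byte header (above-A5 size, below-A5 size, jump-table length,
#             jump-table offset from A5; 4 bytes each, big-endian) followed by
#             8-byte jump-table entries.  Bytes 16-23 are therefore entry 0.
#   CODE n  = 4-byte header (offset of this segment's first jump-table entry,
#             number of entries) followed by code.  Bytes 4-11 are the first
#             8 bytes of the segment's code.
#   An unloaded jump-table entry is:
#       +0  routine offset within the segment
#       +2  0x3F3C   MOVE.W #segnum,-(SP)
#       +4  segment number
#       +6  0xA9F0   _LoadSeg
CODE0_HEADER_LEN = 16
SEG_HEADER_LEN = 4
JT_ENTRY_LEN = 8
MOVE_W_IMM_PUSH = 0x3F3C
LOADSEG_TRAP = 0xA9F0

FIRST_JT_ENTRY = slice(CODE0_HEADER_LEN, CODE0_HEADER_LEN + JT_ENTRY_LEN)  # bytes 16-23 of CODE 0
SAVED_ENTRY = slice(SEG_HEADER_LEN, SEG_HEADER_LEN + JT_ENTRY_LEN)          # bytes 4-11 of CODE nnnn


def decode_jt_entry(entry):
    """Return the fields of one 8-byte jump-table entry as a dict."""
    if len(entry) != JT_ENTRY_LEN:
        raise ValueError("jump-table entry must be 8 bytes, got %d" % len(entry))
    offset, op, segment, trap = struct.unpack(">HHHH", entry)
    return {
        "offset": offset,
        "segment": segment,
        # True only when the entry still has the MOVE.W/_LoadSeg shape of an unloaded entry
        "well_formed": op == MOVE_W_IMM_PUSH and trap == LOADSEG_TRAP,
    }


def jump_table(code0):
    """List every entry of CODE 0's jump table; the header's JT length says how many."""
    if len(code0) < CODE0_HEADER_LEN:
        raise ValueError("CODE 0 shorter than its 16-byte header")
    jt_len = struct.unpack(">I", code0[8:12])[0]
    if CODE0_HEADER_LEN + jt_len > len(code0) or jt_len % JT_ENTRY_LEN:
        raise ValueError("jump-table length in header does not fit the resource")
    return [decode_jt_entry(code0[i:i + JT_ENTRY_LEN])
            for i in range(CODE0_HEADER_LEN, CODE0_HEADER_LEN + jt_len, JT_ENTRY_LEN)]


def repair_code0(code0, code_nnnn):
    """The correction from Report 2: bytes 16-23 of CODE 0 <- bytes 4-11 of CODE nnnn.
    Every other byte of CODE 0 is returned exactly as it was."""
    if len(code0) < CODE0_HEADER_LEN + JT_ENTRY_LEN:
        raise ValueError("CODE 0 has no jump-table entry to repair")
    if len(code_nnnn) < SEG_HEADER_LEN + JT_ENTRY_LEN:
        raise ValueError("CODE nnnn too short to contain a saved entry")
    saved = code_nnnn[SAVED_ENTRY]
    if not decode_jt_entry(saved)["well_formed"]:
        raise ValueError("bytes 4-11 of CODE nnnn do not look like a jump-table entry")
    return code0[:CODE0_HEADER_LEN] + saved + code0[CODE0_HEADER_LEN + JT_ENTRY_LEN:]


def build_sample():
    """Constructed sample, not bytes from a real infected application.
    Entry 0 of CODE 0 has been redirected to segment 9 (a hypothetical extra segment);
    CODE 9 carries the original entry (segment 1, offset 0) in its bytes 4-11."""
    header = struct.pack(">IIII", 0x1000, 0x800, 2 * JT_ENTRY_LEN, 32)
    redirected = struct.pack(">HHHH", 0x0000, MOVE_W_IMM_PUSH, 9, LOADSEG_TRAP)
    entry1 = struct.pack(">HHHH", 0x0040, MOVE_W_IMM_PUSH, 1, LOADSEG_TRAP)
    infected_code0 = header + redirected + entry1
    original_entry0 = struct.pack(">HHHH", 0x0000, MOVE_W_IMM_PUSH, 1, LOADSEG_TRAP)
    code_9 = struct.pack(">HH", 0, 1) + original_entry0 + b"\x4e\x75" * 4  # RTS filler
    return infected_code0, code_9


if __name__ == "__main__":
    code0, code_n = build_sample()
    print("before:", jump_table(code0))
    fixed = repair_code0(code0, code_n)
    print("after: ", jump_table(fixed))
```

Running it prints the jump table before and after the repair: entry 0 points at segment 9 before and at segment 1 afterwards, while entry 1 and the header are untouched. The `well_formed` check only confirms that the copied bytes have the MOVE.W/_LoadSeg shape of an unloaded entry; it is a sanity check on the offsets, not a Scores signature, and it does not replace running KillScores or Ferret afterwards to confirm the disk is clean, as the report recommends.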
ephraim@think.COM (ephraim vishniac) (04/26/88)
In article <10330004@eecs.nwu.edu> jpd@eecs.nwu.edu (Phil Draughon (ACNS)) writes:
>
>Scores Report 2
>
>Sent on Monday 4/25/88 to comp.sys.mac.
>------------------------------------------------------------------
>This is my second report on the Scores virus. The important good
>news is there are now two free disinfection programs called
>KillScores and Ferret 1.0. I didn't write either one of them.
>They seem to work fine, so there's no need for me to write another
>one. I'm also happy to report that CE Software's Vaccine 1.0 is
>effective against Scores. There's not much new to report about the
>virus itself.

For news about the virus, see MacWEEK for Tuesday, April 26. There's an article headlined "Scores virus prompts FBI investigation." It turns out that the target programs were two proprietary programs developed by Electronic Data Systems, Dallas TX, and used at various government agencies. The virus is believed to have been circulating since March 1987. "According to one source, both Apple and the FBI know the identity of the programmer who wrote the virus more than a year ago." No motivation for the attack is given.

>KillScores and Ferret 1.0 were posted on AppleLink over the weekend
>of April 16. I discovered them shortly after posting my first
>report on Monday the 18th. I believe they are also available on
>CompuServe, but I haven't checked.

Ferret 1.1 is now available; I picked it up from Mass Mac and Electric so I imagine it's on plenty of local boards by now. It ran very smoothly on my (uninfected) file system. I don't know if it corrects the problems with file name display that the author of the above-cited report mentioned.

Ephraim Vishniac
ephraim@think.com
Thinking Machines Corporation / 245 First Street / Cambridge, MA 02142-1214

On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?"