jln@acns.nwu.edu (04/10/90)
Archive-name: disinfectant/v1.7 Original-posting-by: jln@acns.nwu.edu Original-subject: Disinfectant 1.7/New ZUC Virus (Mac) Archive-site: acns.nwu.edu [129.105.49.1] Reposted-by: emv@math.lsa.umich.edu (Edward Vielmetti) Disinfectant 1.7 ================ April 2, 1990 Disinfectant 1.7 is a new release of our free Macintosh virus detection and repair utility. Version 1.7 recognizes the new ZUC virus. Thanks to Don Zucchini and Francesco Giagnorio for discovering and reporting this new virus. The ZUC Virus ============= The ZUC virus was first discovered in Italy in March, 1990. It is named after the discoverer, Don Zucchini. ZUC only infects applications. It does not infect system files or data files. Applications do not have to be run to become infected. ZUC was timed to activate on March 2, 1990. Before that date it only spread from application to application. After that date, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released. The behavior of the ZUC virus is similar to that of a desk accessory named Bouncy. The virus and the desk accessory are different, and they should not be confused. The desk accessory does not spread, and it is not a virus. ZUC does spread, and it is a virus. ZUC has two noticeable side effects. On some Macintoshes it causes the desktop pattern to change. It also often causes long delays and an unusually large amount of disk activity when infected applications are opened. ZUC can spread over a network from individual Macintoshes to servers and from servers to individual Macintoshes. Except for the unusual cursor behavior, ZUC does not attempt to do any damage. Vaccine is not effective against ZUC. GateKeeper 1.1.1, however, is effective against ZUC. ZUC does not change the last modification date when it infects a file, so you cannot use the last modification dates in the Disinfectant report to trace the source of a ZUC infection. Other Changes in Version 1.7 ============================ Some people have used ResEdit to add a copy of the standard system WDEF 0 resource to Desktop files in an attempt to inoculate their disks against the WDEF virus, even though we do not recommend this practice. Version 1.6 incorrectly reported that such Desktop files were infected by an unknown strain of WDEF. This problem has been fixed in version 1.7. Some of the nVIR clones have offensive names. These names appeared in plain text in various resources in Disinfectant version 1.6, and caused concern for some people who discovered them using ResEdit or a file editor. Version 1.7 encodes the resources so that the names do not appear in plain text. Version 1.6 contained an error which could cause crashes, hangs, unexpected error messages, or other unusual behavior in some circumstances. The error is corrected in version 1.7. How to Get a Copy of Version 1.7 ================================ Disinfectant 1.7 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It will also be available soon on sumex-aim, rascal, comp.binaries.mac, CompuServe, Genie, Delphi, BIX, MacNet, America Online, Calvacom, AppleLink, and other popular sources for free and shareware software. Macinstosh users who do not have access to bulletin boards, networks, user groups, or online services may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address below. John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 Bitnet: jln@nuacc Internet: jln@acns.nwu.edu CompuServe: 76666,573 AppleLink: A0173