D1660@AppleLink.Apple.COM (SoftPlus, Paul Cozza,PRT) (08/19/90)
For SAM 2.0 Users:

Two new Macintosh viruses have been uncovered in the last week or so. Here is information about them for SAM users.

1) A second strain of the Garfield (or MDEF) virus has appeared. It does not do anything intentionally malicious. It does add MDEF resources to system files and applications. In advanced or custom mode, SAM 2 will alert you to this virus's attempt to change and add MDEF resources. Denying these attempts prevents the resource from spreading.

You can enter one of the following 2 virus definitions with Virus Clinic to detect this virus by name. To specifically detect this strain of Garfield, enter this definition (I am repeating the definition previously posted by Karim Esmail of Symantec here):

    Virus Name:     Garfield
    Resource Type:  MDEF
    Resource ID:    0
    Resource Size:  532
    Search String:  2F3C4D4445464267487A (hexadecimal)
    Search Offset:  304

Alternately, you can enter a definition to detect both strains of Garfield (and delete any earlier Garfield definition you may have entered). If you choose this option, scans may take slightly longer (though the difference will probably be unnoticeable), but you will have entered a definition capable of catching some future Garfield strains:

    Virus Name:     Garfield
    Resource Type:  MDEF
    Resource ID:    0
    Resource Size:  Any
    Search String:  A9A92F0CA9AA2F0CA9B0 (hexadecimal)
    Search Offset:  Any

2) A second virus, named CDEF, has also appeared. It also does not do anything intentionally malicious. It adds CDEF resources to desktop files only. This virus will NOT spread if SAM 2.0 is running (even in the Basic level). A feature of SAM 2.0, called Desktop Guardian, prevents code in desktop files from executing while the Finder is running. So this CDEF virus will not execute and can thus not spread while SAM 2.0 is active.

If you encounter this virus and you have SAM configured to standard level or higher, SAM will also alert you to the presence of the CDEF virus when the desktop file is opened. SAM will give a "Code in desktop file (CDEF)" alert at that time. By stopping the open of the infected desktop file, you can cause the Finder to rebuild the desktop and eliminate the virus.

To detect this virus by name, enter the following virus definition in Virus Clinic:

    Virus Name:     CDEF
    Resource Type:  CDEF
    Resource ID:    1
    Resource Size:  510
    Search String:  45463F3C0001487A0046A9AB (hexadecimal)
    Search Offset:  420

Paul Cozza
SAM Author
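
Added example, not SAM's code and not part of the original post: a Python matcher showing how a definition with these five fields can be applied to a single resource. It assumes that offsets are decimal, zero-based byte positions within the resource data and that "Any" leaves the field unconstrained; the Definition class, the function names and the sample resource bytes are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Definition:
    name: str
    res_type: str
    res_id: int
    size: Optional[int]    # None stands for "Any"
    search: bytes          # search string, decoded from hexadecimal
    offset: Optional[int]  # None stands for "Any"


# The three definitions listed in the post, in order of appearance.
DEFINITIONS = [
    Definition("Garfield", "MDEF", 0, 532,
               bytes.fromhex("2F3C4D4445464267487A"), 304),
    Definition("Garfield", "MDEF", 0, None,
               bytes.fromhex("A9A92F0CA9AA2F0CA9B0"), None),
    Definition("CDEF", "CDEF", 1, 510,
               bytes.fromhex("45463F3C0001487A0046A9AB"), 420),
]


def matches(d: Definition, res_type: str, res_id: int, data: bytes) -> bool:
    """True only if every constrained field of the definition agrees."""
    if (res_type, res_id) != (d.res_type, d.res_id):
        return False
    if d.size is not None and len(data) != d.size:
        return False
    if d.offset is None:
        # "Any" offset: the search string may sit anywhere in the resource,
        # which is why this form costs a little more scan time.
        return d.search in data
    # Fixed offset: compare only the bytes at that position.
    return data[d.offset:d.offset + len(d.search)] == d.search


def scan(res_type: str, res_id: int, data: bytes) -> List[Definition]:
    """Return every definition that matches one resource."""
    return [d for d in DEFINITIONS if matches(d, res_type, res_id, data)]


def constructed_resource(size: int, search: bytes, offset: int) -> bytes:
    """Constructed test input: zero bytes with the search string placed in."""
    buf = bytearray(size)
    buf[offset:offset + len(search)] = search
    return bytes(buf)
```

The fixed-size, fixed-offset form rejects a resource as soon as its length or the bytes at the offset differ, while the "Any" form keeps matching when the same byte sequence moves or the resource changes size.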