DUCKENFP@carleton.edu (Paul Duckenfield (Consultant, User Services)) (02/21/90)
>From: wcpl_ltd@uhura.cc.rochester.edu (Wing Leung)
>Subject: More about WDEF
>
> Can someone tell me if WDEF is an illegal string in the resource code?
> How about the program called WDEF uploaded in comp.binaries.mac?
> In fact, I've found some WDEF code in system version 6.0.3.
> Please tell me more about this resource code.

WDef is a system resource which (basically) tells the Mac how to draw its windows. There are several programs in the FREE/SHAREware market which change how the windows appear on your Mac's screen. They make it look like a NeXT or MS Windows or some other form other than the "standard Apple" look. They take advantage of the WDef resource in the SYSTEM file.

The virus WDef is a little trickier. It infects the invisible DESKTOP file in the root directory of any disk. You can't see this file, but it is there, keeping track of all your files. That is the difference between the WDef SYSTEM resource and the WDef DESKTOP resource (for the layman).

Incidentally, I have heard reports that it is possible (although not easy) for someone to rename the WDef virus's resource to CDef. Potentially this will create another virus, exactly the same as the first except for the name, which can propagate quickly as well. Anyone know anything about this?

Paul Duckenfield
CC User Services Micro Consultant
DUCKENFP@Carleton.Edu
XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon) (02/22/90)
Paul Duckenfield <DUCKENFP@carleton.edu> writes:

> ... Another problem which we have had to deal with is recurring
>system crashes on our AppleShare servers even after the eradication of
>WDef. Although WDef is "officially" gone thanks to Disinfectant v1.6,
>the servers still seem to crash regularly. It appears that WDef, like
>polio, can be cured, but it leaves lasting damage. The only solution I
>have found is to delete the unused DESKTOP file on all server volumes...
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By all means do that. The virus will still write to this file (if you've allowed your client machines access to it) and will be lurking there, waiting for you to boot the server from a floppy. When you do that, the AppleShare Desktop Manager INIT is bypassed and you have a new source of infection.

Also, be warned that rebooting from a floppy will cause the Desktop file to be *rebuilt* on the server! You will have to remove it again.

Paul also notes/asks:

> Incidentally, I have heard reports that it is possible
>(although not easy) for someone to rename the WDef virus's resource to
>CDef. Potentially this will create another virus, exactly the same as
>the first except for the name, which can propagate quickly as well.
>Anyone know anything about this?

Doubtful. I don't have my handy copy of Inside Mac right here at the moment, but as I recall, the calling sequences are quite different. I believe that there would be trouble (i.e., crash/hang) if you tried it. However, if the viral WDEF does its infections directly, it might be able to spread itself before the crash occurs. I don't think that it would spread as fast as WDEF, because the behavior of the Mac would take such a sudden turn for the worse that almost anyone would become suspicious.

Also, if you're running GK Aid or Eradicate'em, you're already protected against anything which looks even remotely executable in the Desktop file.

--- Joe M.
zben@umd5.umd.edu (Ben Cranston) (02/23/90)
DUCKENFP@carleton.edu (Paul Duckenfield (Consultant, User Services)) writes:

> WDef is a system resource which (basically) tells the Mac how
> to draw its windows. There are several programs in the FREE/SHAREware
> market which change how the windows appear on your Mac's screen. They
> make it look like a NeXT or MS Windows or some other form other than
> the "standard Apple" look. They take advantage of the WDef resource in
> the SYSTEM file.

> Incidentally, I have heard reports that it is possible
> (although not easy) for someone to rename the WDef virus's resource to
> CDef. Potentially this will create another virus, exactly the same as
> the first except for the name, which can propagate quickly as well.
> Anyone know anything about this?

In the same way WDEF resources define the behaviour of windows, CDEF resources define the behaviour of "controls" (pushbuttons, scroll bars, etc). While it would not be possible to just retype the WDEF as a CDEF, it would certainly be possible to write a virus that would live in a CDEF resource (or for that matter any other executable resource type).

IMHO the real problem is that Finder opens these resource files and leaves them in the search chain, relying on them not to contain any resources that might mask the real resources in the Finder and System files. If Finder were to ensure that these files are in the search chain only when the Desktop resources are being fetched, these viruses would not be possible.

- --
Sig DS.L ('ZBen') ; Ben Cranston <zben@Trantor.UMD.EDU>
* Network Infrastructures Group, Computer Science Center
* University of Maryland at College Park
* of Ulm
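The search-chain masking Ben describes, and the "anything executable in the Desktop file" check Joe mentions, as an added toy model in Python (not code from the thread or from Apple's Resource Manager). The file names, resource types and the DESKTOP_TYPES set are constructed for illustration; the lookup rule (most recently opened file is searched first) is the only behaviour assumed.

```python
"""Toy model of the Mac Resource Manager search chain Ben describes above.

Constructed example: a resource file is a dict keyed by (type, id); the chain
is searched from the most recently opened file down to the System file, so a
resource high in the chain masks one of the same type/id further down.
"""
from dataclasses import dataclass, field


@dataclass
class ResFile:
    name: str
    resources: dict = field(default_factory=dict)  # (type, id) -> description


def get_resource(chain, rtype, rid):
    """Return (file name, description) of the first match, searching top-down."""
    for f in chain:
        if (rtype, rid) in f.resources:
            return f.name, f.resources[(rtype, rid)]
    return None


# Constructed sample files: System holds the real WDEF 0; a Desktop file holds
# the legitimate bundle data plus a WDEF 0 that has no business being there.
SYSTEM = ResFile("System", {("WDEF", 0): "Apple window definition"})
FINDER = ResFile("Finder", {("CODE", 1): "Finder code"})
DESKTOP = ResFile("Desktop", {("WDEF", 0): "unexpected executable resource",
                              ("BNDL", 128): "application bundle info"})

DESKTOP_TYPES = {"BNDL", "FREF", "ICN#"}  # assumed: what Finder needs from Desktop


def leaky_lookup(rtype, rid):
    """Finder leaves Desktop open at the top of the chain for every lookup."""
    return get_resource([DESKTOP, FINDER, SYSTEM], rtype, rid)


def scoped_lookup(rtype, rid):
    """Ben's fix: Desktop is in the chain only while a desktop type is fetched."""
    chain = [DESKTOP, FINDER, SYSTEM] if rtype in DESKTOP_TYPES else [FINDER, SYSTEM]
    return get_resource(chain, rtype, rid)


def audit_executable_resources(resfile, exec_types=("WDEF", "CDEF", "CODE", "INIT")):
    """Defender check in the spirit of GK Aid: executable types in a data-only file."""
    return sorted(t for (t, _) in resfile.resources if t in exec_types)


if __name__ == "__main__":
    print(leaky_lookup("WDEF", 0), scoped_lookup("WDEF", 0), audit_executable_resources(DESKTOP))
```

With the leaky chain the Desktop copy of WDEF 0 shadows the System one; with the scoped chain the System copy wins while BNDL lookups still reach the Desktop file.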
vronay%castor.usc.edu@usc.edu (Iceman) (02/23/90)
Understanding how WDEF works can tell you bunches about the current state of viruses on the Mac.

First, it is important to note that the Mac is susceptible to computer viruses due to the large number of trap-dispatched routines built into the computer. These so-called "toolbox routines" provide the programmer with all of the code s/he needs to create the Macintosh look and feel. Now, since this code can change for different versions of the Mac, the routines are accessed through a trap-dispatch mechanism. Basically, each routine has a number, and you call that number instead of the actual routine. The built-in trap dispatcher will then look up the location in memory of the trap and start executing.

Some viruses and most anti-virus programs work by rewriting these trap addresses, so that instead of calling the built-in ROM code, they call the virus/anti-virus code instead. This code will usually eventually call the ROM routine as well - perhaps after asking for permission to execute a suspicious instruction.

WDEF goes one step up in this. It first removes all of the patches on toolbox routines it wants to use. This effectively disables any anti-virus code that was there. Next, it figures out what machine you are running on and patches the traps back to what it thinks they should be for that machine. (BTW, this is why WDEF initially crashed the new machines - it didn't know the proper patches for them). It then copies itself, and sets the traps back to what they were before it started, leaving the anti-viral software totally unaware that anything happened.

- -ice
================================
reply to: iceman@applelink.apple.com
AppleLink: ICEMAN
disclaimer: (not (apples-opinion-p (opinions 'ice))) => T
================================