[comp.virus] WDEF A

@sun.acs.udel.edu:salamon@sun.acs.udel.edu (salamon) (01/10/90)

I hope I am not saying something that everyone already knows about,
but Newark Hall is infected with the Mac virus WDEF A.  It is a very
infective virus.  I took my work disk home, inserted it into my Mac
Plus and then went to open Disinfectant and by the time I ran it my
hard drive was infected, and I'm sure it wasn't infected before.

Even if it doesn't do any damage (am I right about this?) I find that
to be very obnoxious.

       **  **                          |   /Andrew/
         /\       HAVE A NICE DAY!     |   self-styled Bleydion op Rhys
       \____/                          |   salamon@sun.acs.udel.edu
                                       |

ACSH@UHUPVM1.BITNET (James N. Bradley) (02/07/90)

Today, while I was disinfecting a Macintosh IIx with Disinfectant 1.6
I got a report saying that the desktop was infected at 3:36 p.m. on
2/6.

Now, it just happened that it WAS 3:36 p.m. while I was doing the
disinfecting.

I was using a locked disk which checked clean both with Disinfectant
1.6 and Gatekeeper Aid.

Since the locked disk was clean, it couldn't have infected the HD,
right?  The person involved swears that no other disks had been in his
drives today.

Any ideas?
Jim Bradley

dplatt@coherent.com (02/11/90)

+ Today, while I was disinfecting a Macintosh IIx with Disinfectant 1.6
+ I got a report saying that the desktop was infected at 3:36 p.m. on
+ 2/6.
+
+ Now, it just happened that it WAS 3:36 p.m. while I was doing the
+ disinfecting...
+
+ Since the locked disk was clean, it couldn't have infected the HD,
+ right?  The person involved swears that no other disks had been in his
+ drives today.

The time-of-infection which Disinfectant reports is the "last modification
time" for the infected file.  This information is often useful when
you try to track down a virus which infects applications, since most
applications do not modify themselves when they are run... and hence
the "last modification time" of the application will often be the time
at which the virus infected the program.

However, the Desktop file is modified _very_ frequently by the
Finder...  it may be modified any time you launch a new application,
or drag an application from one disk/folder to another, or change any
file's Get Info... comments.  For this reason, the "last modification
time" on the Desktop file is _not_ a reliable indicator of when your
system was first infected.

BTW, there's no reason (as far as I know) to install Gatekeeper Aid on the
locked Disinfectant disk... as long as you keep the disk locked, no virus
will be able to infect it.
--
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt   DOMAIN: dplatt@coherent.com
  INTERNET:       coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
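
[Added example, not part of the original posts and not Disinfectant's code.] The Python sketch below reproduces the effect described in the last reply: a scanner that reports a file's last modification time gives a usable infection estimate for a file that is never rewritten, but only a "no later than" bound for one that is rewritten in normal use. Assumptions: the marker bytes, file names and timestamps are constructed, ordinary files stand in for the Mac application and Desktop file, and timestamps are taken to be untampered.

```python
import os
import tempfile

MARKER = b"WDEF-SAMPLE-MARKER"  # constructed stand-in for a scanner signature, not real virus data


def write_at(path, data, when):
    """Write data and pin the file's modification time to `when` (epoch seconds)."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, (when, when))


def scan(path, rewritten_in_normal_use):
    """Return a finding for a file containing MARKER, or None if it is clean.

    The reported time is the file's mtime. It is always an upper bound on the
    infection time; it is a usable estimate only when the file is not
    rewritten during normal use.
    """
    with open(path, "rb") as fh:
        if MARKER not in fh.read():
            return None
    return {
        "file": os.path.basename(path),
        "reported": int(os.stat(path).st_mtime),
        "meaning": "infected no later than" if rewritten_in_normal_use
                   else "likely infected at",
    }


def demo():
    t_install, t_infect, t_scan = 1_000_000, 2_000_000, 3_000_000  # constructed times
    with tempfile.TemporaryDirectory() as d:
        app, desktop = os.path.join(d, "Application"), os.path.join(d, "Desktop")
        write_at(app, b"code", t_install)
        write_at(desktop, b"icons", t_install)
        # Infection: both files gain the marker at t_infect.
        write_at(app, b"code" + MARKER, t_infect)
        write_at(desktop, b"icons" + MARKER, t_infect)
        # Routine update just before the scan (e.g. an application launch):
        # the marker is still present but the mtime moves forward.
        write_at(desktop, b"icons+more" + MARKER, t_scan)
        return scan(app, False), scan(desktop, True), t_infect, t_scan


if __name__ == "__main__":
    for finding in demo()[:2]:
        print(finding)
```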