[comp.virus] WDEF Virus

C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) (12/09/89)

Recently there was a posting on VALERT-L about a new virus, WDEF.  In the
alert it is mentioned that:

(stuff deleted)

"Jeff Shulman, the author of Virus Detective 3.1, recommends adding the
following search string to detect the virus:

CREATOR=ERIK & Resource WDEF & Any

Virus Detective can also be used to remove the virus ......"

Where or to what do we add the "following search string"?  Please
pardon my ignorance.

Greg

Postal address:   Gregory E. Gilbert
                  Computer Services Division
                  University of South Carolina
                  Columbia, South Carolina   USA   29208
                  (803) 777-6015
Acknowledge-To: <C0195@UNIVSCVM>

shulman@uunet.UU.NET (Jeff Shulman) (12/10/89)

C0195@UNIVSCVM.BITNET (Gregory E. Gilbert) writes:

>Recently there was a posting on VALERT-L about a new virus, WDEF.  In the
>alert it is mentioned that:

>(stuff deleted)

>"Jeff Shulman, the author of Virus Detective 3.1, recommends adding the
>following search string to detect the virus:

>CREATOR=ERIK & Resource WDEF & Any

>Virus Detective can also be used to remove the virus ......"

>Where or to what do we add the "following search string"?  Please
>pardon my ignorance.

>Greg

These instructions only apply to VirusDetective 3.x.

1. Select VirusDetective from the DA menu.
2. Click the Modify Search Strings button.
3. Type
	Creator=ERIK & Resource WDEF & Any ; For finding WDEF, etc.
4. Click the Add button.
5. Click the Save button.
6. That's it!

Specific instructions can be found in both the VD doc file and the
online docs, and are going to be mailed out to registered users early
this week.  I will also be posting a file full of the latest search strings
that you can read in by clicking Read from File instead of steps 3 &
4, and I will be posting VD 3.1a that has this string already built in
(NO code modifications were made).

If you are a registered user and you still need more assistance don't
hesitate to contact me either electronically or by phone.

Jeff Shulman
VirusDetective Author

As usual, this is *me* speaking and no other organization.

uucp:      ...rutgers!yale!slb-sdr!shulman
CSNet:     SHULMAN@SDR.SLB.COM
Delphi:    JEFFS
GEnie:     KILROY
CIS:       76136,667
AppleLink: KILROY

dplatt@coherent.com (12/12/89)

> "Jeff Shulman, the author of Virus Detective 3.1, recommends adding the
> following search string to detect the virus:
>
> CREATOR=ERIK & Resource WDEF & Any
>
> Virus Detective can also be used to remove the virus ......"
>
> Where or to what do we add the "following search string"?  Please
> pardon my ignorance.

Assuming that you have a relatively recent version of VirusDetective,
you can open the desk accessory, click the "Modify Search Strings"
button (or enter command-M), type the above string into the one-line
field near the bottom of the search-string dialog box, click the "Add"
button to add the string to the working search criteria, and then
click the "Save" button to record the new criteria in the desk
accessory's long-term memory (in the System file).

You can then search disks, or individual Desktop files, using the
buttons in the desk accessory's main window.

If you're hunting for the WDEF virus, you should _not_ do so under
MultiFinder... run in the "uni-Finder" environment, launch an
application program (almost any will do), and then invoke
VirusDetective from within that application.  You should _not_ be
running the Finder (multi- or uni-) if you wish to remove the WDEF
virus from your Desktop file.

Disinfectant 1.4 is now available, by the way... it, also, can find
and eliminate WDEF.
--
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt   DOMAIN: dplatt@coherent.com
  INTERNET:       coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303

gford%nunki.usc.edu@usc.edu (Greg Ford) (12/19/89)

Sure enough, my Mac II had WDEF on it.  Its first attack (on four
partitions) was December 9.  Funny thing was, immediately prior to my
discovery of this virus, my Mac II had been experiencing these same
symptoms of slow-closing windows.  In fact, it was common for the
mouse-depression lines in the go-away box of the window to take up to
5 seconds to appear and for the window to close.  This follows what
has been said about the virus earlier.  The other problem I had (which
has now gone away since eradication 5 days ago) was that when opening
a large file from the HD (Rodime, 140 Meg, Internal), it would often
crash during the read, and MacBugs would say it was damaged.  This
scared me because I haven't done a backup since September (I know, I
know, no flames please), and this crash was coupled with the sound that
the HD makes when it starts up (you Rodime people know what I mean -
that click, and spinning sound).  Anyway, the problem has gone away,
and those same files open fine now that WDEF is gone.  Anyone else had
this problem?

As a side note, every single Mac on campus is infected near as I can
tell.  One lab with ~80 macs was infected in all 10 macs I randomly
sampled.  I gave the lab-room operator a copy of Disinfectant 1.5, but
he (get this) was unsure what to do with it.  I hope they've cleaned
it up.  If this thing (WDEF) passes from disk to disk just by
inserting an infected disk into a mac, can you imagine the headache
created by users who have their own disks?  The whole lab can become
reinfected in one day.  What a mess.

*******************************************************************************
* Greg Ford				GEnie:    G.FORD3		      *
* University of Southern California	Internet: gford%nunki.usc.edu@usc.edu *
*******************************************************************************

JS05STAF@MIAMIU.BITNET (Joe Simpson) (01/13/90)

Miami University in Oxford, Ohio has been visited by the WDEF virus.

An instance was detected and eradicated with GateKeeper Aid 1.0.1.

MOSES@urvax.urich.edu (02/07/90)

I have been away from my office and my Macintosh network for three
months and when I come back and read my bitnet messages I see there is
a new virus called WDEF.  Can I get some info on this?  What virus
detectors can I use to check out my network?  How can it be
eradicated?  What are its characteristics?  Please send your response
directly to me.

Thanks a bunch.

Salonge Crenshaw
University of Richmond
Richmond, VA  23173
Bitnet: Moses@URvax
Phone : 804-289-8861