johnsonr@ncar.UCAR.EDU (JOHNSON RICHARD J) (02/01/90)
swenson@pythagoras.Stanford.EDU (Norman Swenson) writes:
] I have noticed something suspiciously virus-like on my Mac II. ..
] Fearing an imminent disk crash, I backed up my hard disk to another.
] While the files were copying over, I got a veto message from Gatekeeper.
] I decided to check my disk using Disinfectant 1.5 and found that Drawover
] (part of Adobe Illustrator) was infected with nVir B. I disinfected that
] file, and all my disks then scanned clean.

The veto message you got probably had nothing to do with the nVIR B infection. (However, if you'd tried to run Drawover before disinfecting it, you probably would have gotten a message about nVIR B.)

] However, whenever I try to open the Illustrator folder on the backup
] disk, I get the following veto message: 'Gatekeeper has vetoed an
] attempt by Finder to violate "Res(other)" privileges against Desktop.
] [AddResource(ADBS,0)]'. I have isolated the behavior to the Adobe
] Separator 2.0 program.

Yup. ADoBe Separator uses ADBS for its creator signature. Sadly, the Mac OS also uses a resource called ADBS for the Apple Desktop BuS. The latter is executable code, while the signature resource isn't. GateKeeper blocks unprivileged attempts to add executable resources to files, and is obviously mistaking the totally harmless signature resource for a nasty virus. Stupid GateKeeper :-)

The solution here is to simply not use applications that use resource names as their application signatures. Stupid Adobe :-)

] Why would opening a folder require adding a resource to the desktop
] file?

The Finder keeps track of which icons to display for which files. To do that it stores the icons, signature resources, etc. in the DeskTop file. If the Finder discovers an unknown file in a folder, it will attempt to add that file's identifying info to the DeskTop.

] And why did Gatekeeper veto it on one disk, but not the other?

I dunno. The Finder is often mysterious to the semi-initiated (like me).
Perhaps an expert can take the rest of the questions?

] Norm
] swenson@isl.stanford.edu

| Richard Johnson johnsonr@spot.colorado.edu |
| CSC doesn't necessarily share my opinions, but is welcome to. |
| Power Tower...Dual Keel...Phase One...Allison/bertha/Colleen...?... |
| Space Station Freedom is Dead. Long Live Space Station Freedom! |
alexis@rascal.ics.utexas.edu (Alexis Rosen) (02/04/90)
swenson@pythagoras.Stanford.EDU (Norman Swenson) writes:
>I have noticed something suspiciously virus-like on my Mac II. I was

First the good news. This is almost certainly not a virus. To make sure, find out if the file signature of ADoBe Separator is ADBS. If it is, you're fine. Otherwise, you might have a problem.

>getting a "Serious disk error" message from Microsoft Word and garbage
>in my files when using the editor in TeXtures. Fearing an imminent
>disk crash, I backed up my hard disk to another. While the files were
>copying over, I got a veto message from Gatekeeper (ver 1.1.1, w
>Gatekeeper Aid). I decided to check my disk using Disinfectant 1.5...
> ...However, whenever I try to open the Illustrator folder on the backup
>disk, I get the following veto message: 'Gatekeeper has vetoed an
>attempt by Finder to violate "Res(other)" privileges against Desktop.
>[AddResource(ADBS,0)]'. I have isolated the behavior to the Adobe
>Separator 2.0 program. When I remove it from that folder, I do not
>get the message. When I put it back, I don't get the message the
>first time I open the folder, but I do every time after that. I made
>a copy of the folder on another disk, and at first I got the same
>behavior, but after I rebooted it went away on the second disk. I
>looked at both desktop files using resedit; one had the ADBS resource
>in it, the other did not. Is this normal behavior, or could it be due
>to a virus that Disinfectant 1.5 is not catching? Why would opening a
>folder require adding a resource to the desktop file? And why did
>Gatekeeper veto it on one disk, but not the other?

I've seen this coming ever since the GK-Aid INIT was released- but then again, I anticipated WDEF in a message about seven months ago, and all of this revolves around one concept- file signatures that look like code, and vice versa (I can't claim any great genius on this, though- I got the idea from seeing C. Weber's FKEY Manager program cause crashes on Cmd-Shift-0... anyone else remember that?).

To answer your questions (as best as I can from your description), the Adobe Separator utility has a file signature which happens to have the exact same four bytes as a type of executable resource that lives in the system file. Now while I've never seen the GateKeeper-Aid, I'm pretty certain I know exactly what it does- it prevents any resource which looks like executable code to the Mac OS from going into the Mac desktop. This is a well-defined list which includes (not surprisingly) WDEF.

So what happened was, when Separator was put on your hard disk, you didn't have GK-Aid, and so the Separator bundle (signature ADBS) was added to your desktop (as it should have been). When you tried to open the folder containing Separator for the first time, on your other disk, you were running GK-Aid. At that point, the Finder wanted to add the bundle resource 'ADBS' to the second disk's Desktop file, and GateKeeper vetoed it.

In summary, everything is OK (as long as I'm right that Separator's signature is 'ADBS'). GK and the Finder are both behaving as they should. The folks at Adobe get the programming-fools-of-the-week award for picking such a bad signature. Nothing to shoot them over, though. If you just override GK long enough for the signature to get into the desktop file, it will stop bothering you (the Finder only adds a bundle once).

Hope this helps (and I _really_ hope it's right)--

Alexis Rosen
alexis@panix.uucp
{apple,cmcl2}!panix!alexis

DISCLAIMER: IF A NEW VIRUS TRASHES YOUR DISK, DON'T BLAME ME.
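A small model of the collision the two replies describe, added here as an example and not code from either poster, from GateKeeper or from Adobe: the GK-Aid-style check keys only on the 4-byte resource type, so a creator signature that spells an executable type ('ADBS') is vetoed, and the veto repeats until the bundle has been registered once. The executable-type list, the "Demo App"/"DEMO" application and the open_folder/scenario functions are assumptions made for the model.

```python
import struct

# Resource types a GK-Aid-style policy treats as executable code (assumed list;
# the thread itself confirms only WDEF and ADBS are on it).
EXECUTABLE_TYPES = frozenset({"CODE", "INIT", "WDEF", "CDEF", "MDEF", "ADBS", "FKEY", "DRVR"})


def ostype(code: str) -> int:
    """Pack a 4-character type or creator code into the 32-bit OSType the Mac OS compares."""
    raw = code.encode("mac_roman")
    if len(raw) != 4:
        raise ValueError("OSType must be exactly 4 bytes")
    return struct.unpack(">I", raw)[0]


def is_executable_type(res_type: str) -> bool:
    """Type-name check only: a creator signature and a code resource type with the
    same 4 bytes are indistinguishable here, which is the whole false positive."""
    return ostype(res_type) in {ostype(t) for t in EXECUTABLE_TYPES}


def open_folder(desktop: set, apps: dict, gk_aid_on: bool, log: list) -> None:
    """Model of the Finder registering unknown applications' bundles in the Desktop file.
    apps maps app name -> creator signature; desktop holds signatures already registered."""
    for name, creator in apps.items():
        if creator in desktop:
            continue  # bundle was added once already: no AddResource call, nothing to veto
        if gk_aid_on and is_executable_type(creator):
            log.append(f"veto: Finder AddResource({creator},0) against Desktop for {name}")
            continue  # Finder retries on the next open, so the veto repeats
        desktop.add(creator)
        log.append(f"added: {creator} bundle for {name}")


def scenario() -> dict:
    """Replay the thread: the original disk registered ADBS before GK-Aid was installed;
    the backup disk vetoes on every open until GateKeeper is overridden once."""
    apps = {"Adobe Separator": "ADBS", "Demo App": "DEMO"}  # "Demo App"/"DEMO" is constructed
    original, backup, log = set(), set(), []
    open_folder(original, apps, gk_aid_on=False, log=log)  # before GK-Aid: ADBS registered fine
    for _ in range(2):
        open_folder(backup, apps, gk_aid_on=True, log=log)  # GK-Aid vetoes ADBS on each open
    open_folder(backup, apps, gk_aid_on=False, log=log)  # one override lets the bundle in
    open_folder(backup, apps, gk_aid_on=True, log=log)  # bundle present now, so no veto
    vetoes = sum(entry.startswith("veto") for entry in log)
    return {"original": original, "backup": backup, "vetoes": vetoes, "log": log}


if __name__ == "__main__":
    print(*scenario()["log"], sep="\n")
```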