fsteele@uga.bitnet (Frank Steele) (12/09/89)
The new WDEF virus for the Mac has infected some of the Mac labs at the University of Georgia. I've had a chance to see its effects; here are a few:

If your machine is infected, WDEF slows down window updates. You may hang in the middle of trying to open or close a window. Generally, the arrows in your monitor's upper left-hand corner (denoting network connection) will show during the entire process (they usually blink) and, if you're closing a window, you may see the radial lines within the close box even long after (15-30 sec) you've clicked in it. From my understanding of the proper role of the W(indow) Def(inition) resource, this makes sense. The spooler window on an AppleShare window can take a similarly long time to update.

I can't tell yet whether the virus can spread to/from AppleShare servers over the network (or only by disk contact) or whether the special desktop files, Desktop DB and DF, associated with AppleShare servers can be infected (none I've seen so far have been). Further input from others on these possibilities would be appreciated. Also, I don't think infection is automatic. I checked a floppy disk belonging to a user who had been using an infected hard drive for an hour, and the floppy was clean.

Virus Detective, version 3.1, will search for the resource and will remove it. In fact, WDEF is the only virus I'm aware of that Virus Detective can safely remove. (Others?) Don't be intimidated by the rather lengthy dialog box telling you that removing a single resource won't necessarily remove a virus. In this case, it will. One problem I've seen is that, if you're running Symantec Anti-virals for the Mac, telling Virus Detective to remove the resource brings up an alert box disallowing you (in about five different ways) from changing any resources, then bombs the machine. Therefore, if you're using SAM, disable it until you've removed WDEF, then re-enable it.

This is one of the more innocuous viruses to hit the Mac, but the unusual propagation method is going to make it extremely difficult to completely clean up, especially in an unattended environment, as many campus Mac labs are. I'll be happy to help anyone with questions as much as I can through BITNET... I'd appreciate hearing from others with additional information (Has anyone taken this apart and discovered whether it has a purpose beyond propagation?)... My address is FSTEELE@UGA.BITNET.

Frank Steele
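The post above says Virus Detective finds WDEF by searching the Desktop file's resource fork for the WDEF resource. The following is an added example, not code from the original thread or from Virus Detective: a small parser for the classic Mac OS resource fork layout (header, resource data, resource map with type list and reference lists) that lists any WDEF resources it finds. The resource fork it scans is constructed inline from a stub builder; the resource ID 0 and the payload bytes in the sample are assumptions for illustration, and reading a real Desktop file's resource fork off a volume is left to the caller.

```python
"""List WDEF resources in a classic Mac OS resource fork (added example)."""
import struct

def build_resource_fork(resources):
    """Build a minimal resource fork from [(type, id, payload)]. Constructed test
    data only: no name list, all reserved map fields zeroed."""
    data_blob, offsets = b"", []
    for _, _, payload in resources:
        offsets.append(len(data_blob))
        data_blob += struct.pack(">I", len(payload)) + payload  # length-prefixed data
    types = {}
    for (rtype, rid, _), off in zip(resources, offsets):
        types.setdefault(rtype, []).append((rid, off))
    type_list = struct.pack(">H", len(types) - 1)     # count of types minus one
    ref_lists, ref_base = b"", 2 + 8 * len(types)      # ref lists follow the type entries
    for rtype, refs in types.items():
        type_list += rtype + struct.pack(">HH", len(refs) - 1, ref_base + len(ref_lists))
        for rid, off in refs:                            # 12-byte reference entry
            ref_lists += struct.pack(">hH", rid, 0xFFFF) + b"\x00" + off.to_bytes(3, "big") + b"\x00" * 4
    res_map = b"\x00" * 24                                # header copy, next-map handle, refnum, attrs
    res_map += struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))  # type list / name list offsets
    res_map += type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data_blob), len(data_blob), len(res_map))
    return header + b"\x00" * 240 + data_blob + res_map

def list_resources(fork):
    """Yield (type, id, data) for every resource in the fork by walking the map."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    type_list = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    ntypes = struct.unpack(">h", fork[type_list:type_list + 2])[0] + 1   # -1 means no types
    for i in range(ntypes):
        entry = type_list + 2 + 8 * i
        rtype, nrefs, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        for j in range(nrefs + 1):
            ref = type_list + ref_off + 12 * j
            rid = struct.unpack(">h", fork[ref:ref + 2])[0]
            off = int.from_bytes(fork[ref + 5:ref + 8], "big")            # 3-byte data offset
            size = struct.unpack(">I", fork[data_off + off:data_off + off + 4])[0]
            yield rtype, rid, fork[data_off + off + 4:data_off + off + 4 + size]

def find_wdef(fork):
    """Return [(id, length)] for each WDEF resource; a Desktop file normally has none."""
    return [(rid, len(d)) for rtype, rid, d in list_resources(fork) if rtype == b"WDEF"]

if __name__ == "__main__":
    # Constructed sample: one icon-list resource plus a WDEF resource (assumed ID 0).
    sample = build_resource_fork([(b"ICN#", 128, b"\x01" * 8), (b"WDEF", 0, b"\x4e\x75" * 4)])
    print(find_wdef(sample))  # [(0, 8)]
```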
cayz@udel.edu (James Cayz) (01/11/90)
Sounds like those machines need some Eradicat'Em. All of the normal Internet Mac Archive sites have it on-line by now. If you can't get it from there, or the MRC, gimme a yell (x6307 (if no answer try x2335)), but it may take a few hours (maybe a day) for me to get it to you. Does anyone know of a combination Vaccine / Eradicat'Em init (i.e., catches everything) that doesn't need a lot of work to set up (i.e., like GateKeeper / GK Aid)?

James

James Cayz can be found via:
E-MAIL (ARPA): cayz@louie.udel.edu
PHONE: +1 302 451-6307
USPS: Educational Technology Laboratory, 203 Willard Hall Education Building, University of Delaware, Newark DE 19716