jln@acns.nwu.edu (12/15/89)
Disinfectant 1.5
================

December 14, 1989

Disinfectant 1.5 is a new release of our free Macintosh virus detection and repair utility. Shortly after the release of version 1.4, a new strain of the WDEF virus was discovered. Version 1.5 has been configured to recognize the new strain. Version 1.5 also contains code to detect and repair other strains of WDEF which may exist but have not yet been reported.

Disinfectant 1.5 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It will also be available soon on sumex-aim, comp.binaries.mac, CompuServe, Genie, Delphi, BIX, MacNet, America Online, Calvacom, and other popular sources for free and shareware software.

The following text is extracted from the new section on WDEF in Disinfectant's online document. It describes what we know to date about this new virus. The description has been expanded to include new information that has recently become available.

The WDEF virus was first discovered in December, 1989 in Belgium and in one of our labs at Northwestern University. Since the initial discovery, it has also been reported at many other locations throughout the United States, so we fear that it is widespread. We have reason to believe that the virus has been in existence since at least mid-October of 1989. We know of two strains, which we call "WDEF A" and "WDEF B."

WDEF only infects the invisible "Desktop" files used by the Finder. With a few exceptions, every Macintosh disk (hard drives and floppies) contains one of these files. WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it is not spread through the sharing of applications, but rather through the sharing and distribution of disks, usually floppy disks.

WDEF may have been introduced initially via a Trojan Horse application, in a fashion similar to the way the MacMag virus was first introduced via a Trojan Horse HyperCard stack. We do not yet know if this is indeed the case, and we may never know.

WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread.

The WDEF A and WDEF B strains are very similar. The only significant difference is that WDEF B beeps every time it infects a new Desktop file, while WDEF A does not beep.

Although the virus does not intentionally try to do any damage, WDEF contains bugs which can cause very serious problems. We have received reports of the following problems:

* The virus causes both the Mac IIci and the portable to crash.

* Under some circumstances the virus can cause severe performance problems on AppleTalk networks with AppleShare servers.

* Many people have reported frequent crashes when trying to save files in applications under MultiFinder.

* The virus causes problems with the proper display of font styles (the outline style in particular).

* We have two reports that the virus can damage disks.

* We have a report that the virus causes Macs with 8 megabytes of memory to crash.

* We have a report that the virus is incompatible with the "Virtual" INIT from Connectix.

Even though AppleShare servers do not use the normal Finder Desktop file, many servers have an unused copy of this file anyway. If the AppleShare administrator has granted the "make changes" privilege to the root directory on the server, then any infected user of the server can infect the Desktop file on the server. This is one of the situations which can lead to the severe performance problems mentioned above. For this reason, administrators should never grant the "make changes" privilege on server root directories. We also recommend deleting the Desktop file if it exists. It does not appear that the virus can spread from an AppleShare server to other Macs on the network, however.

When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder the Desktop files are always "busy," and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message.

Unfortunately, when the WDEF virus first appeared, none of the current versions of the most popular virus prevention tools were able to detect or prevent WDEF infections. This includes Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12.

Chris Johnson, the author of GateKeeper, has released "GateKeeper Aid," a free system startup document (INIT) that detects and automatically removes WDEF infections and notifies the user of the infection. GateKeeper Aid can be used together with GateKeeper or together with Vaccine to provide protection against WDEF. New versions of the commercial tools should also be released soon, and we expect that at least one other free protection tool will also be available soon.

It is very important that all Mac users obtain and install GateKeeper Aid or some other WDEF protection tool. You can use Disinfectant to remove an existing infection, but if you do not install a protection tool you may very likely become infected again.

In addition to the two known strains of the WDEF virus, Disinfectant will also detect and repair other strains which may exist but have not yet been reported. If an unknown strain is detected, Disinfectant places the following message in the report:

### File infected by an unknown strain of WDEF

If you see this message, and if you have not already repaired the file, we would appreciate it if you would send a copy to the author. The author's addresses are at the end of this document. You may need the assistance of an expert, since the Desktop files that are infected by the WDEF virus are normally invisible. You should use ResEdit or some other file editing tool to make the file visible, then make a copy to send to us, then use the same tool to make the original file invisible again, and use Disinfectant to repair it. Send the copy to the author, then delete the copy.

Please do not worry if you are not comfortable with these instructions and you do not have access to an expert. Go ahead and repair the infected file. It is more important that you rid your system of the virus than it is for us to get a copy of the unknown strain.

This version of Disinfectant is being released only one week after the discovery of the WDEF virus. We do not yet understand it as thoroughly as we do the other older viruses. We have disassembled it completely, and we understand the basic replication mechanism. We know that it can cause serious problems, and we know why it causes some of the problems. Research into the behavior and adverse effects of this virus will continue for some time.

You should keep in touch with your local Mac user group or bulletin board for more information about this new virus as it becomes available. Commercial online services like CompuServe and Genie and the Macintosh trade press publications like MacWeek are also good sources of information.

When the WDEF virus was first discovered, the authors of most of the popular virus-fighting programs and other experts immediately began working together to analyze and test the virus. The information presented here is a compilation of our joint discoveries.

The author would like to thank everybody who helped in the investigation. Particular thanks to Chris Johnson (GateKeeper), Jeff Shulman (VirusDetective), Paul Cozza (SAM), Robert Woodhead (Virex), Dave Platt, Werner Uhrig, and the Apple Virus Rx team. Thanks also to the many Mac users who sent reports of WDEF sightings and problems caused by the virus.
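Added here as a worked example (not Disinfectant's code, and not part of the original post): a small Python routine that walks the type list of a Macintosh resource fork and reports any WDEF resources found in a Desktop file's fork, the kind of check a scanner for this virus has to make. The fork layout follows Apple's documented resource-fork format; the rule that a Finder Desktop file should carry no WDEF resource, and the two sample forks, are constructed assumptions for illustration.

```python
import struct

def build_fork(resources):
    """Construct a minimal Macintosh resource fork from (type, id, payload) triples.
    Constructed sample data for this example, laid out per Apple's documented
    resource-fork format: 16-byte header, data section at 256, then the map."""
    data, refs = b"", {}
    for rtype, rid, body in resources:
        refs.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body       # each resource: length + bytes
    type_list = struct.pack(">h", len(refs) - 1)           # type count is stored minus one
    ref_lists = b""
    ref_base = 2 + 8 * len(refs)                           # reference lists follow the type entries
    for rtype, items in refs.items():
        type_list += struct.pack(">4shH", rtype, len(items) - 1, ref_base + len(ref_lists))
        for rid, off in items:                             # 12-byte reference entry, no name
            ref_lists += struct.pack(">hh", rid, -1) + b"\0" + off.to_bytes(3, "big") + bytes(4)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(ref_lists))
    rmap += type_list + ref_lists                          # type list sits at map offset 28
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + data + rmap

def resource_types(fork):
    """Walk the resource map's type list; return {type: [resource ids]}."""
    _, map_off, _, _ = struct.unpack_from(">IIII", fork, 0)
    type_list_off, = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    ntypes = struct.unpack_from(">h", fork, tl)[0] + 1
    found = {}
    for i in range(ntypes):
        rtype, nres, ref_off = struct.unpack_from(">4shH", fork, tl + 2 + 8 * i)
        found[rtype] = [struct.unpack_from(">h", fork, tl + ref_off + 12 * j)[0]
                        for j in range(nres + 1)]
    return found

def wdef_suspect(desktop_fork):
    """Heuristic (an assumption for this example, not Disinfectant's actual logic):
    a Finder Desktop file has no legitimate reason to carry WDEF (window
    definition) code resources, so every WDEF resource id found is reported."""
    return sorted(resource_types(desktop_fork).get(b"WDEF", []))

# Constructed sample forks: a clean Desktop file and one carrying a WDEF resource.
CLEAN_DESKTOP = build_fork([(b"BNDL", 128, bytes(8)), (b"FREF", 128, b"APPL")])
SUSPECT_DESKTOP = build_fork([(b"BNDL", 128, bytes(8)), (b"WDEF", 0, bytes(2))])

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN_DESKTOP), ("suspect", SUSPECT_DESKTOP)):
        print(name, "WDEF ids:", wdef_suspect(fork))
```

On a real disk the Desktop file is invisible, so the bytes passed to resource_types would come from its resource fork as exposed by the file-editing tool mentioned above.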
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink: A0173