troxell@INLOTTO.DEN.MMC.COM (Pete Troxell) (12/08/89)
This is being cross-posted from comp.sys.mac. The original article is by John Norstad of Northwestern University:

A new Macintosh virus named "WDEF" has been discovered in Belgium, at Northwestern University, and at the University of Texas.

The WDEF virus infects the invisible "Desktop" files used by the Finder. Every Macintosh disk has one of these files (hard drives and floppies). The virus spreads from Desktop file to Desktop file, but it does not infect applications, data files, or system files.

The virus does not intentionally try to do any damage. In fact, it doesn't do anything except spread from disk to disk.

Due to a bug, the virus causes Mac IIcis to crash. We have also noticed unusually frequent crashes on infected Mac IIcxs, and severe performance problems with infected AppleShare servers. There are also other bugs in the virus which could cause problems.

You do not have to run a program for the virus to spread. Unlike most of the other Mac viruses, the WDEF virus is not spread via the sharing and distribution of programs, but rather via the sharing and distribution of disks, usually floppy disks.

You can eliminate the virus from a disk by rebuilding the desktop file (hold down the Command and Option keys while booting or while inserting a floppy).

Jeff Shulman, the author of Virus Detective 3.1, recommends adding the following search string to detect the virus:

    Creator=ERIK & Resource WDEF & Any

Virus Detective can also be used to remove the virus - click on the "Remove" button whenever the search string is matched. This only works if you are not using MultiFinder, and if you are running some program other than the Finder. Don't try this with the other viruses - Virus Detective can only repair WDEF infections, not infections by the other known Macintosh viruses.

As far as we know, Virus Detective is the only virus-fighting tool which can detect the new WDEF virus. Unfortunately, the virus manages to avoid detection by all of the popular protection INITs, including Vaccine 1.0.1, GateKeeper 1.1.1, SAM Intercept 1.10, and Virex INIT 1.12. Disinfectant 1.3, Virus Rx 1.5, SAM Virus Clinic 1.10, and Virex 2.12 also all fail to detect the virus.

We expect that many of the virus-fighting programs mentioned above will be updated soon to deal properly with the new WDEF virus.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208
jln@acns.nwu.edu

--
Peter Troxell
NET: ncar!dinl!troxell
ARPA: Troxell@Dockmaster.ARPA
US-MAIL: Martin Marietta I&CS, MS XL8058, P.O. Box 1260, Denver, CO 80201-1260
Phone: (303) 971-7928
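Added example, not part of the original article and not Virus Detective's code: a Python sketch of the check the search string describes (creator ERIK and any resource of type WDEF), run over the raw bytes of a file's resource fork. It assumes the classic Macintosh resource fork layout and that the caller supplies the four-byte creator code; the function names and the sample forks are constructed for illustration.

```python
import struct

def resource_types(fork: bytes) -> dict:
    """Return {type_code: resource_count} from a classic Mac resource fork."""
    if len(fork) < 16:
        return {}                                   # empty or missing fork
    data_off, map_off, data_len, map_len = struct.unpack(">4I", fork[:16])
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("resource map lies outside the fork")
    rmap = fork[map_off:map_off + map_len]
    (tl_off,) = struct.unpack_from(">H", rmap, 24)  # offset from map start to type list
    if tl_off + 2 > len(rmap):
        raise ValueError("type list lies outside the map")
    (count_m1,) = struct.unpack_from(">H", rmap, tl_off)
    n_types = (count_m1 + 1) & 0xFFFF               # stored as count-1; 0xFFFF = none
    types = {}
    for i in range(n_types):
        entry = tl_off + 2 + 8 * i
        if entry + 8 > len(rmap):
            raise ValueError("truncated type list")
        code, n_m1, _ref_off = struct.unpack_from(">4sHH", rmap, entry)
        types[code] = n_m1 + 1
    return types

def matches_wdef_rule(creator: bytes, fork: bytes) -> bool:
    """Creator=ERIK & Resource WDEF & Any (any resource ID)."""
    return creator == b"ERIK" and b"WDEF" in resource_types(fork)

def build_fork(type_codes):
    """Constructed sample fork: one empty resource (ID 0) per type code."""
    n = len(type_codes)
    data = bytes(4) * n                             # each resource: 4-byte length of 0
    tlist = struct.pack(">H", (n - 1) & 0xFFFF)
    refs = b""
    for i, code in enumerate(type_codes):
        tlist += struct.pack(">4sHH", code, 0, 2 + 8 * n + 12 * i)
        refs += struct.pack(">hHI4x", 0, 0xFFFF, 4 * i)  # id, no name, data offset
    tlist += refs
    map_len = 28 + len(tlist)
    header = struct.pack(">4I", 256, 256 + len(data), len(data), map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + tlist
    return header + bytes(240) + data + rmap

if __name__ == "__main__":
    for creator, kinds in [(b"ERIK", [b"FREF", b"BNDL"]), (b"ERIK", [b"BNDL", b"WDEF"])]:
        print(creator, kinds, matches_wdef_rule(creator, build_fork(kinds)))
```

The creator code is not stored in the resource fork, so on a real volume it has to come from the file's Finder information before the rule can be applied.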