[comp.virus] WDEF Virus Alert

troxell@INLOTTO.DEN.MMC.COM (Pete Troxell) (12/08/89)

This is being cross-posted from comp.sys.mac. The original article is
by John Norstad of Northwestern University:

A new Macintosh virus named "WDEF" has been discovered in Belgium,
at Northwestern University, and at the University of Texas.

The WDEF virus infects the invisible "Desktop" files used by the
Finder.  Every Macintosh disk has one of these files (hard drives
and floppies).  The virus spreads from Desktop file to Desktop
file, but it does not infect applications, data files, or system
files.

The virus does not intentionally try to do any damage.  In fact,
it doesn't do anything except spread from disk to disk.

Due to a bug, the virus causes Mac IIcis to crash.  We have also
noticed unusually frequent crashes on infected Mac IIcxs, and
severe performance problems with infected AppleShare servers.
There are also other bugs in the virus which could cause problems.

You do not have to run a program for the virus to spread.

Unlike most of the other Mac viruses, the WDEF virus is not spread
via the sharing and distribution of programs, but rather via the
sharing and distribution of disks, usually floppy disks.

You can eliminate the virus from a disk by rebuilding the desktop
file (hold down the Command and Option keys while booting or while
inserting a floppy).

Jeff Shulman, the author of Virus Detective 3.1, recommends adding
the following search string to detect the virus:

    Creator=ERIK & Resource WDEF & Any

Virus Detective can also be used to remove the virus - click on
the "Remove" button whenever the search string is matched.  This
only works if you are not using MultiFinder, and if you are
running some program other than the Finder.  Don't try this with
the other viruses - Virus Detective can only repair WDEF
infections, not infections by the other known Macintosh viruses.

As far as we know, Virus Detective is the only virus-fighting tool
which can detect the new WDEF virus.

Unfortunately, the virus manages to avoid detection by all of the
popular protection INITs, including Vaccine 1.0.1, GateKeeper
1.1.1, SAM Intercept 1.10, and Virex INIT 1.12.

Disinfectant 1.3, Virus Rx 1.5, SAM Virus Clinic 1.10, and Virex
2.12 also all fail to detect the virus.

We expect that many of the virus-fighting programs mentioned above
will be updated soon to deal properly with the new WDEF virus.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

jln@acns.nwu.edu

--
Peter Troxell
NET:     ncar!dinl!troxell
ARPA:    Troxell@Dockmaster.ARPA
US-MAIL: Martin Marietta I&CS, MS XL8058, P.O. Box 1260,
         Denver, CO 80201-1260
Phone:   (303) 971-7928
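
Added example, not part of the original post and not code from Virus Detective: a Python check that applies the quoted search string to a raw resource fork, reading it as "file creator is ERIK and the fork holds a resource of type WDEF with any ID" (that reading is an assumption). The function names and the sample forks are constructed for illustration, and the caller supplies the creator code.

```python
import struct

def resource_types(fork):
    """Return {type_code: resource_count} from a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("fork shorter than its 16-byte header")
    _data_off, map_off, _data_len, map_len = struct.unpack(">IIII", fork[:16])
    rmap = fork[map_off:map_off + map_len]
    if map_len < 30 or len(rmap) != map_len:
        raise ValueError("resource map missing or truncated")
    # Map: 16-byte header copy, 4-byte handle, 2-byte file ref, 2-byte
    # attributes, then 2-byte offsets to the type list and the name list.
    tl_off = struct.unpack(">H", rmap[24:26])[0]
    if tl_off + 2 > len(rmap):
        raise ValueError("type list offset outside the map")
    # The type count is stored minus one; 0xFFFF means an empty list.
    n_types = (struct.unpack(">H", rmap[tl_off:tl_off + 2])[0] + 1) & 0xFFFF
    found = {}
    for i in range(n_types):
        entry = rmap[tl_off + 2 + 8 * i:tl_off + 10 + 8 * i]
        if len(entry) < 8:
            raise ValueError("truncated type list")
        code, count_minus_1, _ref_off = struct.unpack(">4sHH", entry)
        found[code.decode("mac_roman")] = count_minus_1 + 1
    return found

def matches_wdef_rule(creator, fork):
    """Creator=ERIK & Resource WDEF & Any (assumed reading of the string)."""
    return creator == "ERIK" and "WDEF" in resource_types(fork)

def build_fork(types):
    """Constructed sample: a fork holding one empty resource per type code."""
    data = bytes(4) * len(types)              # each resource: 4-byte length 0
    tl = struct.pack(">H", (len(types) - 1) & 0xFFFF)
    refs = b""
    for i, t in enumerate(types):
        tl += struct.pack(">4sHH", t.encode("mac_roman"), 0,
                          2 + 8 * len(types) + 12 * i)
        # Reference entry: ID, name offset (-1 = none), attrs + data offset, handle.
        refs += struct.pack(">hhI4x", i, -1, 4 * i)
    body = tl + refs
    rmap_len = 28 + len(body)
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), rmap_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, rmap_len) + body
    return header + bytes(240) + data + rmap

if __name__ == "__main__":
    print(matches_wdef_rule("ERIK", build_fork(["ICN#", "WDEF"])))
```

WDEF is an ordinary resource type (window definition), so the creator test is what restricts the match to Desktop files rather than every application that carries its own WDEF.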