[comp.virus] The not-so-new virus

jrk@sys.uea.ac.uk (Richard Kennaway) (10/12/89)

We have not seen any symptoms of the MacWrite-attacking MacWight virus
at this site, but on seeing the messages about it, I started looking for
STR 801 resources.  I doubt if they have anything to do with the virus.

A scan of my hard disc showed that something like half the MacWrite docs
had STR 801 in them.  There didn't seem to be any pattern in which files
had STR 801 and which didn't.  The STR 801s are not all the same size, BTW.
Opening a file which did not have it with MacWrite4.6M had the effect of
adding a STR 801.  In response to a local enquiry, a colleague said:

> I don't have all that many MacWrite docs. on my hard disc, but I managed
> to find a few that I created about two years ago.  They had STR id. = 801
> resources.  As far as I can remember, I haven't touched them since
> Christmas '87 (other than copying the folder [that contains the folder ...]
> that contains them, in the Finder, and running Disinfectant).
>
> I've also just looked at the MacWrite floppy that came with a new Mac+
> about two years ago.  As far as I can remember this disc has been
> languishing in its box since a day or two after the machine arrived: the
> "Sample Memo" doc. on this disc also has a STR id. = 801 resource on it.

I suspect that STR 801 is legitimately used by newer versions of
MacWrite for its own inscrutable purposes.  Disclaimer: only Apple or
Claris can make a definitive pronouncement.

Paranoid speculation follows.

Maybe someone is using the Joker's trick.  There could be several
infected applications out there, all quietly spreading harmless-looking
things like STR 801 that don't ring GateKeeper's alarms, but when they
all come together in one application, the real virus is triggered...

Plug for Virus Detective: with this it was easy to search for all files
containing STR 700 (legitimate MacWrite resource) or STR 801.  All the
other virus detectors I've seen have the symptoms to look for
hard-wired.  I have no relationship with the author other than being a
satisfied customer.
- --
Richard Kennaway          SYS, University of East Anglia, Norwich, U.K.
Janet:  kennaway@sys.uea.ac.uk		uucp:  ...mcvax!ukc!uea-sys!jrk
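The search Richard describes (listing every file that carries an STR 700 or STR 801 resource) is an inventory of the resource map, which is what makes it useful for a defender: a resource ID showing up in files that should not have it is a checkable fact rather than a hard-wired signature. The Python below is an added example written for this thread, not Virus Detective's code or anything posted by the authors. It builds a few constructed classic-Mac resource forks in memory (the document names, resource contents and function names are invented for the illustration) and then walks the resource map, reading the type list and reference lists, to report resources by type and ID.

```python
import struct

# Classic Mac resource fork layout (big-endian):
#   header (16 bytes): data offset, map offset, data length, map length
#   + 240 reserved bytes, then resource data (4-byte length + bytes each),
#   then the resource map: 16-byte header copy, 4 next-handle, 2 refnum,
#   2 attrs, 2 type-list offset, 2 name-list offset, type list, ref lists.


def build_resource_fork(resources):
    """Constructed sample builder: resources is a list of (type, id, payload)."""
    data = bytearray()
    entries = []                                   # (type, id, offset into data)
    for rtype, rid, payload in resources:
        entries.append((rtype, rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    types = list(dict.fromkeys(t for t, _, _ in entries))
    type_list_len = 2 + 8 * len(types)
    type_list = bytearray(struct.pack(">H", (len(types) - 1) & 0xFFFF))
    ref_lists = bytearray()
    for rtype in types:
        refs = [(rid, off) for t, rid, off in entries if t == rtype]
        # count-1 and the offset of this type's reference list from the type list start
        type_list += rtype.encode("latin-1") + struct.pack(
            ">HH", len(refs) - 1, type_list_len + len(ref_lists))
        for rid, off in refs:
            # id(2) name offset(2, 0xFFFF = unnamed) attrs(1) data offset(3) handle(4)
            ref_lists += (struct.pack(">hH", rid, 0xFFFF) + b"\0"
                          + off.to_bytes(3, "big") + bytes(4))
    map_len = 28 + type_list_len + len(ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), map_len)
    map_header = header + struct.pack(">IHHHH", 0, 0, 0, 28, map_len)  # empty name list
    return header + bytes(240) + bytes(data) + map_header + bytes(type_list) + bytes(ref_lists)


def list_resources(fork):
    """Walk the resource map and return [(type, id, data_size), ...]."""
    data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", fork, 0)
    type_list_off = struct.unpack_from(">H", fork, map_off + 24)[0]
    tl = map_off + type_list_off
    count_word = struct.unpack_from(">H", fork, tl)[0]
    if count_word == 0xFFFF:                       # "count minus one" of an empty map
        return []
    found = []
    for i in range(count_word + 1):
        entry = tl + 2 + 8 * i
        rtype = fork[entry:entry + 4].decode("latin-1")
        nres_minus_one, ref_off = struct.unpack_from(">HH", fork, entry + 4)
        for j in range(nres_minus_one + 1):
            ref = tl + ref_off + 12 * j
            rid = struct.unpack_from(">h", fork, ref)[0]
            doff = int.from_bytes(fork[ref + 5:ref + 8], "big")
            size = struct.unpack_from(">I", fork, data_off + doff)[0]
            found.append((rtype, rid, size))
    return found


def find_resources(forks, wanted):
    """Report, per file, the resources whose (type, id) is in `wanted`."""
    return {name: sorted(r for r in list_resources(fork) if (r[0], r[1]) in wanted)
            for name, fork in forks.items()}


# Constructed sample "documents" standing in for files on a hard disc.
SAMPLE_FORKS = {
    "Letter": build_resource_fork([("STR ", 700, b"\x04Memo"), ("STR ", 801, b"\x08untitled")]),
    "Memo":   build_resource_fork([("STR ", 700, b"\x04Memo")]),
    "Clean":  build_resource_fork([("ICN#", 128, bytes(256))]),
}

if __name__ == "__main__":
    for name, hits in find_resources(SAMPLE_FORKS, {("STR ", 700), ("STR ", 801)}).items():
        print(name, hits)
```

On a real disc the bytes fed to `list_resources` come from a file's resource fork rather than from `build_resource_fork`; the parser itself does not care where the bytes originate, and because it reports sizes as well as IDs it also shows the "not all the same size" observation directly.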

jap2_ss@uhura.cc.rochester.edu (The Mad Mathematician) (10/25/89)

I am the one who first posted about the possibly new virus.  I will
give all the information I have here.  I believe I have finally gotten
some infected software.

There was a great deal of confusion at first as to what exactly was
happening.  I was a consultant once, and as such am called upon to
assist the present consultants with tasks they are new at.  We had
been having a problem with disks crashing at an alarming rate, all
showing identical symptoms.  They are these:

The Chooser becomes unable to find any printer resources.
The System and most system software gets written to, in an as yet
unknown manner.  Their sizes may or may not change.
Other applications are written to, and documents created with them
become unreadable.
The Desktop gets damaged, causing the message "This disk needs minor
repairs.  Do you want to fix it?" to come up on bootup.  By this stage
the only recourse is to copy documents off with something like Deskzap
and reformat the disk, replacing all the software.
If the disk is repaired, it actually may seem that way, but usually
is ruined, even to the point of unusability.

No virus detection programs identify a virus, except perhaps SAM Anti
Virus Clinic, and even that doesn't always work.  It _may_ be a
NVIR variant that is self-modifying, but it does not create the
nVIR resource.  It does go through Vaccine, but Gatekeeper stops
it cold.

The reported STR 801 resource was an error by me.  Please ignore this.

There appeared to be a second virus also running around for a while.
The symptoms were:
Macwrite had its name changed to Macwite or Macwight.
The ICN resource for the application was changed to show Macwite instead
of the parallel lines.
That's all we could find.  We have found no other examples since the first
three or four disks.  I am of the opinion that someone modified one copy
using something like Resedit, then shared it.

That is all the information I can recall at this time.  As I said, I
believe I have found an infected disk, and will be sending copies of
an infected application at the earliest opportunity, hopefully
tomorrow.  Thank you for your patience.

Joseph Poutre (The Mad Mathematician)
jap2_ss@uhura.cc.rochester.edu
Understand the power of a single action.  (R.E.M.)