[comp.virus] New Mac Virus Not In 'Moria' But in SuperClock3.5!

d9bertil@dtek.chalmers.se (Bertil Jonell) (10/06/89)

Today when I had time to check the various downloads that had been occurring
during the last few days I found that the resource STR ID 801 appeared
in the document Clock Doc (a word document). I double checked this by
extracting it from the .sit archive again and examining it directly
(On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seem to be
clean from this and other known viruses I can only assume that the virus
was there when Clock Doc was packaged!
What I'm wondering now is: Is it confirmed that the STR ID 801 really *is*
a sign of a virus? Is there any chance that it is a legitimate resource?
(I've tested making new MacWrite documents with a locked copy, They have
 resources this 'International Resource' and a STR resource ID 701,
None of them have had a STR ID 801) Clock Doc comes with the
SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac
newsgroup.  I'm sorry for causing consternation by proclaiming Moria as
a possible source, (Frankly, That .sit archive had been deleted so I
couldn't check it, But since the known infected machines both had
Superclock 3.5 installed within the last few days, Moria has dropped
off the list of prime suspects)
-bertil-

Bertil K K Jonell @ Chalmers University of Technology, Gothenburg
NET: d9bertil@dtek.chalmers.se
VOICE: +46 31 723971 / +46 300 61004     "Don`t worry,I`ve got Pilot-7"
SNAILMAIL: Box 154,S-43900 Onsala,SWEDEN      (Famous last words)
"GOOD DEEL ON SLIGHTLY USED CRANE" - Orson Scott Card 'The Abyss'

chrisj@cs.utexas.edu (Chris Johnson) (10/10/89)

In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se (Bertil Jonell) writes:
>Today when I had time to check the various downloads that had been occurring
>during the last few days I found that the resource STR ID 801 appeared
>in the document Clock Doc (a word document). I double checked this by

Actually, the file *type* is 'WORD', but it's not a Microsoft Word
document.  The 'WORD' document type is specific to MacWrite files.
Actual MS Word documents have a type of 'WDBN' and a creator of
'MSWD'.  The creator for MacWrite files is 'MACA' (short for
MacAuthor).

>extracting it from the .sit archive again and examining it directly
>(On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seem to be
>clean from this and other known viruses I can only assume that the virus
>was there when Clock Doc was packaged!

Incorrect assumption.  First it must be established that there *is* a virus.

>What I'm wondering now is: Is it confirmed that the STR ID 801 really *is*
>a sign of a virus? Is there any chance that it is a legitimate resource?

STR 801 *is* a legitimate resource in (at least) MacWrite versions 4.5
& 4.6.  It's also likely to be valid in files created by versions as
early as 3.0, and as late as 5.x.

To quote from an old copy of Tech. Note #12 (February 20, 1986) "Disk Based
MacWrite Format":

"FONT MAPPING - In the document's resources is a resource of type STR with
	the ID #801.  It contains a mapping of fonts to font resource IDs
	and information on real fonts.  This resource begins with a word...."

>(I've tested making new MacWrite documents with a locked copy, They have
> resources this 'International Resource' and a STR resource ID 701,

I think you mean STR 700 -- I don't know of any MacWrite format that
uses a STR with an ID of 701.  If you're curious, STR 700 contains the
fifteen most commonly used letters in whatever language MacWrite
happens to be set-up for.  It's used as an encryption/decryption key
for MacWrite's nibble-wise text compression scheme.

>None of them have had a STR ID 801) Clock Doc comes with the
>SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac
>newsgroup.  I'm sorry for causing consternation by proclaiming Moria as
>a possible source, (Frankly, That .sit archive had been deleted so I
>couldn't check it, But since the known infected machines both had
>Superclock 3.5 installed within the last few days, Moria has dropped
>off the list of prime suspects)
>-bertil-
>
>Bertil K K Jonell @ Chalmers University of Technology, Gothenburg

In conclusion, STR 801 is nothing to worry about, (1) because it's
supposed to be there, and (2) because, *in and of itself*, it couldn't
transmit a virus since no known program, and certainly no portion of
the Mac Toolbox or OS, is going to try to load a STR resource into
memory and execute it.

All in all, from the evidence listed above, there's no reason to
believe there's *any* form of virus present.

Cheers,
----Chris (Johnson)
----Author of GateKeeper

isle@eleazar.dartmouth.edu (Ken Hancock) (10/11/89)

In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se (Bertil Jonell) writes:
[Garbage about finding a STR 801 resource in SuperClock 3.5 documentation]

Since when does a STRING RESOURCE become a virus?

Get real, folks.

Ken

Ken Hancock  '90                     | E-mail: (BITNET/UUCP/INTERNET)
Computer Resource Center Consultant  |    isle@eleazar.dartmouth.edu
-------------------------------------+--------------------------------------
DISCLAIMER?  I don't get paid enough to worry about disclaimers.