jap2_ss@uhura.cc.rochester.edu (Joseph Poutre) (09/30/89)
This is a followup to my earlier report. I will try to give more details from my and others' investigations.

The virus definitely attacks Macwrite. It adds a str ID 801 and modifies the icon to say Macwite instead of the standard application icon. The application increases in size by 104 bytes, 56 in the string. They are added in sector 014F, according to Fedit Plus 1.0.

It also attacks the system, in an unknown fashion. I was able to induce it to do something by repeated Get Infos. This may be a counter towards a more fatal outcome. Some of the disks have crashed after giving the "This is not a Macintosh disk. Shall I initialize it?" warning. This happens almost immediately after attempts to print. The chooser is unable to find printer resources, and claims there are none.

When the File locked, Lock, Bozo and File Protect bits are set, the virus apparently cannot infect. It doesn't appear able to attack a disk write protected by the corner tab, either.

Tomorrow I will be performing further experiments, and will upload exact locations for the added code, and probably the string listing, too.

No anti-virus program has been able to find it, including Interferon, Virus Rx, Anti-pan, and Disinfectant 1.2. If this is recognized by anyone, please email me ASAP at the address below with devirusing help. If not, I will try to do everything I can.

Thank you for your time and effort.

The Mad Mathematician
jap2@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)
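Added example, not part of the original post or of any tool named in this thread: a minimal Python parser for the classic Macintosh resource-fork layout that compares a known-clean copy of an application with a suspect one and checks for the reported resource ID 801. It assumes the poster's "str" means resource type 'STR '; the function names and both sample forks are constructed for illustration.

```python
import struct

def build_fork(resources):
    """Constructed test input: pack [(type, id, payload)] into a minimal resource fork."""
    types, data = {}, b""
    for rtype, rid, payload in resources:
        types.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload
    tlist = struct.pack(">H", (len(types) - 1) & 0xFFFF)
    refs, ref_base = b"", 2 + 8 * len(types)
    for rtype, items in types.items():
        tlist += struct.pack(">4sHH", rtype, len(items) - 1, ref_base + len(refs))
        for rid, off in items:
            refs += struct.pack(">hHII", rid, 0xFFFF, off, 0)  # no name, attrs 0
    map_len = 28 + len(tlist) + len(refs)
    header = struct.pack(">IIII", 16, 16 + len(data), len(data), map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + tlist + refs
    return header + data + rmap

def list_resources(fork):
    """Return [(type, id, length)] for each resource in a classic Mac resource fork."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("header points outside the fork")
    (tl_off,) = struct.unpack_from(">H", fork, map_off + 24)  # offset to type list
    tl = map_off + tl_off
    (ntypes,) = struct.unpack_from(">H", fork, tl)  # stored as count - 1
    found = []
    for i in range((ntypes + 1) & 0xFFFF):
        rtype, nres, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
        for j in range(nres + 1):
            rid, _name, attr_off = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * j)
            start = data_off + (attr_off & 0xFFFFFF)  # low 3 bytes: data offset
            (length,) = struct.unpack_from(">I", fork, start)
            found.append((rtype.decode("mac_roman"), rid, length))
    return found

def compare_forks(clean, suspect, rtype="STR ", rid=801):
    """Diff a known-clean copy against a suspect one and test for the reported ID."""
    after = list_resources(suspect)
    return {
        "new": sorted(set(after) - set(list_resources(clean))),
        "has_indicator": any(t == rtype and i == rid for t, i, _ in after),
    }

# Constructed sample forks (not real MacWrite data).
CLEAN = build_fork([(b"STR ", 128, b"\x05hello"), (b"ICN#", 128, bytes(256))])
SUSPECT = build_fork([(b"STR ", 128, b"\x05hello"), (b"ICN#", 128, bytes(256)),
                      (b"STR ", 801, bytes([55]) + b"x" * 55)])
```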
milbouma@uunet.UU.NET (milbouma) (10/03/89)
>No anti-virus program has been able to find it, including Interferon,
>Virus Rx, Anti-pan, and Disinfectant 1.2. If this is recognized by anyone,
>please email me ASAP at the address below with devirusing help.

I tried to e-mail but the message bounced.

I do not recognize the virus by your description, but if it is new then no one will, including the antiviral apps that you mention.

I can recommend Symantec's new antiviral package, SAM, which will flag any abnormal writes from an application (like Vaccine if you're familiar with it, but better than Vaccine). SAM will at least protect your machines from getting infected and also has a Virus scanner program that scans for known viruses and can also repair irreplaceable apps that are infected. Part of the protection init also will ask you if you want to scan a floppy for known viruses whenever you insert one.

I also recommend that you contact Symantec and give them a copy of your virus so they can update their Virus scanner program. Symantec can be contacted at (408) 253-9600, (800) 441-7234.

Please keep the net posted on further developments with this virus. I would especially be interested to know if the SAM INIT flags infection attempts by the virus.

Thanks

(I do not work for Symantec)
chrisj@cs.utexas.edu (Chris Johnson) (10/05/89)
In article <0004.8910041115.AA07054@ge.sei.cmu.edu> eplrx7!milbouma@uunet.UU.NET (milbouma) writes:
>I can recommend Symantec's new antiviral package, SAM, which will flag
>any abnormal writes from an application (like Vaccine if you're
>familiar with it, but better than Vaccine). SAM will at least protect
>your machines from getting infected and also has a Virus scanner
>program that scans for known viruses and can also repair irreplaceable
>apps that are infected. Part of the protection init also will ask you
>if you want to scan a floppy for known viruses whenever you insert
>one.

Of course, as an alternative to SAM, you can save yourself a lot of money and go with GateKeeper 1.1.1, which has not only been stopping viruses around the world 6 months longer than SAM (and all the other johnny-come-lately commercial systems), but is completely free.

Furthermore, I gather that GateKeeper is significantly more configurable than SAM insofar as it maintains a privilege list which can be easily viewed and edited (I've never used SAM, so I don't speak from first-hand experience on this point, but people assure me that it's a *very* important difference in practice).

If you need telephone support, though, SAM is clearly better for you... the closest thing to interactive support available with GateKeeper is email.

GateKeeper doesn't provide a virus-scanner, but with Disinfectant available (also for free) it's not much of a problem.

One other thing that makes GateKeeper unique in the world of Macintosh anti-virus systems is that it keeps a log file that details exactly what virus-related operations have been attempted, when, by whom and against whom.

GateKeeper 1.1.1 (as well as Disinfectant) is available from most archive sites, including a local system, ix1.cc.utexas.edu in the microlib/mac/virus directory.

Well, happy virus hunting no matter what system you choose,

----Chris (Johnson)
----Author of GateKeeper