dplatt@coherent.com (Dave Platt) (06/24/89)
I recently had an interesting experience in which a network of Macs was heavily infected by a virus, even though the Macs' owners had installed Vaccine. The cause, it turned out, was due to the use of an old (and arguably obsolete) version of TOPS! Y'all might want to be alert for similar situations in your own areas.

I first found out about the infection when we had our corporate artwork scanned at a local desktop-publishing service bureau, and converted to EPS format. Out of curiosity, I took a look at the Mac EPS file's resource fork, to see if it included a PICT resource. It did... and it also had an INIT 29 resource. Uh oh.

I called the service bureau and talked to the woman who had done the scanning; she was surprised at the infection, and said "We've got virus protection for all of our machines".

I stopped by the service-bureau earlier this week to have our artwork rescanned (not because I was afraid to use the infected copy, but because I wanted it in portrait layout rather than in landscape form). I also took along a diskette of antivirals and offered to clean up their network; they were most willing to have me do so.

Their main network (which uses MacServe for file-sharing) was in good shape. One application on the server's hard disk was infected by nVIR A, but the systems were otherwise quite clean. All machines booted with Vaccine, which was properly configured and appears to have been effective in preventing virus-spread.

Their secondary network was another case entirely... it was _lousy_ with copies of INIT 29. Their Mass Micro file-server disk, and the disk on the machine used for scanning, were riddled with this pest... there must have been almost 100 infected files.

I cleaned up the infection with Disinfectant, and checked Vaccine. It was configured with the "Always compile MPW INITs" option turned on; I turned it off, having heard that some viruses could possibly sneak past Vaccine when this option was selected.

I then rebooted both machines from their hard disks. To my surprise, the Vaccine icon did not appear during startup, even though the "Show icon" option was selected. Some fiddling with ResEdit showed that Vaccine protection was not functioning... I could create CODE resources without triggering an alert.

I suspected that the copies of Vaccine installed on these two machines might have been damaged somehow, so I replaced them with a copy from one of the MacServe client-machine startup disks, which I had determined was functional. No good... Vaccine would not install itself at boot time. I tried installing GateKeeper... same result... it would not install at boot time.

At this point, a little light began to dawn. I took a look at the System (6.0) and the other files in the System folder. Lo and behold, the version of TOPS in use on these machines was dated 1987. Bingo.

This version of TOPS was released before Apple developed the "INIT 31" mechanism that runs INIT resources stored outside of the System file. The TOPS Installer program that comes with this version installs its own version of INIT 31, which (I believe) runs the INIT resources in INIT and RDEV (Chooser) files in the System folder.

However... the INIT 31 installed by TOPS does *NOT* run INIT resources contained in Control Panel (cdev) files! As a result, neither Vaccine nor GateKeeper was being installed at boot time. Vaccine showed up in the Control Panel, but it wasn't functioning. [GateKeeper is smart enough to keep itself out of the Control Panel display if its INIT has not run... a nice touch, Chris!]

The fix for the problem was simple: I replaced the System files on these machines with cleaner versions (with Apple's own INIT 31 intact), and copied all of the fonts and desk-accessories from the old files to the new ones. Vaccine now installs itself at boot time, and TOPS works too.

I've recommended that the service-bureau purchase a more up-to-date version of TOPS, so that they don't run into this same problem if they ever reinstall the out-of-date version that they're using now.

The moral of the story: whether you're using Vaccine, GateKeeper, SAM, or some other anti-viral shield INIT, you should double-check to make sure that it's actually being installed at start-up time and is providing the desired protection for your system. Simply dragging the file into your System folder and rebooting is _not_ sufficient to guarantee that your system is protected!

Dave Platt
FIDONET: Dave Platt on 1:204/444
VOICE: (415) 493-8805
UUCP: ...!{ames,sun,uunet}!coherent!dplatt
DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303