[comp.virus] The Little Vaccine that Didn't

dplatt@coherent.com (Dave Platt) (06/24/89)

I recently had an interesting experience in which a network of Macs
was heavily infected by a virus, even though the Macs' owners had
installed Vaccine.  The cause, it turned out, was the use of an
old (and arguably obsolete) version of TOPS!  Y'all might want to be
alert for similar situations in your own areas.

I first found out about the infection when we had our corporate artwork
scanned at a local desktop-publishing service bureau, and converted to
EPS format.  Out of curiosity, I took a look at the Mac EPS file's
resource fork, to see if it included a PICT resource.  It did... and it
also had an INIT 29 resource.  Uh oh.  I called the service bureau and
talked to the woman who had done the scanning; she was surprised at
the infection, and said "We've got virus protection for all of our
machines".
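The resource-fork check described above (opening a document's resource fork and noticing a code-carrying INIT resource where only picture data belongs) can be automated. The following is an added example in Python, not code from the post: it parses the classic Mac OS resource fork layout (header, resource map, type list, reference lists, name list), then flags code resources found in a file type that should only hold data. The EPS sample fork, the file-type set `CODE_BEARING_FILE_TYPES`, the resource-type set `CODE_RESOURCE_TYPES` and the `build_resource_fork` helper are all constructed for the example; the INIT payload is filler bytes, not real code.

```python
"""Parse a classic Mac OS resource fork and flag code resources that do not
belong in a data-only file type.  Added example; the sample data is constructed."""
import struct
from typing import List, NamedTuple, Optional, Tuple

# Partial list of resource types that hold executable 68k code (assumption).
CODE_RESOURCE_TYPES = {"CODE", "INIT", "cdev", "DRVR"}
# File types where code resources are expected: application, startup document,
# control panel, Chooser extension (assumption).  Anywhere else they are an anomaly.
CODE_BEARING_FILE_TYPES = {"APPL", "INIT", "cdev", "RDEV"}


class Resource(NamedTuple):
    rtype: str
    rid: int
    name: Optional[str]
    data: bytes


def parse_resource_fork(fork: bytes) -> List[Resource]:
    """Walk header -> resource map -> type list -> reference lists -> name list."""
    data_off, map_off, _data_len, map_len = struct.unpack(">IIII", fork[:16])
    rmap = fork[map_off:map_off + map_len]
    # Map header: 16 reserved + 4 reserved + 2 reserved + 2 attrs, then two offsets.
    type_list_off, name_list_off = struct.unpack(">HH", rmap[24:28])
    ntypes = struct.unpack(">H", rmap[type_list_off:type_list_off + 2])[0] + 1
    found: List[Resource] = []
    for i in range(ntypes):
        entry = type_list_off + 2 + 8 * i
        rtype, count_minus_one, ref_off = struct.unpack(">4sHH", rmap[entry:entry + 8])
        for j in range(count_minus_one + 1):
            # 12-byte reference entry; the trailing 4 bytes are a reserved handle.
            ref = type_list_off + ref_off + 12 * j
            rid, name_off, attr_and_off = struct.unpack(">hHI", rmap[ref:ref + 8])
            res_off = attr_and_off & 0xFFFFFF          # high byte holds attributes
            name = None
            if name_off != 0xFFFF:                      # 0xFFFF (-1) means unnamed
                p = name_list_off + name_off
                name = rmap[p + 1:p + 1 + rmap[p]].decode("mac_roman")
            start = data_off + res_off                  # resource data: u32 length + bytes
            (length,) = struct.unpack(">I", fork[start:start + 4])
            found.append(Resource(rtype.decode("mac_roman"), rid, name,
                                  fork[start + 4:start + 4 + length]))
    return found


def suspicious_code_resources(resources: List[Resource], file_type: str) -> List[Resource]:
    """Code resources sitting in a file type that should only hold data."""
    if file_type in CODE_BEARING_FILE_TYPES:
        return []   # code is expected here; a signature scan would be needed instead
    return [r for r in resources if r.rtype in CODE_RESOURCE_TYPES]


def build_resource_fork(entries: List[Tuple[str, int, Optional[str], bytes]]) -> bytes:
    """Serialise (type, id, name, payload) tuples into a minimal resource fork
    so the parser can be exercised offline (helper written for this example)."""
    data, names = bytearray(), bytearray()
    data_offs, name_offs = [], []
    for _, _, name, payload in entries:
        data_offs.append(len(data))
        data += struct.pack(">I", len(payload)) + payload
        if name is None:
            name_offs.append(0xFFFF)
        else:
            enc = name.encode("mac_roman")
            name_offs.append(len(names))
            names += bytes([len(enc)]) + enc
    by_type: dict = {}
    for idx, (rtype, _, _, _) in enumerate(entries):
        by_type.setdefault(rtype, []).append(idx)
    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    refs = bytearray()
    type_list_size = 2 + 8 * len(by_type)
    for rtype, idxs in by_type.items():
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"),
                                 len(idxs) - 1, type_list_size + len(refs))
        for idx in idxs:
            refs += struct.pack(">hHI", entries[idx][1], name_offs[idx], data_offs[idx])
            refs += b"\0\0\0\0"
    rmap = bytearray(28)
    struct.pack_into(">HH", rmap, 24, 28, 28 + len(type_list) + len(refs))
    rmap += type_list + refs + names
    data_off = 256
    header = struct.pack(">IIII", data_off, data_off + len(data), len(data), len(rmap))
    rmap[:16] = header                       # the map begins with a copy of the header
    return header + bytes(data_off - 16) + data + rmap


# Constructed sample: an EPS file (type 'EPSF') carrying a PICT preview and,
# like the scanned artwork in the post, an INIT 29 resource.  Filler payloads.
SAMPLE_EPS_FORK = build_resource_fork([
    ("PICT", 256, "preview", b"\x00" * 16),
    ("INIT", 29, None, b"\x4e\x71" * 8),
])


def audit(fork: bytes, file_type: str) -> List[Tuple[str, int]]:
    """(type, id) of every code resource that does not belong in this file type."""
    return [(r.rtype, r.rid) for r in
            suspicious_code_resources(parse_resource_fork(fork), file_type)]


if __name__ == "__main__":
    for rtype, rid in audit(SAMPLE_EPS_FORK, "EPSF"):
        print(f"code resource {rtype} {rid} found in a data-only file type")
```

Run against the sample, `audit` reports the INIT 29 resource for the EPS file type and nothing for an application, where code resources are normal. The type-based rule is deliberately narrow: it catches code where no code should be, which is cheap and has no false positives on documents, but an infected application still needs signature matching of the kind Disinfectant performs.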

I stopped by the service bureau earlier this week to have our artwork
rescanned (not because I was afraid to use the infected copy, but
because I wanted it in portrait layout rather than in landscape form).
I also took along a diskette of antivirals and offered to clean up
their network; they were most willing to have me do so.

Their main network (which uses MacServe for file-sharing) was in good
shape.  One application on the server's hard disk was infected by nVIR
A, but the systems were otherwise quite clean.  All machines booted
with Vaccine, which was properly configured and appears to have been
effective in preventing virus-spread.

Their secondary network was another case entirely... it was _lousy_
with copies of INIT 29.  Their Mass Micro file-server disk, and the
disk on the machine used for scanning, were riddled with this pest...
there must have been almost 100 infected files.

I cleaned up the infection with Disinfectant, and checked Vaccine.  It
was configured with the "Always compile MPW INITs" option turned on; I
turned it off, having heard that some viruses could possibly sneak past
Vaccine when this option was selected.  I then rebooted both machines
from their hard disks.

To my surprise, the Vaccine icon did not appear during startup, even
though the "Show icon" option was selected.  Some fiddling with ResEdit
showed that Vaccine protection was not functioning... I could create
CODE resources without triggering an alert.

I suspected that the copies of Vaccine installed on these two machines
might have been damaged somehow, so I replaced them with a copy from
one of the MacServe client-machine startup disks, which I had
determined was functional.  No good... Vaccine would not install itself
at boot time.  I tried installing GateKeeper... same result... it would
not install at boot time.

At this point, a little light began to dawn.  I took a look at the
System (6.0) and the other files in the System folder.  Lo and behold,
the version of TOPS in use on these machines was dated 1987.  Bingo.

This version of TOPS was released before Apple developed the "INIT 31"
mechanism that runs INIT resources stored outside of the System file.
The TOPS Installer program that comes with this version installs its
own version of INIT 31, which (I believe) runs the INIT resources in
INIT and RDEV (Chooser) files in the System folder.

However... the INIT 31 installed by TOPS does *NOT* run INIT resources
contained in Control Panel (cdev) files!  As a result, neither Vaccine
nor GateKeeper was being installed at boot time.  Vaccine showed up in
the Control Panel, but it wasn't functioning.  [GateKeeper is smart
enough to keep itself out of the Control Panel display if its INIT has
not run... a nice touch, Chris!]

The fix for the problem was simple: I replaced the System files on
these machines with cleaner versions (with Apple's own INIT 31 intact),
and copied all of the fonts and desk-accessories from the old files to
the new ones.  Vaccine now installs itself at boot time, and TOPS works
too.  I've recommended that the service bureau purchase a more
up-to-date version of TOPS, so that they don't run into this same
problem if they ever reinstall the out-of-date version that they're
using now.

The moral of the story:  whether you're using Vaccine, GateKeeper, SAM,
or some other anti-viral shield INIT, you should double-check to make
sure that it's actually being installed at start-up time and is
providing the desired protection for your system.  Simply dragging the
file into your System folder and rebooting is _not_ sufficient to
guarantee that your system is protected!

Dave Platt    FIDONET:  Dave Platt on 1:204/444        VOICE: (415) 493-8805
  UUCP: ...!{ames,sun,uunet}!coherent!dplatt     DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa,  ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303