rbc@lanl.gov (Robert B. Calhoun) (08/22/90)
I suspect that my Mac II is infected with a new virus. I have tried cleaning it with Virex 2.7, which removed a WDEF virus from the desktop but this fails to stop the problem. Symptoms are as follows: Files disappear from the finder display, but don't actually seem to be gone. I can't access them, but an attempt to copy a file with the same name as a deleted file gives a "duplicate file name" error. No disk space has been freed up. The attack is concentrated on the system folder and the utilities folder, with little damage elsewhere. Documents don't seem to be affected much but applications, cdevs, and inits are. Files seem to disappear in reverse alphabetical order. The computer hasn't had any hardware problems that I know of, so I suspect a virus. Virex 2.7 doesn't see it; I think it may be possible that I have a virus designed to avoid detection by Virex. A Virex scan turns up nothing after the first removal of WDEF virus, and "record/scan" option picked up nothing unusual...except that the last run said The following files were removed from the "Record/Scan" file. Finder !DeskPict Appleshare Laserwriter etc. Although the system file and finder are gone, the computer boots ok. It is as if files are deleted on a high level but still exist at a very low level so that the mac can still start itself. (I can still print, without a Laserwriter file). At this point I'm pretty tempted to re-initialize the disk. Has anyone experienced something like this before? If it is a virus, it is a pretty damn nasty one. Possible sources: many people use this computer so their are many possible sources of contamination. I'm not trying to incriminate any applications, but I downloaded the following things from the info-mac archives at sumex-aim, stanford. giffer 1.06 dT calculator (DA) several gif files (apollo,astronaut,monument valley) programmer's key init dinosaurs hypercard stack nuke snake (a game) binhex 4.0 lunar lander (a game) some gif package which included giffer 1.0 and documentation. I think that is it, but I can't really look back and see anymore! :-( Any advice would be appreciated. Thanks, Robert Calhoun
daf@cs.brown.edu (David A. Fedor) (08/22/90)
In article <60814@lanl.gov> rbc@lanl.gov (Robert B. Calhoun) writes:
I suspect that my Mac II is infected with a new virus. I have tried
cleaning it with Virex 2.7, which removed a WDEF virus from the
desktop but this fails to stop the problem. Symptoms are as follows:
Files disappear from the finder display, but don't actually seem to be
gone. I can't access them, but an attempt to copy a file with the
same name as a deleted file gives a "duplicate file name" error. No
disk space has been freed up... Files seem to disappear in reverse
alphabetical order.
...It is as if files are deleted on a high level but still exist at a
very low level so that the mac can still start itself. (I can still
print, without a Laserwriter file).
People! This is NOT a virus. These are the classic symptoms of a
damaged catalog tree file. Unfortunately, I do not know of any
programs which will fix this automatically. I'm planning to write
such a beast, but not for a little while... things are too busy right now.
I'm going to directly help Robert, through email or by phone, since I
do know how to manually fix this problem. If anybody else has this
problem, feel free to mail me and I'll see what I can do.
If this does happen to you... DON'T initialize the disk. Your files are
there, completely intact, so unless you've got a very recent backup of
your entire volume, it would probably be a waste of time. As Robert noticed,
the mac can still function totally normally even when it can't find
the files to display them in a finder window. The same thing will
happen if you lose an application this way - clicking on a datafile
will bring up your app just like normal.
Anyway... I hope very few people get this problem... if you do, let me know.
Of course, if someone would like to write the program, I'll be glad to supply
the technical information... :-)
-Dave Fedor
daf@cs.brown.edu or, on bitnet, daf@browncsjalden@eleazar.dartmouth.edu (Joshua M. Alden) (08/23/90)
In article <60814@lanl.gov> rbc@lanl.gov (Robert B. Calhoun) writes: >I suspect that my Mac II is infected with a new virus. I have tried >cleaning it with Virex 2.7, which removed a WDEF virus from the >desktop but this fails to stop the problem. Symptoms are as follows: >Files disappear from the finder display, but don't actually seem to be >gone. I can't access them, but an attempt to copy a file with the >same name as a deleted file gives a "duplicate file name" error. No >disk space has been freed up. The attack is concentrated on the >system folder and the utilities folder, with little damage elsewhere. >Documents don't seem to be affected much but applications, cdevs, and >inits are. Files seem to disappear in reverse alphabetical order. Here in the Consultants' Office we've seen this problem 4 or 5 times. It's a weird problem, all right. Re-building the Desktop doesn't help, and you can't find the files with some disk utilities, but it definitely thinks they're there if you try to replace them with something which has the same name. You can't fix it by re-installing the System. So far, the only solution I've found (I do software repair to hard drives) is to recover the files using a reliable recovery utility like SUM, re-initialize or re-format (I re-format), and copy the data back. Note that if you have more than one System, after this operation you may have trouble, even if the dominant System was installed properly before. I generally give 'em a new System via the Installer before I copy their data back. I don't think this is a virus. I've seen it once a month or so for about 4 months, and I think I'd see it more than that if it were a virus. Also, since it's been around at least that long, heads wiser than mine would have noticed it and analyzed it by now. Note also that were it a virus, copying data out and back wouldn't get rid of it, and that does seem to solve the problem. Let me amend that; I don't think my occurrences were a virus. It's possible that a virus is coincidentally duplicating what I saw. But I would look for other solutions before you decide that it's a virus. -Josh. -- /--------------------------------------------------+-------------------------\ |Josh Alden, Consultant, Kiewit Computation Center | HB 48, Dartmouth College| | Private mail: Joshua.Alden@dartmouth.edu | Hanover, NH 03755 | | Virus mail: Virus.Info@dartmouth.edu | (802) 295-9073 |
dwal@ellis.uchicago.edu (David Walton) (08/23/90)
In article <60814@lanl.gov> rbc@lanl.gov (Robert B. Calhoun) writes: >I suspect that my Mac II is infected with a new virus. I have tried [Various descriptions of files missing and such] >Although the system file and finder are gone, the computer boots ok. >It is as if files are deleted on a high level but still exist at a >very low level so that the mac can still start itself. (I can still >print, without a Laserwriter file). As a rule of thumb, don't point the finger at viruses (especially un- discovered ones) until you've exhausted other possibilities; most problems are caused by other things. In your case, I'd say check to see if your missing files are invisible. If you can't find System/Finder on your disk and you're still able to boot from it, there's probably an invisible copy of them lying around, or a visible copy buried deep in your directory tree somewhere. To find invisible files, you can use a utility like SUM II, ResEdit, or FEdit+, all of which will allow you to reset the file's information to make it visible again (mail me if you don't know how). If you don't have these utilities, you can at least see if they are out there by using Microsoft Word 4.0's "Open any file" command (shift-Open), which will display files of all types in the open dialog box. If you don't have Word, then I'm sure there are other utilities for doing this (suggestions, anyone?). And, of course, you can find a lost System/Finder (one buried in a subfolder somewhere) by using Find File. You may also want to try just rebuilding your desktop file and see if that recovers the missing files. Do this by restarting your machine and holding down the command and option keys until you get an alert asking you if you "really want to rebuild the desktop on <insert disk name here>." You'll get this for each volume that's mounted at startup; you'll only want to click OK for your boot disk. Finally, I suggest that you get a copy of Disinfectant 2.1 and scan your disks for viruses. I don't know how effective Virex is, but I do know that Disinfectant is one of the best (in my mind, _the_ best) detection/removal program for known viruses. John Norstand just released version 2.1 a few days ago, so it's possible that you have one of the new viruses that the update was designed to catch. I can't think of anything else to try off the cuff; your symptoms are admittedly rather wierd. I'm sure that others in this group will have other suggestions. And of course, it is possible that your problems are in fact caused by a virus, so you should clearly take whatever measures you can to guard against further infections, and to root out any you may already have. -- David Walton Internet: dwal@midway.uchicago.edu University of Chicago { Any opinions found herein are mine, not } Computing Organizations { those of my employers (or anybody else). }
userDJMA@mts.ucs.UAlberta.CA (Douglas James Martin) (08/23/90)
In article <60814@lanl.gov>, rbc@lanl.gov (Robert B. Calhoun) writes: >Files disappear from the finder display, but don't actually seem to be >gone. I can't access them, but an attempt to copy a file with the >same name as a deleted file gives a "duplicate file name" error. No >disk space has been freed up. The attack is concentrated on the Sure sounds to me like some misbegotten soul has been "kind" enough to play with the "invisible" bits on your files. Lots of programs can be used to set/unset those bits (I think resedit will, I know Disktop and other d/a's of similar functionality can). Douglas Martin Printing Services University of Alberta 1-403-492-4246 (work) 1-403-439-1939 (home)
cy@dbase.A-T.COM (Cy Shuster) (08/23/90)
I would certainly try the new Norton Utilities for Macintosh. As a beta tester, I found it to fix all kinds of catalog problems. --Cy-- cy@dbase.a-t.com
Adam.Frix@p2.f200.n226.z1.FIDONET.ORG (Adam Frix) (08/25/90)
David A. Fedor writes in a message ... DAF> These are the classic symptoms of a damaged catalog tree file. DAF> Unfortunately, I do not know of any programs which will fix DAF> this automatically... Norton Utilities tries like hell to fix this problem, although so far it comes up a hair short. --Adam-- -- Adam Frix via cmhGate - Net 226 fido<=>uucp gateway Col, OH UUCP: ...!osu-cis!n8emr!cmhgate!200.2!Adam.Frix INET: Adam.Frix@p2.f200.n226.z1.FIDONET.ORG