[comp.sys.mac.announce] SAM and new viruses

Paul Cozza@BBN.COM (08/20/90)

Two new Macintosh viruses have been uncovered in the last week or so. Here is
information about them for SAM users.
 
1) A second strain of the Garfield (or MDEF) virus has appeared. It does not do
anything intentionally malicious. It does add MDEF resources to system files
and applications. In advanced or custom mode, SAM 2 will alert you to this
virus's attempt to change and add MDEF resources. Denying these attempts
prevents the resource from spreading. You can enter one of the following two
virus definitions with Virus Clinic to detect this virus by name.
 
To specifically detect this strain of Garfield, enter this definition (I am
repeating the definition previously posted by Karim Esmail of Symantec here):
 
   Virus Name:   Garfield
 
Resource Type:   MDEF
  Resource ID:   0
Resource Size:   532
Search String:   2F3C4D4445464267487A      (hexadecimal)
Search Offset:   304
 
 
Alternately, you can enter a definition to detect both strains of Garfield (and
delete any earlier Garfield definition you may have entered). If you choose
this option, scans may take slightly longer (though the difference will
probably be unnoticeable), but you will have entered a definition capable of
catching some future Garfield strains:
 
   Virus Name:   Garfield
 
Resource Type:   MDEF
  Resource ID:   0
Resource Size:   Any
Search String:   A9A92F0CA9AA2F0CA9B0      (hexadecimal)
Search Offset:   Any
 
 
2) A second virus, named CDEF, has also appeared. It also does not do anything
intentionally malicious. It adds CDEF resources to desktop files only. This
virus will NOT spread if SAM 2.0 is running (even in the Basic level). A
feature of SAM 2.0, called Desktop Guardian, prevents code in desktop files
from executing while the Finder is running. So this CDEF virus will not execute
and can thus not spread while SAM 2.0 is active.
 
If you encounter this virus and you have SAM configured to standard level or
higher, SAM will also alert you to the presence of the CDEF virus when the
desktop file is opened. SAM will give a "Code in desktop file (CDEF)" alert at
that time. By stopping the open of the infected desktop file, you can cause the
Finder to rebuild the desktop and eliminate the virus.
 
To detect this virus by name, enter the following virus definition in Virus
Clinic:
 
   Virus Name:   CDEF
 
Resource Type:   CDEF
  Resource ID:   1
Resource Size:   510
Search String:   45463F3C0001487A0046A9AB      (hexadecimal)
Search Offset:   420
 
 
Paul Cozza
SAM Author
 
Nets: levin@bbn.com  | "How does a mouse let me move the cursor anywhere 
 or {...}!bbn!levin  |  I want?"  "What are address busses?"  "How do 
pots: (617)873-3463  |  icons work?"              --Time-Life Books
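As an added example (not part of the original post, and not SAM's or Symantec's code), the following Python script shows how a definition of the shape given above is applied: it walks a classic Macintosh resource fork, checks resource type, ID and size, and then tests the hexadecimal search string at the fixed search offset, or anywhere in the resource when the offset field is Any. The fork layout follows the standard Resource Manager format (header, data section, map with type and reference lists). The sample forks, their filler bytes and the builder that packs them are constructed for the example; only the types, IDs, sizes, search strings and offsets come from the definitions in the post.

```python
"""Scanner for SAM-style virus definitions over a classic Mac resource fork.

Added example, not SAM's or Symantec's code.  Each definition carries the five
fields from the post: resource type, resource ID, resource size (or Any),
hexadecimal search string, and search offset (or Any).  The sample forks are
constructed in-line so the script runs offline; only the values in
DEFINITIONS come from the post.
"""
import struct

ANY = None  # stands for the "Any" value in a SAM definition field

DEFINITIONS = [  # (name, type, id, size, hex search string, search offset)
    ("Garfield (strain 2)",   b"MDEF", 0, 532, "2F3C4D4445464267487A", 304),
    ("Garfield (any strain)", b"MDEF", 0, ANY, "A9A92F0CA9AA2F0CA9B0", ANY),
    ("CDEF",                  b"CDEF", 1, 510, "45463F3C0001487A0046A9AB", 420),
]


def build_resource_fork(resources):
    """Pack [(type, id, data), ...] into a minimal resource fork (no names)."""
    data, by_type = b"", {}
    for rtype, rid, body in resources:
        by_type.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body  # 4-byte length prefix
    type_list = struct.pack(">H", len(by_type) - 1)  # entry count minus one
    ref_lists, type_list_len = b"", 2 + 8 * len(by_type)
    for rtype, refs in by_type.items():
        # type, count-1, offset of this type's reference list from type list start
        type_list += struct.pack(">4sHH", rtype, len(refs) - 1,
                                 type_list_len + len(ref_lists))
        for rid, off in refs:
            # 12-byte entry: id, name offset (0xFFFF = none), attrs(1)+data off(3), handle
            ref_lists += struct.pack(">hHII", rid, 0xFFFF, off & 0xFFFFFF, 0)
    body = type_list + ref_lists
    # map header: 16-byte header copy (zeroed here), next handle, file ref,
    # attributes, then offsets of type list and name list from map start
    res_map = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(body)) + body
    data_off = 256
    header = struct.pack(">IIII", data_off, data_off + len(data), len(data), len(res_map))
    return header + b"\0" * (data_off - 16) + data + res_map


def iter_resources(fork):
    """Yield (type, id, data) for every resource in a classic resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    ntypes = struct.unpack_from(">H", fork, type_list)[0] + 1
    for i in range(ntypes):
        rtype, nrefs, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(nrefs + 1):
            rid, _name, packed = struct.unpack_from(">hHI", fork, type_list + ref_off + 12 * j)
            start = data_off + (packed & 0xFFFFFF)  # low 24 bits: offset into data section
            length = struct.unpack_from(">I", fork, start)[0]
            yield rtype, rid, fork[start + 4:start + 4 + length]


def matches(definition, rtype, rid, data):
    """Apply one definition to one resource, with the post's Any semantics."""
    _, dtype, did, size, hexstr, offset = definition
    pattern = bytes.fromhex(hexstr)
    if rtype != dtype or rid != did:
        return False
    if size is not ANY and len(data) != size:
        return False
    if offset is ANY:  # Any offset: search the whole resource
        return pattern in data
    return data[offset:offset + len(pattern)] == pattern  # fixed offset


def scan(fork, definitions=DEFINITIONS):
    """Names of definitions that fire on at least one resource, in fork order."""
    hits = []
    for rtype, rid, data in iter_resources(fork):
        for d in definitions:
            if matches(d, rtype, rid, data) and d[0] not in hits:
                hits.append(d[0])
    return hits


def sample_infected_fork():
    """Constructed fork: MDEF 0 (532 bytes) carrying both Garfield strings at
    their offsets, plus CDEF 1 (510 bytes) with its string at offset 420."""
    mdef = bytearray(b"\x4e\x75" * 266)  # RTS filler, not real virus code
    mdef[304:314] = bytes.fromhex(DEFINITIONS[0][4])
    mdef[100:110] = bytes.fromhex(DEFINITIONS[1][4])
    cdef = bytearray(b"\x4e\x75" * 255)
    cdef[420:432] = bytes.fromhex(DEFINITIONS[2][4])
    return build_resource_fork([(b"MDEF", 0, bytes(mdef)), (b"CDEF", 1, bytes(cdef))])


def sample_clean_fork():
    """Constructed fork with MDEF 0 and CDEF 1 of the same sizes but no search
    strings: matching size alone must not trigger a definition."""
    return build_resource_fork([(b"MDEF", 0, b"\x4e\x75" * 266),
                                (b"CDEF", 1, b"\x4e\x75" * 255)])


if __name__ == "__main__":
    print("infected:", scan(sample_infected_fork()))
    print("clean:   ", scan(sample_clean_fork()))
```

The two Garfield definitions illustrate the trade-off the post describes: with a fixed size and offset the check is a single slice comparison per resource, while the Any/Any form has to search every MDEF 0 resource of any size for the string, which is why the broader definition can make a scan slightly slower but also catches a strain whose size or layout differs.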

levin@BBN.COM (Joel B Levin) (08/22/90)

In article <44100@apple.Apple.COM> Paul Cozza@BBN.COM writes:
  [about SAM 2 and some new viruses]

Well, Paul wrote it and I posted it at his request.  In my attempt to
attribute authorship properly, I munged the header of the article,
erroneously making it appear that Paul posted from (and possibly for)
Bolt Beranek and Newman Inc.  This is not correct; Paul has no
connection with BBN (that I know of), and BBN has nothing to do with
the article or its contents.  Please do not try to reply to Paul at
bbn.com. 

I regret any confusion this may have caused.

	/JBL