Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!accuvax.nwu.edu!jln
From: jln@accuvax.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: VIRUS OUTBREAK in MAC BINARIES!
Message-ID: <1121@accuvax.nwu.edu>
Date: 1 Sep 89 16:51:46 GMT
References: <20982.24F8D5E1@cmhgate.FIDONET.ORG> <697@anagld.UUCP> <123914@sun.Eng.Sun.COM> <945@mrsvr.UUCP> <107@jhereg.Minnetech.MN.ORG>
Sender: news@accuvax.nwu.edu
Reply-To: jln@accuvax.nwu.edu (John Norstad)
Organization: Northwestern Univ. Evanston, Il.
Lines: 49

It is indeed a very good idea for programs to check themselves for virus infections and notify the user if one is found. It's good to see that more programs are now including this feature.

There are some very simple things that you can do. For example, simply counting the number of CODE resources in your application periodically and comparing the count to the known expected value will catch all the currently known Mac viruses except for ANTI and MacMag. Checking the sizes of the CODE resources would also catch ANTI. (MacMag doesn't infect applications, so there's not much you can do about that one).

In Disinfectant I compute two different kinds of checksums of my entire resource fork, and I have other kinds of protections against infections and tampering. This is probably going too far, and is not necessary for most programs.

We should all implement our own schemes and not try to standardize on a single technique. This will make it harder for viruses to attempt to defeat the check.

I'm convinced that if more programs had done this kind of simple checking two years ago when Mac viruses began to appear, they would never have spread so far and wide.

My correspondence shows that viruses are still spreading very rapidly and widely, especially nVIR A and B, despite all the publicity and the availability of lots of good protection INITs and detection/repair utilities (freeware, shareware and commercial).
I wish there was some way to convince Mac users that they really must protect themselves against viruses. Unfortunately, it seems that people just refuse to take the problem seriously until they get infected.

Everybody should be using a protection INIT of some kind. They are really easy to install, and they're quite effective. I recommend Vaccine (free), Gatekeeper (free), or SAM Intercept (commercial).

Everybody should also obtain and use at least one good detection program. I recommend Virus Rx (free), Virus Detective (shareware - $35, I think), and Disinfectant (free).

I also keep hearing stories of software companies, Mac magazines, hardware companies, bulletin board operators, etc., distributing infected software. This is really inexcusable. Please folks, scan programs with one of the tools mentioned above before shipping them or putting them up on bulletin boards or archives. It only takes a few seconds of your time.

I apologize for beating a dead horse, but I think this advice bears repeating at least occasionally.

John Norstad
Northwestern University
jln@acns.nwu.edu
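
The CODE count and size check described in the post, worked offline over the raw bytes of a resource fork. This is an added example, not code from the post or from Disinfectant. It assumes the classic resource fork layout (16-byte header, length-prefixed data area, resource map with type and reference lists); the function names, the sample application and its expected values are constructed for illustration.

```python
import struct

def code_resource_sizes(fork):
    """Map each CODE resource ID to its data length, read from a resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
    n_types = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF
    sizes = {}
    for t in range(n_types):
        rtype, last, refs = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
        if rtype != b"CODE":
            continue
        for r in range(last + 1):
            res_id, _, loc = struct.unpack_from(">hhI", fork, type_list + refs + 12 * r)
            start = data_off + (loc & 0xFFFFFF)  # low 3 bytes: offset into data area
            sizes[res_id] = struct.unpack_from(">I", fork, start)[0]
    return sizes

def self_check(fork, expected):
    """Compare CODE count and sizes with the values recorded at build time."""
    found, problems = code_resource_sizes(fork), []
    if len(found) != len(expected):
        problems.append(f"CODE count is {len(found)}, expected {len(expected)}")
    for res_id in sorted(found.keys() & expected.keys()):
        if found[res_id] != expected[res_id]:
            problems.append(f"CODE {res_id} is {found[res_id]} bytes, expected {expected[res_id]}")
    return problems

def build_fork(resources):
    """Constructed sample data: pack {(type, id): bytes} into a minimal resource fork."""
    data, by_type = b"", {}
    for (rtype, res_id), body in sorted(resources.items()):
        by_type.setdefault(rtype, []).append((res_id, len(data)))
        data += struct.pack(">I", len(body)) + body
    types, ref_list, base = b"", b"", 2 + 8 * len(by_type)
    for rtype, entries in by_type.items():
        types += struct.pack(">4sHH", rtype, len(entries) - 1, base + len(ref_list))
        for res_id, off in entries:
            ref_list += struct.pack(">hhII", res_id, -1, off, 0)
    type_list = struct.pack(">H", len(by_type) - 1) + types + ref_list
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list
    return struct.pack(">4I", 16, 16 + len(data), len(data), len(rmap)) + data + rmap

# Constructed sample application: two CODE resources and one MENU resource.
CLEAN = {(b"CODE", 0): bytes(40), (b"CODE", 1): bytes(900), (b"MENU", 128): bytes(60)}
EXPECTED = {0: 40, 1: 900}  # recorded by the developer when the program is built
EXTRA = build_fork({**CLEAN, (b"CODE", 2): bytes(300)})   # one more CODE resource
GROWN = build_fork({**CLEAN, (b"CODE", 1): bytes(1600)})  # same count, larger CODE 1
```

`self_check` returns an empty list for the unmodified fork; `EXTRA` trips the count comparison, while `GROWN` keeps the count at two and is caught only by the size comparison.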