Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!apple!sun-barr!texsun!newstop!sun!improper!dplatt
From: dplatt@coherent.com (Dave Platt)
Newsgroups: comp.sys.mac
Subject: Re: VIRUS OUTBREAK in MAC BINARIES!
Message-ID: <32733@improper.com>
Date: 7 Sep 89 22:06:22 GMT
References: <20982.24F8D5E1@cmhgate.FIDONET.ORG> <697@anagld.UUCP> <123914@sun.Eng.Sun.COM> <945@mrsvr.UUCP> <107@jhereg.Minnetech.MN.ORG> <1432@intercon.UUCP>
Reply-To: dplatt@coherent.com (Dave Platt)
Organization: Coherent Thought Inc., Palo Alto CA
Lines: 38

In article <1432@intercon.UUCP> amanda@intercon.uu.net (Amanda Walker) writes:
> Odd. I downloaded MandelZot from comp.binaries.mac, and it seems quite
> happy. GateKeeper didn't even hiccup, and Disinfectant doesn't show any
> problem.
>
> My guess is that something else that you downloaded was infected, not
> MandelZot...

This is very probably the case. MandelZot 2.0 was clean (virus-free) when
I mailed it off to the moderator back in early July, and I doubt that it
could have become infected en route... the moderator simply redistributed
the BinHex-encoded StuffIt file that I mailed him.

MandelZot checks itself for infection on startup, after going through the
same sort of initialization process that most applications perform
(calling MoreMasters a bunch of times, and initializing all of the ROM
managers that it will need). The more common Mac viruses infect
applications by patching some code into the manager-initialization traps
(e.g. TEInit, etc.); thus, any application that calls upon these managers,
and hence calls the Init routine, will become infected.

This is probably what happened in the case which started this thread. An
uninfected copy of MandelZot was un-stuffed and run on an infected
machine; it was infected upon startup (thus breaking the seal), and the
post-startup check-for-infection sounded the alarm.

I'm glad to hear that the virus-detector actually works in practice...
I was fairly sure that it would (based on some experiments by hand) but
I hadn't actually wanted to unleash nVIR on my own system to make doubly
sure!

--
Dave Platt                                             FIDONET: Dave Platt on 1:204/444
VOICE: (415) 493-8805
UUCP: ...!{ames,sun,uunet}!coherent!dplatt            DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
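The "seal" the post describes is a self-checksum: the application stores a checksum of its own code, runs its normal initialization first (which on an infected machine is exactly when a patched init trap writes the virus into the application), and only then recomputes the checksum and compares. The following is an added example, not MandelZot's code or anything from the original post; it models that sequence with a constructed in-memory "code resource", a CRC-32 seal kept next to (and excluded from) the covered bytes, and a constructed appending infector standing in for the nVIR-style behaviour described above. All names (app_image, seal_image, startup_alarm, etc.) and the byte contents are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CODE_MAX 256

/* Constructed stand-in for an application's code in memory: the code
 * bytes plus a "seal" stored alongside them. The seal must not be part
 * of the range it covers, or it could never match. */
typedef struct {
    uint8_t  code[CODE_MAX];
    size_t   len;
    uint32_t seal;
} app_image;

/* Standard CRC-32 (reflected polynomial 0xEDB88320, init and final
 * XOR 0xFFFFFFFF), bit-serial so the block needs no lookup table. */
uint32_t crc32_buf(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Done once on the clean build: the seal covers the code bytes only. */
void seal_image(app_image *img) {
    img->seal = crc32_buf(img->code, img->len);
}

/* The self-check: recompute over whatever the code looks like now. */
int image_is_clean(const app_image *img) {
    return crc32_buf(img->code, img->len) == img->seal;
}

/* Build a constructed clean image (arbitrary bytes, not real 68k code)
 * and seal it, as a release build would. */
void make_clean_image(app_image *img) {
    memset(img, 0, sizeof *img);
    img->len = 64;
    for (size_t i = 0; i < img->len; i++)
        img->code[i] = (uint8_t)(i * 37u + 11u);
    seal_image(img);
}

/* Model of an appending infector: copy the payload after the host code
 * and patch the entry point so the payload runs first. Returns 0 if the
 * payload does not fit (the infector would skip this host). */
int infect_image(app_image *img, const uint8_t *payload, size_t plen) {
    if (plen == 0 || img->len + plen > CODE_MAX) return 0;
    memcpy(img->code + img->len, payload, plen);
    img->code[0] = 0xFF;                 /* constructed "jump to payload" marker */
    img->code[1] = (uint8_t)img->len;    /* where the payload was appended */
    img->len += plen;
    return 1;
}

/* Startup in the order the post describes: initialization first (on an
 * infected host that is when the patched init trap infects the app),
 * then the seal check. Returns 1 if the alarm should sound. */
int startup_alarm(app_image *img, int host_infected) {
    static const uint8_t payload[] = "constructed stand-in for a virus body";
    if (host_infected)
        infect_image(img, payload, sizeof payload - 1);
    return !image_is_clean(img);
}

/* Convenience wrapper: fresh clean image, then one startup on a host
 * that is either clean (0) or infected (1). */
int demo_alarm(int host_infected) {
    app_image img;
    make_clean_image(&img);
    return startup_alarm(&img, host_infected);
}

int main(void) {
    printf("startup on clean host:    alarm=%d\n", demo_alarm(0));
    printf("startup on infected host: alarm=%d\n", demo_alarm(1));
    return 0;
}
```

Two design points matter in practice. First, the seal is excluded from its own coverage, otherwise sealing would be circular. Second, the check is deliberately placed after initialization: a check run before the init traps would pass on an infected machine and the freshly infected copy would then carry the virus onward, which is precisely the window the post says MandelZot closes. A CRC catches accidental or unsophisticated modification; a virus written with this specific check in mind could recompute and rewrite the seal, so a stronger seal would need a keyed MAC or a signature the infector cannot reproduce.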