Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.csd.uwm.edu!srcsip!jhereg!andrew
From: andrew@jhereg.Minnetech.MN.ORG (Andrew Esh)
Newsgroups: comp.sys.mac
Subject: Re: VIRUS OUTBREAK in MAC BINARIES!
Summary: The source has been found.
Message-ID: <124@jhereg.Minnetech.MN.ORG>
Date: 8 Sep 89 22:16:21 GMT
References: <20982.24F8D5E1@cmhgate.FIDONET.ORG> <697@anagld.UUCP> <123914@sun.Eng.Sun.COM> <945@mrsvr.UUCP> <107@jhereg.Minnetech.MN.ORG> <1432@intercon.UUCP> <32733@improper.com> <4992@merlin.usc.edu>
Reply-To: andrew@jhereg.Minnetech.MN.ORG (Andrew Esh)
Organization: Minnetech Consulting, Inc., Mpls, MN
Lines: 22

I have found the source of the nVIR infection of my machine. It was not mac.binaries. Unbeknownst to me, someone else tried out a program on my Mac, and I found nVIR all over his machine. I was able to determine that my machine had been used by looking at the output of the Logger INIT, and recalling my shutdown time. My Mac had been restarted later, while I was out.

Because of all the furor over this, I must apologize to the moderator of mac.binaries, and to the net. My first thought was to alert users, so the spread could be halted immediately. I should have checked before posting, but the chance that someone else will use my machine is extremely low, occurring about once every three months. Sorry folks, just trying to protect you.

The tools which helped with all this were Disinfectant, Logger, and the protection code of MandelZot 2.0. My commendations to the authors of all three. Things would have gone better if I had had Vaccine or Guardian running, but I had replaced my system files without re-inoculating them. I could also have used something like DiskLock to keep the Butthead from using my disk.

With all that's going on, sometimes it's tough to be right.

- Andrew
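The detection step the post describes, comparing the startup records kept by a boot logger against the owner's own shutdown time to find a restart that happened while nobody should have been at the machine, as an added Python example. This is not code from the post or from Logger, Disinfectant or any other tool named in it; the log line format, the timestamps and the absence window are constructed assumptions, since the real Logger INIT output is not shown on the page.

```python
from datetime import datetime

# Constructed sample log in an assumed "date time event" format (not the real
# Logger INIT format). The owner shut down at 17:42 and came back the next
# morning at 08:00; the 21:15 startup is the session to flag.
SAMPLE_LOG = """\
1989-09-06 17:42 shutdown
1989-09-06 21:15 startup
1989-09-06 23:03 shutdown
1989-09-07 08:30 startup
"""


def parse_log(text):
    """Turn log lines into (timestamp, event) pairs, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, kind = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M")
        events.append((ts, kind))
    return events


def unattended_sessions(events, absent_from, absent_until):
    """Return (startup, shutdown) pairs for sessions that began while the
    owner was away. A session still running at the end of the log has
    shutdown=None. Events are sorted so log order does not matter."""
    sessions = []
    pending = None
    for ts, kind in sorted(events):
        if kind == "startup":
            pending = ts
        elif kind == "shutdown" and pending is not None:
            if absent_from <= pending <= absent_until:
                sessions.append((pending, ts))
            pending = None
    if pending is not None and absent_from <= pending <= absent_until:
        sessions.append((pending, None))
    return sessions


def report(text, absent_from, absent_until):
    """Human-readable summary of unattended sessions found in the log text."""
    found = unattended_sessions(parse_log(text), absent_from, absent_until)
    if not found:
        return "no startups while the owner was absent"
    lines = []
    for start, end in found:
        end_text = end.strftime("%Y-%m-%d %H:%M") if end else "still running"
        lines.append(f"unattended session: {start:%Y-%m-%d %H:%M} -> {end_text}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed absence window: the owner's remembered shutdown and return.
    left = datetime(1989, 9, 6, 17, 42)
    back = datetime(1989, 9, 7, 8, 0)
    print(report(SAMPLE_LOG, left, back))
```

The useful part is the combination of two sources: the log alone only shows that the machine restarted, and memory alone only gives the shutdown time; together they show a session that the owner did not start, which is what narrows the infection window. Any session flagged this way is a lead to check the programs run in it rather than proof of infection by itself.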