Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: dmg@lid.mitre.org (David Gursky)
Newsgroups: comp.virus
Subject: RE: How does one disinfect nVIR from an Appletalked network
Message-ID: <0001.8909181146.AA03502@ge.sei.cmu.edu>
Date: 15 Sep 89 13:51:54 GMT
Sender: Virus Discussion List
Lines: 51
Approved: krvw@sei.cmu.edu

To answer your question literally, one Mac at a time....

1) Get a copy of Disinfectant 1.2. This detects and removes all known
   versions of nVIR. Also get a copy of Gatekeeper 1.1.1. Both of these
   are available from the Info-Mac archives on SUMEX-AIM.STANFORD.EDU.
   When you finally get Disinfectant, and de-Binhex it and de-Stuffit,
   make sure the diskette you keep it on is write-protected!!! This is
   very important; a virus cannot infect an application on a
   write-protected diskette!

2) Pick any Mac on your LAN, and run Disinfectant on the disk. This will
   list all the infected files. Here you have two options:

   a) Throw out all the infected files and restore them from the
      original master diskettes *or*

   b) Use the disinfect feature of Disinfectant to remove nVIR from the
      infected applications.

   a is the more effective treatment, but b may be a more practical
   solution.

3) Once the disk is "clean", put a copy of Gatekeeper in the System
   Folder, and reboot the machine. Gatekeeper is a cdev that detects
   attempts to infect applications and System files. I refer you to the
   documentation that accompanies Gatekeeper for instructions on how it
   works, in depth.

4) Repeat steps 1 through 3 for each Mac.

After this, you may wish to check floppy disks you have around for
infection, but that is up to you.

As to your other questions, Disinfectant not only detects and kills
nVIR, but the various strains of it (such as MEV#, AIDS, nFLU, and so
on), as well as Scores, INIT 29, ANTI, and MacMag. In short, it detects
and kills all known Mac viruses.

As far as tracing the source, well, that can be a hard thing to do. You
can look at the time the infected files were last modified, and this
should give you some form of a "traceback", but it is not a certainty
that you will be able to garner the source of the infection from it.

Lastly, you ask about programs that can continually monitor for signs of
infection. Gatekeeper is such an application. Other tools that do this
are Vaccine (also available on the SUMEX archive), and SAM (a commercial
application written by Paul Cozza and published by Symantec, and a very
good application from what I understand).

David Gursky
Member of the Technical Staff, W-143
Special Projects Department
The MITRE Corporation
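
The modification-time "traceback" mentioned in the post, as an added example that is not part of the original message: it orders machines by the earliest trustworthy last-modified time among their infected files and sets aside timestamps that cannot be trusted. The host names, file names, timestamps and the two cutoff dates are constructed assumptions; the ordering is a lead to follow up, not proof of the source.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample: (machine, infected file, last-modified time) as an
# analyst might transcribe them from each machine's scan results.
FINDINGS = [
    ("mac-a", "System",   "1989-09-02 09:15"),
    ("mac-a", "MacWrite", "1989-08-30 16:40"),
    ("mac-b", "Finder",   "1989-08-28 11:05"),
    ("mac-b", "MacPaint", "1904-01-01 00:03"),  # clock was never set
    ("mac-c", "Excel",    "1989-09-05 14:22"),
    ("mac-c", "Word",     "1990-01-01 00:00"),  # later than the scan itself
]


def traceback(findings, not_before, scan_time):
    """Return (timeline, rejected).

    timeline: one (when, machine, file) tuple per machine, holding its
              earliest plausible infected-file timestamp, oldest first.
    rejected: findings whose timestamp falls outside [not_before, scan_time]
              and so says nothing reliable about when infection happened.
    """
    lo = datetime.strptime(not_before, FMT)
    hi = datetime.strptime(scan_time, FMT)
    earliest, rejected = {}, []
    for machine, name, stamp in findings:
        when = datetime.strptime(stamp, FMT)
        if not lo <= when <= hi:
            rejected.append((machine, name, stamp))
            continue
        if machine not in earliest or when < earliest[machine][0]:
            earliest[machine] = (when, name)
    timeline = sorted((when, machine, name)
                      for machine, (when, name) in earliest.items())
    return timeline, rejected


if __name__ == "__main__":
    # Assumed cutoffs: nothing before 1987 is believed; scan ran 15 Sep 1989.
    timeline, rejected = traceback(FINDINGS, "1987-01-01 00:00", "1989-09-15 00:00")
    for when, machine, name in timeline:
        print(f"{when:%Y-%m-%d %H:%M}  {machine:6}  {name}")
    for machine, name, stamp in rejected:
        print(f"untrusted timestamp: {machine} {name} {stamp}")
```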