Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!rpi!gem.mps.ohio-state.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon)
Newsgroups: comp.virus
Subject: Re: New virus? (Mac)
Message-ID: <0005.8910041808.AA09177@ge.sei.cmu.edu>
Date: 2 Oct 89 20:05:35 GMT
Sender: Virus Discussion List
Lines: 44
Approved: krvw@sei.cmu.edu

>Subject: New virus? (Mac)

I'm afraid so...

>We here at the University of Rochester may have discovered a new
>virus, or a variation on a theme. What it does is infect Macwrite ...

(sundry details omitted)

> ... Disinfectant 1.1 doesn't work, so please email me the
>latest version of disinfectant to try...

I'm afraid it won't help. You should send some mail to John Norstad
*immediately* and let him know about it. He may request a copy of your
infected files. His net address is in the Disinfectant documentation.

>The virus definitely attacks Macwrite. It adds a str ID 801 and
>modifies the icon to say Macwite instead of the standard application
>icon. The application increases in size by 104 bytes, 56 in the
>string. they are added in sector 014F, according to Fedit Plus 1.0.

Actually, you should check it out with ResEdit and see what resource
they get added to. Ditto for the System; look for INIT resources. There
are a few that are supposed to be there, but the virus may add new ones.

(more details omitted)

This sounds very much like a new virus. Have you Vaccine or GateKeeper
installed? Either should keep infections from spreading, unless the
virus is doing its own disk I/O at the driver level (very dangerous and
could lead to screwed-up disks).

Things to try:
- Write-protect a known-clean version of MacWrite and try running it on
  the infected system.
- Change another application's signature (type/creator) to MacWrite's
  and see if the virus tries to infect it.
- Name MacWrite something else and see if it is attacked.
- Look at the system heap with Macsbug and try to identify all of
  the resources loaded into it. This may help in tracking down the
  infection mechanism.

I'd appreciate hearing further details; post them to me personally if
you'd like.

--- Joe M.