Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!gatech!ncar!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: ut-emx!chrisj@cs.utexas.edu (Chris Johnson)
Newsgroups: comp.virus
Subject: Re: New Mac Virus Not In 'Moria' But in SuperClock3.5!
Message-ID: <0007.8910231202.AA07114@ge.sei.cmu.edu>
Date: 10 Oct 89 15:51:33 GMT
Sender: Virus Discussion List
Lines: 65
Approved: krvw@sei.cmu.edu

In article <0009.8910062006.AA22699@ge.sei.cmu.edu> d9bertil@dtek.chalmers.se
(Bertil Jonell) writes:
>Today when I had time to check the various downloads that had been occurring
>during the last few days I found that the resource STR ID 801 appeared
>in the document Clock Doc (a word document). I double checked this by

Actually, the file *type* is 'WORD', but it's not a Microsoft Word
document. The 'WORD' document type is specific to MacWrite files.
Actual MS Word documents have a type of 'WDBN' and a creator of 'MSWD'.
The creator for MacWrite files is 'MACA' (short for MacAuthor).

>extracting it from the .sit archive again and examining it directly
>(On Cue from StuffIt to ResEdit). Since Stuffit and Resedit seem to be
>clean from this and other known viruses I can only assume that the virus
>was there when Clock Doc was packaged!

Incorrect assumption. First it must be established that there *is* a
virus.

>What I'm wondering now is: Is it confirmed that the STR ID 801 really *is*
>a sign of a virus? Is there any chance that it is a legitimate resource?

STR 801 *is* a legitimate resource in (at least) MacWrite versions 4.5 &
4.6. It's also likely to be valid in files created by versions as early
as 3.0, and as late as 5.x.

To quote from an old copy of Tech. Note #12 (February 20, 1986)
"Disk Based MacWrite Format:

"FONT MAPPING - In the document's resources is a resource of type STR
with the ID #801. It contains a mapping of fonts to font resource IDs
and information on real fonts. This resource begins with a word...."

>(I've tested making new MacWrite documents with a locked copy, They have
> resources this 'International Resource' and a STR resource ID 701,

I think you mean STR 700 -- I don't know of any MacWrite format that
uses a STR with an ID of 701. If you're curious, STR 700 contains the
fifteen most commonly used letters in whatever language MacWrite happens
to be set up for. It's used as an encryption/decryption key for
MacWrite's nibble-wise text compression scheme.

>None of them have had a STR ID 801) Clock Doc comes with the
>SuperClock! 3.5 INIT Recently posted to the comp.binaries.mac
>newsgroup. I'm sorry for causing consternation by proclaiming Moria as
>a possible source, (Frankly, That .sit archive had been deleted so I
>couldn't check it, But since the known infected machines both had
>Superclock 3.5 installed within the last few days, Moria has dropped
>off the list of prime suspects)
>-bertil-
>
>Bertil K K Jonell @ Chalmers University of Technology, Gothenburg

In conclusion, STR 801 is nothing to worry about, (1) because it's
supposed to be there, and (2) because, *in and of itself*, it couldn't
transmit a virus since no known program, and certainly no portion of the
Mac Toolbox or OS, is going to try to load a STR resource into memory
and execute it.

All in all, from the evidence listed above, there's no reason to believe
there's *any* form of virus present.

Cheers,
----Chris (Johnson)
----Author of GateKeeper
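
An added example, not part of the original post or of any tool it mentions: a small parser that lists the (type, ID) pairs in a raw Macintosh resource fork, which is the check ResEdit was used for in this thread. The sample fork and its payload bytes are constructed, and the names build_fork, list_resources and has_resource are hypothetical.

```python
import struct

def build_fork(resources):
    """Build a minimal resource fork from [(type, id, payload)]; used only for the sample."""
    data, refs = b"", {}
    for rtype, rid, payload in resources:
        refs.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(payload)) + payload   # length-prefixed resource data
    type_list, ref_lists = struct.pack(">H", (len(refs) - 1) & 0xFFFF), b""
    ref_base = 2 + 8 * len(refs)             # reference lists follow the type entries
    for rtype, items in refs.items():
        type_list += rtype + struct.pack(">HH", len(items) - 1, ref_base + len(ref_lists))
        for rid, off in items:
            # id, name offset (0xFFFF = unnamed), attributes byte + 24-bit data offset, handle
            ref_lists += struct.pack(">hHI4x", rid, 0xFFFF, off)
    map_len = 28 + len(type_list) + len(ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), map_len)
    rmap = header + bytes(8) + struct.pack(">HH", 28, map_len) + type_list + ref_lists
    return header + bytes(240) + data + rmap

def list_resources(fork):
    """Return [(type, id, payload)] for every resource in a raw resource fork."""
    data_off, map_off, data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    if map_off + map_len > len(fork) or data_off + data_len > len(fork):
        raise ValueError("header offsets run past end of fork")
    tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]   # start of type list
    ntypes = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF    # stored as count - 1
    out = []
    for t in range(ntypes):
        rtype, cnt, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(cnt + 1):
            rid, _name, packed = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * r)
            start = data_off + (packed & 0xFFFFFF)       # low 24 bits: offset into data area
            (size,) = struct.unpack_from(">I", fork, start)
            if start + 4 + size > data_off + data_len:
                raise ValueError("resource data runs past data area")
            out.append((rtype.decode("mac_roman"), rid, fork[start + 4:start + 4 + size]))
    return out

def has_resource(fork, rtype, rid):
    """True if the fork holds a resource of this four-character type and ID."""
    return any(t == rtype and i == rid for t, i, _ in list_resources(fork))

# Constructed sample: a document-like fork holding the two STR resources the post discusses.
SAMPLE = build_fork([(b"STR ", 700, b"\x0fconstructed-key"),
                     (b"STR ", 801, b"\x00\x01constructed")])
```

Note that the resource type is the four bytes 'STR ' with a trailing space, so a search for a three-character "STR" will not match.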