Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!shadooby!ginosko!usc!sdsu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw From: jrk@sys.uea.ac.uk (Richard Kennaway) Newsgroups: comp.virus Subject: Re: The not-so-new virus (Mac) Message-ID: <0010.8910231202.AA07114@ge.sei.cmu.edu> Date: 11 Oct 89 17:18:24 GMT Sender: Virus Discussion List Lines: 40 Approved: krvw@sei.cmu.edu We have not seen any symptoms of the MacWrite-attacking MacWight virus at this site, but on seeing the messages about it, I started looking for STR 801 resources. I doubt if they have anything to do with the virus. A scan of my hard disc showed that something like half the MacWrite docs had STR 801 in them. There didnt seem to be any pattern in which files had STR 801 and which didnt. The STR 801s are not all the same size, BTW. Opening a file which did not have it with MacWrite4.6M had the effect of adding a STR 801. In response to a local enquiry, a colleague said: > I don't have all that many MacWrite docs. on my hard disc, but I managed > find a few that I created about two years ago. They had STR id. = 801 > resources. As far as I can remember, I haven't touched them since > Christmas '87 (other than copying the folder [that contains the folder ...] > that contains them, in the Finder, and running Disinfectant). > > I've also just looked at the MacWrite floppy that came with a new Mac+ > about two years ago. As far as I can remember this disc has been > languishing in its box since a day or two after the machine arrived: the > "Sample Memo" doc. on this disc also has a STR id. = 801 resource on it. I suspect that STR 801 is legitimately used by newer versions of MacWrite for its own inscrutable purposes. Disclaimer: only Apple or Claris can make a definitive pronouncement. Paranoid speculation follows. Maybe someone is using the Joker's trick. There could be several infected applications out there, all quietly spreading harmless-looking things like STR 801 that dont ring GateKeeper's alarms, but when they all come together in one application, the real virus is triggered... Plug for Virus Detective: with this it was easy to search for all files containing STR 700 (legitimate MacWrite resource) or STR 801. All the other virus detectors I've seen have the symptoms to look for hard-wired. I have no relationship with the author other than being a satisfied customer. - -- Richard Kennaway SYS, University of East Anglia, Norwich, U.K. Janet: kennaway@sys.uea.ac.uk uucp: ...mcvax!ukc!uea-sys!jrk