Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!uwm.edu!ux1.cso.uiuc.edu!tank!eecae!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: jap2_ss@uhura.cc.rochester.edu (The Mad Mathematician)
Newsgroups: comp.virus
Subject: The not-so-new virus (Mac)
Message-ID: <0008.8910251154.AA23552@ge.sei.cmu.edu>
Date: 25 Oct 89 03:02:34 GMT
Sender: Virus Discussion List
Lines: 47
Approved: krvw@sei.cmu.edu

I am the one who first posted about the possibly new virus. I will give all the information I have here. I believe I have finally gotten some infected software.

There was a great deal of confusion at first as to what exactly was happening. I was a consultant once, and as such am called upon to assist the present consultants with tasks they are new at. We had been having a problem with disks crashing at an alarming rate, all showing identical symptoms. They are these:

The Chooser becomes unable to find any printer resources.

The System and most system software gets written to, in an as yet unknown manner. Their sizes may or may not change.

Other applications are written to, and documents created with them become unreadable.

The Desktop gets damaged, causing the message "This disk needs minor repairs. Do you want to fix it?" to come up on bootup.

By this stage the only recourse is to copy documents off with something like Deskzap and reformat the disk, replacing all the software. If the disk is repaired, it actually may seem that way, but usually is ruined, even to the point of unusability.

No virus detection programs identify a virus, except perhaps SAM Anti Virus Clinic, and even that doesn't always work. It _may_ be a NVIR variant that is self-modifying, but it does not create the nVIR resource. It does go through Vaccine, but Gatekeeper stops it cold.

The reported STR 801 resource was an error by me. Please ignore this.

There appeared to be a second virus also running around for a while. The symptoms were: Macwrite had its name changed to Macwite or Macwight. The ICN resource for the application was changed to show Macwite instead of the parallel lines. That's all we could find. We have found no other examples since the first three or four disks. I am of the opinion that someone modified one copy using something like Resedit, then shared it.

That is all the information I can recall at this time. As I said, I believe I have found an infected disk, and will be sending copies of an infected application at the earliest opportunity, hopefully tomorrow. Thank you for your patience.

Joseph Poutre (The Mad Mathematician)
jap2_ss@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)