Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!purdue!haven!udel!princeton!phoenix!bskendig
From: bskendig@phoenix.Princeton.EDU (Brian Kendig)
Newsgroups: comp.sys.mac
Subject: I'm not sure I believe this. (was Re: New WDEF Virus)
Message-ID: <12044@phoenix.Princeton.EDU>
Date: 8 Dec 89 04:00:54 GMT
References: <1886@accuvax.nwu.edu>
Reply-To: bskendig@phoenix.Princeton.EDU (Brian Kendig)
Organization: Systems Engineering, NASA Space Station Freedom Project
Lines: 74

In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>A new Macintosh virus named "WDEF" has been discovered in Belgium,
>at Northwestern University, and at the University of Texas.
>
>The WDEF virus infects the invisible "Desktop" files used by the
>Finder. Every Macintosh disk has one of these files (hard drives
>and floppies). The virus spreads from Desktop file to Desktop
>file, but it does not infect applications, data files, or system
>files.
>
> ...
>
>You do not have to run a program for the virus to spread.

Then how *does* it spread?

I've learned not to get worried at the sight of what might be a bad virus.
(Just look at the DataCrime virus in the IBM PC that was supposed to wipe
hard drives clean on Columbus Day - nothing big ever came of that, but
people panicked anyway.)

Now this alleged WDEF virus comes along.

First of all, how can it possibly do any damage from the DeskTop file?
The DeskTop is data only - it is not run. The only way it could do damage
is by persuading the Finder to go on a rampage of some sort. This would be
analogous to a book that made everyone who read it immediately go out and
kill someone without realizing it - not highly likely.

Secondly, so what if the WDEF *is* a virus? What program would look for a
WDEF in the DeskTop file? A WDEF is a Window DEFinition resource (providing
those funky NeXT-style window INITs, for example.) The DeskTop is used
primarily for icons and other miscellaneous Finder information. The Finder
gets its WDEF resources from the System. If the Finder were to check every
resource in the DeskTop file just to make sure it didn't need any of them,
it would run awfully slowly. Therefore, it doesn't search for anything it
doesn't need - and it certainly doesn't need WDEF's from the DeskTop, and
even if it did, it certainly wouldn't switch from interpreting them as data
for drawing windows to data for messing with files.

Thirdly, I'd like to remind everyone that there have been three postings
before this one about the virus. The first announced it. The second
followed impressively quickly, and introduced 'Eradicator!' to fix it. The
third was a post from someone at Stanford who *thinks* he has the virus,
and has also downloaded 'Eradicator!' to fix it.

Now, call me a doubting Thomas, but I find it highly unusual that (a)
someone could whip up a patch that quickly after the virus was discovered,
(b) the virus could spread that quickly from the three source locations
(hmm...) to Stanford, and (c) that the virus appeared at Stanford at around
the same time that 'Eradicator!' was introduced there. (The poster didn't
say whether he downloaded 'Eradicator!' after he suspected the virus, or if
he just downloaded the program to be safe and only later found traces of
funny business.)

Also, if the virus only affects the DeskTop file and copies itself, with no
other effect on the user (as the original announcement stated), how did the
Stanford folks notice it? Does everyone at Stanford have an IIci? (I only
rarely check the resources in my DeskTop file just for the heck of it. ;-)

I'm not blaming anyone for anything. I'm just stating that the events thus
far surrounding the 'virus' have been somewhat questionable. I will wait
for more information before I set up my defenses against the WDEF virus.

<< Brian >>

-- 
| Brian S. Kendig                 ^  Macintosh |  /\  _||_ | bskendig               |
| Computer Engineering            |\ Thought   | /__\ \  / | @phoenix.Princeton.EDU |
| Princeton University            | \ Police   |  ||   \/  | @PUCC.BITNET           |
| Systems Engineering, NASA Space Station Freedom / General Electric WP3            |
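The thread turns on what a Desktop file actually contains. A Desktop file is an ordinary resource file, so the one thing a defender can check without arguing about Finder internals is which resource types are present in it. The script below is an added example, written for this page and not code from Brian Kendig, John Norstad, or the 'Eradicator!' utility. It walks the classic Macintosh resource-fork layout (16-byte header, data section, resource map with a type list and per-type reference lists), lists every resource type and ID, and flags any 'WDEF' entry, which is not a type the Finder stores in a Desktop file. The sample fork is constructed inline so the script runs without a Macintosh; its 'WDEF' payload is filler bytes standing in for a flagged resource, and the function names (`build_resource_fork`, `parse_resource_fork`, `resource_inventory`, `audit_fork`) are mine. Whether the Finder would ever load such a resource is exactly what the post disputes; this check is purely structural and says nothing about that.

```python
"""Inventory the resource types in a classic Mac OS resource fork and flag
any 'WDEF' resource found in a Desktop-style fork.

Layout used (the classic resource-fork format):
  header : 4-byte data offset, 4-byte map offset, 4-byte data length,
           4-byte map length, then reserved bytes up to offset 256
  data   : for each resource, 4-byte length followed by the payload
  map    : 16-byte header copy, 4-byte handle, 2-byte file ref, 2-byte
           attrs, 2-byte type-list offset, 2-byte name-list offset
           (both relative to the map start), then the type list and the
           reference lists it points to
"""
import struct

DATA_START = 256  # classic forks place the data section at offset 256


def build_resource_fork(resources):
    """Construct a fork from {type: [(id, payload), ...]} (test data only)."""
    data = bytearray()
    offsets = {}
    for rtype, items in resources.items():
        for rid, payload in items:
            offsets[(rtype, rid)] = len(data)
            data += struct.pack(">I", len(payload)) + payload
    types = list(resources)
    type_list = bytearray(struct.pack(">H", len(types) - 1))
    ref_lists = bytearray()
    ref_base = 2 + 8 * len(types)  # first ref list follows the type entries
    for rtype in types:
        items = resources[rtype]
        type_list += struct.pack(">4sHH", rtype, len(items) - 1,
                                 ref_base + len(ref_lists))
        for rid, _payload in items:
            # ID, no name (0xFFFF), attrs byte 0 + 3-byte data offset, handle
            ref_lists += struct.pack(">hHI", rid, 0xFFFF, offsets[(rtype, rid)])
            ref_lists += b"\0\0\0\0"
    map_len = 28 + len(type_list) + len(ref_lists)  # empty name list
    header = struct.pack(">IIII", DATA_START, DATA_START + len(data),
                         len(data), map_len)
    rmap = bytearray(header) + bytes(8)  # handle, file ref, attrs all zero
    rmap += struct.pack(">HH", 28, map_len)
    rmap += type_list + ref_lists
    return bytes(header) + bytes(DATA_START - 16) + bytes(data) + bytes(rmap)


def parse_resource_fork(fork):
    """Return {type: [(id, attrs, payload), ...]} for every resource."""
    data_off, map_off, _data_len, _map_len = struct.unpack(">IIII", fork[:16])
    type_list_off, _name_list_off = struct.unpack(
        ">HH", fork[map_off + 24:map_off + 28])
    tl = map_off + type_list_off
    (n_types_minus1,) = struct.unpack(">H", fork[tl:tl + 2])
    if n_types_minus1 == 0xFFFF:  # a fork with no resources at all
        return {}
    resources = {}
    for i in range(n_types_minus1 + 1):
        entry = tl + 2 + i * 8
        rtype, n_minus1, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        refs = []
        for j in range(n_minus1 + 1):
            r = tl + ref_off + j * 12
            rid, _name_off, attrs_and_off = struct.unpack(">hHI", fork[r:r + 8])
            attrs = attrs_and_off >> 24
            d = data_off + (attrs_and_off & 0xFFFFFF)
            (length,) = struct.unpack(">I", fork[d:d + 4])
            refs.append((rid, attrs, fork[d + 4:d + 4 + length]))
        resources[rtype] = refs
    return resources


def resource_inventory(fork):
    """{type: sorted list of IDs}; the cheap thing to look at in a Desktop file."""
    return {t: sorted(rid for rid, _a, _p in refs)
            for t, refs in parse_resource_fork(fork).items()}


def audit_fork(fork, flag_types=(b"WDEF",)):
    """List (type, id) pairs whose type is not expected in a Desktop file."""
    return sorted((t, rid) for t, ids in resource_inventory(fork).items()
                  if t in flag_types for rid in ids)


# Constructed sample: icon and file-reference resources such as a Desktop
# file holds, plus a 'WDEF' entry whose payload is filler, not code.
SAMPLE_DESKTOP = {
    b"ICN#": [(128, b"\xff" * 256)],
    b"FREF": [(128, b"APPL\x00\x00\x00")],
    b"WDEF": [(0, b"constructed placeholder bytes")],
}

if __name__ == "__main__":
    fork = build_resource_fork(SAMPLE_DESKTOP)
    for rtype, ids in resource_inventory(fork).items():
        print(rtype.decode("mac_roman"), ids)
    print("flagged:", audit_fork(fork))
```

Run against a real Desktop file, the script would read the file's resource fork rather than a constructed one; everything after that is the same walk over the map. The inventory is the useful output even when nothing is flagged, because it is the baseline that lets a later change in a Desktop file's resource types stand out.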