Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!tut.cis.ohio-state.edu!ucbvax!pasteur!helios.ee.lbl.gov!ucsd!hub!6600pete
From: 6600pete@hub.UUCP
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Message-ID: <3270@hub.UUCP>
Date: 8 Dec 89 12:31:08 GMT
References: <12044@phoenix.Princeton.EDU>
Sender: news@hub.UUCP
Lines: 62

From article <12044@phoenix.Princeton.EDU>, by bskendig@phoenix.Princeton.EDU (Brian Kendig):
> In article <1886@accuvax.nwu.edu> jln@accuvax.nwu.edu (John Norstad) writes:
>>The WDEF virus infects the invisible "Desktop" files used by the
>>Finder.
>> ...
>>You do not have to run a program for the virus to spread.
>
> Then how *does* it spread?
> [ uninformed skepticism about the possibility of such a thing ]

The Desktop file is a resource file. Finder leaves it open. MultiFinder
leaves it open ALL THE TIME. Resources come from resource files in a
precedence according to the order that their resource files are opened.
Lots of Toolbox calls get resources, including window manager calls. A
WDEF (window definition resource) 0 in the Desktop file could easily be
found before the WDEF 0 in the System file, which of course is opened
first and searched last for resources. The source code for WDEF 0 is
easily obtainable, and therefore modifiable. Are you beginning to get
the picture?

Now think about this: a WDEF can do anything it damn well pleases; it
can write a file or draw a window or both. And the Finder uses it! So
you don't even have to run anything special to infect other disks.

I don't know that this is how the virus works; however, it could easily
be the case.

> [ uninformed skepticism about how such a thing might be discovered ]

Programmers crawl the Desktop file all the time. WDEF's do NOT belong
there.

> [ semi-informed doubt about propagation of a virus dependent on the Desktop file ]

I admit it, you've got me skeptical about this.

Normally, the excuse for rapid virus propagation is the network. Can't
be so in this case. But keep in mind that Universities, Stanford
included, have a relatively high international population. A student or
faculty member might have brought it a floppy from Europe on a plane, a
disk could have been sent in the mail. It only takes one. Also, keep in
mind that you are reading messages within three days after the REPORT of
the virus. It might have been propagating for weeks without discovery.

> I find it highly unusual that (a)
> someone could whip up a patch that quickly after the virus was
> discovered,

It doesn't strike me that writing a shield for this particular virus
would be all that difficult. One trap patch. No big deal.

> I will wait for more information before I set up my defenses against
> the WDEF virus.

Well, here's your more information. Please don't make the mistake of
thinking this virus is hype. So far, we haven't had any viruses of the
drive-erasing type, but then again we don't know too much about this
one, and it might be a time bomb...

In any case, here is some final info for you: Norstad tells me in mail
he's already got a fix in Disinfectant 1.4 for this thing. Can you think
of a reason he'd lie about such a thing?

-------------------------------------------------------------------------------
Pete Gontier   | InterNet: 6600pete@ucsbuxa.ucsb.edu, BitNet: 6600pete@ucsbuxa
Editor, Macker | Online Macintosh Programming Journal; mail for subscription
Hire this kid  | Mac, DOS, C, Pascal, asm, excellent communication skills
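As an added illustration of the mechanism Pete describes above (this is not code from the original post, nor from Disinfectant or any of the people named), the following Python script builds and parses classic Macintosh resource forks in the layout documented in Inside Macintosh and then shows two things: how the Resource Manager's search order, newest open file first, lets a WDEF 0 in a Desktop file shadow the WDEF 0 in the System file, and how a defender can sweep a Desktop file for code-bearing resource types that have no business being there. The fork builder, the sample resource contents and the list of code-bearing types are my own constructions for this example.

```python
import struct

# Resource types that carry executable 68K code (my own list for this example;
# the post itself only names WDEF). None of them belong in a Desktop file.
CODE_TYPES = {"WDEF", "CDEF", "MDEF", "LDEF", "INIT", "CODE"}


def build_resource_fork(resources):
    """Build a minimal resource fork from (type, id, name, data) tuples.

    Constructed for this example; layout follows the classic resource fork:
    16-byte header, resource data (4-byte length + bytes each), then the map
    (28-byte map header, type list, reference lists, Pascal-string name list).
    """
    data_area = bytearray()
    by_type = {}
    for rtype, rid, name, payload in resources:
        by_type.setdefault(rtype, []).append((rid, name, len(data_area)))
        data_area += struct.pack(">I", len(payload)) + payload

    type_list = bytearray(struct.pack(">H", len(by_type) - 1))
    ref_lists, name_list = bytearray(), bytearray()
    type_list_len = 2 + 8 * len(by_type)          # reference lists follow it
    for rtype, refs in by_type.items():
        type_list += rtype + struct.pack(">HH", len(refs) - 1,
                                         type_list_len + len(ref_lists))
        for rid, name, data_off in refs:
            name_off = 0xFFFF                     # 0xFFFF means "no name"
            if name is not None:
                name_off = len(name_list)
                enc = name.encode("mac_roman")
                name_list += bytes([len(enc)]) + enc
            # ID, name offset, attribute byte, 3-byte data offset, 4-byte handle
            ref_lists += struct.pack(">hH", rid, name_off)
            ref_lists += b"\x00" + data_off.to_bytes(3, "big") + b"\x00" * 4

    name_list_off = 28 + len(type_list) + len(ref_lists)
    res_map = bytes(24) + struct.pack(">HH", 28, name_list_off)
    res_map += type_list + ref_lists + name_list
    data_off = 256                                # header + 240 reserved bytes
    header = struct.pack(">IIII", data_off, data_off + len(data_area),
                         len(data_area), len(res_map))
    return header + bytes(data_off - 16) + bytes(data_area) + res_map


def list_resources(fork):
    """Walk the resource map and return [{type, id, name, size}, ...]."""
    data_off, map_off, _, _ = struct.unpack(">IIII", fork[:16])
    tl_off, nl_off = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    tl = map_off + tl_off
    (ntypes_m1,) = struct.unpack(">H", fork[tl:tl + 2])
    found = []
    for i in range(ntypes_m1 + 1):
        entry = tl + 2 + 8 * i
        rtype = fork[entry:entry + 4].decode("mac_roman")
        nres_m1, ref_off = struct.unpack(">HH", fork[entry + 4:entry + 8])
        for j in range(nres_m1 + 1):
            ref = tl + ref_off + 12 * j
            rid, name_off = struct.unpack(">hH", fork[ref:ref + 4])
            doff = int.from_bytes(fork[ref + 5:ref + 8], "big")
            (size,) = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])
            name = None
            if name_off != 0xFFFF:
                p = map_off + nl_off + name_off
                name = fork[p + 1:p + 1 + fork[p]].decode("mac_roman")
            found.append({"type": rtype, "id": rid, "name": name, "size": size})
    return found


def resolve_resource(open_files, rtype, rid):
    """Mimic the Resource Manager: search the most recently opened file first.

    open_files is [(label, fork), ...] in the order the files were opened.
    Returns the label of the file whose copy wins, or None.
    """
    for label, fork in reversed(open_files):
        if any(r["type"] == rtype and r["id"] == rid for r in list_resources(fork)):
            return label
    return None


def suspicious_resources(fork):
    """Defender's sweep: code-bearing resources in a file that should have none."""
    return [r for r in list_resources(fork) if r["type"] in CODE_TYPES]


# Constructed sample forks: the System file carries the real WDEF 0; one Desktop
# file is clean, the other carries a foreign WDEF 0 (payload is dummy bytes).
SYSTEM = build_resource_fork([(b"WDEF", 0, "System WDEF", b"\x4e\x75")])
CLEAN_DESKTOP = build_resource_fork([(b"ICN#", 128, None, bytes(8))])
INFECTED_DESKTOP = build_resource_fork([(b"WDEF", 0, None, b"\x4e\x75"),
                                        (b"ICN#", 128, None, bytes(8))])

if __name__ == "__main__":
    print("clean:", resolve_resource([("System", SYSTEM), ("Desktop", CLEAN_DESKTOP)], "WDEF", 0))
    print("infected:", resolve_resource([("System", SYSTEM), ("Desktop", INFECTED_DESKTOP)], "WDEF", 0))
    print("sweep:", suspicious_resources(INFECTED_DESKTOP))
```

Run as a script it reports that the clean Desktop file leaves WDEF 0 resolving to the System file, while the infected one resolves to the Desktop file, which is exactly the precedence inversion the post relies on; `suspicious_resources` is the check a Desktop-file scanner would run, and on a real fork it should be read from the file's resource fork rather than the constructed bytes used here.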