Path: utzoo!attcan!uunet!aplcen!samsung!usc!apple!genbank!ames!coherent!dplatt
From: dplatt@coherent.com (Dave Platt)
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Keywords: Norstad Truth
Message-ID: <41539@improper.coherent.com>
Date: 9 Dec 89 06:54:03 GMT
References: <1886@accuvax.nwu.edu> <12044@phoenix.Princeton.EDU> <1989Dec8.164800.8091@chinet.chi.il.us> <1044@zip.eecs.umich.edu>
Reply-To: dplatt@coherent.com (Dave Platt)
Organization: Coherent Thought Inc., Palo Alto CA
Lines: 90

In article <1044@zip.eecs.umich.edu> ksuzuki@dip.eecs.umich.edu.UUCP (Katsu Suzuki) writes:

> BUT, what can I do to defend my HD from infection?  Of course, I can check
> frequently, but if just inserting an infected disk infects the HD, trying to
> check for infection causes the HD to be infected.  Now I am so afraid of using
> floppy disks.
>
> Exactly when will the HD be infected?  When a floppy disk is inserted?  Or when
> a floppy is inserted while the Finder is working?  I don't know well how the
> System and Finder access the Desktop.  I hope some experts answer my question
> and release us from fear.

Infections can occur if you're in the Finder (uni- or Multi-), or are
running any other program which opens the Desktop file.  I don't believe
they can occur if all of your Desktop files are closed.  The infection
mechanism seems to require that you open at least one window.

If your hard disk is infected, then other volumes (floppies, Syquests,
etc.) can become infected under the above circumstances.  The infection
isn't a "sure thing", but it becomes increasingly likely after a fairly
short period of time.

If your hard disk is not infected, and you insert an infected floppy,
the infection may spread to your hard disk if the above conditions are
true.  Once again, the infection is not certain, but is likely.

The WDEF virus does not infect applications, application documents, or
System files.
As far as we know, it can't be contracted by downloading a program from
a bulletin-board system, from comp.binaries.mac, etc.  It's carried from
machine to machine via floppy disks and other dismountable volumes.

What you can do to disinfect and protect your system:

1) If you have a Mac II, IIx, IIcx, IIci, or SE/030, install the
   Eradicator! INIT.  It's not perfect or foolproof, but it does appear
   to provide a substantial amount of protection against this virus.  It
   will disinfect your boot volume when it installs itself, and will
   disinfect any newly-inserted floppies.

   A triple-beep means that the WDEF virus has been detected in the
   Desktop file.  It will be removed, unless the diskette is locked... in
   which case the disk will be ejected or unmounted.

   A single beep means that Eradicator! could not read the Desktop file.
   This can happen if you initialize a new floppy, or run a RAMdisk
   installer, or pop in a backup diskette written by an application which
   doesn't maintain the Desktop file (e.g. DiskFit).  A single beep is not
   a reason for alarm.

   Do not run Eradicator! 1.0 on a Mac Plus or SE... it will bomb during
   the boot sequence.  The authors are working on a new version which
   won't have this problem.

   Eradicator! is actually a broad-spectrum antiviral; it will zap WDEF,
   and any other virus which attempts to store executable code in the
   Desktop file.  It will not detect or remove viruses such as nVIR,
   which store code in the System file or in applications.

2) You can use VirusDetective, with the additional search-string
   recommended by Jeff Shulman (Creator=ERIK & Resource WDEF & Any).
   Run VirusDetective under any application _other_ than the Finder, so
   that the Desktop files are all closed.  If VirusDetective tells you
   that it has found the WDEF resource, you may safely remove the viral
   resource from the Desktop file (note... this is NOT safe to do with
   other viruses such as nVIR or SCORES; these require a more complex
   disinfection technique).
   If you start up VirusDetective, then you can simply start popping
   floppies into your Mac... VirusDetective will scan 'em, and if they're
   clean (or after you remove the WDEFs) it will eject them.

3) In a pinch, you can reboot, and hold down the command and option keys
   before the Finder desktop is drawn... and then say "Yes" when asked if
   you want to rebuild the Desktop file(s) on your hard disk
   partition(s).  Keep the command and option keys down until the Desktop
   files on all of your volumes have been rebuilt.  You'll lose your
   Finder comments and perhaps some document icons... but the WDEF virus
   will also be removed.

   You can do the same for floppy disks... while in the Finder, hold down
   command and option, insert the disk, and OK the desktop rebuild.
   Eject the floppy, and repeat this sequence as necessary to cleanse all
   of your suspect floppies.

Within the next few weeks, you can probably expect to see updated
versions of the popular freeware/shareware/commercial virus detectors
and disinfection tools.

-- 
Dave Platt                                             VOICE: (415) 493-8805
  UUCP: ...!{ames,apple,uunet}!coherent!dplatt        DOMAIN: dplatt@coherent.com
  INTERNET:   coherent!dplatt@ames.arpa, ...@uunet.uu.net
  USNAIL: Coherent Thought Inc.  3350 West Bayshore #205  Palo Alto CA 94303
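The VirusDetective search string in item 2 above ("Creator=ERIK & Resource WDEF & Any") is really a two-part rule: the file's creator is ERIK (the Finder's Desktop file) and its resource fork holds a resource of type WDEF, of any ID. A WDEF resource legitimately belongs in the System file, so its presence in a Desktop file is the indicator. The following is an added example, not code from the post or from VirusDetective: it builds a minimal Macintosh resource fork in memory (sample resources are constructed here; the "WDEF" payload is dummy zero bytes), walks the resource map the way the Resource Manager lays it out (header, data section, map header, type list, reference lists), and applies the same creator-plus-resource-type check. The helper names (`build_resource_fork`, `list_resources`, `check_desktop`) are this example's own.

```python
import struct

RES_HEADER_LEN = 256  # 16-byte header plus 240 reserved bytes, as in a real fork
MAP_HEADER_LEN = 28   # header copy(16) + next-map handle(4) + file ref(2) + attrs(2) + type list off(2) + name list off(2)
DESKTOP_CREATOR = "ERIK"  # creator of the Finder's Desktop file (from Shulman's search string)


def build_resource_fork(resources):
    """Build a minimal resource fork from [(type, id, data), ...] (constructed test data)."""
    data_section = bytearray()
    data_offsets = []
    for _, _, data in resources:
        data_offsets.append(len(data_section))
        data_section += struct.pack(">I", len(data)) + data  # each resource: 4-byte length, then bytes
    by_type = {}
    for i, (rtype, rid, _) in enumerate(resources):
        by_type.setdefault(rtype, []).append((rid, data_offsets[i]))
    type_list_len = 2 + 8 * len(by_type)
    type_list = struct.pack(">H", len(by_type) - 1)  # count of types, minus one
    ref_lists = bytearray()
    for rtype, entries in by_type.items():
        ref_off = type_list_len + len(ref_lists)  # reference list offset, relative to type list start
        type_list += rtype.encode("ascii") + struct.pack(">HH", len(entries) - 1, ref_off)
        for rid, doff in entries:
            # id(2), name offset(2, 0xFFFF = unnamed), attrs(1)+data offset(3), reserved handle(4)
            ref_lists += struct.pack(">hH", rid, 0xFFFF) + struct.pack(">I", doff & 0xFFFFFF) + b"\0" * 4
    name_list_off = MAP_HEADER_LEN + len(type_list) + len(ref_lists)
    map_body = struct.pack(">HH", MAP_HEADER_LEN, name_list_off) + type_list + ref_lists
    map_len = 16 + 4 + 2 + 2 + len(map_body)
    header = struct.pack(">IIII", RES_HEADER_LEN, RES_HEADER_LEN + len(data_section),
                         len(data_section), map_len)
    res_map = header + b"\0" * 8 + map_body  # header copy, then zeroed handle/fileref/attrs
    return bytes(header + b"\0" * (RES_HEADER_LEN - 16) + data_section + res_map)


def list_resources(fork):
    """Walk the resource map and return [(type, id, data_length), ...]."""
    data_off, map_off, _, map_len = struct.unpack(">IIII", fork[:16])
    res_map = fork[map_off:map_off + map_len]
    type_list_off, _name_list_off = struct.unpack(">HH", res_map[24:28])
    ntypes = struct.unpack(">H", res_map[type_list_off:type_list_off + 2])[0] + 1
    found = []
    for i in range(ntypes):
        entry = type_list_off + 2 + 8 * i
        rtype = res_map[entry:entry + 4].decode("ascii")
        count_minus_1, ref_off = struct.unpack(">HH", res_map[entry + 4:entry + 8])
        for j in range(count_minus_1 + 1):
            ref = type_list_off + ref_off + 12 * j
            rid = struct.unpack(">h", res_map[ref:ref + 2])[0]
            doff = struct.unpack(">I", res_map[ref + 4:ref + 8])[0] & 0xFFFFFF  # drop attrs byte
            length = struct.unpack(">I", fork[data_off + doff:data_off + doff + 4])[0]
            found.append((rtype, rid, length))
    return found


def check_desktop(creator, fork):
    """Apply 'Creator=ERIK & Resource WDEF & Any': return the WDEF resources of a Desktop file."""
    if creator != DESKTOP_CREATOR:
        return []  # WDEF in a System file (creator MACS) is normal; only the Desktop file is suspect
    return [r for r in list_resources(fork) if r[0] == "WDEF"]


# Constructed samples: a clean Desktop fork, an infected-looking one, and a System fork.
CLEAN_DESKTOP = build_resource_fork([("FREF", 128, b"\0" * 4), ("ICN#", 128, b"\0" * 256)])
INFECTED_DESKTOP = build_resource_fork([("FREF", 128, b"\0" * 4), ("WDEF", 0, b"\0" * 32)])
SYSTEM_FORK = build_resource_fork([("WDEF", 0, b"\0" * 32)])

if __name__ == "__main__":
    for label, creator, fork in [("clean Desktop", "ERIK", CLEAN_DESKTOP),
                                 ("infected Desktop", "ERIK", INFECTED_DESKTOP),
                                 ("System file", "MACS", SYSTEM_FORK)]:
        print(label, "->", check_desktop(creator, fork) or "no WDEF resource found")
```

The check deliberately keys on the creator as well as the resource type: a WDEF resource by itself is not evidence of anything, since every System file carries one, which is exactly why Shulman's string pairs it with Creator=ERIK.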