Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!accuvax.nwu.edu!jln
From: jln@accuvax.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Keywords: Norstad Truth
Message-ID: <1975@accuvax.nwu.edu>
Date: 9 Dec 89 15:32:47 GMT
References: <1886@accuvax.nwu.edu> <12044@phoenix.Princeton.EDU> <1989Dec8.164800.8091@chinet.chi.il.us> <1044@zip.eecs.umich.edu> <41539@improper.coherent.com>
Sender: news@accuvax.nwu.edu
Reply-To: jln@accuvax.nwu.edu (John Norstad)
Organization: Northwestern Univ. Evanston, Il.
Lines: 58

Unfortunately, we have received two reports of serious problems with version 1.0 of the Eradicator! INIT that I posted a few days ago, even on 68020 and 68030-based machines. So I recommend that you do not use it. We received source code for the INIT from the authors in Belgium yesterday, and we are working on what we hope will be a more reliable version, and one that will also work on 68000-based Macs.

I think it's worth briefly repeating what we know about this thing so far.

We have completely disassembled it, we've tested it and watched it spread. It is definitely a real virus. It has been reported in Belgium and at Northwestern Univ, Univ of Texas, Stanford Univ, Univ of New Mexico, and now the Univ of Michigan.

It spreads from Desktop file to Desktop file. It doesn't infect applications, documents, or system files. It gets past all of the currently popular protection INITs, including Vaccine, GateKeeper, SAM Intercept, and Virex INIT. None of the current detection/repair programs can detect it, except for Virus Detective (when properly configured with a new search string).

Even though the WDEF virus does not INTENTIONALLY try to do any damage, it contains serious bugs which DO CAUSE DAMAGE. Here's the damage that we've seen or heard reports of so far:

1. It causes Mac IIci's to crash, always. We know why.

2. It probably causes portables to crash, but we haven't tested this yet.

3. Several people have observed significantly more frequent crashes on Mac IIcx's, especially when trying to save files, and especially in MS Word 4.0. We have heard enough reports of this to be fairly confident that it is indeed the virus that is causing the crashes, but we don't yet know why.

4. We have two reports of damaged floppy disks on infected systems. In fact, here at NU that was how the virus was discovered: my coworker Albert Lunde was helping a user try to recover a damaged floppy, and he saw the string "WDEFVIRUS" on the disk. We are not yet positive that the virus caused this damage, but two independent reports are enough to cause us concern.

5. We know that the virus can cause serious performance problems on AppleTalk networks with AppleShare servers. We have been able to duplicate the problem, but we do not yet understand why it happens or in exactly what set of circumstances.

To summarize: It is definitely a virus. It appears to be widespread. It causes damage unintentionally. We thoroughly understand the basic replication mechanism. We understand some of the damage it can cause, but we're still trying to figure out some of the other damage it can cause.

Research on this continues. The authors of all of the various anti-virus programs and packages are working together on the Internet, together with other experts. We'll keep you posted as we know more.

I will be releasing a new version of my Disinfectant program (1.4) early next week to detect and remove this new WDEF virus.

John Norstad
Northwestern University
jln@acns.nwu.edu
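Added illustration, not part of John Norstad's post and not code from Disinfectant, Virus Detective or any other tool the post names: the post says the virus travels from Desktop file to Desktop file and that the string "WDEFVIRUS" was spotted on an infected disk, so the natural check for a Desktop file is to walk its resource fork and flag anything that should not be there. The script below builds and parses the classic Mac OS resource-fork layout (16-byte header, resource data section, resource map with type list, reference lists and name list; this layout is Apple's documented format, not something stated in the post). Two heuristics are assumed here: a "WDEF" (window-definition code) resource has no business in a Desktop file, and a resource payload containing the marker string is suspect. The sample forks, the "Sample app" name and the two-byte stand-in "virus body" are all constructed for the example; they are not the real virus.

```python
import struct

HEADER_FMT = ">IIII"          # data offset, map offset, data length, map length
MAP_HDR_FMT = ">16sIHHHH"     # header copy, next map handle, file ref, attrs, type-list off, name-list off
MAP_HDR_LEN = struct.calcsize(MAP_HDR_FMT)   # 28
DATA_OFF = 256                # header plus 240 reserved bytes, as real forks lay it out


def build_resource_fork(resources):
    """Assemble a resource fork from (type: bytes[4], id: int, payload: bytes, name: str|None)."""
    if not resources:
        raise ValueError("a resource fork needs at least one resource")
    data_blob = bytearray()
    by_type = {}                                   # type -> [(id, name, data offset)]
    for rtype, rid, payload, name in resources:
        by_type.setdefault(rtype, []).append((rid, name, len(data_blob)))
        data_blob += struct.pack(">I", len(payload)) + payload   # each resource: u32 length + bytes
    names = bytearray()
    type_list = struct.pack(">H", len(by_type) - 1)              # stored as count minus one
    type_list_len = 2 + 8 * len(by_type)
    ref_lists = bytearray()
    for rtype, entries in by_type.items():
        ref_off = type_list_len + len(ref_lists)                 # relative to start of type list
        type_list += struct.pack(">4sHH", rtype, len(entries) - 1, ref_off)
        for rid, name, doff in entries:
            if name is None:
                name_off = 0xFFFF                                # "no name"
            else:
                name_off = len(names)
                nb = name.encode("mac_roman")
                names += bytes([len(nb)]) + nb                   # Pascal string
            ref_lists += struct.pack(">hH", rid, name_off)
            ref_lists += bytes([0]) + doff.to_bytes(3, "big")    # attrs byte + 24-bit data offset
            ref_lists += b"\x00" * 4                             # reserved handle
    name_list_off = MAP_HDR_LEN + type_list_len + len(ref_lists)
    map_len = name_list_off + len(names)
    header = struct.pack(HEADER_FMT, DATA_OFF, DATA_OFF + len(data_blob), len(data_blob), map_len)
    map_hdr = struct.pack(MAP_HDR_FMT, header, 0, 0, 0, MAP_HDR_LEN, name_list_off)
    return header + b"\x00" * (DATA_OFF - 16) + bytes(data_blob) + map_hdr + type_list + bytes(ref_lists) + bytes(names)


def parse_resource_fork(fork):
    """Return [(type, id, payload, name)] for every resource in the fork."""
    data_off, map_off, _data_len, _map_len = struct.unpack_from(HEADER_FMT, fork, 0)
    _hdr, _next, _ref, _attrs, tl_off, nl_off = struct.unpack_from(MAP_HDR_FMT, fork, map_off)
    type_list, name_list = map_off + tl_off, map_off + nl_off
    out = []
    ntypes = struct.unpack_from(">H", fork, type_list)[0] + 1
    for t in range(ntypes):
        rtype, nres, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
        for r in range(nres + 1):
            pos = type_list + ref_off + 12 * r
            rid, name_off = struct.unpack_from(">hH", fork, pos)
            doff = int.from_bytes(fork[pos + 5:pos + 8], "big")   # skip the attributes byte
            dlen = struct.unpack_from(">I", fork, data_off + doff)[0]
            payload = fork[data_off + doff + 4:data_off + doff + 4 + dlen]
            name = None
            if name_off != 0xFFFF:
                n = fork[name_list + name_off]
                name = fork[name_list + name_off + 1:name_list + name_off + 1 + n].decode("mac_roman")
            out.append((rtype, rid, payload, name))
    return out


def scan_desktop_fork(fork, marker=b"WDEFVIRUS"):
    """Flag WDEF resources (assumed heuristic: none belong in a Desktop file) and marker strings."""
    findings = []
    for rtype, rid, payload, _name in parse_resource_fork(fork):
        if rtype == b"WDEF":
            findings.append(("unexpected WDEF resource in Desktop file", rtype.decode("ascii"), rid))
        if marker in payload:
            findings.append(("marker string %s in resource" % marker.decode("ascii"), rtype.decode("ascii"), rid))
    return findings


# Constructed sample forks (not real Desktop files).
CLEAN_DESKTOP = build_resource_fork([
    (b"FREF", 128, b"\x00\x00\x00\x00", None),
    (b"ICN#", 128, bytes(256), "Sample app"),
])
INFECTED_DESKTOP = build_resource_fork([
    (b"FREF", 128, b"\x00\x00\x00\x00", None),
    (b"ICN#", 128, bytes(256), "Sample app"),
    (b"WDEF", 0, b"\x4e\x75" + b"WDEFVIRUS", None),   # RTS plus marker: a stand-in, not the virus body
])

if __name__ == "__main__":
    for label, fork in (("clean", CLEAN_DESKTOP), ("infected", INFECTED_DESKTOP)):
        print(label, scan_desktop_fork(fork) or "no findings")
```

On a real volume the bytes would come from the Desktop file's resource fork (under the Finder's Desktop database, not a data fork), and a marker-string match alone is weak evidence, which is why both checks are reported separately.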