Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!samsung!uunet!bu.edu!dartvax!eleazar.dartmouth.edu!jalden
From: jalden@eleazar.dartmouth.edu (Joshua M. Alden)
Newsgroups: comp.sys.mac.misc
Subject: Re: A possible new virus.
Keywords: mac virus Virex 2.7
Message-ID: <23839@dartvax.Dartmouth.EDU>
Date: 22 Aug 90 17:08:48 GMT
References: <60814@lanl.gov>
Sender: news@dartvax.Dartmouth.EDU
Distribution: na
Organization: Dartmouth College, Hanover, NH
Lines: 42

In article <60814@lanl.gov> rbc@lanl.gov (Robert B. Calhoun) writes:
>I suspect that my Mac II is infected with a new virus.  I have tried
>cleaning it with Virex 2.7, which removed a WDEF virus from the
>desktop but this fails to stop the problem.  Symptoms are as follows:
>Files disappear from the finder display, but don't actually seem to be
>gone.  I can't access them, but an attempt to copy a file with the
>same name as a deleted file gives a "duplicate file name" error.  No
>disk space has been freed up.  The attack is concentrated on the
>system folder and the utilities folder, with little damage elsewhere.
>Documents don't seem to be affected much but applications, cdevs, and
>inits are.  Files seem to disappear in reverse alphabetical order.

    Here in the Consultants' Office we've seen this problem 4 or 5
times.  It's a weird problem, all right.  Re-building the Desktop
doesn't help, and you can't find the files with some disk utilities,
but it definitely thinks they're there if you try to replace them with
something which has the same name.  You can't fix it by re-installing
the System.  So far, the only solution I've found (I do software repair
to hard drives) is to recover the files using a reliable recovery
utility like SUM, re-initialize or re-format (I re-format), and copy
the data back.  Note that if you have more than one System, after this
operation you may have trouble, even if the dominant System was
installed properly before.  I generally give 'em a new System via the
Installer before I copy their data back.

    I don't think this is a virus.  I've seen it once a month or so for
about 4 months, and I think I'd see it more than that if it were a
virus.  Also, since it's been around at least that long, heads wiser
than mine would have noticed it and analyzed it by now.  Note also that
were it a virus, copying data out and back wouldn't get rid of it, and
that does seem to solve the problem.

    Let me amend that; I don't think my occurrences were a virus.  It's
possible that a virus is coincidentally duplicating what I saw.  But I
would look for other solutions before you decide that it's a virus.

-Josh.
-- 
 /--------------------------------------------------+-------------------------\
 |Josh Alden, Consultant, Kiewit Computation Center | HB 48, Dartmouth College|
 |   Private mail: Joshua.Alden@dartmouth.edu       | Hanover, NH     03755   |
 |    Virus mail:   Virus.Info@dartmouth.edu        |      (802) 295-9073     |