Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!usc!julius.cs.uiuc.edu!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!netnews.upenn.edu!vax1.cc.lehigh.edu!cert.sei.cmu.edu!krvw
From: ROEBUCK@admin1.usask.ca (Terry (TR) Roebuck; 966-4841)
Newsgroups: comp.virus
Subject: Is this a MAC Virus attack? (Mac)
Message-ID: <0006.9011061327.AA14231@ubu.cert.sei.cmu.edu>
Date: 5 Nov 90 15:54:00 GMT
Sender: Virus Discussion List
Lines: 47
Approved: krvw@sei.cmu.edu

The machine: MAC SE/30; 4MB & 80 MB Apple drive running 6.04; MAChine
purchased in spring of 1989; NEVER EVER BACKED UP!!!!! and holding the
entire financial and planning records of a local dept.

Symptoms: Disinfectant 2.3 INIT goes off, WDEF on newly inserted
diskette; user runs Disinfectant (theoretically correctly); everything
seems fine ...

The next morning: First time being powered on after the Disinfectant
run; the desktop comes up as being empty (no icons to be displayed; the
message bar on the desktop window still reports 41,xxx KB used, 38,xxx KB
available and indicates a reasonable number of files (~370) using the
41MB).

First Aid: Find File cannot find any files. Apple FILE FIRST AID cannot
find anything to fix (I think this only looks at the desktop file).
NORTON's MAC Utilities says that the directory has problems; says that it
can fix the files affected and rebuild; claims to have done so, BUT no
files are seen (same state as before - yes I rebuilt the desktop after the
recover attempt).

The final Solution: SUM Utilities are required to get every file, and
lots of 'stuff' that are/were files (got to get all 79.9MB back). User is
still sifting through 'hundreds' of "??MS WORD Document No. xx"; some of
which have spreadsheets and databases stuck in the middle
(fragmentation?).

Disk seems fine (physically). Only clue was that there were at least 4
different versions of the system on the disk; probably the result of poor
application install practices ....
Question: Does this sound like a virus, or "a random photon from the
radio galaxy"? - If it's a virus, which one? Any other thoughts? Did I do
things in the right order? Was there a magic bit to flip?

Comment: I could claim that the user deserved this - after all it is a
lot easier to recover from a disk/tape than to look at all those files at
the block level and determine if they should be saved; and we push at all
levels to get these people to backup - but you know, once the data is
dusted, someone has got to get it back (on the grounds that a few days of
my work is better than 1000's of hours of theirs from an institutional
point of view).

Aside: They are now buying a tape drive and I suspect will be doing
backups.

===============================================================================
Terry (TR) Roebuck
University of Saskatchewan Computing Services
Saskatoon, Saskatchewan, Canada
"roebuck@Sask.Usask.CA"
(306) 966 - 4841
===============================================================================