Path: utzoo!attcan!uunet!seismo!sundc!pitstop!sun!amdcad!ames!mailrus!nrl-cmf!cmcl2!phri!dasys1!alexis
From: alexis@dasys1.UUCP (Alexis Rosen)
Newsgroups: comp.sys.mac
Subject: Re: Virii at the U of I
Message-ID: <6725@dasys1.UUCP>
Date: 29 Sep 88 07:21:53 GMT
References: <20200005@uxh.cso.uiuc.edu>
Reply-To: alexis@dasys1.UUCP (Alexis Rosen)
Lines: 40

In article <20200005@uxh.cso.uiuc.edu> crouse@uxh.cso.uiuc.edu writes:
>  At the University of Illinois we are having a major virus outbreak
>  at this time. [...] The Sneak virus attacks Laser
>  Prep,Laser Writer,and Image Writer files. This is a major problem we
>  are having to deal with across the campus. Any information about
>  Sneak or nVIR would be helpful.

It is virtually certain the the "Sneak" virus you are detecting does not
exist. Apple printer drivers contain certain resources that Interferon
considers to be indicative of a virus, but in fact are not. To make sure,
simply open a shrink-wrapped System Software package and run Interferon
on it. If you see the exact same "sneak" virus, you know that you are not
in fact infected. If you see something else, then you have my condolences
since you have discovered a brand-new Mac virus.

As far as nVIR goes, there may or may not be a new version of it going
around. One of the things that nVIR does is patch itself into your apps.
One side effect of this is the creation of a CODE 256 resource in each
infected resource file. The "harmless" nVIR creates CODE 256s which are
372 bytes long. I was recently infected by an nVIR of unknown malignance
which created CODE 256s which were 422 bytes long. I strongly suggest
reporting on the net if you discover any CODE 256s other than 372 bytes
long.

>  We are looking for a program that
>  can be installed on the system to check a disk for virii 
>  every time one is inserted into the machine.

I doubt it. You wouldn't have any users within a week, because such checks
would take a considerable length of time. Heavy user education is the only
solution I am aware of.

>					       James Crouse
>					       Mgr Union Micro Lab

----
Alexis Rosen                       {allegra,philabs,cmcl2}!phri\
Writing from                                {harpo,cmcl2}!cucard!dasys1!alexis
The Big Electric Cat                  {portal,well,sun}!hoptoad/
Public UNIX                         Best path: uunet!dasys1!alexis