Path: utzoo!utgpu!attcan!uunet!lll-winken!lll-tis!ames!ncar!tank!nucsrl!jln
From: jln@eecs.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: SCORES ordeal + new(?) SCORES info
Message-ID: <10330053@eecs.nwu.edu>
Date: 10 Oct 88 21:51:17 GMT
References: <6685@ut-emx.UUCP>
Organization: Northwestern U, Evanston IL, USA
Lines: 98

> I've spent the last 3 months without a hard disk. The reason? Catastrophic
> failure. Inability to reformat, etc. This ordeal included shipping the device
> to Wisconsin (I'm in Texas) *4 times* to get it repaired. Recently, however,
> I learned the cause of the problem: SCORES infection. The reason it wouldn't
> reformat (normally a sure indication of a hardware problem) was, of course,
> that the formatter itself was infected. When I booted up the "repaired"
> hard disk, it seemed to work fine, until after I ran an application. Then
> things started crashing again. The infected application had wrecked the device's
> new System. Well, enough of the sob story.

This is indeed a horrible story, and I sympathize with your plight. When Scores first appeared I studied it, figured out how it worked, and posted some notes on what I'd discovered. I find several of your remarks quite puzzling.

I don't understand why your formatter wouldn't work, even though it was infected with Scores. Most applications continue to work fine when they're infected. One possibility is if the formatter has a gap of size one in the numbering of its CODE resources. For example, if the CODE resources were numbered 1,2,3,5,6,7,... In this example there's a gap of size 1 at resource number 4, and Scores would try to add a new CODE segment number 5. This screws up the application so that it most likely will bomb on launch. KillScores can disinfect such an application, but Ferret doesn't even think it's infected.

I also don't understand why your "repaired" hard disk worked fine until you ran an infected application.
Systems usually continue to work properly after they become infected. This may be some sort of conflict between your hard disk driver and Scores.

> The second thing I wanted to point out in this post is that apparently a
> System can be fully infected WITHOUT showing the symptoms on the desktop.
> Those symptoms are, as you know, "blank document" ScrapBook and NotePad icons,
> and two invisible files called "Desktop" and "Scores." I just finished
> examining a System Folder on a floppy I had lying around; it looked clean as
> a whistle. Upon opening it with ResEdit, though, I found ALL(?) of the resources
> created in a SCORES infection: DATA ID -4001, atpl ID 128, and INIT's 6, 10,
> and 17. This was a supposedly unaltered copy of 6.0/4.2.

I've noticed this too, especially on floppies. Sometimes only part of the viral resources are installed. In all the cases I've come across it's because the disk becomes full. Scores installs its viral resources in the following order:

   System file
   Scores file
   NotePad file
   Scrapbook file
   Desktop file

In your case your floppy probably became full after the five viral resources were installed on your system file. Scores continued to try to infect the other four files, but nothing happened because the floppy was full.

> I booted up under that System about 10 times, and ran a number of applications
> under it as well, trying to get something to happen. No luck. The applications
> weren't infected, nor did the telltale signs appear in the System
> Folder. The SCORES-installed resources WERE, however, detected by the program
> "KillScores 1.0."

Scores does not begin to spread until two days after the system is infected. In addition, due to what appears to be a bug in Scores, each time an infected application is run during that two day dormant period, the system is infected AGAIN and the timer is RESET.
Thus you have to actually a) run an infected application, and b) NOT run an infected application for another two days, before it begins to spread. This may be what happened to you.

> From reading the available documentation, I had the impression that those
> System Folder additions ALWAYS occurred as a result of infection. Not true?
> Or, perhaps SCORES has some kind of delayed-action mechanism, where the
> resources sit idle until Event X, then create the files.

Scores does have delayed-action mechanisms, but not in this case. It tries to create all of the system folder viral stuff when an infected application is launched. As I mentioned above, what probably happened to you was that your floppy became full.

> I understand that the FBI knows who created this unseen horror. If so, whatever
> happened to him? If he's been arrested and they're trying to decide what
> to do with the bastard, I have some good ideas. Words cannot describe what
> I've been through.
>--Ron Morgan

Why hasn't this criminal been arrested and prosecuted? Scores has spread very widely and is still spreading, and has caused great damage. We recently experienced a small infection in our labs and on our servers here at Northwestern, and it cost at least 50-60 man hours to examine and disinfect everything in sight. In your case you lost three months! Multiply that by the number of infections around the world, and there must have been many tens of thousands of man hours lost because of this plague.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: JLN@NUACC
Internet: JLN@NUACC.ACNS.NWU.EDU
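
The following triage sketch is an added example, not part of the original post or of KillScores or Ferret. It turns three observations from the message into checks: the five System-file resources and two invisible files as indicators (including the partial case seen on a full floppy), the size-one gap in CODE numbering, and the two-day timer that resets on each infected launch. The function names and the sample inventory are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta

# Indicators quoted in the post: five resources in the System file,
# two invisible files in the System Folder.
SYSTEM_INDICATORS = {("DATA", -4001), ("atpl", 128),
                     ("INIT", 6), ("INIT", 10), ("INIT", 17)}
INVISIBLE_FILES = {"Scores", "Desktop"}
DORMANCY = timedelta(days=2)  # dormant period stated in the post


def triage_system_folder(system_resources, folder_files):
    """Classify a System Folder as clean, partial or full (hypothetical helper)."""
    found = SYSTEM_INDICATORS & set(system_resources)
    hidden = INVISIBLE_FILES & set(folder_files)
    if not found and not hidden:
        status = "clean"
    elif found == SYSTEM_INDICATORS and hidden == INVISIBLE_FILES:
        status = "full"
    else:
        status = "partial"  # e.g. the disk filled up part-way through
    return {"status": status, "resources": sorted(found), "files": sorted(hidden)}


def size_one_code_gaps(code_ids):
    """CODE IDs that are missing while both neighbours exist (gap of size one)."""
    ids = set(code_ids)
    return sorted(i + 1 for i in ids if i + 1 not in ids and i + 2 in ids)


def spread_start(infected_launches):
    """When spreading begins: a launch during dormancy resets the two-day timer."""
    start = None
    for t in sorted(infected_launches):
        if start is None or t < start:
            start = t + DORMANCY
    return start


if __name__ == "__main__":
    # Constructed sample data modelled on the floppy described in the post.
    system = [("DATA", -4001), ("atpl", 128), ("INIT", 6), ("INIT", 10),
              ("INIT", 17), ("INIT", 31), ("DRVR", 2)]
    files = ["System", "Finder", "Scrapbook File", "Note Pad File"]
    print(triage_system_folder(system, files))
    print(size_one_code_gaps([0, 1, 2, 3, 5, 6, 7]))
    day0 = datetime(1988, 10, 1)
    print(spread_start([day0, day0 + timedelta(days=1)]))
```
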