Path: utzoo!yunexus!geac!syntron!jtsv16!uunet!ncrlnk!ncrcae!hubcap!gatech!uflorida!mailrus!ncar!tank!nucsrl!jln
From: jln@eecs.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: SCORES ordeal + new(?) SCORES info
Message-ID: <10330057@eecs.nwu.edu>
Date: 12 Oct 88 16:53:10 GMT
Article-I.D.: eecs.10330057
References: <6685@ut-emx.UUCP>
Organization: Northwestern U, Evanston IL, USA
Lines: 68

>>Your case is the first I've heard of a system that won't function at all
>>when infected.
>
>It might have been Finder. According to the documentation I've read, Scores
>"likes" to infect Finder, and Finder WAS infected.

Yes, Finder almost always gets infected, but this doesn't usually cause
any problems.

>>>Keep in mind that we're talking about a virus that will actually
>>>search out applications to infect, even if they aren't run. If you've ever
>>>seen your infected disk drive start spinning for no reason, that's the Scores
>>>virus on a "hunting trip."
>>
>>This is false. Scores only infects applications that are actually run.
>>Scores does not go on any "hunting trips."
>
>This is in direct contradiction to the documentation that came with
>KillScores 1.0. The literature was written by Howard Upchurch, and
>says [quote]:
>
>    "As the infected disk is used, the virus continually seeks
>    uncontaminated applications. The present thought is that it searches
>    in a random fashion at an interval of 3 1/2 minutes...after a
>    long enough period of time, every application on the disk will
>    be infected, apparently whether it has been used or not."
>
>On another page, he says:
>
>    "...an application does not have to have been run for it
>    to be contaminated."
>
>If you are saying you've found contradictory
>information, could you please say so explicitly?

Howard wrote this before I had disassembled and figured out Scores in
detail. He made a reasonable educated guess based on observing the
behaviour of infected systems, but he was wrong.

This is only one of many incorrect rumors that have been spread about
Scores. Another one that won't seem to die is that Scores contains some
sort of special code designed to fool ResEdit. This is not true. Yes,
you can disinfect your system file with ResEdit, rerun ResEdit, and
discover that your system file is still infected. All this means is that
ResEdit itself was infected, and it reinfected your system the second
time you launched it. There's no magic here.

>I have one more question for you, since you obviously know more about this
>than I do. Would the problems caused by Scores appear the FIRST time a
>"clean" application is run? I noted that when I ran Yeager Advanced Flight
>Trainer (a known clean copy) on my infected system, it failed to work the
>very first time, saying the application file was busy or damaged.

Sorry, I don't really have any ideas. It could be almost anything, and
I'd have to see it first hand to figure out what's happening.

I obviously don't know everything, since I can't explain most of the
problems you've experienced. I wish I knew what was going on.

>Many, many thanks for your words on this matter.

You are welcome. I hope I've helped.

John Norstad
Academic Computing and Network Services
Northwestern University
Bitnet: jln@nuacc
Internet: jln@nuacc.acns.nwu.edu