Path: utzoo!attcan!uunet!tank!uwvax!rutgers!cmcl2!rocky8!cucard!ccnysci!alexis From: alexis@ccnysci.UUCP (Alexis Rosen) Newsgroups: comp.sys.mac Subject: Re: Transfers and Viruses Keywords: virus transfer Message-ID: <1015@ccnysci.UUCP> Date: 23 Nov 88 10:30:56 GMT References: <76699@sun.uucp> <206@internal.Apple.COM> <6127@netnews.upenn.edu> <219@internal.Apple.COM> <577@poseidon.ATT.COM> <17975@shemp.CS.UCLA.EDU> <17991@shemp.CS.UCLA.EDU> <17119@agate.BERKELEY.EDU> <1006@ccnysci.UUCP> <479@dbase.UUCP> Reply-To: alexis@ccnysci.UUCP (Alexis Rosen) Distribution: comp.sys.mac Lines: 25 In article <479@dbase.UUCP> cy@dbase.UUCP (Cy Shuster) writes: >Unfortunately, we discovered nVIR in CMS's disk formatting software recently >as well. Not only is a locked disk from a vendor the last place you'd think >to look, but in cleaning up after a virus many people go back to format their >disk! It's easy to spot, though: ResEdit will show the nVIR resource if their >program is infected. And, it did no damage that we can see: it looks like it >was designed to call Macintalk and say "Don't Panic" every 1,000th invocation. In his followup, Cy implies that this infected his disk. This seems odd to me, because when I discovered this infection (see my article from a few days back) I noticed one saving grace: All of CMS's CODE resources were protected and locked, and thus immune to infection. The file still gets a bunch of nVIR resources, but they're stillborn- not infectious. Cy, are you SURE that the CMS software infected you? When I got bitten by nVIR I found it first in the CMS stuff and I would have thought that CMS was responsible... except that I hadn't run the program in ages. This caused me to dig deeper until I turned up the true vector, an international system I had on a floppy. ---- Alexis Rosen alexis@dasys1.UUCP or alexis@ccnysci.UUCP Writing from {allegra,philabs,cmcl2}!phri\ The Big Electric Cat uunet!dasys1!alexis Public UNIX {portal,well,sun}!hoptoad/