Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!unmvax!indri!polyslo!vlsi3b15!vax1.cc.lehigh.edu!ubu.cc.lehigh.edu!virus-l
From: dplatt@coherent.com (Dave Platt)
Newsgroups: comp.virus
Subject: Re: Mac II virus?
Message-ID: <0003.8905311730.AA00394@ubu.CC.Lehigh.EDU>
Date: 30 May 89 23:23:38 GMT
Sender: Virus Discussion List
Reply-To: VIRUS-L@IBM1.CC.Lehigh.EDU
Lines: 46
Approved: virus-l@ubu.cc.lehigh.edu

> After attending a virus seminar, I went back and checked my Mac II,
> and noticed that the System file had been modified earlier that day.
> I ran Interferon 3.1 and it showed a virus type 003 in my TOPS file.
> The Interferon documentation says that virus type 003 is the "SNEAKS"
> virus, and that this virus affects the INITs in the System folder.
> There are only 6 INITs in my System folder, one for each of the three
> TOPS files: TOPS, SOFTTALK, and SPOOL. EasyAccess has three INITs. I
> ran ResEdit over all the INITs and couldn't find any strings like
> "Evil Wizard," or anything else overtly suspicious.

Interferon has a tendency to report "sneak" infections in some cases
in which it should not. I believe that recent versions of TOPS trigger
this alert.

I suggest that you download a copy of Disinfectant from the archives at
SUMEX-AIM.Stanford.Edu and use it to scan your system. It is much less
prone to false alarms, and will detect viruses that Interferon will miss.

> Another symptom: I've been running Gatekeeper in Notify Only mode for
> the past month, and whenever I bring up the machine, it gives warnings
> for SPOOL and TOPS. I've ignored those messages, thinking that TOPS
> (and SPOOL) were just performing some misinterpreted, but legal
> operation.

TOPS and a number of other useful INITs (e.g. the Moire screen-saver,
the RAM Disk CDEV, etc.) tend to modify themselves.

Open the Gatekeeper Control Panel window, flip the switch to "Settings",
add these files to the applications/inits list (or select them, if
they're already there) and then grant them "Res: self" permission. This
will prevent the alerts from occurring when these INITs twiddle with
their own resources, but it will prevent them from infecting other files
if they are indeed virus-ridden.

> Anyone having similar experiences? Am I infected?

Yup. I don't believe so.

> Thanks.

You're welcome!

- --
Dave Platt    FIDONET: Dave Platt on 1:204/444    VOICE: (415) 493-8805
UUCP: ...!{ames,sun,uunet}!coherent!dplatt    DOMAIN: dplatt@coherent.com
INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net
USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303