Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!mailrus!accuvax.nwu.edu!jln
From: jln@accuvax.nwu.edu (John Norstad)
Newsgroups: comp.sys.mac
Subject: Re: I'm not sure I believe this. (was Re: New WDEF Virus)
Message-ID: <1944@accuvax.nwu.edu>
Date: 8 Dec 89 18:03:13 GMT
References: <1886@accuvax.nwu.edu> <12044@phoenix.Princeton.EDU>
Sender: news@accuvax.nwu.edu
Reply-To: jln@accuvax.nwu.edu (John Norstad)
Organization: Northwestern Univ. Evanston, Il.
Lines: 99

In article <12044@phoenix.Princeton.EDU> bskendig@phoenix.Princeton.EDU (Brian Kendig) writes:

>Then how *does* it spread? (In reference to the new WDEF virus).

I don't discuss the internal mechanisms of viruses in public. It *does*
spread from disk to disk. We have completely disassembled the virus, we
understand its basic replication mechanism, we've run experiments and
watched it spread, we've stepped through it with a debugger, etc.

>I've learned not to get worried at the sight of what might be a bad
>virus. (Just look at the DataCrime virus in the IBM PC that was
>supposed to wipe hard drives clean on Columbus Day - nothing big ever
>came of that, but people panicked anyway.)

Nobody is recommending panic. But it does appear that this virus has
been around for several months, it may be widespread, and it does cause
a number of problems because of bugs in the virus. We know all of this
for certain - this is not conjecture or rumor.

>Now this alleged WDEF virus comes along. First of all, how can it
>possibly do any damage from the DeskTop file? (... a long discussion
>about why this virus couldn't possibly work)

Again, I will not go into details here except to say that it does work.

>Thirdly, I'd like to remind everyone that there have been three
>postings before this one about the virus. The first announced it.
>The second followed impressively quickly, and introduced 'Eradicator!'
>to fix it. The third was a post from someone at Stanford who *thinks*
>he has the virus, and has also downloaded 'Eradicator!' to fix it.
>
>Now, call me a doubting Thomas, but I find it highly unusual that (a)
>someone could whip up a patch that quickly after the virus was
>discovered, (b) the virus could spread that quickly from the three
>source locations (hmm...) to Stanford, and (c) that the virus appeared
>at Stanford at around the same time that 'Eradicator!' was introduced
>there. (The poster didn't say whether he downloaded 'Eradicator!'
>after he suspected the virus, or if he just downloaded the program to
>be safe and only later found traces of funny business.)

The virus was discovered last weekend by the three programmers in
Belgium who wrote Eradicator!. We discovered it here independently in
one of our Mac labs on Tuesday. By coincidence, shortly after we
discovered it here I received a note about the Belgian discovery. I
immediately began disassembling and testing the virus with the help of
a group of other virus-fighters on the Internet (authors of
virus-fighting programs and other experts, including the authors of
SAM, Virex, Virus Detective, GateKeeper, and Virus Rx. I am the author
of Disinfectant). Some of the members of this group are at Stanford,
the University of Texas, and the University of New Mexico, and after
they were notified of the existence of the new virus they checked and
discovered infections at their locations. Another member of the group
reports discovering infected backup disks dating back to October 14, so
we now know that the virus has been around for some time.

Once we felt that we understood the virus sufficiently to announce it
to the public, I prepared and posted my original announcement. Shortly
thereafter I received a copy of Eradicator! from Belgium, performed
some quick experiments on my Mac II, and posted it to the nets. Shortly
after that I received a note from Chris Johnson, the author of
GateKeeper, that it bombed on 68000-based machines, and I posted my
note about that.

>Also, if the virus only affects the DeskTop file and copies itself,
>with no other effect on the user (as the original announcement stated),
>how did the Stanford folks notice it? Does everyone at Stanford have
>an IIci? (I only rarely check the resources in my DeskTop file just for
>the heck of it. ;-)

The virus has several bugs. It causes Mac IIcis to crash horribly, and
we know why. It causes problems with AppleShare servers which we can
reproduce but which we do not yet fully understand. It causes frequent
crashes when attempting to save files in certain applications, and we
haven't figured out that one yet either. Our research continues, and we
hope to have more information soon.

In the case of Stanford, I believe that they used Jeff Shulman's Virus
Detective to locate the virus, after we had first discovered it and
figured out how to configure Virus Detective to catch it.

>I'm not blaming anyone for anything. I'm just stating that the events
>thus far surrounding the 'virus' have been somewhat questionable.

Now that I've given you some more information, I hope that I've
convinced you that this one is for real. We don't know exactly how
widespread it is, and we still have some unanswered questions, but
everything we've stated publicly so far is confirmed fact.

>I will wait for more information before I set up my defenses against
>the WDEF virus.

I would recommend that you at least use Virus Detective or ResEdit to
check your Desktop file for WDEF resources, and rebuild your Desktop
files if you find them. See my original posting for more details.

Eradicator! may be buggy even on 68020 and 68030-based machines - as I
mentioned, I can't guarantee it since I didn't write it and I don't
have source code. Use it at your own risk.

John Norstad
Northwestern University
jln@acns.nwu.edu
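The check Norstad recommends at the end of the post (look in the Desktop file's resource fork for resources of type WDEF) is what ResEdit or Virus Detective did interactively. The following is an added example, not part of the original thread and not code from Norstad, Disinfectant or any of the tools named above: a small Python parser for the classic Macintosh resource fork layout (16-byte header, data area, resource map with type list, reference list and name list) that lists every resource in a raw fork and flags any of type WDEF. It assumes you already have the raw resource-fork bytes of a Desktop file (for example extracted from a floppy or hard disk image); the fork it scans at the bottom is constructed in the script itself for demonstration and contains no real virus code. The builder function exists only so the example runs stand-alone.

```python
"""List resources in a raw Macintosh resource fork and flag WDEF resources.

Added example; not from the original post. Layout follows the classic
Resource Manager format: header, data area, then the resource map.
"""
import struct


def parse_resource_fork(fork: bytes):
    """Return [(type, id, name_or_None, data_length), ...] for every resource."""
    if len(fork) < 16:
        raise ValueError("too short to be a resource fork")
    data_off, map_off, data_len, map_len = struct.unpack(">IIII", fork[:16])
    if data_off + data_len > len(fork) or map_off + map_len > len(fork):
        raise ValueError("header offsets exceed fork length")
    # Map: 16-byte header copy, 4-byte handle, 2-byte refnum, 2-byte attrs,
    # then 2-byte offsets (relative to the map) of the type list and name list.
    type_list_off, name_list_off = struct.unpack(">HH", fork[map_off + 24:map_off + 28])
    type_list = map_off + type_list_off
    name_list = map_off + name_list_off
    (num_types_m1,) = struct.unpack(">H", fork[type_list:type_list + 2])
    resources = []
    for i in range(num_types_m1 + 1):
        entry = type_list + 2 + 8 * i
        rtype, count_m1, ref_off = struct.unpack(">4sHH", fork[entry:entry + 8])
        ref_list = type_list + ref_off  # offset is relative to the type list
        for j in range(count_m1 + 1):
            ref = ref_list + 12 * j
            res_id, name_off, _attrs = struct.unpack(">hhB", fork[ref:ref + 5])
            d_off = int.from_bytes(fork[ref + 5:ref + 8], "big")  # 3-byte offset
            (res_len,) = struct.unpack(">I", fork[data_off + d_off:data_off + d_off + 4])
            name = None
            if name_off != -1:  # Pascal string in the name list
                n = name_list + name_off
                name = fork[n + 1:n + 1 + fork[n]].decode("mac_roman")
            resources.append((rtype.decode("mac_roman"), res_id, name, res_len))
    return resources


def find_wdef(fork: bytes):
    """(id, name, length) of every WDEF resource; any hit in a Desktop file is suspect."""
    return [(rid, name, ln) for rt, rid, name, ln in parse_resource_fork(fork) if rt == "WDEF"]


def build_resource_fork(entries):
    """Build a fork from (type, id, name_or_None, data) tuples. Test helper only."""
    data_area, names, by_type = bytearray(), bytearray(), {}
    for rtype, rid, name, data in entries:
        d_off = len(data_area)
        data_area += struct.pack(">I", len(data)) + data
        n_off = -1
        if name is not None:
            n_off = len(names)
            nb = name.encode("mac_roman")
            names += bytes([len(nb)]) + nb
        by_type.setdefault(rtype, []).append((rid, n_off, d_off))
    types = list(by_type)
    type_list = bytearray(struct.pack(">H", len(types) - 1))
    refs = bytearray()
    ref_base = 2 + 8 * len(types)
    for rtype in types:
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"),
                                 len(by_type[rtype]) - 1, ref_base + len(refs))
        for rid, n_off, d_off in by_type[rtype]:
            refs += struct.pack(">hhB", rid, n_off, 0) + d_off.to_bytes(3, "big") + bytes(4)
    type_list += refs
    body = bytes(8) + struct.pack(">HH", 28, 28 + len(type_list)) + type_list + names
    data_off = 256  # classic forks reserve 256 bytes before the data area
    header = struct.pack(">IIII", data_off, data_off + len(data_area),
                         len(data_area), 16 + len(body))
    return header + bytes(data_off - 16) + bytes(data_area) + header + body


# Constructed sample: an icon list plus a WDEF resource with dummy bytes.
SAMPLE_ENTRIES = [("ICN#", 128, None, bytes(32)), ("WDEF", 0, "constructed", bytes(8))]
SAMPLE_FORK = build_resource_fork(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for rt, rid, name, ln in parse_resource_fork(SAMPLE_FORK):
        print(f"{rt!r} id={rid} name={name} len={ln}")
    print("WDEF resources found:", find_wdef(SAMPLE_FORK))
```

WDEF resources are legitimate in the System file and in applications that draw their own windows, so the flag only means something for the Desktop file, which is exactly what the post says to check; on a real disk, feed `find_wdef` the Desktop file's resource fork and, as Norstad advises, rebuild the Desktop if anything comes back.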