Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!cs.utexas.edu!tut.cis.ohio-state.edu!rutgers!netnews.upenn.edu!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: boulder!boulder!johnsonr@ncar.UCAR.EDU (JOHNSON RICHARD J)
Newsgroups: comp.virus
Subject: Re: Gatekeeper veto: Normal behavior or virus attack? (Mac)
Message-ID: <0006.9002011922.AA24486@ge.sei.cmu.edu>
Date: 31 Jan 90 21:23:36 GMT
Sender: Virus Discussion List
Lines: 47
Approved: krvw@sei.cmu.edu

swenson@pythagoras.Stanford.EDU (Norman Swenson) writes:
] I have noticed something suspiciously virus-like on my Mac II. ..
] Fearing an imminent disk crash, I backed up my hard disk to another.
] While the files were copying over, I got a veto message from Gatekeeper.
] I decided to check my disk using Disinfectant 1.5 and found that Drawover
] (part of Adobe Illustrator) was infected with nVir B. I disinfected that
] file, and all my disks then scanned clean.

The veto message you got probably had nothing to do with the nVIR B
infection. (However, if you'd tried to run Drawover before disinfecting
it, you probably would have gotten a message about nVIR B.)

] However, whenever I try to open the Illustrator folder on the backup
] disk, I get the following veto message: 'Gatekeeper has vetoed an
] attempt by Finder to violate "Res(other)" privileges against Desktop.
] [AddResource(ADBS,0)]'. I have isolated the behavior to the Adobe
] Separator 2.0 program.

Yup. ADoBe Separator uses ADBS for its creator signature. Sadly, the
Mac OS also uses a resource called ADBS for the Apple Desktop BuS. The
latter is executable code, while the signature resource isn't.
GateKeeper blocks unprivileged attempts to add executable resources to
files, and is obviously mistaking the totally harmless signature resource
for a nasty virus. Stupid GateKeeper :-)

The solution here is to simply not use applications that use resource
names as their application signatures. Stupid Adobe :-)

] Why would opening a folder require adding a resource to the desktop
] file?

The Finder keeps track of which icons to display for which files. To do
that it stores the icons, signature resources, etc. in the DeskTop file.
If the Finder discovers an unknown file in a folder, it will attempt to
add that file's identifying info to the DeskTop.

] And why did Gatekeeper veto it on one disk, but not the other?

I dunno. The Finder is often mysterious to the semi-initiated (like me).
Perhaps an expert can take the rest of the questions?

] Norm
] swenson@isl.stanford.edu

| Richard Johnson johnsonr@spot.colorado.edu |
| CSC doesn't necessarily share my opinions, but is welcome to. |
| Power Tower...Dual Keel...Phase One...Allison/bertha/Colleen...?... |
| Space Station Freedom is Dead. Long Live Space Station Freedom! |