Path: utzoo!utgpu!jarvis.csri.toronto.edu!cs.utexas.edu!uwm.edu!rpi!zaphod.mps.ohio-state.edu!usc!ucsd!ucselx.sdsu.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: alexis@rascal.ics.utexas.edu (Alexis Rosen)
Newsgroups: comp.virus
Subject: Re: Gatekeeper veto: Normal behavior or virus attack? (Mac)
Message-ID: <0016.9002051554.AA01695@ge.sei.cmu.edu>
Date: 3 Feb 90 21:17:36 GMT
Sender: Virus Discussion List
Lines: 69
Approved: krvw@sei.cmu.edu

swenson@pythagoras.Stanford.EDU (Norman Swenson) writes:
>I have noticed something suspiciously virus-like on my Mac II. I was

First the good news. This is almost certainly not a virus. To make sure,
find out if the file signature of ADoBe Separator is ADBS. If it is,
you're fine. Otherwise, you might have a problem.

>getting a "Serious disk error" message from Microsoft Word and garbage
>in my files when using the editor in TeXtures. Fearing an imminent
>disk crash, I backed up my hard disk to another. While the files were
>copying over, I got a veto message from Gatekeeper (ver 1.1.1, w/
>Gatekeeper Aid). I decided to check my disk using Disinfectant 1.5...
> ...However, whenever I try to open the Illustrator folder on the backup
>disk, I get the following veto message: 'Gatekeeper has vetoed an
>attempt by Finder to violate "Res(other)" privileges against Desktop.
>[AddResource(ADBS,0)]'. I have isolated the behavior to the Adobe
>Separator 2.0 program. When I remove it from that folder, I do not
>get the message. When I put it back, I don't get the message the
>first time I open the folder, but I do every time after that. I made
>a copy of the folder on another disk, and at first I got the same
>behavior, but after I rebooted it went away on the second disk. I
>looked at both desktop files using ResEdit; one had the ADBS resource
>in it, the other did not. Is this normal behavior, or could it be due
>to a virus that Disinfectant 1.5 is not catching? Why would opening a
>folder require adding a resource to the desktop file? And why did
>Gatekeeper veto it on one disk, but not the other?

I've seen this coming ever since the GK-Aid INIT was released, but then
again, I anticipated WDEF in a message about seven months ago, and all
of this revolves around one concept: file signatures that look like
code, and vice versa (I can't claim any great genius on this, though; I
got the idea from seeing C. Weber's FKEY Manager program cause crashes
on Cmd-Shift-0... anyone else remember that?).

To answer your questions (as best as I can from your description), the
Adobe Separator utility has a file signature which happens to have the
exact same four bytes as a type of executable resource that lives in
the system file. Now while I've never seen the GateKeeper-Aid, I'm
pretty certain I know exactly what it does: it prevents any resource
which looks like executable code to the Mac OS from going into the Mac
desktop. This is a well-defined list which includes (not surprisingly)
WDEF.

So what happened was, when Separator was put on your hard disk, you
didn't have GK-Aid, and so the Separator bundle (signature ADBS) was
added to your desktop (as it should have been). When you tried to open
the folder containing Separator for the first time, on your other disk,
you were running GK-Aid. At that point, the Finder wanted to add the
bundle resource 'ADBS' to the second disk's Desktop file, and
GateKeeper vetoed it.

In summary, everything is OK (as long as I'm right that Separator's
signature is 'ADBS'). GK and the Finder are both behaving as they
should. The folks at Adobe get the programming-fools-of-the-week award
for picking such a bad signature. Nothing to shoot them over, though.
If you just override GK long enough for the signature to get into the
desktop file, it will stop bothering you (the Finder only adds a bundle
once).

Hope this helps (and I _really_ hope it's right)--

Alexis Rosen
alexis@panix.uucp
{apple,cmcl2}!panix!alexis

DISCLAIMER: IF A NEW VIRUS TRASHES YOUR DISK, DON'T BLAME ME.
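The following is an added model of the mechanism Alexis describes, not code from the post, from Gatekeeper or from the Finder. It assumes the veto rule is exactly what he infers (an AddResource against a Desktop file whose four-byte type is on a list of executable-looking resource types is refused), that the Finder attempts the bundle add once per open until it succeeds, and that the list contains more than the two types the post names: WDEF and ADBS come from the post, CDEF, INIT and CODE are assumed here for illustration. The class and function names are hypothetical. Running scenario() replays the two-disk sequence from the post and shows why disk 1 was quiet and disk 2 complained on every open until Gatekeeper was overridden once.

```python
# Added model of the Gatekeeper Aid veto described in the post. It is
# illustration only, not Gatekeeper, Finder or Adobe code.
from dataclasses import dataclass, field

# Four-byte resource types that "look like executable code to the Mac OS".
# WDEF and ADBS are named in the post; CDEF, INIT and CODE are ASSUMED here
# to round out the list and are not taken from the post.
EXECUTABLE_RESOURCE_TYPES = frozenset({b"WDEF", b"ADBS", b"CDEF", b"INIT", b"CODE"})


def is_four_char_code(code: bytes) -> bool:
    """A Mac resource type or file signature is exactly four bytes."""
    return isinstance(code, bytes) and len(code) == 4


def signature_collides_with_code(signature: bytes) -> bool:
    """The check the post suggests: does an application's file signature
    share its four bytes with an executable resource type?"""
    if not is_four_char_code(signature):
        raise ValueError("signature must be exactly four bytes")
    return signature in EXECUTABLE_RESOURCE_TYPES


@dataclass
class Desktop:
    """One disk's Desktop file: the resources already in it, whether GK-Aid
    is loaded on the machine opening it, and the veto messages raised."""
    gk_aid_loaded: bool
    resources: set = field(default_factory=set)
    vetoes: list = field(default_factory=list)

    def add_resource(self, rtype: bytes, rid: int, caller: str = "Finder") -> str:
        """AddResource(rtype, rid) against this Desktop file, filtered by GK-Aid.
        Returns "added", "vetoed" or "already present"."""
        if (rtype, rid) in self.resources:
            return "already present"
        if self.gk_aid_loaded and rtype in EXECUTABLE_RESOURCE_TYPES:
            # Message text mirrors the veto quoted in the post.
            self.vetoes.append(
                f"Gatekeeper has vetoed an attempt by {caller} to violate "
                f'"Res(other)" privileges against Desktop. '
                f"[AddResource({rtype.decode('ascii', errors='replace')},{rid})]"
            )
            return "vetoed"
        self.resources.add((rtype, rid))
        return "added"

    def open_folder_containing(self, signature: bytes) -> str:
        """Finder opening a folder holding an application whose bundle is not
        yet in the Desktop file tries AddResource(<signature>, 0) once."""
        return self.add_resource(signature, 0)


def scenario(signature: bytes = b"ADBS") -> dict:
    """Replays the sequence the post reconstructs for the two disks."""
    results = {}

    # Disk 1: Separator was copied in before GK-Aid existed, so its bundle
    # went into the Desktop file; later opens find it already there.
    disk1 = Desktop(gk_aid_loaded=False)
    results["disk1 first open, no GK-Aid"] = disk1.open_folder_containing(signature)
    disk1.gk_aid_loaded = True  # GK-Aid installed afterwards
    results["disk1 open with GK-Aid"] = disk1.open_folder_containing(signature)

    # Disk 2: first opened with GK-Aid loaded, so the bundle add is vetoed,
    # and the Finder retries (and is vetoed) on every open until it lands.
    disk2 = Desktop(gk_aid_loaded=True)
    results["disk2 open with GK-Aid"] = disk2.open_folder_containing(signature)
    results["disk2 open again"] = disk2.open_folder_containing(signature)

    # Override GK long enough for the single AddResource, then re-enable it.
    disk2.gk_aid_loaded = False
    results["disk2 open, GK overridden"] = disk2.open_folder_containing(signature)
    disk2.gk_aid_loaded = True
    results["disk2 open after override"] = disk2.open_folder_containing(signature)

    results["disk2 veto count"] = len(disk2.vetoes)
    results["disk2 first veto"] = disk2.vetoes[0]
    return results


if __name__ == "__main__":
    for step, outcome in scenario().items():
        print(f"{step}: {outcome}")
```

The model makes the two practical points of the post concrete: a signature that collides with an executable resource type will trip the veto on any Desktop file that does not yet hold it, and because the Finder attempts the bundle add only until it succeeds, a single deliberate override ends the warnings on that disk without changing Gatekeeper's policy for anything else.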