Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!tut.cis.ohio-state.edu!ucbvax!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw From: dplatt@coherent.com Newsgroups: comp.virus Subject: Re: WDEF A (Mac) Message-ID: <0005.9002121947.AA15751@ge.sei.cmu.edu> Date: 10 Feb 90 21:47:41 GMT Sender: Virus Discussion List Lines: 33 Approved: krvw@sei.cmu.edu + Today, while I was disinfecting a Macintosh IIx with Disinfectant 1.6 + I got a report saying that the desktop was infected at 3:36 p.m. on + 2/6. + + Now, it just happened that it WAS 3:36 p.m. while I was doing the + disinfecting... + + Since the locked disk was clean, it couldn't have infected the HD, + right? The person involved swears that no other disks had been in his + drives today. The time-of-infection which Disinfectant reports is the "last modification time" for the infected file. This information is often useful when you try to track down a virus which infects applications, since most applications do not modify themselves when they are run... and hence the "last modification time" of the application will often be the time at which the virus infected the program. However, the Desktop file is modified _very_ frequently by the Finder... it may be modified any time you launch a new application, or drag an application from one disk/folder to another, or change any file's Get Info... comments. For this reason, the "last modification time" on the Desktop file is _not_ a reliable indicator of when your system was first infected. BTW, there's no reason (as far as I know) to install Gatekeeper Aid on the locked Disinfectant disk... as long as you keep the disk locked, no virus will be able to infect it. - -- Dave Platt VOICE: (415) 493-8805 UUCP: ...!{ames,apple,uunet}!coherent!dplatt DOMAIN: dplatt@coherent.com INTERNET: coherent!dplatt@ames.arpa, ...@uunet.uu.net USNAIL: Coherent Thought Inc. 3350 West Bayshore #205 Palo Alto CA 94303