Path: utzoo!attcan!uunet!samsung!zaphod.mps.ohio-state.edu!wuarchive!decwrl!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: XRJDM@SCFVM.GSFC.NASA.GOV (Joe McMahon)
Newsgroups: comp.virus
Subject: Re: WDEF details (Mac)
Message-ID: <0001.9002221232.AA07723@ge.sei.cmu.edu>
Date: 21 Feb 90 17:35:38 GMT
Sender: Virus Discussion List
Lines: 35
Approved: krvw@sei.cmu.edu

Paul Duckenfield writes:

> ... Another problem which we have had to deal with is recurring
>system crashes on our AppleShare servers even after the eradication of
>WDef. Although WDef is "officially" gone thanks to Disinfectant v1.6,
>the servers still seem to crash regularly. It appears that WDef, like
>polio, can be cured, but it leaves lasting damage. The only solution I
>have found is to delete the unused DESKTOP file on all server volumes...
                  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By all means do that. The virus will still write to this file (if you've
allowed your client machines access to it) and will be lurking there,
waiting for you to boot the server from a floppy. When you do that, the
AppleShare Desktop Manager INIT is bypassed and you have a new source of
infection. Also, be warned that rebooting from a floppy will cause the
Desktop file to be *rebuilt* on the server! You will have to remove it
again.

Paul also notes/asks:

> Incidentally, I have heard reports that it is possible
>(although not easy) for someone to rename the WDef virus's resource to
>CDef. Potentially this will create another virus, exactly the same as
>the first except for the name, which can propagate quickly as well.
>Anyone know anything about this?

Doubtful. I don't have my handy copy of Inside Mac right here at the
moment, but as I recall, the calling sequences are quite different. I
believe that there would be trouble (i.e., crash/hang) if you tried it.
However, if the viral WDEF does its infections directly, it might be
able to spread itself before the crash occurs.

I don't think that it would spread as fast as WDEF, because the behavior
of the Mac would take such a sudden turn for the worse that almost anyone
would become suspicious. Also, if you're running GK Aid or Eradicate'em,
you're already protected against anything which looks even remotely
executable in the Desktop file.

--- Joe M.