VIRUS-L Digest            Thursday, 30 Mar 1989         Volume 2 : Issue 76

Today's Topics:

Disinfectant for Mac
RE: Star Trek virus
PKWare virus? (PC)
Not really an nVIR (Mac)
Disinfectant (Mac)
New England J. of Med. letter
KillVirus Init not malevolent (Mac)
Re: KillVirus Init (Mac)

---------------------------------------------------------------------------

From: David.J.Ferbrache
Date: Wed, 29 Mar 89 10:03:02 BST
Subject: Disinfectant for Mac

Ken, you asked about disinfectant. In my opinion this is probably the most comprehensive virus control program available for the Mac system. The program is designed to detect all non-hypertext Mac viruses (including the recent AIDS resource edited nVIR strain).

Most importantly this program can detect the new Anti virus (see recent posting by Danny Schwendener) which a number of older tools fail to detect [No characteristic resource additions].

If run together with an INIT to detect modification of code file resources (hmm, vaccine, gatekeeper, watcher etc one of this group), it should provide excellent protection.

Availability:

Disinfectant 1.0 was posted to comp.sys.mac recently, and is available from a number of backbone archive sites, including the info-mac archives, and Heriot-Watt's anti-virus software archive. I suspect Werner Uhrig's archives on RASCAL.ICS.UTEXAS.EDU should also have a copy in the virus-tools directory (although I haven't confirmed this).

European sites can pull a copy by sending mail to with the body:

     request: virus
     topic: mac.disinfect

Bugs:

One serious problem due to contention while accessing files from remote servers, involving missed directories. John's looking into the problem at the moment.

Features:

- Detects and repairs files infected by Scores, nVIR A, nVIR B, Hpat, AIDS, INIT 29, ANTI, and MacMag. These are all of the currently known Macintosh viruses.
- Scans volumes (entire disks) in either virus check mode or virus repair mode.
- Option to scan a single folder or a single file.
- Option to "automatically" scan a sequence of floppies.
- Option to scan all mounted volumes.
- Can scan both MFS and HFS volumes.
- Dynamic display of the current folder name, file name, and a thermometer indicating the progress of a scan.
- All scans can be cancelled at any time.
- Scans produce detailed reports in a scrolling field. Reports can be saved as text files and printed with an editor or word processor.
- Carefully designed human interface that closely follows Apple's guidelines. All operations are initiated and controlled by 8 simple standard push buttons.
- Uses an advanced detection and repair algorithm that can handle partial infections, multiple infections, and other anomalies.
- Careful error checking. E.g., properly detects and reports damaged and busy files, out of memory conditions, disk full conditions on attempts to save files, insufficient privileges on server volumes, and so on.
- Works on any Mac with at least 512K of memory running System 3.2 or later.
- Can be used on single floppy drive Macs with no floppy shuffling.
- 8500 word online document describing Disinfectant, viruses in general, the Mac viruses in particular, recommendations for "safe" computing, Vaccine, and other virus fighting tools. The document can be saved as a text file and printed with an editor or word processor. We tried to include everything in the document that the average Mac user needs to know about viruses.

John Norstad wrote Disinfectant with the help of an international group of Mac virus experts, programmers and enthusiasts: Wade Blomgren, Chris Borton, Bob Hablutzel, Tim Krauskopf, Joel Levin, Robert Lentz, Bill Lipa, Albert Lunde, James Macak, Lance Nakata, Leonard Rosenthol, Art Schumer, Dan Schwendener, Stephan Somogyi, David Spector, and Werner Uhrig.
--------------------------------------------------------------------------
Dave Ferbrache                            Personal mail to:
Dept of computer science                  Internet
Heriot-Watt University                    Janet
79 Grassmarket                            UUCP ..!mcvax!hwcs!davidf
Edinburgh,UK. EH1 2HJ                     Tel (UK) 031-225-6465 ext 553

------------------------------

Date: Wed, 29 Mar 89 13:39 EST
From: "Mark H. Anbinder"
Subject: RE: Star Trek virus

There WAS one problem with the Star Trek: The Next Generation episode "Contagion" as far as the treatment of computer viruses was concerned. How did this alien code get executed? If the Enterprise downloaded the other ship's log as data, no code buried within it should have been executed.

My speculation was that ship's logs include code (perhaps security systems) that must be executed in order to access the data, so the virus code could have been executed that way.

Mark H. Anbinder

------------------------------

Date: Wed, 29 Mar 89 13:53:20 EST
Sender: Virus Alert List
From: msmith%TOPAZ.RUTGERS.EDU@IBM1.CC.Lehigh.Edu
Subject: PKWare virus? (PC)

Original-Date: Wed, 29 Mar 1989 10:50 MST
Original-From: Keith Petersen

Mark, I hope whoever posted messages on this will retract them immediately. There is NO virus and PKWare is NOT involved. Here is the REAL story:

2/25/89 - ARCMASTER SOFTWARE DANGER
-----------------------------------

The ArcMaster compression program shell/menu system has been a very popular download on our BBS. In the past week I have received numerous reports of messed up hard disks after running ArcMaster version 4.0 and 4.01. I don't know if there were bugs in those versions, or if some hacker has decided to target ArcMaster for trojans. I suggest all users of ArcMaster 4.0 and 4.01 stop using those versions and wait until you can get a clean, new version from a reliable source.
My apologies to John Newlin, since he has written some great software, but the reports of trashed hard disks have been consistent enough to warrant some caution with the 4.x versions of ArcMaster.

Bob Mahoney
Exec-PC Multi-user BBS
414-964-5160

------------------------------

Date: Wed, 29 Mar 89 16:52:00 EST
From: Joe McMahon
Subject: Not really an nVIR (Mac)

The KillVirus INIT installs what I've called a "killed" virus - an nVIR 10 resource that some (but not all) versions of nVIR check for. If nVIR finds this resource in the system file, it "goes dormant" and doesn't infect that copy of the System.

Generally, NOT RECOMMENDED. It triggers the detectors (as you've seen) and interferes with Vaccine. You should remove the nVIR 10 resource from any System whose system folder you've installed KillVirus and make sure that KillVirus is out of there too. Vaccine is safer and works as well.

--- Joe M.

------------------------------

Date: Wed, 29 Mar 89 16:59:52 EST
From: Joe McMahon
Subject: Disinfectant (Mac)

Disinfectant comes from John Norstad, someone whose work I would very much trust. If John says it cleans up all that stuff, it does.

The only other thing I'd like to mention is that as viruses get more complex, the less I trust disinfectants. I'm all for using them to clean up far enough to finish what you're doing and THEN clean up by replacing, but I wouldn't bet the farm on them.

--- Joe M.

------------------------------

Date: Wed 29 Mar 89 13:22:09-PST
From: Ted Shapin
Subject: New England J. of Med. letter

New England Journal of Medicine, March 23, 1989, Vol. 320, No. 12, page 811-12.

_COMPUTER-VIRUS INFECTION OF A MEDICAL DIAGNOSTIC COMPUTER_

To the Editor: Computers used in diagnostic imaging, intensive care monitoring, and other such functions have been relatively immune to computer vandalism, because they have been special purpose units that are not easily programmed by amateurs.
A detailed MEDLINE search has revealed no previous reports of "infection," or sabotage, of medical diagnostic data with a computer "virus."

Recently, our Department of Nuclear Medicine acquired new image-display stations for cardiac studies, consisting of powerful personal computers (PCs) (Macintosh II) that provide high-quality images for diagnosis. After successfully using the system for several weeks, we noted occasional random malfunctions. Often the computer had to be shut down and then restarted before it would respond to any commands. Occasionally, nonexistent patients and garbled names appeared on the patient directory. We found that approximately 70 percent of the programs on the PC data disk had been altered by the insertion of an exogenous code into the standard computer instructions. In addition, many new files were found scattered among the legitimate programs. We found that our system harbored two separate computer viruses. An investigation revealed that these viruses had spread from a computer company to both our facilities (located 20 miles apart) and a nearby university medical center PC network.

The computer virus has many similarities to biologic viruses. It is a small program designed to splice copies of itself into other programs. When these programs are run, the viral code directs the computer to make additional copies of the virus and splice them into other "uninfected" programs. The original program then continues after a barely noticeable delay. As with biologic viruses, host facilities are subverted into producing endless copies of the foreign intruder. At random intervals, these hidden programs may produce delays, noises, scrambling, or actual deletion of data from computer storage.

The viral infection may spread from computer to computer by the simple insertion of a floppy disk into an infected machine and later into another, similar computer. This is the likely mechanism of spread of the viruses we encountered.
Floppy disks used by members of our staff for word processing were found to contain copies of at least one of these viruses. After several weeks of meticulous work, all copies of the virus were eliminated from our systems.

Mass production of PCs has generated a large pool of amateur programmers, a few of whom attempt computer sabotage either as an intellectual challenge or as vandalism. The capability of the PC to perform literature searches, word processing, and other tasks tempts users of hospital PCs to insert a variety of "foreign" disks, thus spreading infections. We now examine all software before use in our systems and have alerted our personnel to the need to practice "safe computing". As multipurpose PCs replace their safer single-purpose predecessors in patient care, the need for expanded vigilance is clear.

Jack E. Juni, M.D.
Richard Ponto
William Beaumont Hospitals
Royal Oak, MI 48072-2793

-------

------------------------------

Date: Wed, 29 Mar 1989 13:34:11 EST
From: Clare Shawcross
Subject: KillVirus Init not malevolent

A couple of postings have been made recently about KillVirus Init, one (from Jonathan Baker) wondering if it was a virus or virally infected, and the other (from David Stodolsky) suggesting that it is some sort of breeding ground for viruses.

In fact, KillVirus Init is intended to *protect* your files from nVIR by "vaccinating" your disk. KillVirus contains a dummy nVIR and installs one in your System file. Interferon and VirusRX can't tell the difference between this and a real virus. But your Macintosh can. And so can you.

One way of checking is to run a smarter program like Disinfectant which will not flag the dummy virus. The commercially available program Virex will go so far as to flag such a virus as a fake one.

The more adventurous may want to use ResEdit to look at the nVIR resource on a file. If it is called "InstallTrap (ID=1)" or "nVIR Inhibitor (ID=10)" then you are dealing with a dummy virus rather than the real thing.
Clare Shawcross
Consulting Support Specialist
Brown University

------------------------------

From: Andrew Dawson
Date: Thu, 30 Mar 89 10:31:54 BST
Subject: Re: KillVirus Init (Mac)

The KillVirus Init is *NOT* infected with the nVIR virus - it just appears that way to a lot of virus search utilities.

A feature of nVIR is that it will effectively disable itself if it finds an nVIR resource with ID=10 in the system file. If you place killvirus in your system folder and reboot, it will install an nVIR 10 resource in the system to prevent infection, at the same time removing any other nVIR resources. In order to do this effectively, killvirus itself has an nVIR 10 resource, which is simply copied. There is no code in this resource.

Most virus checking utilities check for resources of a certain type - and the presence of any nVIR resource will cause warnings from Interferon, Virus RX or Virus Detective (and probably others).

While I'm not actually very keen on anything that modifies the system file, KillVirus has proved very effective in keeping our machines clean - it will automatically disinfect any nVIR infected application that a user attempts to launch.

Andrew Dawson
School of Medicine Computer Unit
University College London

------------------------------

End of VIRUS-L Digest
*********************

Downloaded From P-80 International Information Systems 304-744-2253
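
[Added example, not part of the original digest or of any tool named in it: a small Python reader for the classic Macintosh resource-fork map, showing why a check keyed only on resource type flags the KillVirus marker while a check that also reads the resource ID can tell the ID 10 marker apart, as the KillVirus postings above describe. The function names, the builder and both sample forks are constructed for illustration.]

```python
import struct

def build_fork(rtype, items):
    """Pack (id, name, data) tuples of one type into a resource fork (constructed sample data)."""
    data, refs, names = b"", b"", b""
    for rid, name, body in items:
        name_off = -1                                  # -1 means the resource has no name
        if name:
            name_off = len(names)
            names += bytes([len(name)]) + name.encode("mac_roman")   # Pascal string
        refs += struct.pack(">hhI4x", rid, name_off, len(data))     # attrs 0 + 3-byte data offset
        data += struct.pack(">I", len(body)) + body
    types = struct.pack(">H4sHH", 0, rtype, len(items) - 1, 10)     # counts are stored minus one
    name_list = 28 + len(types) + len(refs)
    header = struct.pack(">4I", 256, 256 + len(data), len(data), name_list + len(names))
    fork_map = header + struct.pack(">4x4H", 0, 0, 28, name_list) + types + refs + names
    return header.ljust(256, b"\0") + data + fork_map

def list_resources(fork):
    """Return (type, id, name) for every entry in the fork's resource map."""
    map_off = struct.unpack_from(">I", fork, 4)[0]
    type_off, name_off = struct.unpack_from(">2H", fork, map_off + 24)
    tl = map_off + type_off                            # start of the type list
    ntypes = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF
    found = []
    for t in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(last + 1):
            rid, noff = struct.unpack_from(">hh", fork, tl + ref_off + 12 * r)
            name = ""
            if noff != -1:
                p = map_off + name_off + noff
                name = fork[p + 1:p + 1 + fork[p]].decode("mac_roman")
            found.append((rtype.decode("mac_roman"), rid, name))
    return found

def type_only_flag(fork):
    """The check the digest attributes to most utilities: any nVIR resource is a hit."""
    return any(t == "nVIR" for t, _, _ in list_resources(fork))

def inhibitor_only(fork):
    """True when the only nVIR resource is ID 10; a triage hint, not a verdict."""
    return [i for t, i, _ in list_resources(fork) if t == "nVIR"] == [10]

# Constructed samples: one fork with just the marker, one with other nVIR IDs (IDs made up).
vaccinated = build_fork(b"nVIR", [(10, "nVIR Inhibitor", b"")])
unexplained = build_fork(b"nVIR", [(2, "", b"\x00" * 8), (3, "", b"\x00" * 8)])
```

[Both samples trip type_only_flag; only the first passes inhibitor_only, and a fork that fails it still needs inspection with a tool such as ResEdit or Disinfectant.]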