"WDEF B" Virus (17-December-1991) Entry...............: "WDEF B" Virus Alias(es)...........: --- Virus Strain........: WDEF Virus Strain Virus detected when.: March 1991 where.: Hannover,Germany Classification......: File infector only Desktop file Length of Virus.....: Resource fork extension: 1842 bytes --------------------- Preconditions ---------------------------------- Operating System(s).: MacOS proprietary Version/Release.....: System 4.1 or greater , not 7.0 Computer model(s)...: Apple Macintosh: all models --------------------- Attributes ------------------------------------- Easy Identification.: Additional WDEF 0 resource in Desktop file; Desktop shouldn't have one. Resource pattern....: Desktop File: WDEF 0 1842 Bytes. Type of infection...: The virus copies itself to all Desktop files on all connected volumes. Infection trigger...: Executing an infected Desktop file and a random algorithm produces the value 1 long and the availability of SysEnvirons-Trap; the random value is calculated using the RandomSeed system variable. Applications affected:Only Desktop files Traps intercepted...: Only during infection: Write, AddResource, ChangedResouse, WriteResource, UpdateResFile Damage..............: Permanent damage: --- Transient damage: Only when running under MultiFinder. Only first launched application: if the application has a menu that displays font-size-information using the system, available font sizes are no longer displayed outlined; all sizes are displayed in normal style. Switching between applications doesnot change the first application's behavior. Damage Trigger......: Running an infected Desktop file. Peculiarities.......: No infection on systems without SysEnvirons. Virus beeps once if infected application is run. Similarities........: CDEF, WDEF A --------------------- Agents ----------------------------------------- Countermeasures/direct:1.Removal of WDEF 0 from all Desktop files: copy Desktop to another file and cut off WDEF 0 resource, delete original Desktop file and rename cleaned copy to Desktop. The desktop file is always active, so copying and renaming must be done by special file utilities like the file tools DA. 2.Or create a new Desktop file by pressing Option and Command key when opening a volume. (Can be very time-consuming on full harddisk, and information in the comment field of file information are lost) Countermeasures/software: 1.Use an anti-viral product (public domain or commercial) such Disinfectant, Interferon, Virus detective or VirusRx to scan for virus signature. 2.Use a protection INIT called Eradicat'Em that prevents WDEF infection (also prevents CDEF infection) --------------------- Acknowledgement -------------------------------- Location............: Virus Test Center, University Hamburg, Germany Classification by...: Ronald Greinke Documentation by....: Ronald Greinke Date................: 17-December-1991 Information Source..: --- .