VIRUS-L Digest Friday, 27 Jan 1989 Volume 2 : Issue 28 Today's Topics: re: init 29 virus (Mac) Mac Virus? checksum protection National LAN Laboratory --------------------------------------------------------------------------- Date: Thu, 26 Jan 89 22:47 GMT From: Subject: re: init 29 virus (Mac) The 'INIT 29" virus is not a mutation of nVIR, even if it is very similar. Its sole purpose is to replicate itself. Other than that, it causes no harm to the system. However, it will copy itself to *every* resource fork that has been opened by the System, an application or a utility (CDEV, DA, etc). I'd classify it as extremely virulent. Symptoms are an INIT resource with ID 29 and a size of 712 bytes. Infected applications also have an additional CODE resource of the same size. If you open the application with ResEdit, the viral resource will be on top of the list of CODE resources. As it patches the code jump table, removing the INIT and the CODE resources without restoring the table will cause your application to crash. The latest version of VirusDetective (2.0) will detect this virus. It will not repair an infected application, as it does not restore the jump table. The next version of AntiPan will probably be able to detect and remove it. In any case, I suggest you to trash the infected applications and system files. Other infected resource files (those who do not contain CODE resources) may be repaired by removing the INIT 29 resource. - -- Danny Schwendener ETH Macintosh Support macman@czheth5a.bitnet macman@ethz.uucp macman@ifi.ethz.ch ------------------------------ Date: Thu, 26 Jan 89 17:41 EST From: CNSM CCR - Rob Rothkopf Subject: Mac Virus? I have a MAC-SE that I *thought* was eradicated from all viruses (virii pl?). It seemed free of nVIR and SCORES and all the others and yet the system crashes periodically and I need to reload it from the original. Any advice? --Rob Rothkopf ------------------------------ Date: Thu, 26 Jan 89 17:34:54 EST From: Don Alvarez Subject: checksum protection David M. Chess made a pretty convincing argument in the last issue that he can absolutely trust his checksum if he keeps the checksummer on a floppy disk which is locked away and never inserted into a machine that hasn't just had a warm boot. I will agree with him that he can trust his checksummer, but unless he can checksum every file on my hard disk in under one minute its a cure that's worse than the disease (just add up how long you would spend doing checksums in a year and compare that against your expected rate of infection). Also, suppose I have five hundred files on my disk. How am I going to know what the checksum for each of them should be? Keep a list of checksums on my disk? This shut-the-machine-off, boot-from-floppy, run-checksum, put-floppy- away and switch-over-to-hard-disk routine sounds like a lot of work to do every time I want to run my word processor. Its a whole lot worse if you want to do it not to an isolated PC but to a networked workstation. Also, what does the checksum program tell me? It tells me that someone has destroyed my data. It doesn't tell me when and it doesn't tell me what to do to get it back. I still have to keep backups of everything. Checksums are good for checking the integrity of data if you have reason to believe that it has been corrupted (ie did I just download a bogus copy of VirusRX off the network). They are not a good way to handle everyday protection against viruses (consider the couple that tries to practice birth control by spending ten minutes every morning giving the woman a pregnancy test). Add up how much time you personally expect to loose in a year from data lost to viruses. Any "cure" that takes up more of your time in a year than you expect to loose is quite litterally "wasting your time." Nobody spends $20,000 a year to insure a $10,000 car. Even fewer people spend $20,000 a year for a service that merely tells them whether someone has already stolen their $10,000 car. -Don Alvarez ------------------------------ Date: Thu, 26 Jan 89 20:10 EST From: Subject: National LAN Laboratory Roman Olynyk writes: >Computer World (Jan. 9) had a article which referenced virus prevention >guidelines: > "Del Jones, managing director of the National LAN Laboratory in > Reston, VA., has issued a set of guidelines on virus prevention > and control endorsed by about 70 manufacturers." >A subsequent reference to another CW article didn't discuss these >guidelines. > >Can anyone help me get a handle on these guidelines or where I might >actually find them? Roman, I happen to live in Reston, and although I've never heard of the place, chances are that its only about 5 or 10 minutes from my house. If you could get me an exact address or something I'd be glad to pop over there someday and try and scare up a copy. - ---Steve - ---------------- Steve Okay ACS045@GMUVAX.BITNET/acs045@gmuvax2gmu.edu/CSR032 on The Source "These comments are less relevant than say, The New York Times OP-ED Page, but more relevant than say, Plywood" ----Bloom County ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253