Virus Watch for the Mac
Author: Kevin M. Savetz
Date: May, 1993
Keywords: trojan horse worm init-m init-17 disinfectant cdef t4-c
Text: In the world of Macintosh, it seems it's virus season. In the past three months, four new computer viruses have begun pestering Mac users. This is hardly an epidemic, but it is wise to take the time to acquire and use antiviral software - before your computer catches a virus.

A computer virus is a program, named for its organic counterpart, that infects files on a computer system. As you access infected files on your computer, the virus spreads. Many viruses are programmed to wait for a certain period - until they have made a number of duplicates, or until a certain date - before doing damage. A malicious virus might try to erase the files on your hard disk or write a message on the screen. Other viruses don't perform overt actions; instead they silently propagate from file to file, and from computer to computer. (These viruses also can cause problems because they modify existing information on your disk. A program conflict or a bug in the virus code can prove as disastrous as a malicious virus.)

Your computer can "catch" a computer virus in a number of ways. Most common for modem users is to download (copy from another computer to your computer) an infected program. Modem-less users aren't safe, either. Your hapless machine can catch a virus by running a program on a borrowed floppy disk or on another computer in your network. Even the most careful computer owner is sometimes caught off guard: there have been incidents of store-bought, shrink-wrapped software harboring a virus. In these cases, the virus was either duplicated en masse by the manufacturer, or the software was opened, infected, then re-wrapped at the store.

There is another kind of malicious program, called a Trojan horse. This is a program that does something undocumented which the programmer intended, but that the user would not approve of. For example, you might run a program that claims to be a game - only instead of seeing Pac-Man, something nasty happens. Trojans are non-repeating: there is no "infection" - a Trojan will run once to do its evil deed.

Finally, a "worm" is a program that replicates itself, but does not attach itself to other programs. Worms generally are spread over computer networks, not through sharing software or disks.

THE NEW VIRUSES

There are currently about 20 types of Macintosh viruses, but each of these has multiple versions, or "strains." The following is a list of the newest Mac viruses.

Name: INIT-M
Discovered: April 22, 1993
Systems affected: All Macintosh computers, only under System 7.

The INIT-M virus was recently discovered at Dartmouth College, in a file downloaded off the net. It is a malicious virus that may cause severe damage. INIT-M rapidly spreads to applications, system extensions, documents and preference files under System 7. The virus spreads as the application files are run, and is likely to spread extensively on an infected machine. The infection is accomplished by altering existing program code.

The virus does extensive damage to systems running on any Friday the 13th - not just ones booted on that day. Files and folders are renamed to random strings, creation and modification dates are changed, and file creator and type information are scrambled. In some very rare circumstances, a file or files may be deleted. Recovery from this damage will be very difficult or impossible. (Note that the next three Friday the 13ths are in August 1993, May 1994, and January 1995.)

The virus, when present on an infected system, may interfere with the proper display of some application window operations. It will also create a file named "FSV Prefs" in the Preferences folder.

Name: INIT-17
Discovered: April 12, 1993
Systems affected: All Macintosh computers, under Systems 6 & 7.

The INIT-17 virus spreads to the System file and many applications as they are run, and is likely to spread quite quickly on an infected machine. The infection is accomplished by altering existing program code, but the virus code that does this contains several bugs of various types. These bugs, coupled with the behavior of altering applications and the System file, may result in damage to those files. On some older Macs (e.g., Mac Plus, SE, Classic) the presence of the virus will cause those systems to crash during execution of infected applications.

The only overt action by the virus is to display an alert message in a window entitled "From the depths of Cyberspace" the first time an infected machine is rebooted after 6:06:06 PM, 31 Oct 1993.
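
The date triggers and the INIT-M marker file described in the two entries above can be checked mechanically. The following Python is an added example, not part of the original article: it lists upcoming INIT-M payload days, tests whether the INIT-17 alert time has passed, and looks for "FSV Prefs" in a file listing. The function names and the sample listing are constructed for illustration.

```python
from datetime import date, datetime

# Trigger facts come from the two entries above; all names here are assumptions.
INIT17_ALERT_AFTER = datetime(1993, 10, 31, 18, 6, 6)  # 6:06:06 PM, 31 Oct 1993
INITM_MARKER = ("preferences", "fsv prefs")  # "FSV Prefs" in the Preferences folder

# Constructed sample listing (classic Mac OS paths use ":" as the separator).
SAMPLE_LISTING = [
    "Macintosh HD:System Folder:System",
    "Macintosh HD:System Folder:Preferences:Finder Preferences",
    "Macintosh HD:System Folder:Preferences:FSV Prefs",
]

def initm_payload_day(day):
    """INIT-M does its damage on any Friday the 13th."""
    return day.day == 13 and day.weekday() == 4  # Monday is 0, Friday is 4

def next_initm_days(start, count):
    """Return the next `count` Friday-the-13ths strictly after `start`."""
    found, year, month = [], start.year, start.month
    while len(found) < count:
        candidate = date(year, month, 13)
        if candidate > start and initm_payload_day(candidate):
            found.append(candidate)
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return found

def init17_alert_due(reboot_time):
    """INIT-17 shows its alert on the first reboot after the trigger time."""
    return reboot_time > INIT17_ALERT_AFTER

def has_initm_marker(paths):
    """True if a file named "FSV Prefs" sits directly in a Preferences folder."""
    for path in paths:
        parts = [p.lower() for p in path.split(":") if p]  # HFS names ignore case
        if tuple(parts[-2:]) == INITM_MARKER:
            return True
    return False

def triage(paths, clock):
    """List which behaviours described in the article apply to this machine now."""
    findings = []
    if has_initm_marker(paths):
        findings.append("INIT-M marker file present")
    if initm_payload_day(clock.date()):
        findings.append("INIT-M payload day (Friday the 13th)")
    if init17_alert_due(clock):
        findings.append("INIT-17 alert time has passed")
    return findings

if __name__ == "__main__":
    print(next_initm_days(date(1993, 5, 1), 3))
    print(triage(SAMPLE_LISTING, datetime(1993, 8, 13, 9, 0)))
```

The marker file is only an indicator that INIT-M has been on the system; a clean listing does not prove the machine is uninfected.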
Name: CDEF (new version)
Discovered: February, 1993
Systems affected: System 6

CDEF was first found in August, 1990, but a new strain was just discovered. It only infects invisible "desktop" files used by the Finder. It doesn't infect applications, document files, or other system files. System 7 users are completely immune to CDEF. This virus doesn't do any overt damage, but infected files may still cause problems.

Name: T4-C
Discovered: February, 1993
Systems affected: All Macintosh computers, under Systems 6 & 7.

T4-C is a new version of the T4 virus, which was first discovered in June of 1992. It spreads to applications and the Finder, and it attempts to alter the System file. Under System 6 and 7.0, T4 will prevent INIT files and system extensions from loading. Under System 7.0.1, the change may prevent the system from booting or cause random crashes. Files damaged by this virus are not repairable by antiviral software - the only way to recover is to delete the infected programs and restore from backups.

ANTIVIRAL SOFTWARE

If you don't have antivirus software, you need to get some and use it. There are several antivirus packages for the Macintosh. A good anti-virus program does two things: it will keep a lookout for viruses and, when possible, it will disinfect infected programs.

Some packages look out for a known set of viruses, but the list of known viruses needs to be updated as viruses are discovered. Other programs watch for any suspicious activity and ask the user if it's safe to proceed. Because they trap all questionable activity, these programs need to be updated less frequently, but they are more visible to the user.

Disinfectant is the perfect choice for users who stay informed about new viruses, but the commercial vendors offer the advantage of professional support and updates as new viruses are discovered.

Central Point Anti-Virus (Commercial software)
Version: 2.01e
Where: CompuServe, America Online, Internet: sumex-aim.stanford.edu, Central Point BBS: (503) 690-6650.

Disinfectant (free)
Version: 3.2
Where: Internet: ftp.acns.nwu.edu, America Online, other online services.

Gatekeeper (free)
Version: 1.2.7
Where: Internet: rascal.ics.utexas.edu and other FTP archives, America Online, other online services.

Rival (Commercial software)
Version: INIT-M Vaccine
Where: AppleLink, America Online, Internet, CompuServe.

SAM (Commercial software)
Version: 3.5.6
Where: CompuServe, America Online, AppleLink, Symantec's customer service: (800) 441-7234

Virex (Commercial software)
Version: 3.93
Where: Datawatch Corporation: (919) 490-1277

VirusDetective (Shareware)
Version: 5.0.9
VirusDetective is shareware. Search strings for the new viruses are sent only to registered users.
Where: Internet: sumex.aim.edu, America Online, other services.

Copyright © May, 1993 by Kevin M. Savetz