informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/virus/virus3.txt

162 lines
7.4 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ THE VIRUS INFORMER ³ FACT: Did you know that there
³ your weekly virus newsletter ³ are over 586 unique viruses,
³ by Mark E. Bishop edited by ³ over 716 variants, and over
³ Alan Bechtold ³ 1302 known viruses?
ÀÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
CHAPTER 3: 'Introducing the NEW Macintosh Virus, T4A, T4B'
The following information is in regard to a new Macintosh virus discovered
June 30, 1992 which causes damage to Apple Macintosh computers. The virus
is the T4-A, and T4-B. They can alter your boot code, alter/damage your
Macintosh applications, and could possible spread into your System files.
The information is valid and has been edited. Contributing information
came from Gene Spafford of Purdue University and Chris Schram of the Home-
base CVIA BBS.
Virus: T4-A, T4-B Damage: altered boot code; altered/damaged applications
Spread: possibly significant Systems affected: Apple Macintosh computers. All
types, but see text.
A new virus has been discovered, in two slightly different strains. These
were included with the game application GoMoku, versions 2.0 and 2.1. These
files were posted to the Usenet comp.binaries.mac newsgroup, and uploaded to
various ftp archives, including the one at sumex-aim.stanford.edu. [Note: the
game was distributed under a falsified name.
The name used in the posting, and embedded in the game, is that of a
completely uninvolved person. Please do not use this person's name in
reference to the virus. The actual virus author is unknown, and probably
used this person's name as a form of harassment.
When invoked, the virus attempts to alter the System file. This alteration
attempt will be noticed by the SAM antivirus program (and possibly by
Gatekeeper, depending on settings). The alert message that is displayed
indicates that "Disinfectant" is trying to make the alteration -- whether
Disinfectant is installed on the system or not. This is evidently an attempt
to fool users into approving the modification attempt, thus allowing the
virus to infect.
The change to the System file results in alterations to the boot code under
both Systems 6 and 7. The damage may render some systems unbootable, but
will usually result in INIT files and System extensions (respectively) not
loading.
The virus also attempts to modify application files on the system disk.
These alterations may damage some applications by overwriting portions of the
programs with the virus code. These damaged applications *cannot* be
repaired but must be reinstalled from distribution or backup media.
Once installed and active, the virus does not appear to perform any other
overt damage. At least one version of the virus may print a message when run
after a certain number of files are infected by it. This message identifies
the infection as the T4 virus.
[Note: Although this note is unrelated to the T4 virus, we feel it
appropriate and important to remind Mac users that neither Apple System 7 nor
7.0.1 should be used UNMODIFIED because they have the "disappearing folders"
bug. Users should be sure they have installed the (free) System Tuner 1.1.1
from Apple on these systems; versions 1.0 and 1.1 of the Tuner are outdated
or buggy and should not be used.
Tuner 1.1.1 is available from authorized Apple dealers, from many user
groups, from commercial networks, and on several places on the Internet.
Also, System 7.0.1 is *not* the same as System 7 with the Tuner installed;
7.0.1 is a later release of System 7. System 7.0.1 also needs the update
installed.]
Authors of all major Macintosh anti-virus tools are planning updates to
their tools to locate and/or eliminate this virus. Some of these are listed
below. We recommend that you obtain and run a CURRENT version of AT LEAST
ONE of these programs.
HERE ARE SOME MAC ANTI-VIRUS SOFTWARE PRODUCTS AND THEIR UPDATE INFO:
Tool: DISINFECTANT
Status: Free software (courtesy of Northwestern University and John
Norstad) Revision to be released: 2.9 Where to find: usual archive sites
and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu,
rascal.ics.utexas.edu, AppleLink, America Online,
CompuServe, Genie, Calvacom, MacNet, Delphi,
comp.binaries.mac, when available: soon (probably by July 6)
Tool: GATEKEEPER
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.2.6
Where to find: usual archive sites and bulletin boards --
microlib.cc.utexas.edu, sumex-aim.stanford.edu,
rascal.ics.utexas.edu, comp.binaries.mac
When available: soon
Tool: RIVAL
Status: Commercial software
Revision to be released: T4 Vaccine, Rival Refresh 1.1.9w
Where to find it: AppleLink, America Online, Internet, Compuserve.
When available: Immediately.
Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: ???
Where to find: CompuServe, America Online, Applelink, Symantec's
Bulletin Board @ 408-973-9598
When available: immediately
Notes: User definition information: Virus Name: T4 Resource type: CODE
Resource ID: Any 0 Resource size: >= 5600 Search String: Hex
2F2EFFD02F2EFFC43F3CA97B486E String offset: >= 714 from end Check value
should be 'E7FA' if all fields entered correctly
Tool: VIREX
Status: Commercial software
Revision to be released: 3.82
Where to find: Microcom, Inc (919) 490-1277
When available: 6 July 1992
Comments: Virex 3.82 will detect the virus in any file, and repair
any file that has not been permanently damaged by the virus. All
Virex subscribers will automatically be sent an update on
diskette. All other registered users will receive a notice with
information to update prior versions to detect T4. The information
necessary to update immediately is also available on Microcom's
BBS: (919)419-1602 and on America OnLine.
Tool: VIRUSDETECTIVE
Status: Shareware
Revision to be released: 5.0.5
Where to find: Usual bulletin boards will announce a new search string.
Registered users will also get a mailing
with the new search string.
When available: Immediately.
Comments: search strings are: Resource CODE & Size > 3900 & Pos -1200 &
WData 3F3CA9CC*31BC4E71 ; For finding T4
If you discover what you believe to be a virus on your Macintosh system,
please report it to the vendor/author of your anti-virus software package for
analysis. Such reports make early, informed warnings like this one possible
for the rest of the Mac community.
Also, be aware that writing and releasing computer viruses is more than a
rude and damaging act of vandalism -- it is also a violation of many state
and Federal laws in the US, and illegal in several other countries. If you
have information concerning the author of this or any other computer virus,
please contact any of the anti-virus providers listed above.
Several Mac virus authors have been apprehended thanks to the efforts of
the Mac user community, and some are awaiting trial for their actions. This
is yet one more way to help protect you computers.
- end -
Downloaded From P-80 International Information Systems 304-744-2253
Reference in New Issue View Git Blame Copy Permalink