Path: utzoo!utgpu!watmath!clyde!att!rutgers!cmcl2!nrl-cmf!ames!elroy!hacgate!ashtate!dbase!cy
From: cy@dbase.UUCP (Cy Shuster)
Newsgroups: comp.sys.mac
Subject: Re: Transfers and Viruses
Summary: CMS Util (v3.4) was infected
Keywords: virus transfer CMS
Message-ID: <484@dbase.UUCP>
Date: 30 Nov 88 20:19:07 GMT
References: <1015@ccnysci.UUCP>
Reply-To: cy@dbase.UUCP (Cy Shuster)
Organization: Ashton Tate Development Center Glendale, Calif.
Lines: 44

In article <1015@ccnysci.UUCP> Alexis Rosen writes:
>Cy, are you SURE that the CMS software infected you? ...the true vector
>[was] an international system...

I just retried it to verify (for CMS's sake, as well as net accuracy) and
yes, it was the CMS software that came with it:
 
               "CMS Util (to 80MB) v3.4"
               Size: 96,247 bytes
            Created: Thu, Jun 23, 1988, 10:42 PM
           Modified: Thu, Aug 25, 1988, 11:11 AM
            Version: Copyright 1987, 1988 CMS enhancements, Inc.
 
With Vaccine installed, I launched the application from the original
floppy, and it hung after drawing the menu bar: Vaccine had detected a
problem, was unable to put up an alert, but was polling the keyboard for
a "y" to allow the infection, or "n" to disallow it (read Vaccine's
instructions via the Control Panel!). I typed "n" (gulp!), and the (CMS)
program then continued its initialization sequence.

There was some confusion in the recent MacWeek article about how this nVIR
was "renaming" files to "Throw Me In The Trash": their experience differed
from ours. Here's what happened to us: my colleague Paul Springer noticed
an nVIR resource in an application on his hard disk.  I gave him Virus Rx
to run, from a locked floppy (but still booted from the hard disk). It did
not detect any problems.  Paul then copied the Virus Rx application to his
hard disk, and launched it from there (without rebooting).  He immediately
got an alert saying "An infection attempt has been made on Virus Rx. If this
program is not on a locked disk the name will be changed to 'Throw Me In The
Trash'. Please do so." He was returned to Finder, and the Virus Rx application
had indeed been renamed. (Virus Rx version 1.0A2, Sun, Apr 24, 1988, 6:00 PM,
41,151 bytes). So while the bad news is that it didn't detect the nVIR when
run from a locked floppy as directed, Virus Rx *does* detect when any
modifications are attempted to it, so running it from your hard disk has that
potential benefit.

Paul painstakingly tracked down the source by determining the earliest
modification date of any infected application, and then trying to remember
what had changed at that time.  My sympathies to CMS: hopefully, through
information sharing like this over the net, we can minimize future infections.

DISCLAIMER: My opinions only.

--Cy--