Path: utzoo!utgpu!watmath!clyde!att!rutgers!cmcl2!nrl-cmf!ames!elroy!hacgate!ashtate!dbase!cy
From: cy@dbase.UUCP (Cy Shuster)
Newsgroups: comp.sys.mac
Subject: Re: Transfers and Viruses
Summary: CMS Util (v3.4) was infected
Keywords: virus transfer CMS
Message-ID: <484@dbase.UUCP>
Date: 30 Nov 88 20:19:07 GMT
References: <1015@ccnysci.UUCP> >
Reply-To: cy@dbase.UUCP (Cy Shuster)
Organization: Ashton Tate Development Center Glendale, Calif.
Lines: 44

In article <1015@ccnysci.UUCP> Alexis Rosen writes:
>Cy, are you SURE that the CMS software infected you? ...the true vector
>[was] an international system...

I just retried it to verify (for CMS's sake, as well as net accuracy)
and yes, it was the CMS software that came with it:

    "CMS Util (to 80MB) v3.4"
    Size: 96,247 bytes
    Created: Thu, Jun 23, 1988, 10:42 PM
    Modified: Thu, Aug 25, 1988, 11:11 AM
    Version: Copyright 1987, 1988 CMS enhancements, Inc.

With Vaccine installed, I launched the application from the original
floppy, and it hung after drawing the menu bar: Vaccine had detected
a problem, was unable to put up an alert, but was polling the keyboard
for a "y" to allow the infection, or "n" to disallow it (read Vaccine's
instructions via the Control Panel!). I typed "n" (gulp!), and the (CMS)
program then continued its initialization sequence.

There was some confusion in the recent MacWeek article about how this
nVIR was "renaming" files to "Throw Me In The Trash": their experience
differed from ours. Here's what happened to us: my colleague Paul
Springer noticed an nVIR resource in an application on his hard disk.
I gave him Virus RX to run, from a locked floppy (but still booted from
the hard disk). It did not detect any problems. Paul then copied the
Virus Rx application to his hard disk, and launched it from there
(without rebooting). He immediately got an alert saying "An infection
attempt has been made on Virus Rx. If this program is not on a locked
disk the name will be changed to 'Throw Me In The Trash'. Please do so."
He was returned to Finder, and the Virus Rx application had indeed been
renamed. (Virus Rx version 1.0A2, Sun, Apr 24, 1988, 6:00 PM, 41,151
bytes).

So while the bad news is that it didn't detect the nVIR when run from
a locked floppy as directed, Virus Rx *does* detect when any
modifications are attempted to it, so running it from your hard disk
has that potential benefit.

Paul painstakingly tracked down the source by determining the earliest
modification date of any infected application, and then trying to
remember what had changed at that time.

My sympathies to CMS: hopefully, through information sharing like this
over the net, we can minimize future infections.

DISCLAIMER: My opinions only.

--Cy--