Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre)
Newsgroups: comp.virus
Subject: Followup on new virus (Mac)
Message-ID: <0007.8910021119.AA27772@ge.sei.cmu.edu>
Date: 29 Sep 89 19:22:37 GMT
Sender: Virus Discussion List
Lines: 29
Approved: krvw@sei.cmu.edu

This is a followup to my earlier report. I will try to give more details from my and others' investigations.

The virus definitely attacks Macwrite. It adds a str ID 801 and modifies the icon to say Macwite instead of the standard application icon. The application increases in size by 104 bytes, 56 in the string. They are added in sector 014F, according to Fedit Plus 1.0.

It also attacks the system, in an unknown fashion. I was able to induce it to do something by repeated Get Infos. This may be a counter towards a more fatal outcome. Some of the disks have crashed after giving the "This is not a Macintosh disk. Shall I initialize it?" warning. This happens almost immediately after attempts to print. The chooser is unable to find printer resources, and claims there are none.

When the File locked, Lock, Bozo and File Protect bits are set, the virus apparently cannot infect. It doesn't appear able to attack a disk write protected by the corner tab, either.

Tomorrow I will be performing further experiments, and will upload exact locations for the added code, and probably the string listing, too. No anti-virus program has been able to find it, including Interferon, Virus Rx, Anti-pan, and Disinfectant 1.2.

If this is recognized by anyone, please email me ASAP at the address below with devirusing help. If not, I will try to do everything I can. Thank you for your time and effort.

The Mad Mathematician
jap2@uhura.cc.rochester.edu
Understand the power of a single action. (R.E.M.)