Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!uwm.edu!uakari.primate.wisc.edu!polyslo!vlsi3b15!vax1.cc.lehigh.edu!sei.cmu.edu!krvw
From: jap2_ss@uhura.cc.rochester.edu (Joseph Poutre)
Newsgroups: comp.virus
Subject: Followup on new virus (Mac)
Message-ID: <0007.8910021119.AA27772@ge.sei.cmu.edu>
Date: 29 Sep 89 19:22:37 GMT
Sender: Virus Discussion List 
Lines: 29
Approved: krvw@sei.cmu.edu

This is a followup to my earlier report.  I will try to give more
details from my and others' investigations.

The virus definitely attacks Macwrite.  It adds a str ID 801 and
modifies the icon to say Macwite instead of the standard application
icon.  The application increases in size by 104 bytes, 56 in the
string.  They are added in sector 014F, according to Fedit Plus 1.0.

It also attacks the system, in an unknown fashion.  I was able to
induce it to do something by repeated Get Infos.  This may be a
counter towards a more fatal outcome.  Some of the disks have crashed
after giving the "This is not a Macintosh disk.  Shall I initialize it?"
warning.  This happens almost immediately after attempts to print.

The chooser is unable to find printer resources, and claims there are
none.  When the File locked, Lock, Bozo and File Protect bits are set,
the virus apparently cannot infect.  It doesn't appear able to attack
a disk write protected by the corner tab, either.  Tomorrow I will be
performing further experiments, and will upload exact locations for
the added code, and probably the string listing, too.  No anti-virus
program has been able to find it, including Interferon, Virus Rx,
Anti-pan, and Disinfectant 1.2.  If this is recognized by anyone,
please email me ASAP at the address below with devirusing help.  If
not, I will try to do everything I can.  Thank you for your time and
effort.

The Mad Mathematician
jap2@uhura.cc.rochester.edu
Understand the power of a single action.  (R.E.M.)