For what it's worth, here is my two cent's worth concerning the Scores Virus:
The information provided in the Virus Info # 1 Document is substantially correct, although I will disagree with certain aspects according to my own experiences with this plague.
Detection:
The viral files contain several distinct and possibly unique strings. Use Fedit to search for VULT and/or ERIC. If you do not find either of these strings on your disk, you are NOT infected. If you find them, proceed as though you are infected and make further tests.
When Vaccine has been installed on your disk and is running, opening an infected application will produce either a bomb or the Mac will hang up. In either case, the application should be examined more closely: Use ResEd to open the CODE resource. If the top one is two numbers higher than the next highest, do a Get Info on it. If the size is 7026, you have confirmed it as an infected application. Throw it in the trash as it is unusable and will cause you problems if you run it with Vaccine off.
If you have installed Vaccine and it periodically gives you a warning, even when you are doing nothing to change anything on the Mac, Vaccine is NOT defective. It is telling you that you are contaminated and that the virus has tried and failed to attack a previously clean application. If you do not have Vaccine installed and have noticed your disk drive (hard or floppy) run for a few seconds when there is no cause, it is quite likely the same thing, except in this case you just lost the application.
Check ALL of your applications. It is easy to overlook some of the smaller and common ones like Font/DA Mover and backup programs. Remember, you do NOT have to have run an application for it to be contaminated.
Removal:
The virus can be removed from your System by less stringent means than described in document # 1. Open your System folder with ResEd. Select and Clear Scrapbook File, Note Pad File, Desktop, and Scores. Then open the System and clear these resources: atpl ID 128, DATA ID -4001, and INITs 10, 17, & 6. Close ResEd and save changes. Note that the System file atpl and DATA resources are not mentioned in the Virus Info # 1 document. However, they are in the System and should be removed. A virgin System (4.1, at least) from Apple does not contain either resource type, but some programs - LaserSpeed, for one - legitimately place them in the System. Remove only the ID numbers listed.
My experiences with this virus over the past two months have shown this to be an effective and relatively simple way to clean the System. I did this two months ago and have seen no more Scores etc. files until a week ago, when a friend gave me an infected application. Even then I had to turn Vaccine off to get it to do its dirty work. I have not yet seen an infected Finder, but a check of the Finder CODE resource will tell you if it has been contaminated. I question how the Mac could operate at all if Vaccine were running and the Finder was contaminated. On the other hand, perhaps this is the nefarious purpose of this virus...
After you feel that all infected applications have been removed and replaced, run Disk Express with the Erase Free Space option turned on. This will cluster your data to the start of the disk and zero out all remaining space. Then use Fedit to search for the VULT and ERIC strings. If they are gone, you are cured. If they are still there, do what you can to find out which file they are in and remove it from the disk. Repeat this until there is no ERIC or VULT. (By the way, if anyone knows where I might find a jerk named Eric Vult who wrote this virus, I have a few things I'd like to say - and do - to him.)
Speculation:
In addition to ERIC and VULT, several of the viral resources contain another possibly important string: HD20. Pure supposition on my part, but this could be a two-step virus. First the spread. You get a bad application. It infects your system. Once active, it spreads to applications. You give one of these to a friend or put it on a BBS. It infects other systems, which infect more applications... In a finite and rather short time it is all over the country. I know for a fact that as of April 2, 1988, it is in Hawaii, Dallas and Washington. Then on some predetermined date, or following some specific action on your part, it performs some heinous act, and possibly on HD20's.
If you own an HD20, I recommend the following: Choose a disk name other than HD20. The name may or may not have anything to do with the possible purpose of this virus, but don't take a chance. The bad news is that the name HD20 is found in multiple places on your disk. To simplify the name changing procedure, choose a name comprised of four letters like Mine, Disk, or Bomb. Use Fedit to search the disk for HD20, and change EVERY occurrence to the new name. You will also find your disk name in the next to the last sector on the disk. Don't overlook this one. Changing to a name of other than four letters is much more complex and I can't explain how to do it here. Just a friendly suggestion.
Prevention:
Contrary to the advice in the Info # 1 document, I have so far found Vaccine to be very effective in controlling this virus. Make sure you have the real Vaccine and not a phony. It is 11,875 bytes in size, created March 19,1988 at 11:49 PM. (I guess CE Software worked long hours on this one. Have you thought of paying them, even though the program is free?) Keep Vaccine running at all times. For those who do not know how to use it, place Vaccine in your System Folder and then open the Control Panel under the Apple menu. Vaccine will appear in the left window. Select it with the mouse and read the instructions.
Research:
We know that an infected application grows in size by 7042 bytes. CODE 0 resource is altered, but with no change in size, and a new CODE of 7026 bytes is created. Where is the additional 16 byte increase? Apparently not in the CODE resources. Help here would be appreciated. Vaccine will beep three times when an attempt is made to infect an application. My guess is one for adding the 7026, one for the CODE 0 change, and one for the 16 bytes. Finding the last may provide the means for rescuing a sick application.
Does the atpl resource have any reference to AppleTalk? Can this virus be spread over a network? I am not a programmer, just a hacker, and do not know.
Me:
One hates to publish a phone number in a document designed for public distribution, but without it you could not relay any important information. Please call only from 8 AM to 8 PM Central time, and only if you have found something not in either of the two documents in this package. Long distance callers, please leave a complete message on the answering machine if it answers, as I cannot afford to return many long distance calls. And thanks for any help.
Howard Upchurch
3409 O'Henry Drive
Garland, TX 75042
(214) 272-7826
Notices:
I have reported information as I have found it. If there are any errors in the above, I apologize but ask not to be held responsible. Some statements may prove false as more information comes to light.
Please look at the "About The Docter" notice. I have chosen this program to distribute these documents as a way of reaching the most and the least knowledgeable Macintosh owners in a way that all can open and read this MOST IMPORTANT information without regard to what word processors he/she might have. Support Mark Wall by buying The Docter. And let's get this damned virus killed before it does any serious damage!
