Disinfectant 2.9
July 4, 1992

Disinfectant 2.9 is a new release of our free Macintosh anti-viral
utility.

Version 2.9 detects the new T4 virus.

The T4 virus was discovered in several locations around the world in
June, 1992.

The virus was included in versions 2.0 and 2.1 of the game GoMoku. Copies
of this game were posted to the USENET newsgroup comp.binaries.mac and to
a number of popular bulletin boards and anonymous FTP archive sites.

The game was distributed under a false name. The name used in the posting,
and embedded in the game's about box, is that of a completely uninvolved
person. Please do not use this person's name in reference to the virus.
The actual virus author is unknown, and probably used this person's name
as a form of harassment.

The virus spreads to other applications and to the Finder. It also
attempts to alter the System file.

When the virus infects an application, it damages it in such a way that
the application cannot be repaired. When you use Disinfectant to attempt
to repair an infected application, Disinfectant removes the virus from the
file, but leaves the file damaged. You should not attempt to use such a
file. Disinfectant issues the following error message:

    ### This file was damaged by the virus, and it cannot
    ### be repaired properly. You should delete the file
    ### and replace it with a known good copy.

The change to the System file results in alterations to the startup code
under both Systems 6 and 7. Under System 6 and System 7.0, the change
results in INIT files and system extensions not loading. Under System
7.0.1, the change may render the system unbootable or cause crashes in
unpredictable circumstances. Disinfectant cannot repair this damage to
the System file. If the virus damages your System file, you will have
to reinstall it.

If your system suddenly stops loading INITs and system extensions for no
good reason, it is a good indication that you may have been attacked by
the T4 virus.

The virus masquerades as Disinfectant in an attempt to bypass general-
purpose suspicious activity monitors like Gatekeeper. If you see an alert
from such an anti-viral tool telling you that "Disinfectant" is trying to
make some change to a file, and if Disinfectant is not running, it is a
good indication that T4 is attacking your system.

Once installed and active, the virus does not appear to perform any other
overt damage. At least one version of the virus may display the following
message:

    Application is infected with the T4 virus.

There are two known strains of the T4 virus: T4-A (contained in GoMoku 2.0)
and T4-B (contained in GoMoku 2.1). The two strains are very similar. The
only significant difference is the trigger date. The trigger date for T4-A
is August 15, 1992, while the trigger date for T4-B is June 26, 1992.
Neither virus does anything before its trigger date. After the trigger
date, the virus begins to spread to other files and attempts to alter the
System file.

We know of an earlier third strain of the T4 virus which appears to have
been used for testing. Disinfectant identifies this strain as "T4-beta".

For those people who may have missed the news about the MBDF virus, we
added the following paragraph to the description of MBDF in the
Disinfectant online manual:

    Three undergraduate students at Cornell University have been charged
    under New York state law with multiple felony counts of first-degree
    computer tampering in connection with the release of the MBDF virus.
    They are awaiting trial.

We hope that this news will help convince potential virus writers that
computer viruses are not trivial or harmless, and that society takes the
problem very seriously indeed. Writing and releasing a virus is a
serious offence which can and should be punished under the law.

Disinfectant 2.9 is available now via anonymous FTP from site
ftp.acns.nwu.edu [129.105.113.52]. It will also be available soon on
sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac,
America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom,
AppleLink, and other popular sources of free and shareware software.

Macintosh users who do not have access to electronic sources of free and
shareware software may obtain a copy of Disinfectant by sending a self-
addressed stamped envelope and an 800K floppy disk to the author at the
address given below. People outside the US may send an international postal
reply coupon instead of US stamps (available from any post office). Please
use sturdy envelopes, preferably cardboard disk mailers.

People in Western Europe may obtain a copy of the latest version of
Disinfectant by sending a self-addressed disk mailer and an 800K floppy
disk to macclub benelux. Stamps are not required. The address is:

    macclub benelux
    Disinfectant Update
    Wirtzfeld Valley 140
    B-4761 Bullingen Belgium

Mactivity-macclub benelux is also offering a new international update
service for Disinfectant. This service is available to people anywhere in
the world, not just Western Europe. For a fee they will send you new
versions of Disinfectant as new viruses appear. Write to them at the above
address for more information.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208 USA
Internet: j-norstad@nwu.edu