I have succumbed again to the urge to speak out on the topic of computer viruses. My objective is to attempt to correct some of the misinformation in the Macintosh community and to offer some basic suggestions for dealing with virus suspicions . Please bear with me as I attempt to educate without pontificating on this controversial subject.
• My first premise in introducing this topic is that Virus writers are of some mentally deranged species, are extremely brilliant, and dangerous as Hell!
• My second premise is that the rampant spread of viruses, in non-networked systems, is due to the proliferation of software. Networked systems are susceptible by virtue of their design. If one accesses an infected file server — they get the virus with the solicited information.
HISTORY:
I was as informed about computer viruses as most computer users are today — be careful where your floppy disk has been and where you stick it and all will be fine was the message of the literature. After all, no-one that I knew had even the sniffles. That was just over one year ago.
Since then I have been introduced to several Virus affected Macintosh's, I have accumulated, and contained a small collection of some of the active buggers for autopsy— I do not recommend that you do this . I have since forgotten my first exposure to this subject, but my phone at home is quite busy among modem and voice communication with "disease centers" and programmers in efforts to learn more about what is going down. I have discovered that there is clearly a phobia among us, but more out of ignorance than a real concern to remedy the situation. Since you have started to read this article, I will assume that you will read on. Perhaps to find out what you think that I know, perhaps you will find that you have to do some investigating on your own. If you are content in your present knowledge, then please do not perturb the path of those of us who are continuing to sleuth our way to a deeper understanding of this subject.
Viruses are simply code, bits of ones and zeroes, which are written onto a floppy disk or hard drive. They are really written into a file or "Resource" in Mac lingo. None have appeared as yet in data files. The basic mission of the virus is to reproduce itself as it comes in contact with other "Resources". Some do no more than reproduce. They fill up empty disks with their spoor, and render otherwise useable data space to garbage data. Others can completely disable your operating system to the exclusion of all but the most heavy-handed remedies.
To date , there are no fewer than two (2) dozen potential detection and inoculation programs to pick from. New ones are produced each day. I even found one labeled "KillVirus" that was a completely debilitating file itself—if it found its way in to the system folder.
BASIC PROTECTION:
What is the user to do? If you perform your computerizing on a networked machine, you should have a greater concern than someone who has the benefit of a limited-user, more personal machine. You will need to start with a "Known good" disk. My recommendations for both configurations are as follows:
1. Find someone who has a "known good" system; a Mac of the same type as the one you typically use.
2. Use a "known good" set of Apple system disks - preferably of the most recent vintage (today it is 6.0.2 or 6.0.3 ). Most corporations are already site licensed to copy system software freely — the Apple cost per site is ≈ $480.00 annually.
3. Create a Startup disk using the minimum system installer program. Include the printer drivers for the printer that you would typically use. Remove all fonts that the Font/DA mover will allow—The Mac requires certain fonts to remain in the system file. Leave Helvetica 12 for clean Laserwriter printing. These operations will leave less than half of an 800K floppy unoccupied.
4. Copy a "known good" Virus Rx file onto your startup disk. Version 1.5 was released by Apple in August of this year. This is freeware and readily available from technically knowledgeable Apple Support Coordinators or your User Group.
5. Copy "Vaccine" into your system folder; these are both freeware; neither will protect against all known viruses, however, some protection is better than none.
6. If you use an external SCSI hard drive on your machine, you will need to add a "Find Me" type file to the startup disk. This is necessary to locate your hard drive from your floppy startup disk. ie Totem Bering uses a "Find Totem" application. Others have similar applications. Recent freeware and shareware are MountEm™, SCSI Probe, and Probe. They are all advertised to be useful for this purpose.
Set this disk to be a startup disk from the special menu. Boot the system from your new clean, known good disk. Get into the Control Panel and find the Vaccine icon. Click on it, read the instructions, and set the parameters for Vaccine accordingly. Initialize the Chooser so that it will perform properly with a locked disk — which you will surely do soon. Reboot the disk. Run the Virus Rx application on the disk — for a confidence check. The Virus Rx application has a "built-in" feature that if attacked by certain viruses, it changes its name to "Throw Me In The Trash" and is rendered impotent. I have actually created a game out of this feature in order to study the virus effects — please do not do this either. You have successfully passed the first hurdle in your quest for a clean system, at a nil cost. Back up this disk and lock them both.
ADVANCED PROTECTION:
I suggest the purchase of several of the "industrial strength" antivirus products. Among these are Virex, version 2.1 as of this writing, which replaced Interferon and is now a commercial product available at discount. The author of Interferon has advised me of certain reporting of anomalies in using Interferon (yes even 3.1). He has been commissioned to write Virex and is not permitted to clear up the deficiencies in Interferon — yes capitalism, and the need to eat even affects good programmers. You can use Interferon, but my advice is to not believe all that it tells you. Other products are SAM by Symantec, 1st Aid Kit™ by 1st Aid Software, and Antitoxin by Mainstay. DiskDetective DA 3.x (shareware) is reported to be a worthy purchase. Recent Freeware such as Disinfectant and GateKeeper are excellent candidates for your arsenal against viruses.
DISCOVERY:
You are now back at the machine which you normally use. You approach with feelings of trepidation. You "cold-boot" from your new, locked startup disk. You access the hard drive. You run Virus Rx against the hard drive. You are breathing hard....You get a notice of INFECTION from the application. Calm yourself—This is the time for truth. You may not be infected. What is this crap, you say to yourself. Do I or don't I have a virus? This is where my suggestion that you use other Virus detecting applications is beneficial. We all need sanity checks periodically.
Do the best that you can to log all infected files, and the pertinent data from the detecting application. Don't forget to use the built-in functions of the Mac — use the view by date to log when the infected files were last modified. Now you see the usefulness of the Printer drivers — yes print it out for all to see!
REPORTING:
You now have a very important decision to make. Who do I tell? If you had passed all tests there would be no problem - right? Should I fake it? My succinct and most cogent answer is to be candid — after all you did not create this situation, you were being very responsible and protecting your applications and files. GET COMPETENT HELP! There are policies and procedures which should be followed as a result of this discovery. The most important thing is to prevent further use of the machine; next is to investigate the cleanliness of all other machines in the vicinity. Leave the investigation of the nature of the Virus and the method of infection to those who are more knowledgeable. As a minimum, I recommend that the following be notified as applicable:
1. Your Supervisor or Manager - advise them in computer literate terminology.
2. Competent help such as your resident technical Apple Support Coordinator.
3. Computer Security Organizations
4. Investigation Service Organizations
5. Information Services Organizations
6. Your User Group Virus Coordinator
YOU ARE ON YOUR OWN:
If the timing of this unhappy event is inconvenient (late hours of the night), there are some remedial steps that are possible. Your first decision, however, must be to try to alleviate the condition or to leave it for the next day, when you are fresh. If you elect to try to proceed, you still should follow the recommendation outlined above at the first opportunity. Do you still want to try — OK. Take notes as you perform things - do NOT trust your memory - your hard work is in jeopardy and you know it. Prepare yourself for approximately three (3) hours of computer surgery for each 20 MB of disk storage.
1. Remove all data files to clean floppy media. If they are excessively large, use streaming tape backup, use whatever you have - but save that data on clean media! The poor slob who used the machine before you probably did not heed the rule of not leaving data on a networked machine; he probably did not back-up either. You must make these preventive and protective assumptions.
2. If you have Virex or Disinfectant or Virus Detective DA or whatever is sound and available, try to eradicate the virus with those applications. DO THIS ONLY IN AN ABSOLUTE EMERGENCY. The best approach is to totally reformat your hard disk.
3. Replace the System with a "known good" system. Make sure that the disks you are reading from are locked. For Gawd sakes - don't infect them.
4. Replace all applications from their original disks (or suitable backups for this purpose), keep them locked - do NOT infect them either. Beware, some applications need to be INSTALLED, not simply copied.
5. Run your detection program on itself and each data disk you recover. Run the application against the suspect hard disk often. There are occurrences where you will get a notice of infection, when in reality, the file or system may really have been inoculated with code such as AntiVirus 1.0E provides. Most shareware or freeware detection applications do not distinguish the difference.
6. Never use ResEdit to poke around if you have never used it. ResEdit is designed as a programmer & developer tool. I cannot emphasize enough the caution that must be taken with this powerful application. The best incentive against using it is that ResEdit will, in all likelihood, become infected if you probe an infected disk. You will then pass the virus to otherwise uninfected disks.
