Eradicat'Em 1.2 (5/10/91) is a minor update of Eradicat'Em 1.0 (12/19/89). Version 1.2 eliminates false infection alarms which would occur when Eradicat'Em 1.0 encountered signature resources associated with a small number of applications (including the Now Utilities "Customizer" program). Version 1.2 has been updated to assure compatibility with Apple's System 7; it is 32-bit clean and works correctly with Finder 7.
BACKGROUND
In early December of 1989, a new Macintosh virus was discovered in Belgium, and almost simultaneously in the United States. This virus, dubbed "WDEF" after the resource it installs, has since been found all across the United States.
WDEF seems to travel very rapidly. A system can become infected if you simply insert an infected floppy disk into your Mac and open a window or two... you don't have to run any programs (other than the Finder) to trigger the infection.
WDEF does not infect programs or System files, to the best of our knowledge. Instead, it infects the invisible "Desktop" file which the Finder maintains on each disk. When you "mount" an infected volume (floppy or hard disk) on your Mac, the Finder opens the Desktop file on the volume. If you then open a window to display the disk's contents, the WDEF virus can be read into memory by the Finder, and can then infect other volumes. It appears to be very easy for WDEF to spread from an infected floppy onto a hard disk; infections travelling from a hard disk to a floppy seem to occur somewhat less frequently, but are nevertheless quite common. WDEF can also spread to some extent over AppleShare and TOPS networks.
WDEF was written to bypass the virus-detectors which had been developed prior to its release. Free antiviral INITs such as Vaccine, Gatekeeper, and RWatcher, and then-current versions of commercial INITs such as SAM Intercept and Virex would not detect WDEF, nor would they prevent it from spreading to uninfected disks.
It appears likely that the author of the WDEF virus intended it to be harmless; the virus does not seem to contain any time-bombs, "Trojan Horse" features, or any other code which would deliberately cause damage. However, there are a number of nasty bugs in the design and implementation of WDEF:
• It will crash several newer models of Macintosh (Mac IIci, IIfx, Portable, Classic, LC, and IIsi) when it tries to infect them.
• It causes occasional problems with the Font Manager... especially when displaying the "outline" style.
• It can seriously degrade the performance of AppleShare networks.
• It has a bad habit of crashing programs during a "Save..." operation. In a number of cases, the disk which was being accessed at the time has been rendered unreadable, due to a scrambled directory. SUM's Disk Clinic and similar utilities may be able to recover many of the files, but the disks themselves must often be reformatted.
STAFFING THE BARRICADES
The only way you can be sure of keeping this virus from infecting your disks is to ensure that it never gets a chance to run. To do this, it is necessary to scan each and every dismountable volume (floppy disk, Syquest cartridge, Bernoulli disk, etc.) when it's inserted into your system.
It is not sufficient to depend on Vaccine, or RWatcher, or GateKeeper 1.1.1, or on the versions of SAM Intercept or Virex dated 11/89 or earlier. The WDEF virus successfully bypasses all of these INITs.
It is not sufficient to depend on periodic scans of your hard-disk with a utility such as Disinfectant or VirusDetective™... WDEF can come in on an infected floppy, infect your hard disk, and cause some real problems before you get around to your weekly scan.
If you're running a late-model Mac... well, there's good news and bad news. The good news is that you'll probably never find a WDEF infection on your hard disk. The bad news is that your machine will crash every time the Finder sees a WDEF-infected floppy.
ABOUT ERADICAT'EM
The Eradicat'Em INIT has been designed to bar the WDEF virus from your system, without requiring that you manually scan each floppy that you insert. Eradicat'Em checks the Desktop file on each of your disk when the Finder opens it. If the WDEF virus is found, Eradicat'Em will warn you with a double-beep, and will attempt to remove the virus. If the virus can be removed, Eradicat'Em permits the Finder to open the Desktop file. If the virus cannot be removed (if, for example, the disk is locked), Eradicat'Em will prevent the Finder from opening the Desktop file; this will prevent the virus from spreading.
Eradicat'Em will eliminate both known strains of the WDEF virus, as well as the one known strain of the CDEF virus. It should also eliminate any other strain or family of virus which attempt to use the "implied loader" technique by hiding in the Desktop file.
Eradicat'Em is not intended to provide a defense against viruses which modify programs or the System file. It's not effective against SCORES, Anti, INIT29, MDEF, or any strain of nVIR. You should use a trap-watcher such as Gatekeeper, and a good program-scanner such as Disinfectant or VirusDetective™, to keep nVIR and its friends out of your Mac. See the "OTHER TOOLS" section below.
INSTALLATION
Eradicat'Em does not require any configuration prior to use... simply drag it into your System folder and reboot. Under System 7, you should place Eradicat'Em in the "Extensions" folder... the Finder will offer to do this for you if you simply drag Eradicat'Em into the System folder. Eradicat'Em must run before Gatekeeper, or any similar INIT which intercepts Resource Manager traps; otherwise, Gatekeeper will prevent Eradicat'Em from removing the WDEF virus from your disks. For this reason, its filename starts with a couple of blanks... this causes its name to sort before Gatekeeper's, and assures that Eradicat'Em runs first. I recommend that you do not rename either Eradicat'Em or Gatekeeper.
SYSTEM 7
Eradicat'Em 1.2 is fully compatible with Apple's System 7. Its behavior is slightly different under System 7 in one case. If you insert an infected, locked floppy disk into your Mac, Eradicat'Em will be unable to disinfect the Desktop file; it will beep repeatedly, and will refuse to allow the Finder to open the file. Under System 6 (and previous releases), the Finder ejects the disk and complains that the Desktop file could not be created. Under System 7, the Finder simply ignores the inaccessible Desktop file... it will let you access the disk, but you may find that some of the files will be displayed with generic "application" or "document" icons, rather than their real icons. If this happens, you should drag the disk icon into the trash, unlock the disk, and reinsert it... this will allow Eradicat'Em to disinfect the disk's Desktop file.
COMPATIBILITY
Eradicat'Em has been tested on Mac Plus, SE, SE/030, and Mac II, IIx, IIcx, IIci, IIfx, and Classic machines, under System 6.0.2, 6.0.3, 6.0.4, 6.0.5, and 6.0.7, under both the "uni-Finder" and MultiFinder environments, with AppleShare and TOPS software, and both with and without the Desktop Manager. It hasn't been tested against the full cross-product of all of these choices, though. It seems to work properly on the alpha- and beta-test versions of System 7.0 to which I've had access.
Eradicat'Em will not install itself on machines with the 64k ROM (the 128k and unenhanced 512k Macs). It will not install itself if the mouse button is held down during the boot process.
I've tried to be careful and conservative in my coding, and to avoid using tricky techniques which might cause compatibility problems. I'm not aware of any nasty or dangerous interactions between Eradicat'Em and any other INITs, etc. Nevertheless, trap-patching is a delicate task; my testing may not have uncovered all possible problems, and I cannot guarantee that Eradicat'Em is bug-free or entirely safe to use.
A NOTE TO USERS OF THE NOW UTILITIES
You may have noticed that Eradicat'Em 1.0 sounds a virus-infection alarm if you insert the floppy disk holding the Now Utilities 2.03 software (and perhaps other versions, as well). This is due to the fact that the Now Utilities "Customizer" program has a signature-code of 'CUST'; Eradicat'Em sees this in the diskette's Desktop file and believes that it's a suspicious viral resource. You may also have noticed that if you unlock the diskette, and allow Eradicat'Em to "disinfect" it, that another virus-alarm goes off (typically, Gatekeeper vetoes the Finder's attempt to write the 'CUST' resource into the Desktop file).
To fix this problem, remove Eradicat'Em 1.0 from your System folder, and replace it with Eradicat'Em 1.2. Reboot your machine. Temporarily disarm your suspicious-activity monitor (e.g. use Gatekeeper's "Override" button). Unlock the Now Utilities diskette and insert it into your floppy drive, while holding down the command and option keys. The Finder will ask you if you want to rebuild the Desktop file; click OK. When the diskette windows appear on the screen, drag the diskette icon into the trash, lock the disk, and put it away for safekeeping. The problem should not recur... Eradicat'Em 1.2 knows about the 'CUST' signature code and will leave it alone.
CONDITIONS OF USE AND DISTRIBUTION
Eradicat'Em is distributed without any warranty whatsoever. I specifically disclaim responsibility for any harm which may come from using it. [Arrgh... I hate disclaimers like this... but in today's litigation-happy environment they seem to be a necessity]
Eradicat'Em is being distributed for free. You may use it, copy it, give it away to friends, upload it to on-line services and bulletin-board systems, and so forth. Please provide a copy of this documentation with any copy of the INIT that you hand out or upload.
Charging anyone a fee for a copy shall be considered a reflection on your extreme bad taste and lack of good-neighbor ethics. I've donated my time and effort to develop this INIT, in an attempt to stem the damage done by the bozo who write the WDEF virus. The least you can do is pass this INIT along to folks in need, without rooking them for a few bucks in the process. 'Nuff said?
VERSION HISTORY
Version 1.0 of Eradicat'Em was released on 12/20/89. Version 1.1 was released on 5/4/91 and was retracted almost immediately due to a bug discovered the day after it was shipped (sigh). Version 1.2 was released on 5/10/91.
CREDITS AND ACKNOWLEDGEMENTS
Eradicat'Em is based in part on the source code for the Eradicator! INIT, written by Guy Fiems, Riccardo Ettore, and Luc Wets. These gentlemen were the first to release an INIT designed to deal with this virus. They were kind enough to have the source code send to John Norstad at Northwestern University; John forwarded it to me.
I've reworked the "guts" of Eradicator! 1.2 to create Eradicat'Em. Eradicat'Em scans for a somewhat wider range of viruses, patches a different set of traps, and has some additional code to ensure compatibility with older machines.
I'd like to express my thanks to Messrs. Fiems, Ettore, and Wets for having identified and characterized the WDEF virus, developed and distributed the Eradicator! INIT, and made the source code available to others for study and tweaking. Without their work, Eradicat'Em would not exist.
I'd also like to express special appreciation to Chris Johnson, the author of Gatekeeper and Gatekeeper Aid (more on which in a moment). Chris has been most generous in sharing his knowledge of the subtlties of the Macintosh Resource Manager. His help has been extremely valuable.
My thanks, also, to Jim Macak, John Norstad, Dick Kriss, Jeff Spencer, and the other people who have acted as beta-testers for earlier versions of Eradicat'Em.
OTHER TOOLS
John Norstad has released new versions of his excellent free program Disinfectant, as details of WDEF and other viruses have become known. Version 2.4 of Disinfectant will identify and remove both strains of WDEF, as well as any yet-to-be-discovered mutant strains that may crop up. Disinfectant is available via anonymous FTP from Northwestern University, from the /info-mac directories at SUMEX-AIM.Stanford.Edu, and from other on-line services and Mac user-groups. Eradicat'Em is completly compatible with Disinfectant and with the ◊ Disinfectant INIT. If you have Eradicat'Em installed on your startup disk, neither Disinfectant nor the ◊ Disinfectant INIT will report a WDEF or CDEF infection; Eradicat'Em will identify and remove the virus before Disinfectant sees it.
Jeff Shulman's VirusDetective™ desk accessory was the only virus-scanning utility which was easily made capable of identifying and removing the WDEF virus. VirusDetective™ is very flexible, easy to use, and (if you pay the very reasonable shareware fee) comes with Jeff's virus-alert and update-notification services. Users who've seen Jeff's new-virus alert postcards will probably agree that they're really getting their money's worth.
Most of the commercial developers of anti-viral software have updated their products to cope with WDEF and other new viruses.
At least one good virus-scanning tool should be part of every Mac-owner's arsenal. You can choose from among free, shareware, and commercial products; there's good software in all categories. Use SOMETHING, fercryinoutloud! I use Gatekeeper 1.1.1 and the ◊ Disinfectant INIT as primary virus-shields, with Disinfectant and VirusDetective™ as scanning tools... and Eradicat'Em too, naturally.
A COMPARISON WITH GATEKEEPER AID
Gatekeeper Aid is Chris Johnson's WDEF-killer. It's a supplement to Chris's excellent Gatekeeper INIT.
Gatekeeper Aid is a comprehensive and aggressive hunter/killer aimed at "implied loader" viruses. It will identify and remove these viruses from the Desktop file, as well as from certain classes of Macintosh document that could be used as a transmission-vector for these viruses. It's a "broad spectrum" solution to a large class of possible viruses. When it finds or eliminates such a virus, it alerts you with a message giving the gory details.
Eradicat'Em is more of a "narrow spectrum" solution. It scans only the Desktop file, and alerts you with a simple double-beep. It's somewhat smaller than Gatekeeper Aid, and may be somewhat less intrusive.
Gatekeeper Aid and Eradicat'Em are both targeted at the same problem. You should use one or the other (or a good commercial equivalent), but probably don't need to use both.
Neither Gatekeeper Aid nor Eradicat'Em use tail-patches to do their job. Tail patching is considered to be A Bad Thing by Apple's Developer Technical Support group, for what I believe are good and sufficient reasons.
A COMPARISON WITH THE ◊ DISINFECTANT INIT
Current versions of the Disinfectant application can install a protection INIT in your system folder. This INIT can detect and temporarily disable the WDEF and CDEF viruses, and it will warn you when it has done so. It will not, however, disinfect the affected disk... you must run the Disinfectant application or another virus-killing utility to do that.
There is no known conflict between Eradicat'Em and the ◊ Disinfectant INIT. You can use both at once, if you want to have both Eradicat'Em's automatic disinfection feature and the ◊ Disinfectant INIT's ability to warn you of a wide range of different types of virus.
A NOTE TO THE PEOPLE WHO WRITE AND CLONE VIRUSES
Hey, guys, writing and releasing viruses is not a good idea. It isn't funny, nor is it a good way to show how smart you are, or how well you understand the Mac. It's no different from throwing a rock through somebody's window, or poisoning somebody's Sudafed.
You _really_ won't like the results, if you're ever publicly identified as the author of a particular virus. Criminal prosecution is a real possibility, and you could also face civil lawsuits for damages that would make your head spin for the next few decades. Even if you aren't arrested or prosecuted, the experience of being accused and questioned is unpleasant in the extreme. [Trust me about this. When I was in high school in the '70s I was called on the carpet for poking around on a computer system I shouldn't have been using. I wasn't being malicious or trying to damage anything... but I had inadvertently deleted an important file, and had my rear end thoroughly roasted as a result. Not a pleasant experience for a 16-year-old.] Don't believe for a moment that it's impossible for you to be identified... it has happened already to one Macintosh-virus writer.
Do something constructive with your abilities... the satisfaction lasts a lot longer!
CONTACT INFORMATION
If you discover bugs in Eradicat'Em, or identify unpleasant interactions with other INITs or with specific hardware or software, I'd appreciate your dropping me a note or email'ogram, or phoning. I can't promise to correct any such problems... I'm doing Eradicat'Em in my spare time, of which there never seems to be enough. I'll probably take a shot at fixing glitches which turn up, though, if they seem sufficiently significant.
Day phone: (415) 494-1600. Calling me at home in the evenings is not kosher and will be met by selective deafness or rudeness.
