Disinfectant may help you detect and remove some Macintosh viruses. It may fail to locate and repair some infected files. Use it at your own risk. Neither the author, John Norstad, nor his employer, Northwestern University, makes any warranty, either express or implied, with respect to this software.
We also grant permission to extract and reproduce all or part of the Disinfectant document in other publications, provided it is not for profit, and provided you give appropriate credit to both John Norstad and Northwestern University.
\str#
\page
\tcon Introduction
\only screen
\pict 300
\only print save
\style bold
\just center
\size 140
Introduction
Viruses and other kinds of destructive computer software have become an increasingly serious problem in the computing world. In the Macintosh community, viruses continue to spread rapidly and widely. Viruses will continue to cause problems for some time.
A virus is a piece of software which attaches itself to other applications or files. Once you run an infected application, the virus quickly spreads to your system files and to other software. Viruses spread from one Macintosh to another via the sharing and distribution of infected software or infected disks.
Viruses may be malicious or non-malicious. Non-malicious viruses replicate, but they do not attempt to do anything destructive. For example, they may beep, display messages on the screen, or do something else innocuous, but they do not intentionally try to do any damage. On the other hand, malicious viruses, in addition to replicating, do attempt to damage something. For example, there have been several viruses in the IBM PC world which intentionally delete files or destroy the contents of hard drives.
We are very fortunate that to date all known Macintosh viruses are non-malicious. It is very important to realize, however, that even non-malicious viruses are almost always damaging, even if it is unintentional. Many people who have experienced infections have reported problems with the normal operation of their Macintosh. Viruses occupy memory and disk space, and this is enough to cause problems all by itself. They also live at very low levels in the operating system, and can interfere in unexpected ways with other parts of the system. We have also discovered errors in most viruses which can cause unexplained crashes and strange behavior.
Disinfectant version 2.0 recognizes the Scores, nVIR, INIT 29, ANTI, MacMag, WDEF, ZUC, and MDEF viruses. It also recognizes all the known variations and clones of these viruses. Furthermore, Disinfectant also recognizes many possible unknown variations and clones. It will both detect the viruses and repair files which have been infected by the viruses.
Disinfectant will not recognize all possible viruses—only the ones it has been configured and programmed to recognize. If a new virus or strain appears, we will have to modify the application to recognize it, and you will have to get a new copy of the application.
Disinfectant does not recognize the “Dukakis” virus, which only propagates between HyperCard stacks and is very rare.
Disinfectant also includes a virus protection startup document (INIT). When properly installed, the Disinfectant INIT will protect an uninfected system against infection by any of the known Mac viruses.
Viruses should not be confused with other types of destructive software such as “worms” and “Trojan horses.”
A “worm” is an application which replicates and spreads, but does not attach itself to other applications. Unlike a virus, it does not require a host to survive and replicate. Worms usually spread over a network of computers. They are not spread through the sharing of applications. The most well-known example is the Fall 1988 Internet worm, which infected and disabled several thousand government and university UNIX computers in a single day.
A “Trojan horse” is an application which appears to do something useful, yet additionally does something destructive behind your back. An example is the “Sexy Ladies” HyperCard stack, which erased your hard drive while you ogled the cheesecake images. Trojan horses do not replicate.
Disinfectant does not attempt to address the problems of worms and Trojan horses.
There is no need to panic over the current virus situation. However, you should take the problem seriously. Using Disinfectant, it only takes a few minutes per week to effectively protect your Macintosh against the known viruses. See the section titled “Recommendations” for a short list of the simple things we suggest you do to protect your Mac.
There is a dangerous misconception that you can protect your Macintosh against viruses by avoiding shareware and freeware software. This is far from the truth. There have been many reported cases of (inadvertently) infected commercial software. Most of the major national sources for freeware and shareware software are remarkably virus-free.
The analogy between biological viruses and computer viruses is striking. Both of them replicate and they both require the assistance of a host to survive. In both cases, the infected system is sometimes severely damaged. With both kinds of viruses, it is sometimes possible to remove the infection without damaging the system, and it is sometimes possible to inoculate or vaccinate the system to protect it against future infection.
As with all analogies, however, it is possible to carry the analogy between biological and computer viruses too far. Computers are not living organisms. Biological viruses usually occur naturally and are almost never created by people. Computer viruses are always created by people—they never occur naturally. Most importantly, it is not possible to compare the enormous suffering caused by biological viruses such as AIDS to the comparatively meaningless damage caused by computer viruses.
For more information on the problems of computer viruses and destructive computer software in general, we refer you to the report “Computer Viruses—Dealing with Electronic Vandalism and Programmed Threats,” by Eugene H. Spafford, Kathleen A. Heaphy, and David J. Ferbrache, published by ADAPSO, the computer software and services industry association. Contact ADAPSO at 1300 N. 17th Street, Suite 300, Arlington, VA 22209, (703)522-5055, for information on how to obtain a copy of this report.
\str#
\page
\tcon Quick Start
\only screen
\pict 315
\only print save
\style bold
\just center
\size 140
Quick Start
This section describes how to use Disinfectant for the first time to check your system for viruses, remove any viruses which you may have on your system, and protect your system against future infections. We also discuss a few very important rules and restrictions which you should follow when using Disinfectant.
• Step 1. Make a virus tools floppy containing a copy of the System file, a copy of the Finder file, and a copy of Disinfectant.
\pict 201
Use original locked Apple release disks for your copies of the System and Finder files. Lock the virus tools disk and keep it locked at all times—viruses cannot infect files on locked floppies. To lock the floppy, slide the plastic tab on the back of the floppy up so that you can see through the hole.
• Step 2. Restart your Macintosh using the virus tools floppy you made in step 1. Run Disinfectant from the virus tools floppy. Click on the Eject button to eject the virus tools floppy.
• Step 3. Disinfect all of your hard drives. (Skip this step if you do not have a hard drive.) Select the “All Disks” command from the “Disinfect” menu. Disinfectant will scan all of your hard drives and will remove any viruses which it discovers.
• Step 4. Disinfect all of your floppy disks. Select the “Floppies” command from the “Disinfect” menu. Disinfectant will prompt you to insert floppies one at a time to be scanned and repaired. Unlock each disk before inserting it—Disinfectant cannot repair a disk if it is locked. You can lock the disk again after Disinfectant has ejected it.
• Step 5. Install Disinfectant on your hard drive. (Skip this step if you do not have a hard drive.) Quit Disinfectant. Drag a copy of Disinfectant to your hard drive.
\keep
• Step 6. Install the protection INIT on your hard drive. (Skip this step if you do not have a hard drive.) Restart your Macintosh using your hard drive. Run Disinfectant from your hard drive. Select the “Install Protection INIT” command from the “Protect” menu. Disinfectant will place a copy of the protection INIT inside the currently active System folder on your hard drive. Restart your Macintosh using your hard drive one more time to activate the INIT. You should see the protection INIT icon appear at the bottom of your screen during startup.
\pict 209
\endkeep
• Step 7. Install the protection INIT on each of your startup floppy disks. Run any copy of Disinfectant. Select the “Extract Protection INIT” command from the “Protect” menu. A standard file dialog should appear. Use the standard file dialog to save a copy of the protection INIT. Quit Disinfectant. Drag copies of the protection INIT into the System folder on each of your startup floppy disks.
There are only a few rules and restrictions when running Disinfectant, but they are important.
When using Disinfectant in its “disinfecting” (file repair) mode, use Finder instead of MultiFinder to avoid possible problems with busy files.
Disinfect all your disks at one time. Do not do some of them, then run some other applications, and finally disinfect the rest of your disks. If you run other applications before making certain that you have completely eradicated the virus, you run the risk of reinfecting your system.
Try to make certain that your virus tools disk is not infected. Run Disinfectant and use the Scan button to check the virus tools disk to make certain that none of the three files are infected. Keep your virus tools disk locked to prevent future infection.
You can and should run Disinfectant from your hard drive. It is not necessary to run it from your virus tools floppy for everyday use. If you encounter problems running it from your hard drive, however, we suggest that you try restarting your Mac using the virus tools disk and then run Disinfectant from the virus tools disk. This avoids INIT conflicts and other possible causes of problems.
If you run Disinfectant on a GateKeeper-protected system, check to make certain that Disinfectant has been granted all GateKeeper privileges (“File” and “Res” privileges for “Other,” “System” and “Self”).
\keep
If you run Disinfectant on a Vaccine-protected system, Vaccine may present a dialog box asking for permission to “add a CODE resource”. Grant the request—this is Disinfectant trying to repair an infected file.
\pict 208
\endkeep
For even greater safety, if you have locked original copies of applications and system files, you can delete the files that Disinfectant says are infected and reinstall uninfected copies from the original floppies. If you do this, use Disinfectant to rescan the replaced files to make certain your originals were not infected.
After Disinfectant starts from a fixed hard drive, you may notice considerable disk activity, even though it appears that Disinfectant is not doing anything. This is normal, and you should not be concerned. Disinfectant computes a thorough checksum of itself in the background to make certain that it has not been damaged, infected by a virus, or otherwise modified. This background check does not interfere with or seriously degrade the normal operation of the application.
When Disinfectant starts from a floppy disk or other ejectable disk, it completes its initial checksum before presenting the main window. A dialog is presented asking you to “Please Wait.” This can take some time. Please be patient.
Disinfectant creates a file named “Disinfectant Prefs” in your System folder. This file is used to save preferences, window positions, and page setup information between Disinfectant sessions.
You should now be ready to use Disinfectant for the first time. The remainder of this document gives more information about Macintosh viruses and Disinfectant. You may read it now if you wish, or return to read it later.
\str#
\page
\tcon Windows
\only screen
\pict 314
\only print save
\style bold
\just center
\size 140
Windows
This section describes each of Disinfectant’s windows.
\tag 500
\tcon Main
\style bold
\size 120
The Main Window
The main Disinfectant window is the one you will use most often. It contains the main controls for the application and it displays the report generated by the application. The main window is always open and cannot be closed.
The operation of Disinfectant is controlled by six buttons in the main window:
\tag 300
\tag 301
\just left
\pict 210
• Drive and Eject. Use these buttons to select the disk you want to scan or disinfect. These buttons work just like they do in Apple’s standard file dialogs. The Drive button cycles through all of your hard disks and floppy disks. The Eject button is used to eject a floppy disk.
\tag 302
\tag 303
\keep
\just left
\pict 211
• Scan and Disinfect. Use the Scan button to scan the disk you selected. Disinfectant will check the disk for infections, but it will not try to repair infected files.
Use the Disinfect button to scan and disinfect the disk you selected. Disinfectant checks each file for infection and attempts to repair any infected files which it finds.
For other kinds of scans, you can use the menus or command keys. The Scan and Disinfect menus are described in detail in the section titled “Menus.” You can also hold down the following key or keys while clicking on the Scan or Disinfect button:
Option key: Scan a single folder or file.
Command key: Quickly scan a sequence of floppies.
Option and command keys: Scan all mounted volumes.
\endkeep
\tag 304
\keep
\just left
\pict 214
• Cancel. This button is active during disk scans. Use it if you want to cancel the scan. You can also type Command-Period to cancel a scan.
\endkeep
\tag 305
\keep
\just left
\pict 215
• Quit. Quits the application.
\endkeep
\tag 321
\keep
Both the Scan and Disinfect buttons produce a detailed report in the field on the left side of the screen. When the scan is complete, you can use the scroll bar to view the entire report.
\pict 206
\endkeep
In addition to using the scroll bar, you can also use the up and down arrow keys to scroll the report backwards or forwards one line at a time (if your keyboard has these keys). To scroll up or down one screen at a time, hold down the command key while pressing the up or down arrow key. To jump to the beginning or end of the report, hold down both the command and shift keys while pressing the up or down arrow key.
\keep
\tag 320
Several other pieces of information are displayed in the top right corner of Disinfectant’s main window:
\pict 205
\endkeep
The current disk name is a popup menu. You can click on the disk name and keep the mouse button held down to get a popup menu listing all of your disks. This is an alternative to using the Drive button.
During a disk scan, the names of the folder and file currently being scanned are displayed next to the small folder and file icons. In addition, a thermometer fills with gray to indicate the progress of the scan. The thermometer is only available on full disk scans. It is not present on folder scans, file scans, or scans of server disks.
The three counters show a running total of how many files have been scanned, how many infected files have been discovered, and how many errors have been encountered. You can click on the small Reset button next to the counters to reset all of them to zero.
\keep
\tag 501
\tag 602
\tcon Help
\style bold
\size 120
The Help Window
This window displays the document you are reading now. It is opened by the “Disinfectant Help” command in the Apple menu or by the Command-H keyboard equivalent.
Use the scroll bar to scroll through the document.
In addition to using the scroll bar, you can also use the up and down arrow keys to scroll the document backwards or forwards one line at a time (if your keyboard has these keys). To scroll up or down one screen at a time, hold down the command key while pressing the up or down arrow key. To jump to the beginning or end of the document, hold down both the command and shift keys while pressing the up or down arrow key.
\endkeep
\keep
You can quickly jump to any section of the document by clicking on the section title in the table of contents on the right side of the window. The table of contents is a scrolling menu. Click on the triangles at the top and bottom of the menu to scroll up or down.
\pict 203
\endkeep
The document can be printed and you can save it as a text file. See the section on the File menu for more details.
Disinfectant offers a method to help you quickly locate information in the document. Press Command-? and the cursor will turn into a question mark. Then click on any object in any of Disinfectant’s windows or select any menu command. Disinfectant will bring up the help window and scroll to the description of that object or command.
If Disinfectant issues an error message in the report, press Command-? and click on any error message line (any line that begins with “###”) to get a detailed description of that error message.
If Disinfectant reports that a file is infected by a virus, press Command-? and click on the infection message in the report to get a detailed description of that virus.
Help mode can be canceled at any time by pressing Command-Period.
\keep
\tag 628
\tcon Preferences
\style bold
\size 120
The Preferences Window
This window lets you set various options and parameters for Disinfectant. It is opened by the “Preferences” command in the File menu.
\tag 330
• Beeping option.
\pict 240
This option specifies how many times Disinfectant should beep when an infection is discovered. The default is no beeping.
\endkeep
\keep
\tag 331
• Scanning station options.
\pict 241
If you wish, you can establish a special Mac in your lab or office to be used for nothing but checking for viruses. Users can simply insert their floppies to have them scanned or disinfected. You can even remove the mouse and keyboard to discourage use of the Mac for anything but checking for viruses.
\endkeep
\keep
If you do remove the mouse and keyboard, you should first build a special scanning station startup disk:
Step 1. Make a copy of your regular virus tools disk (System + Finder + Disinfectant).
Step 2. Restart using the disk you just made, and run Disinfectant.
Step 3. Select the “Preferences” command from the “File” menu to open the preferences window.
\endkeep
Step 4. Check the “Scanning station with no mouse or keyboard” option.
Step 5. Select either the “Scan” or the “Disinfect” option.
Step 6. Close the Preferences window and quit Disinfectant.
Step 7. You should see a fourth file on the disk named “Disinfectant Prefs”.
Step 8. In the Finder, click on the Disinfectant application icon to select it, and then use the “Set Startup” command in the “Special” menu to set Disinfectant as the startup application for this disk.
Step 9. Shut down and lock the disk. This is your special scanning station startup disk.
You should use this special startup disk whenever you restart your scanning station. It will automatically go into Disinfectant’s floppy scanning mode. You should need neither the keyboard nor the mouse at any time during the startup process.
This scanning station option also tells Disinfectant to avoid any situations which might require use of the mouse or keyboard in the future.
We do not recommend that you check this option in any other situation. Use it only for scanning stations.
\keep
\tag 332
• Saved text file options.
\pict 242
You can save the reports generated by Disinfectant and you can also save text-only versions of the document. These files are always saved as plain text files without any formatting and they can be read by any Macintosh word processor or editor.
By default, Disinfectant saves reports as TeachText files and it saves documents as Microsoft Word files. This means that if you open a saved report from the Finder, TeachText will be opened, whereas if you open a saved document from the Finder, Microsoft Word will be opened.
You can change the applications which own these saved files. The boxes containing the names of the applications are popup menus which let you select any of the more popular word processors and editors. You can also type “creator types” directly in the fields to the right of the application names.
You may notice that the popup menu for saved reports contains more application names than does the popup menu for saved documents. This is because saved documents are very large and not all of the applications can handle such large files.
\endkeep
\keep
\tag 333
• Background notification options.
\pict 243
Disinfectant can run in the background under MultiFinder. This option specifies how you wish to be notified if an infection is discovered or if Disinfectant requires attention for some other reason. The default is to display a diamond next to Disinfectant’s name in the Apple menu and to flash the small Disinfectant icon in the menu bar.
\endkeep
\keep
\tag 503
\tag 601
\tcon About
\style bold
\size 120
The About Window
This window presents Disinfectant’s about box. Our apologies to Monty Python. It is opened by the “About Disinfectant” command in the Apple menu.
\endkeep
\str#
\page
\tcon Menus
\only screen
\pict 313
\only print save
\style bold
\just center
\size 140
Menus
This section describes each of Disinfectant’s menus.
\keep
\tcon Apple
\style bold
\size 120
The Apple Menu
\pict 250
• About Disinfectant…
This command opens Disinfectant’s about window or brings it to the front if it is already open.
\endkeep
\keep
• Disinfectant Help… (Command-H)
This command opens Disinfectant’s help window or brings it to the front if it is already open.
\endkeep
\keep
\tcon File
\style bold
\size 120
The File Menu
\pict 251
\tag 621
• Close (Command-W)
This command closes the active (front) window.
\endkeep
\keep
\tag 622
• Save As… (Command-S)
This command saves reports and documents as text files. If the main window is active, the report is saved as a TeachText file. If the help window is active, the Disinfectant document is saved as a Microsoft Word text file. A standard new file dialog appears, asking you to specify the file’s name and location.
These saved text files can be read by most any Mac word processor or editor. You can change the type of the file (TeachText and Microsoft Word by default) in the preferences window.
You can save a separate report for each disk you scan or you can scan many disks and save the combined reports as a single file. The latter option is particularly appropriate when scanning a sequence of floppies.
When the document is saved, only the text from the document is saved, without the pictures, and without any of the formatting. The primary purpose of this feature is to let you save the text so that you can copy and paste it into newsletter articles or other documents. We grant you permission to do this, if it is not for profit, and if you give appropriate credit to the author and to Northwestern University.
\endkeep
\keep
\tag 624
• Page Setup…
This command presents an expanded version of the standard page setup dialog. The extra items in the bottom half of the dialog window are used to specify additional options for a printed report or document. You can specify the font and font size, all four margins, and an option to print the pages in reverse order.
\endkeep
\keep
\tag 625
• Print… (Command-P)
This command is used to print reports and documents. It presents the standard print job dialog.
If the main window is active, the report is printed. If the help window is active, a formatted copy of the Disinfectant document is printed.
The printed version of the document has a title page, table of contents, page headers, smart page breaks, and other nice formatting features. Paragraphs are reformatted to fit the margins specified in the page setup dialog.
\endkeep
\keep
\tag 626
• Print One
This command prints one copy of all pages of a report or document. It does not present the standard print job dialog.
\endkeep
\keep
• Preferences…
This command opens the preferences window or brings it to the front if it is already open.
\endkeep
\keep
\tag 630
• Quit (Command-Q)
This command quits Disinfectant.
\endkeep
\keep
\tcon Edit
\style bold
\size 120
The Edit Menu
\pict 252
\tag 641
• Undo (Command-Z)
This command is not used by Disinfectant. It is present only for desk accessories.
\endkeep
\keep
\tag 643
• Cut (Command-X)
This command cuts selected text to the clipboard.
\endkeep
\keep
\tag 644
• Copy (Command-C)
This command copies selected text to the clipboard.
\endkeep
\keep
\tag 645
• Paste (Command-V)
This command inserts the contents of the clipboard at the current cursor location or replaces the currently selected text by the contents of the clipboard.
\endkeep
\keep
\tag 646
• Clear
This command clears the selected text. It is equivalent to pressing the Delete key.
When the main window is active, this command clears the report. If the report lists any infections, you will be presented with an alert asking whether you want to save the report before clearing.
\endkeep
\keep
\tcon Scan
\style bold
\size 120
The Scan Menu
\pict 253
\tag 661
• File…
This command scans a single file. It presents the standard open file dialog.
\endkeep
\keep
\tag 662
• Folder…
This command scans a single folder. It presents a modified open dialog which lists only folders.
\endkeep
\keep
\tag 663
• Floppies
This command is used to quickly scan a sequence of floppy disks. Disinfectant will prompt you to insert floppies and will eject them when they have been scanned. You can also use this command to scan CD-ROM disks or other kinds of removable media.
\endkeep
\keep
\tag 664
• All Disks
This command scans all mounted volumes. This option is useful if you have more than one hard disk and you want to scan all of them.
\endkeep
\keep
\tag 665
• Some Disks…
This command presents a dialog in which you specify which mounted volumes you wish to scan. This option is useful if you wish to scan more than one disk, but not all of them.
\endkeep
\keep
\tag 666
• System File
This command scans just the currently active System file.
\endkeep
\keep
\tag 667
• System Folder
This command scans just the currently active System folder.
\endkeep
\keep
\tcon Disinfect
\style bold
\size 120
The Disinfect Menu
\pict 254
\tag 681
• File…
This command disinfects a single file. It presents the standard open file dialog.
\endkeep
\keep
\tag 682
• Folder…
This command disinfects a single folder. It presents a modified open dialog which lists only folders.
\endkeep
\keep
\tag 683
• Floppies
This command is used to quickly disinfect a sequence of floppy disks. Disinfectant will prompt you to insert floppies and will eject them when they have been disinfected. You can also use this command to disinfect other kinds of removable media.
\endkeep
\keep
\tag 684
• All Disks
This command disinfects all mounted volumes. This option is useful if you have more than one hard disk and you want to disinfect all of them.
\endkeep
\keep
\tag 685
• Some Disks…
This command presents a dialog in which you specify which mounted volumes you wish to disinfect. This option is useful if you wish to disinfect more than one disk, but not all of them.
\endkeep
\keep
\tag 686
• System File
This command disinfects just the currently active System file.
\endkeep
\keep
\tag 687
• System Folder
This command disinfects just the currently active System folder.
\endkeep
\keep
\tcon Protect
\style bold
\size 120
The Protect Menu
\pict 255
\tag 701
• Install Protection INIT…
This command installs the Disinfectant protection INIT in the currently active System folder.
After the INIT has been copied into your System folder, Disinfectant presents an alert informing you that you must restart your Mac to activate the INIT. Click on the Restart button to restart your Mac. Click on the Cancel button to return to Disinfectant.
See the section below titled “Protection” for more details.
\endkeep
\keep
\tag 702
• Extract Protection INIT…
This command extracts the Disinfectant protection INIT to any file of your choosing. A standard file dialog appears which lets you specify the location of the extracted file.
See the section below titled “Protection” for more details.
\endkeep
\str#
\page
\tcon Protection
\only screen
\pict 302
\only print save
\style bold
\just center
\size 140
Protection
The Disinfectant application by itself will not protect your system against infection—it will only locate and repair previously infected files and disks. To protect your system against infection, you must install a protection startup document (protection INIT).
Disinfectant includes such a protection INIT. When properly installed, it will protect your system against all of the known Macintosh viruses.
WARNING: The Disinfectant protection INIT will not protect your system against unknown viruses! If a new virus appears, we will have to release a new version of Disinfectant to recognize it.
Use the “Install Protection INIT” command in the “Protect” menu to install the Disinfectant INIT in your currently active System folder. You must restart your Macintosh to activate the INIT.
Use the “Extract Protection INIT” command in the “Protect” menu to extract a copy of the Disinfectant INIT to any location you desire.
The Disinfectant INIT is simple, small, efficient, and unobtrusive. It does not need to be configured. In fact, it has no control panel interface at all, so it cannot be configured. The INIT will never ask you to make a decision. It should have no noticeable effect on the performance of your Mac. It is very tiny, and can easily be used on floppy startup disks (e.g., in University labs with floppy-only Macs). The INIT does not interfere with the normal operation of Disinfectant or other anti-viral applications, or with programming environments, installer applications, or other system software.
\keep
If you run an application which is infected by one of the known Mac viruses, the Disinfectant INIT beeps ten times, quits the application, and presents an alert. For example, if the application “MacWrite” is infected by the nVIR virus, the following alert appears when you try to run the application:
\pict 290
\endkeep
The Disinfectant INIT only detects and blocks viruses; it does not remove them. To remove a virus, you must use the Disinfectant application.
If you use a disk which is infected by the WDEF virus, the Disinfectant INIT beeps ten times, presents an alert, and temporarily neutralizes the virus. You can safely use the disk; the virus will not spread. You should use the Disinfectant application to remove the virus from the disk.
If you use a HyperCard stack which is infected by the MacMag virus, the Disinfectant INIT beeps ten times, presents an alert, and temporarily neutralizes the virus. You can safely use the stack; the virus will not spread. You should use the Disinfectant application to remove the virus from the stack.
The Disinfectant INIT also checks your System file at startup time to see if it is infected by any of the known viruses. If it discovers one of the known viruses at startup time, it beeps ten times and presents an alert.
The Disinfectant INIT uses the Notification Manager to present its alerts. The Notification Manager is not available on systems older than System 6.0. With these old systems, the INIT only beeps ten times and it does not present an alert.
The name of the Disinfectant protection INIT begins with the special symbol “◊”:
◊ Disinfectant INIT
The special “◊” symbol is present to force the Disinfectant INIT to be the last INIT loaded when you start up your Macintosh. This is important—the Disinfectant INIT must be loaded last! If you rename the INIT, make certain that you rename it so that it comes last in alphabetical order in your System folder.
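The load-order rule above can be checked mechanically. The following is an added example, not part of Disinfectant or its documentation: it tests whether the protection INIT sorts last in a listing of startup documents. The ordering model (case-insensitive comparison of Mac Roman bytes) is an assumption that approximates the alphabetical order described here, and the listings and the "Sample" names are constructed.

```python
"""Check that the protection INIT sorts last among startup documents."""

LOZENGE = "\u25ca"  # the special symbol that begins the INIT's name
PROTECTION_INIT = LOZENGE + " Disinfectant INIT"


def sort_key(name):
    # ASSUMPTION: alphabetical order is modelled as a comparison of
    # Mac Roman bytes with ASCII letters folded to upper case. The lozenge
    # encodes to 0xD7, above every ASCII letter, digit and space.
    return name.encode("mac_roman").upper()


def load_order(names):
    """Return the names in the assumed startup load order."""
    return sorted(names, key=sort_key)


def check_loads_last(names, protection=PROTECTION_INIT):
    """Return (status, later).

    status is "missing" if the protection INIT is not in the listing,
    "ok" if nothing sorts after it, and "not-last" otherwise; later
    lists the names that would load after it, in load order.
    """
    if protection not in names:
        return "missing", []
    pkey = sort_key(protection)
    later = [n for n in load_order(names) if sort_key(n) > pkey]
    return ("ok", []) if not later else ("not-last", later)


# Constructed listings of startup documents in a System folder.
# GateKeeper and Vaccine are named in this document; the "Sample"
# entries are hypothetical.
INSTALLED = ["Vaccine", "GateKeeper", PROTECTION_INIT, "Sample Clock INIT"]

# The INIT renamed without the leading symbol: other INITs now load later.
RENAMED = ["Vaccine", "GateKeeper", "Disinfectant INIT", "Sample Clock INIT"]

# Another startup document using the same naming trick sorts even later.
SAME_TRICK = INSTALLED + [LOZENGE * 2 + " Sample Other INIT"]


if __name__ == "__main__":
    print(check_loads_last(INSTALLED))
    print(check_loads_last(RENAMED, protection="Disinfectant INIT"))
    print(check_loads_last(SAME_TRICK))
    print(check_loads_last(["Vaccine", "GateKeeper"]))
```

The third listing shows why the symbol alone is not a guarantee: any other startup document whose name sorts after “◊ Disinfectant INIT” will load later.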
\keep
The Disinfectant INIT icon should appear at the bottom of your screen every time you restart your Macintosh. If an error occurs, and the INIT cannot load properly, the INIT will beep ten times, and it will draw a special error version of the icon—the normal icon with a large “X” superimposed.
\pict 291
The Disinfectant INIT requires the hierarchical file system (HFS). If you try to use the INIT on a very old system which does not support HFS, it will not load properly, and it will display the error icon.
\endkeep
An alternative to the Disinfectant INIT is Chris Johnson’s excellent GateKeeper protection INIT. GateKeeper is a “general purpose suspicious activity monitor.” Unlike the Disinfectant INIT, GateKeeper checks not only for the known viruses, but also for suspicious activity characteristic of viruses in general. Thus it can often provide protection against even unknown viruses. GateKeeper requires some configuration and it will sometimes ask the user to make complicated decisions. It is much more powerful than the Disinfectant INIT, but it is also larger, more complicated, more obtrusive, and harder to use than the Disinfectant INIT.
It is very important that you use either the Disinfectant INIT or GateKeeper to protect your system.
You can use both GateKeeper and the Disinfectant INIT if you wish. Just make certain that the Disinfectant INIT loads last at startup time.
\str#
\page
\tcon Recommendations
\only screen
\pict 303
\only print save
\style bold
\just center
\size 140
Recommendations
There is no need to panic over the current virus situation. However, you should take the problem seriously.
• If you do nothing else, use the Disinfectant INIT or GateKeeper religiously. They only take a minute to install and they can save you much grief.
• Keep original software on locked floppies. Use copies. When you obtain a new piece of software, immediately lock the disk it came on, make a copy and use the copy. Never unlock the original disk. It is impossible for a virus to infect files on a locked floppy.
• Make periodic backups of your hard drive, at least once per week.
• Run Disinfectant just before each backup to make certain the backups do not become infected and to make certain your system has not become infected.
• Before using new software, check it for possible infections with Disinfectant. This rule applies to all new software—commercial software, shareware, and freeware.
\keep
The remaining recommendations are for people who manage Mac networks, Mac laboratories, Mac bulletin boards, or collections of public domain and shareware software. An environment where many people share Macs, or share a Mac network, is a perfect breeding ground for viruses. People who sell software also have a special responsibility to make certain that their software is free from infection.
• Install the Disinfectant protection INIT or GateKeeper on all your lab start-up disks.
• Check all your lab disks frequently with Disinfectant to make certain that they are uninfected. Also check to make certain that the Disinfectant protection INIT or GateKeeper is still installed and active on all your start-up disks. We have discovered that students love to play with the start-up disks. At Northwestern University we try to check our lab disks once a week.
\endkeep
• Educate the people in your organization about viruses and how to protect against them. Give them copies of Disinfectant and teach them how to use the application. Distribute printed copies of the Disinfectant document.
• Create a special “virus scanning station” in your lab. See the section on the preferences window for details.
• Try to put software in write-protected folders on AppleShare server disks. Viruses cannot infect applications if they are in folders which do not have the “Make Changes” privilege. On the other hand, if an application is in a writable server folder, any infected Mac on the network that accesses the disk and uses the application might spread the infection to the application on the server. If it is a popular application, it will in turn quickly infect any other Macs on the network which are not protected by a protection INIT. This is one way in which viruses can spread very rapidly. Since some applications insist on writing to their own file or folder, it is not always possible to put applications in write-protected folders, but you should make every attempt to do this when it is possible.
• Check server disks frequently with Disinfectant to make certain they are uninfected. For best results you should take the server out of production, start up the server from your virus tools disk, and run Disinfectant from the virus tools disk. This is the only way to guarantee that Disinfectant will be able to scan all the files on the server disk. At Northwestern, we try to check all our servers once a week. For more details on scanning servers, see the discussion in the “Special Features” section.
• Check all new software with Disinfectant before installing it on a server.
• Back up your servers frequently. Run Disinfectant just before each backup.
• Bulletin board operators and other people who maintain and distribute public domain and shareware software have a special responsibility to the Mac community. Please carefully test all new software before distributing it. You should also, of course, run Disinfectant on all new software you receive.
• If you sell software, please check your master disks for infections before sending them out to be duplicated and distributed.
\str#
\page
\tag 400
\tcon Problem Clinic
\only screen
\pict 301
\only print save
\style bold
\just center
\size 140
Problem Clinic
This section discusses what you should do if you think that your system may be infected by a new virus, but Disinfectant reports that it cannot locate any known viruses.
There are many, many things which can go wrong on a Macintosh and almost all of them have absolutely nothing to do with viruses. Thousands of people have reported strange behavior on their Macintoshes to anti-viral experts, but after careful investigation only a handful of these cases were actually new viruses.
If your Macintosh begins to malfunction or behave unusually, please do not yield to the temptation to immediately blame the malfunction on a new virus. There are several things you can do to try to isolate the problem.
The most common cause of problems is simple errors in software. An error in an application, startup document (INIT), control panel (cdev), or other piece of software can cause crashes, hangs, damaged files, trashed disks, or any other kind of problem imaginable.
Thus, the first question you should ask is, “Have I installed any new software lately?” If the answer is yes, try removing the software and see if the problem disappears.
One very common symptom on the Macintosh is problems with the proper display of icons in Finder windows. This symptom is almost never due to a virus, even though the Scores virus does change the appearance of a few icons. This problem is almost always due to a damaged “Desktop” file. If your icons are not being displayed properly, you should rebuild the Desktop file. On hard drives you do this by holding down the Command and Option keys while restarting your system. Keep the keys held down until an alert appears asking if you really want to rebuild the desktop. Click on the OK button when the alert appears. To rebuild a desktop file on a floppy disk, hold down the Command and Option keys while inserting the floppy into a floppy drive.
Another common problem is damaged applications. If an application begins behaving unusually, try replacing it with a known good copy from your locked original master floppy.
Another common problem is damaged system files in the System folder. The best way to cure this problem is to rebuild your System folder from scratch. Restart your Macintosh from a startup floppy (a floppy containing clean copies of the System and Finder files). Drag the Finder file outside of the System folder on your hard drive. Rename your hard drive System folder “Old System Folder.” Then use your Apple installer disks to install a completely new System folder on the hard drive. Restart from this hard drive. If your problem disappears, then you have verified that the cause of the problem was something in your old System folder. Use the Font/DA Mover to copy all of your fonts and DAs from your old System file to your new System file.
Next, copy files from your old System folder into your new System folder a few at a time. Restart your Mac after each copying operation and use it for a while to see if the problem has come back. If the problem has not come back, copy a few more files over and repeat the process. Eventually the problem will reappear and you will have narrowed down the cause of the problem to the last few files which you copied. You can now remove these last few files from your new System folder one at a time to locate the file that is causing the problem. Replace the problem file by a known good version.
In some cases, software errors can damage the areas on your disk which contain file directories and other important system information. This can sometimes be so serious that all or some of the files and folders on the disk become inaccessible, or the system may not even be able to mount the disk at all, or the system may simply behave strangely. In this case you may attempt to use a disk recovery utility, or you may be forced to reinitialize and reformat the disk and reload your files from backup floppies or tapes. There are several good disk recovery utilities available, including Apple’s Disk First Aid, which is included with every Mac sold. If you have access to Apple’s Macintosh Technical Notes, consult note number 134, “Hard Disk Medic & Booting Camp.”
If all else fails and you still suspect that your system may be infected by a new virus, there are a few additional things you can try. Monitor application file sizes and last modification dates with the Finder’s Get Info command. If your applications are consistently growing in size, or if their last modification dates are consistently changing, this is one indication that there may indeed be a virus spreading on your system. Do not, however, be concerned about changes in size or changes in the last modification date of your System file—this is normal and does not indicate a virus. Also, some applications modify themselves, and in these cases you may see a legitimate increase in size and/or change in the last modification date. Look for consistent patterns of change which affect several files.
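The size and date check described above can be run as a comparison of two snapshots. This Python code is an added example, not part of Disinfectant or the original document; the function names, the threshold for “several files,” the list of self-modifying applications, and the sample snapshots are all assumptions made for illustration.

```python
import os

# Assumptions (not from the page): the threshold for "several files" and the
# idea of passing in the names of applications known to rewrite themselves.
SEVERAL = 3
IGNORED_NAMES = {"System"}  # per the text, System file changes are normal


def snapshot(root):
    """Map each file under root to (size in bytes, last modification time)."""
    snap = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            info = os.stat(path)
            snap[os.path.relpath(path, root)] = (info.st_size, info.st_mtime_ns)
    return snap


def changed_files(before, after, self_modifying=()):
    """Files present in both snapshots that grew or whose modification date moved."""
    changes = {}
    for path, (size, mtime) in after.items():
        name = os.path.basename(path)
        if path not in before or name in IGNORED_NAMES or name in self_modifying:
            continue
        old_size, old_mtime = before[path]
        if size > old_size or mtime != old_mtime:
            changes[path] = {"grew_by": size - old_size,
                             "date_changed": mtime != old_mtime}
    return changes


def looks_like_spread(before, after, self_modifying=()):
    """True only when the change pattern covers several files, not an isolated one."""
    return len(changed_files(before, after, self_modifying)) >= SEVERAL


# Constructed snapshots: three applications grew between the two checks,
# the System file changed (expected), and one game rewrote its own file.
BEFORE = {"Apps/MacWrite": (120_000, 100), "Apps/MacDraw": (200_000, 100),
          "Apps/Excel": (300_000, 100), "Apps/SuperGame": (50_000, 100),
          "System Folder/System": (400_000, 100)}
AFTER = {"Apps/MacWrite": (127_000, 250), "Apps/MacDraw": (207_000, 260),
         "Apps/Excel": (307_000, 270), "Apps/SuperGame": (50_200, 240),
         "System Folder/System": (410_000, 280)}

if __name__ == "__main__":
    for path, change in changed_files(BEFORE, AFTER, {"SuperGame"}).items():
        print(path, change)
    print("pattern across several files:",
          looks_like_spread(BEFORE, AFTER, {"SuperGame"}))
```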
If your problems continue, try to obtain the assistance of a knowledgeable friend or local expert. If you are a university student, staff member, or faculty member, ask for assistance at your campus computing center. If you work for a corporation with a computer department, ask the local gurus within the department for help. Go to a meeting of your local Mac users group and ask for help.
If you have followed all of this advice and if you still think that you may have a new virus, then you should feel free to contact the author of Disinfectant for assistance. His addresses are at the end of this document. Please mail him a detailed report and, if it is at all possible, include copies of files which you suspect may be infected. Please do not try to call him on the phone.
\str#
\page
\tag 400
\tcon The Viruses
\only screen
\pict 304
\only print save
\style bold
\just center
\size 140
The Viruses
The following sections describe all of the known Mac viruses.
\tcon Scores
\style bold
\size 120
The Scores Virus
According to news reports, the Scores virus was written by a disgruntled programmer. It specifically attacks two applications which were under development at his former company. Fortunately, neither of the two applications was ever released to the general public. Scores was first discovered in the Spring of 1988.
Scores is also sometimes known as the “Eric,” “Vult,” “NASA,” and “San Jose Flu” virus.
There is an easy way to see if you have a Scores infection. Open your System folder and check the icons for the Note Pad and Scrapbook files. They should look like little Macintoshes. If they look instead like blank sheets of paper with turned-down corners, your software has been infected by Scores.
\pict 202
It is possible to be partially infected by Scores and still have normal Note Pad and Scrapbook icons. Consequently, we recommend running Disinfectant to make certain your system is not infected, even if you have normal icons.
Scores infects your System, Note Pad, and Scrapbook system files. It also creates two invisible files in your System folder named “Scores” and “Desktop ”. You cannot see invisible files without the aid of ResEdit or some other utility application. Do not confuse Scores’ invisible Desktop file with the Finder’s invisible Desktop file—they have nothing to do with each other. The Finder’s Desktop file lives at the root level on your disk, outside the System folder, while Scores’ Desktop file lives inside the System folder. Also, Scores’ Desktop file has an extra space character at the end of its name.
Scores does not infect or modify document files—only applications and system files.
Scores gets its name from the invisible “Scores” file that it creates.
Two days after your system becomes infected, Scores begins to spread to each application you run. The infection occurs between 2 and 3 minutes after you begin the application. The Finder and DA Handler usually also become infected. For technical reasons, some applications are immune to infection.
Scores does not intentionally try to do any damage other than to spread itself and attack the two specific applications. It does occupy memory and disk space, however, and this can cause problems all by itself. People have reported problems printing and using MacDraw and Excel. There are also several errors in Scores that could cause system crashes or other unexplained behavior.
There is a serious conflict between Scores and Apple’s System Software release 6.0.4 and later releases. In System 6.0.4, Apple began using some resources with the same type and id as those used by Scores. When Scores infects the System file, it replaces Apple’s versions of these resources with the Scores viral versions of the resources. When Disinfectant repairs the file, it deletes the Scores viral resources, but it does not replace the Apple versions. In this situation, Disinfectant issues a special error message, telling you that the resulting file is damaged and should not be used. You should immediately delete the damaged System file and replace it with a copy from original locked Apple release disks.
\str#
\page
\tag 401
\tcon nVIR
\style bold
\size 120
The nVIR Virus
According to news reports, the nVIR virus first appeared in Europe in 1987 and in the United States in early 1988. At least one variation of the virus was written. We know of two basic strains, which we call “nVIR A” and “nVIR B.”
We have reliable reports of an earlier version of nVIR which was malicious. It destroyed files in the System folder. This earlier version appears to be extinct, and we have not been able to obtain a copy.
nVIR is simpler than Scores. It infects the System file, but it does not infect the Note Pad or Scrapbook files, and it does not create any invisible files. nVIR begins spreading to other applications immediately, without the 2 day delay. Whenever a new application is run, it becomes infected immediately, without the 2-3 minute delay. As with Scores, some applications are immune to infection, the Finder and DA Handler usually also become infected, and document files are not infected or modified.
At first nVIR A and B only replicate. When the System file is first infected, a counter is initialized to 1000. The counter is decremented by one each time the system is started up and it is decremented by two each time an infected application is run.
When the counter reaches zero, nVIR A will sometimes either say “don’t panic” (if MacinTalk is installed in the System folder) or beep (if MacinTalk is not installed in the System folder). This will happen on system startup with a probability of 1/16. It will also happen, with a probability of 15/128, when an infected application is run. In addition, when an infected application is run, nVIR A may say “don’t panic” twice or beep twice with a probability of 1/256.
When the counter reaches zero, nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system startup with a probability of 1/8. A single beep will happen when an infected application is run with a probability of 7/32. A double beep will happen when an infected application is run with a probability of 1/64.
It is possible for nVIR A and nVIR B to mate and reproduce, resulting in new viruses combining parts of their parents. Disinfectant will report that such offspring are infected by both nVIR A and nVIR B, and will properly repair them.
Unlike Scores, there is no way to tell that you have an nVIR infection just by looking at your system. You must run Disinfectant or some other virus detection tool.
One of the viral resources added to infected files by nVIR has the resource type “nVIR,” which is how it got its name.
As with Scores, nVIR occupies both memory and disk space, and this alone is enough to cause problems.
\keep
In addition to the two basic strains of nVIR, a number of “clones” of nVIR B have appeared. These clones are all identical to nVIR B with the exception of a few very minor technical differences. Disinfectant recognizes all of these clones and treats them exactly the same as nVIR B.
\endkeep
\str#
\page
\tag 402
\tcon INIT 29
\style bold
\size 120
The INIT 29 Virus
The INIT 29 virus first appeared in late 1988. We do not know much about its origin.
INIT 29 is extremely virulent. It spreads very rapidly. Unlike Scores and nVIR, you do not have to run an application for it to become infected. Also, unlike Scores and nVIR, INIT 29 can and will infect almost any file, including applications, system files, and document files. Document files are infected, but they are not contagious. The virus can only spread via system files and application files.
INIT 29 has one side effect which reveals its presence. If you try to insert a locked floppy disk on a system infected by INIT 29, you will get the following alert:
The disk “xxxxx” needs minor repairs.
Do you want to repair it?
If you see this alert whenever you insert a locked floppy, it is a good indication that your system is infected by INIT 29.
As with Scores and nVIR, INIT 29 does not intentionally try to do any damage other than spread itself, but it can cause problems nevertheless. In particular, some people have reported problems printing on systems infected with INIT 29. We have also experienced many system crashes, problems with MultiFinder, and incompatibilities with several startup documents on systems infected with INIT 29.
One of the viral resources added to infected files by INIT 29 has the resource type “INIT” and the resource ID 29, after which the virus was named.
\str#
\page
\tag 403
\tcon ANTI
\style bold
\size 120
The ANTI Virus
The ANTI virus first appeared in France in early 1989.
Unlike the other viruses, ANTI does not infect the System file. It only infects applications and other files which resemble applications (e.g., Finder). ANTI does not infect document files. It is less contagious than the INIT 29 virus, but more contagious than the Scores and nVIR viruses. It is possible for an application to become infected even if it is never run.
Due to a technical quirk, ANTI does not spread at all when MultiFinder is used. It only spreads when Finder is used.
There is an error in ANTI which causes it to slightly damage applications in such a way that Disinfectant cannot repair them absolutely perfectly. In other words, the application as repaired by Disinfectant is usually not exactly identical to the uninfected original application. The damage is very minor, however, and in almost all cases it does not cause any problems. If you experience problems with an application which was infected by ANTI and repaired by Disinfectant, we recommend that you delete the repaired copy and replace it by an uninfected original copy. This is good advice in any case.
(For the technically inclined, the error in ANTI is that it clears all the resource attributes of the CODE 1 resource. Disinfectant has no way to know the values of the original attributes, so it leaves them cleared on the repaired application. The only effect of this error is that the repaired application may use memory slightly less efficiently than the original version, especially on old Macintoshes with the 64K ROMs.)
As with the other viruses, ANTI is non-malicious. It does not attempt to do any damage other than spread itself. As with all viruses, however, it can still cause problems.
The string “ANTI” appears within the virus, hence its name.
\str#
\page
\tag 404
\tcon MacMag
\style bold
\size 120
The MacMag Virus
The MacMag virus appeared in December, 1987. This virus is also known as the “Drew,” “Brandow,” “Aldus,” and “Peace” virus. It was named after the Montreal offices of MacMag magazine, from where it originated.
Unlike the other viruses, MacMag does not infect applications—only System files. It originated as a HyperCard stack named “New Apple Products.” The stack contained some exceptionally poorly digitized pictures of the then new Apple scanner. When the stack was run, the virus spread to the currently active System file. When other floppy disks containing System files were subsequently inserted in a floppy disk drive, the virus spread to the System files on the floppies.
Since applications are not infected by MacMag, it spreads much more slowly than the other viruses (because people share system files much less frequently than they share applications). Even though the virus originated on a HyperCard stack, it does not spread to other stacks, only to System files.
MacMag was programmed to wait until March 2, 1988, the anniversary of the introduction of the Mac II. The first time the system was started up on March 2, 1988, the virus displayed a message of peace on the screen and then deleted itself from the System file.
Since MacMag was programmed to self-destruct, it is unlikely that your software is infected with this virus. Disinfectant will nevertheless recognize it and repair infected files just in case you have some very old disks which might still be infected.
Disinfectant repairs both infected System files and infected copies of the original HyperCard stack. If you try to run the repaired stack, HyperCard will issue an error message.
There were two slightly different versions of MacMag. The differences were very minor and both versions were programmed to behave identically. Disinfectant properly detects and repairs both versions.
\str#
\page
\tag 405
\tcon WDEF
\style bold
\size 120
The WDEF Virus
The WDEF virus was first discovered in December, 1989 in Belgium and in one of our labs at Northwestern University. Since the initial discovery, it has also been reported at many other locations, and we now know that it is very widespread. We know of two strains, which we call “WDEF A” and “WDEF B.”
WDEF only infects the invisible “Desktop” files used by the Finder. With a few exceptions, every Macintosh disk (hard drives and floppies) contains one of these files. WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it is not spread through the sharing of applications, but rather through the sharing and distribution of disks, usually floppy disks.
WDEF spreads from disk to disk very rapidly. It is not necessary to run an application for the virus to spread.
The WDEF A and WDEF B strains are very similar. The only significant difference is that WDEF B beeps every time it infects a new Desktop file, whereas WDEF A does not beep.
Although the virus does not intentionally try to do any damage, WDEF contains errors which can cause very serious problems. In particular, the virus causes both the Mac IIci and the portable to crash almost immediately after insertion of an infected floppy. The virus also causes other Macs to crash much more frequently than usual and it can damage disks. The virus also causes problems with the proper display of font styles. In particular, it often causes problems with the “outline” font style. Many other symptoms have also been reported and it appears that the errors in the virus can cause almost any kind of problem with the proper functioning of your Macintosh.
You can remove a WDEF infection from a disk by rebuilding the Desktop file.
To rebuild the Desktop file on a hard disk, start up using Finder (not MultiFinder), and keep both the Command and Option keys held down throughout the startup process. You should be presented with an alert asking if you really want to rebuild the Desktop file. Click on the OK button.
To rebuild the Desktop file on a floppy disk, hold down the Command and Option keys while inserting the disk into a drive. Click on the OK button in the alert.
It is often easier to get rid of a WDEF infection by simply rebuilding the Desktop file than it is to use Disinfectant.
For example, if the Disinfectant INIT warns you that a floppy disk is infected by WDEF, just eject the disk, unlock it, insert it again with the Command and Option keys held down, and click OK. This will rebuild the Desktop file on the disk, and eliminate the virus.
Even though AppleShare servers do not use the normal Finder Desktop file, many servers have an unused copy of this file. If the AppleShare administrator has granted the “make changes” privilege to the root directory on the server, then any infected user of the server can infect the Desktop file on the server. If a server Desktop file becomes infected, performance on the network will be very severely degraded. For this reason, administrators should never grant the “make changes” privilege on server root directories. We also recommend deleting the Desktop file if it exists. It does not appear that the virus can spread from an AppleShare server to other Macs on the network, however.
The WDEF virus can spread from a TOPS server to a TOPS client if a published volume’s Desktop file is infected and the client mounts the infected volume. It does not appear, however, that the virus can spread from a TOPS client to a TOPS server.
If you use ResEdit, VirusDetective, or some other tool to search for WDEF resources, do not be alarmed if you find them in files other than the Finder Desktop files. WDEF resources are a normal part of the Macintosh operating system. Any WDEF resource on a Finder Desktop file, however, is cause for concern.
When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder, the Desktop files are always “busy,” and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message.
\keep
In addition to the two known strains of the WDEF virus, Disinfectant will also detect and repair other strains which may exist but have not yet been reported. If an unknown strain is detected, Disinfectant places the following message in the report:
### File infected by an unknown strain of WDEF
\endkeep
\str#
\page
\tag 406
\tcon ZUC
\style bold
\size 120
The ZUC Virus
The ZUC virus was first discovered in Italy in March, 1990. It is named after the discoverer, Don Ernesto Zucchini.
ZUC only infects applications. It does not infect system files or data files. Applications do not have to be run to become infected.
ZUC was timed to activate on March 2, 1990. Before that date, it only spread from application to application. After that date, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released.
The behavior of the ZUC virus is similar to that of a desk accessory named “Bouncy.” The virus and the desk accessory are different and they should not be confused. The desk accessory does not spread and it is not a virus. ZUC does spread and it is a virus.
ZUC has two noticeable side effects. On some Macintoshes it causes the desktop pattern to change. It also often causes long delays and an unusually large amount of disk activity when infected applications are opened.
ZUC can spread over a network from individual Macintoshes to servers and from servers to individual Macintoshes.
Except for the unusual cursor behavior, ZUC does not attempt to do any damage.
ZUC does not change the last modification date when it infects a file, so you cannot use the last modification dates in the Disinfectant report to trace the source of a ZUC infection.
\str#
\page
\tag 407
\tcon MDEF
\style bold
\size 120
The MDEF Virus
The MDEF virus was first discovered at Cornell University in May, 1990. It is also sometimes called the “Garfield” virus.
MDEF infects both applications and the System file. It does not infect document files. The Finder and DA Handler also usually become infected. The System file is infected as soon as an infected application is run. Other applications become infected as soon as they are run on an infected system.
MDEF does not intentionally attempt to do any damage, but it is harmful anyway. It does not beep, display messages or pictures, or do anything other than spread from file to file.
For technical reasons, the MDEF virus only spreads on some kinds of Macintoshes. It causes the Mac 128K and the 512K to crash. It spreads successfully on the 512KE, Plus, SE, SE/30, II, IIx, and IIcx. On the Mac IIci and IIfx, it spreads from infected applications to uninfected system files, but it does not spread from infected systems to uninfected applications. We have not yet had the opportunity to test the virus on the Mac Portable.
The MDEF virus has an unfortunate reaction with Vaccine. On Vaccine-protected systems, if an infected application is run, Vaccine properly notifies the user of the attack, but it blocks only part of the attempt by the virus to infect the System file. The virus cannot spread from the System file to applications in this situation, but the System file is damaged and menus no longer work properly. When you press on a menu title in the menu bar, no menu pops down. Menus continue to work properly only in infected applications—they do not work properly in the Finder or in uninfected applications. Disinfectant will properly detect and repair these kinds of damaged System files.
GateKeeper is totally effective against the MDEF virus. It successfully blocks the attempt by the virus to infect the System file. The System file is unchanged. Menus do not work properly in infected applications, but they do work properly in the Finder and in uninfected applications. This menu behavior is the exact opposite of what happens on Vaccine-protected systems.
The MDEF virus is named after the type of resource it uses to infect files. MDEF resources are a normal part of the Macintosh system, so you should not become alarmed if you see them with ResEdit or some other tool.
The MDEF and WDEF viruses have similar names, but they are completely different and should not be confused with each other.
\str#
\page
\tcon Sample Report
\only screen
\pict 305
\only print save
\style bold
\just center
\size 140
Sample Report
The following example shows a report generated by a disinfection run on a Scores-infected hard disk drive.
My Hard Drive
Disk disinfection run started.
12/16/88, 10:04:12 AM.
------------------------------------------------
My Hard Drive
My Programs
Games
SuperGame
### File infected by Scores.
Last modification 11/2/88, 11:15:03 PM.
File repaired.
------------------------------------------------
My Hard Drive
My Programs
Word Processors
MacWrite
### File infected by Scores.
Last modification 12/15/88, 5:02:49 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
Desktop
### File infected by Scores.
Last modification 12/13/88, 2:48:40 PM.
File deleted.
------------------------------------------------
My Hard Drive
System Folder
Finder
### File infected by Scores.
Last modification 12/14/88, 3:02:24 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
Note Pad File
### File infected by Scores.
Last modification 12/13/88, 2:48:34 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
Scores
### File infected by Scores.
Last modification 12/13/88, 2:48:33 PM.
File deleted.
------------------------------------------------
My Hard Drive
System Folder
Scrapbook File
### File infected by Scores.
Last modification 12/13/88, 2:48:35 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
System
### File infected by Scores.
Last modification 12/13/88, 2:48:40 PM.
File repaired.
------------------------------------------------
My Hard Drive
Disk disinfection run completed.
12/16/88, 10:08:30 AM.
Summary:
984 total files.
0 errors.
8 files infected by Scores.
8 infected files total.
Earliest infected file: SuperGame
Last modification 11/2/88, 11:15:03 PM.
The last modification dates in the report are useful for tracking down the history and source of an infection. The infected application with the earliest last modification date is usually the source of the infection.
E.g., in the sample report above, SuperGame is the earliest infected application, with a last modification date of 11/2. The System file was last modified on 12/13. If you obtained your copy of SuperGame sometime after 11/2, and if you first ran it on or before 12/13, then SuperGame was probably the source of the infection. You should contact the source of the application and tell them that their software is probably infected too. You should likewise contact anybody else to whom you have given copies of SuperGame or any of your other infected files, because their software may also be infected.
If Disinfectant’s report notes that a System file is the earliest infected file, this means that the application that caused the original infection of your system is no longer on, or never was on, the disk being scanned. Check all your other disks (hard drives and floppies) to attempt to locate the file that introduced the virus to your system.
This kind of analysis is not infallible, but it can be useful in tracing back a chain of infections.
The ZUC virus does not change the modification date when it infects a file, so this kind of analysis will not help locate the source of a ZUC infection.
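The tracing rule described in this section, applied to the text of a saved report. This is an added example, not part of Disinfectant or its documentation; the "System Folder" test for a system file, the 19xx reading of two-digit years, and the literal virus name "ZUC" in report lines are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Abridged from the sample report in this section (three of the eight entries).
SAMPLE_REPORT = """\
My Hard Drive
Disk disinfection run started.
12/16/88, 10:04:12 AM.
------------------------------------------------
My Hard Drive
My Programs
Games
SuperGame
### File infected by Scores.
Last modification 11/2/88, 11:15:03 PM.
File repaired.
------------------------------------------------
My Hard Drive
My Programs
Word Processors
MacWrite
### File infected by Scores.
Last modification 12/15/88, 5:02:49 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
System
### File infected by Scores.
Last modification 12/13/88, 2:48:40 PM.
File repaired.
------------------------------------------------
My Hard Drive
Disk disinfection run completed.
12/16/88, 10:08:30 AM.
"""

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)
# Matches full infections only; "### File partially infected by ..." entries
# are not contagious and are deliberately left out of the trace.
INFECTED = re.compile(r"^### File infected by (.+?)\.?$")
MODIFIED = re.compile(
    r"^Last modification (\d+)/(\d+)/(\d+), (\d+):(\d+):(\d+) ([AP]M)\.$")


@dataclass
class Infection:
    path: tuple         # volume first, file name last
    virus: str
    modified: datetime


def parse_report(text):
    """Return one Infection per '### File infected by ...' entry."""
    found = []
    for block in SEPARATOR.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        marks = [i for i, ln in enumerate(lines) if ln.startswith("###")]
        if not marks:
            continue    # run header or summary block, no file entry
        path = tuple(lines[:marks[0]])
        for i in marks:
            hit = INFECTED.match(lines[i])
            when = MODIFIED.match(lines[i + 1]) if i + 1 < len(lines) else None
            if not (hit and when):
                continue    # error message, or entry without a usable date
            mo, d, y, h, mi, s = (int(g) for g in when.groups()[:6])
            hour = h % 12 + (12 if when.group(7) == "PM" else 0)
            # Assumption: two-digit years are 19xx, as in the 1988 sample.
            stamp = datetime(1900 + y, mo, d, hour, mi, s)
            found.append(Infection(path, hit.group(1), stamp))
    return found


def trace_source(infections):
    """Earliest-modified infected file points at the source of the infection."""
    # ZUC leaves the modification date untouched, so its dates carry no signal.
    dated = [f for f in infections if f.virus != "ZUC"]
    result = {"earliest": None, "skipped_zuc": len(infections) - len(dated)}
    if not dated:
        result["verdict"] = "no-usable-dates"
        return result
    earliest = min(dated, key=lambda f: f.modified)
    result["earliest"] = earliest
    # Assumption: a file below a "System Folder" component is a system file.
    # If one is earliest, the infecting application is not on this disk.
    if "System Folder" in earliest.path[:-1]:
        result["verdict"] = "source-not-on-this-disk"
    else:
        result["verdict"] = "probable-source"
    return result


if __name__ == "__main__":
    outcome = trace_source(parse_report(SAMPLE_REPORT))
    print(outcome["verdict"], " / ".join(outcome["earliest"].path))
```

A "source-not-on-this-disk" verdict is the cue to scan your other hard drives and floppies, as the section recommends.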
\str#
\page
\tcon Special Features
\only screen
\pict 306
\only print save
\style bold
\just center
\size 140
Special Features
In this section we discuss various advanced features of Disinfectant, technical topics, and other miscellaneous items.
• It is very important to realize that detecting and repairing infected files is quite complicated and it is highly likely that there are some rare cases we do not handle properly. Read the disclaimer at the beginning of this document and take it seriously.
• One of our major design goals was to make Disinfectant as simple as possible to use so that even novices will be able to utilize it. We have tried to follow Apple’s human interface guidelines as closely as possible. For example, we religiously adhere to Apple’s rules for window management, as presented in their Human Interface Note number 6.
• Disinfectant is “modeless.” This means several things. You can have multiple windows open at the same time, you can use desk accessories, and you can use MultiFinder application switching. You can start a scan and switch to some other application under MultiFinder and the scan will continue in the background. You can do just about anything except start another scan while a scan is in progress. You can read the document in the help window, adjust options in the preferences window, use the online help facility, admire the about box, etc.
• Disinfectant can be run on any model of Macintosh with at least 512K of memory, System 3.2 or later, and the hierarchical file system (“HFS”).
• Disinfectant is 32-bit clean and may be run under AUX.
• Disinfectant can scan in the background under MultiFinder. With System 6.0 and later, the Notification Manager is used to notify you if an infection is discovered or if Disinfectant requires attention for some other reason. Systems prior to 6.0 do not support the Notification Manager and Disinfectant does not attempt to use it. In this case, the “Notification options” section of the preferences window is inactive (grayed out).
• Disinfectant uses popup menus in the main window (as an alternate method for selecting a disk) and in the preferences window (to select which applications should own saved text files). Systems earlier than 4.1 do not support popup menus and, in this case, Disinfectant disables them. You must use the Drive and Eject buttons to select a disk in the main window and you must type four-character creator types in the preferences window to specify which applications own saved text files.
• Disinfectant can scan and repair both MFS and HFS disks. Single-sided 400K floppies are usually in MFS format, whereas other disks are usually in HFS format.
• Disinfectant tries to perform careful error checking. E.g., it properly reports disk full errors on attempts to save files, out of memory errors, and errors on attempts to disinfect “busy” and “damaged” files. The summary at the end of the report tells you if there were any errors. All error messages and messages reporting infected files begin with “###,” to make them easy to find in the report.
• Some other anti-viral tools add special “inhibitor resources” to files in an attempt to prevent future infections. Disinfectant does not do this. It does, however, recognize these “inhibitors.” It does not consider them to be infections and will not try to delete them on disinfection runs.
• Under MultiFinder, Disinfectant has a “preferred” memory partition of 700K and a “minimum” memory partition of 400K. On 1 megabyte Macintoshes running MultiFinder, there is not enough memory to allocate the preferred partition and you will have to run with the smaller minimum partition. The large memory partition is desirable because some applications use surprisingly large resources and Disinfectant must have enough memory to load them and check them for viruses.
• Disinfectant may be used to scan AppleShare server disks and remote disks on a TOPS network. For the best results, however, we recommend that you remove servers and shared disks from production and scan them using the Mac to which they are directly connected. This is the only way to avoid file busy errors, insufficient privileges errors, and other problems. Scanning a local disk is also much faster than scanning a disk over a network. This is also the only way to scan the Server folder on an AppleShare server disk.
One problem with AppleShare server disks is that they use a different kind of “Desktop” file than is used on regular disks. If the server disk contains a large number of applications, it may not be possible to start up the server using your regular virus tools disk (the Finder will bomb or hang during the process of building its version of the Desktop file). You can avoid this problem by creating a special virus tools floppy that contains a copy of Apple’s “Desktop Manager” startup document file. Use this special version of the virus tools floppy only for scanning AppleShare servers.
When scanning over TOPS, we have noticed that TOPS sometimes beeps and flashes an alert intermittently while scanning with Disinfectant. The problem is not serious. It is annoying, but it does not interfere with the scan.
• Viruses sometimes damage applications in such a way that they cannot be run at all and sometimes viruses only partially infect files. It is also possible for a file to be infected by more than one virus. In most of these special cases, Disinfectant is able to repair the files. If it is impossible for Disinfectant to properly repair such a file, an appropriate error message is issued. Consult the section in this document titled “Error Messages” for detailed information on what each message means and for advice on what to do if you get an error message.
• Disinfectant may be installed on a server and used by more than one person simultaneously.
• Disinfectant may be used on Macs with no hard drive and only a single floppy drive. Start up and run Disinfectant from your virus tools disk. Click on the Eject button to eject your startup disk. Use the floppy drive to insert the disks you wish to scan or disinfect.
When you eject the virus tools disk, we preload the information Disinfectant needs to do scanning from the disk. This minimizes “floppy shuffling” on these systems. Disinfectant displays a dialog telling you to “Please wait” while it does this preloading, which can take quite some time. Please be patient.
• Disinfectant will not detect infected files if they are part of a StuffIt archive, if they have been converted to a text file with BinHex, if they have been compressed with PackIt, or if they have been compressed, converted or archived by some similar utility. If you have such files and want to make certain they do not contain infections, you must unpack them and check the unpacked files.
• Disinfectant cannot be used to check the backup floppy disks or tapes produced by most of the various hard disk backup utility applications. These applications usually write their backups in a special format which is not recognized by Disinfectant. If you suspect that your backups are infected, we recommend that you first disinfect all of your other disks (hard drives and floppies), then do a new full backup, and finally erase (reformat) all of your remaining suspect backup floppies.
\str#
\page
\tcon Error Messages
\only screen
\pict 307
\only print save
\style bold
\just center
\size 140
Error Messages
This section presents all of Disinfectant’s error messages, in alphabetical order, with a brief explanation of each one.
\keep
\tag 77
### An error or inconsistency was detected while
### trying to repair this file.
### WARNING: This file may still be infected!
Your file was infected, but while attempting to repair it Disinfectant discovered something wrong with the file. The file may still be infected. Scan the file again with Disinfectant to find out if it is still infected. If it is still infected, you should delete it. If Disinfectant reports that it is no longer infected, you can try running it to see if it works. It may be usable or it may be damaged in such a way that it cannot be used. This error is not common, but it can occur in unusual situations.
One situation in which this error can occur is if an application is infected by more than one virus and you attempt to use some other virus tool to repair the file before running Disinfectant. Some other virus tools cannot handle multiple infections properly and they sometimes leave the application damaged in such a way that Disinfectant cannot repair it properly.
\endkeep
\keep
\tag 9
\tag 80
### An I/O error occurred while trying to check
### this file.
### An I/O error occurred while trying to repair
### this file.
### WARNING: This file may still be infected!
These error messages are listed in the report if a hardware error occurs while trying to read or write a file. They usually mean that the disk itself or the disk drive is not operating properly. You can try running Disinfectant again on the same file. If the hardware problem is intermittent, it might work the second time.
\endkeep
\keep
\tag 6
### File infected by xxxxx.
Your file is infected by a virus. “xxxxx” is the name of the virus (Scores, nVIR A, etc.).
\endkeep
\keep
### File infected by an unknown strain of WDEF
Your file is infected by a strain of the WDEF virus which has not yet been reported. If you have not already repaired the file, we would appreciate it if you would send us a copy of the infected file. See the section on the WDEF virus for more information.
\endkeep
\keep
\tag 7
### File partially infected by xxxxx,
### but not contagious.
Your file is partially infected by the virus named “xxxxx,” but the infection is not contagious. These kinds of infections are not dangerous and they cannot spread to other files. You may choose to leave the infection on the file or you may use Disinfectant to remove the infection.
Partially infected files sometimes are the result of other virus tools which have errors. The other virus tool may remove part of an infection, but not all of the infection.
Partial infections can also arise on GateKeeper-protected systems. In particular, if the Scores virus attacks a GateKeeper-protected system, a harmless part of the Scores infection will manage to evade GateKeeper’s protection mechanisms.
\endkeep
\keep
\tag 88
### File partially infected by nVIR A or nVIR B,
### but not contagious.
nVIR A and nVIR B are different viruses, but some of their parts are identical. It is theoretically possible for only these common parts to be present in an infected file. In this case, Disinfectant has no way of knowing which virus originally attacked the file, so it issues this special message. We have never encountered this situation in actual practice.
\endkeep
\keep
\tag 74
### NOTE: Some errors were reported. For a detailed
### explanation of an error message, press Command-?
### and click on the error message text.
This message appears in the summary section of the report if any other error messages occurred during a scan.
\endkeep
\keep
\tag 32
### Scan canceled.
You canceled a scan or disinfection run.
\endkeep
\keep
\tag 31
### System files cannot be scanned over TOPS.
This error should only occur if you try to scan a disk over a TOPS network. TOPS does not permit access to currently active System files over the network. We recommend that you scan the disk using the Mac to which the disk is directly connected.
If this error occurs in some other situation, it means that there is probably an error in Disinfectant. We would appreciate it if you would send a report to the author.
\endkeep
\keep
\tag 73
### The disk is too full to repair this file.
### WARNING: This file may still be infected!
This error may occur if a disk is very full and you attempt to repair an infected file on the disk. Disinfectant requires at least a small amount of free space on the disk before it can repair the file. Try moving some of the files on the disk to some other disk to make more room and run Disinfectant again.
\endkeep
\keep
\tag 82
### The resource fork of this file is damaged or
### in an unknown format. It cannot be checked.
Macintosh files have two parts or “forks”—the resource fork and the data fork. When Disinfectant checks a file, it tries to open the resource fork. This message means that the information stored in the resource fork is not valid resource information. The data fork may still be intact and usable. For document files, this is usually not a problem. For applications and system files, this usually indicates that something is seriously wrong with the file and you should replace it with a known good copy of the file.
For some reason, we have seen this problem with a number of StuffIt archive files. These “damaged” files are usually still usable since StuffIt stores the archived files in the data fork, not the resource fork.
Disinfectant also reports that all Reflex database files are “damaged.” Reflex makes non-standard use of the resource fork in its database files. These files are not really damaged—they are still usable, but only by Reflex.
\endkeep
\keep
\tag 53
\tag 54
### There is not enough memory to check this file.
### There is not enough memory to repair this file.
### WARNING: This file is probably still infected!
Disinfectant was unable to get enough memory to check or repair the file. This message is quite rare. You might try running Disinfectant again without MultiFinder.
This error can be caused by applications which contain very large resources. Disinfectant must load these resources into memory to check them for viruses and if there is not enough memory available you will get this error message.
Another possible cause of this error is that the file is damaged.
\endkeep
\keep
\tag 29
### This file is busy and cannot be checked.
Your file could not be opened for reading because the file was already open with exclusive access by some other application. This message should only occur on server disks. For server disks, we recommend that you remove the server from production, start up the server Mac using your virus tools floppy disk, and run Disinfectant from the virus tools floppy. This should avoid file busy errors. For more details on scanning servers, see the “Special Features” section.
\endkeep
\keep
\tag 30
### This file is busy and cannot be repaired.
### Try using Finder instead of MultiFinder.
### WARNING: This file is still infected!
Your file could not be opened for writing because the file was already open by some other application. The most common cause of this error is running Disinfectant under MultiFinder. Try again without MultiFinder. This error is also possible when scanning server disks (under either Finder or MultiFinder). For server disks, we recommend that you remove the server from production, start up the server Mac using your virus tools floppy disk, and run Disinfectant from the virus tools floppy. This should avoid file busy errors. For more details on scanning servers, see the “Special Features” section.
\endkeep
\keep
\tag 84
### This file was damaged by the virus, and it cannot
### be repaired properly. You should delete the file
### and replace it with a known good copy.
Viruses sometimes damage files in such a way that they cannot be repaired properly. In this case, Disinfectant removes the virus from the file, but leaves the file damaged. You should not attempt to use such a file. You should delete it and replace it with a known good copy of the file.
This error message is currently issued in only one situation: when the Scores virus has infected a System file from Apple’s System Software release 6.0.4 or later. There is a serious conflict between Scores and Apple’s System Software release 6.0.4 and later releases. In System 6.0.4, Apple began using some resources with the same type and id as those used by Scores. When Scores infects the System file, it replaces Apple’s versions of these resources with the Scores viral versions of the resources. When Disinfectant repairs the file, it deletes the Scores viral resources, but it does not replace the Apple versions. In this situation, Disinfectant issues a special error message, telling you that the resulting file is damaged and should not be used. You should immediately delete the damaged System file and replace it with a copy from original locked Apple release disks.
\endkeep
\keep
\tag 33
\tag 50
### Unexpected error (nnn).
### Unexpected error (nnn) occurred while trying
### to open this file for repair.
### WARNING: This file is still infected!
Unexpected errors should not occur. It means that there may be an error in Disinfectant. We would appreciate it if you would send a note to the author describing what you were doing when the error occurred. Please specify the error number reported in the message. If possible, also send us a copy of the file that was being scanned when the error occurred.
\endkeep
\keep
\tag 70
### Unexpected error (nnn). If you are using
### GateKeeper, check to make certain you have
### granted privileges to Disinfectant.
### WARNING: This file is probably still infected!
One possible cause of unexpected errors is attempting to repair infected files on a GateKeeper-protected system when you have forgotten to grant Disinfectant privileges. You should grant Disinfectant all privileges (“File” and “Res” privileges for “Other,” “System” and “Self”).
\endkeep
\keep
\tag 67
\tag 64
\tag 58
\tag 55
\tag 61
### WARNING: You do not have the proper privileges
### to access files in some of the folders. Some
### files in those folders may be infected!
### You do not have Make Changes privilege
### to the folder containing this file.
### It cannot be repaired.
### WARNING: This file is still infected!
### You do not have See Files privilege
### to this folder. Files within this folder
### cannot be checked.
### You do not have See Folders privilege
### to this folder. Folders within this folder
### cannot be checked.
### You have neither See Files nor See Folders
### privileges to this folder. This folder
### cannot be checked.
These error messages are issued if a server folder is encountered for which you do not have the necessary access privileges. To avoid these errors, we recommend that you remove the server from production, start up the server Mac using your virus tools floppy disk, and run Disinfectant from the virus tools floppy. For more details on scanning servers, see the “Special Features” section.
\endkeep
\str#
\page
\tcon Alerts & Dialogs
\only screen
\pict 308
\only print save
\style bold
\just center
\size 140
Alerts & Dialogs
This section presents all of Disinfectant’s alerts and dialogs, in alphabetical order, with a brief explanation of each one.
\keep
• A virus may still be active in memory, and some of your files may have or could become reinfected. You should immediately restart your Macintosh using a locked virus tools floppy and run Disinfectant again.
When you quit after a disinfection run, Disinfectant checks to see if any infected files were found in the currently active System folder. If any were found, this alert is presented.
Click on the Restart button to restart your Macintosh. Click on the Cancel button to return to Disinfectant. Click on the Quit button to quit Disinfectant.
\endkeep
\keep
• An unexpected error (nnn) occurred while trying to save a file.
This alert is presented if Disinfectant encounters an unexpected error while trying to save a document, report, or the protection INIT. This alert should not happen. If it does, it might be an error in Disinfectant and we would appreciate it if you would notify the author.
\endkeep
\keep
• Disinfectant has found an infected file.
This alert is presented if Disinfectant finds an infected file while running in the background under MultiFinder and you have selected the “Also display alert” option in the “Notification options” section of the preferences window.
\endkeep
\keep
• Disinfectant is unable to repair files on this system. One possible reason is that you are using GateKeeper and you forgot to grant Disinfectant privileges. Another possible reason is that you are using the special University of Michigan version of Vaccine (Vaccine.UofM). You must remove this version of Vaccine from your System folder before using Disinfectant to repair files. You may use Disinfectant on this system to check for viruses, but you will not be able to use the Disinfect button to repair infected files.
Some virus prevention tools can interfere with Disinfectant in such a way that it is impossible for Disinfectant to properly repair infected applications. If Disinfectant detects such a virus prevention tool, it presents this alert. When you click on the OK button, the current scan is canceled and the Disinfect button is disabled.
The version of Vaccine mentioned in the alert is not the normal Vaccine. It is a special version that was prepared just for the University of Michigan.
You may also get this alert if you are using the regular version of Vaccine and you click on the “Denied” button instead of the “Granted” button by mistake.
\endkeep
\keep
• Disinfectant requires attention.
This alert is presented if Disinfectant is running in the background under MultiFinder and it requires your attention for some reason other than the discovery of an infected file and you have selected the “Also display alert” option in the “Notification options” section of the preferences window.
\endkeep
\keep
• Disinfectant requires System 3.2 or later.
Disinfectant requires System 3.2 or later. If you try running Disinfectant on an earlier system, it will present this alert. When you click on the OK button, Disinfectant quits to the Finder.
\endkeep
\keep
• Disinfectant requires the hierarchical file system (HFS). On Macs with the 64K ROMs, this means that you need to include the file “Hard Disk 20” on your startup disk.
On unenhanced Mac 512K models, Disinfectant requires the hierarchical file system. If you try running it without HFS, it will present this alert. When you click on the OK button, Disinfectant quits to the Finder.
\endkeep
\keep
• Out of memory.
This alert is presented if Disinfectant runs out of memory. It should not occur. When you click on the OK button, Disinfectant quits.
\endkeep
\keep
• Please wait…
This message is displayed if you eject the disk containing Disinfectant and/or the System file. Before ejecting the disk, Disinfectant loads all the information from the disk that it might need later. This can take quite some time, so you should be patient.
This message is also displayed when you start up Disinfectant from a floppy disk or other ejectable disk while Disinfectant completes its initial integrity checksum.
\endkeep
\keep
• Printing error - could not locate printer driver in System folder.
This alert occurs if you try to print a report or the document and the printer driver has not been properly installed. For example, to print on an Imagewriter, you must have the system file named “Imagewriter” in the same folder as your System file.
\endkeep
\keep
• Printing error - the startup disk is full.
This alert occurs if there is not enough room on your startup disk to complete a printing operation. Try to make more room on your startup disk, then try printing again.
\endkeep
\keep
• Printing error - the startup disk is locked.
This alert occurs if printing fails because the startup disk is locked. Unlock the startup disk, or create an unlocked copy of your startup disk, and try printing again.
\endkeep
\keep
• Printing error - you must use the Chooser to select a printer.
This alert occurs if you try to print when there is no currently selected printer. Use the Chooser desk accessory to select a printer.
\endkeep
\keep
• Printing error (error code = nnnn).
An unexpected error occurred during printing. “nnnn” is the error number. This alert should not occur. If it does, we would appreciate it if you would send a note to the author. Please specify the error number reported in the message. Click on the OK button to return to Disinfectant.
\endkeep
\keep
• Printing “xxxxx.” Press Command-Period to cancel printing.
This informative message is displayed during printing.
\endkeep
\keep
• Replace existing “xxxxxxxxxx”?
This alert is presented when you save a document or report or when you install or extract the protection INIT if a file with the same name already exists. Click on the “No” button to abort the file save operation. Click on the “Yes” button to delete the old file and replace it by the new one.
\endkeep
\keep
• Save report before clearing?
When you clear the report, Disinfectant checks to see if the report contains any messages for infected files. If it does, this alert is presented. There are three buttons—Yes, No, and Cancel. The Yes button presents a dialog that lets you choose the location of the saved report, saves the report, and then clears the report. The No button clears without saving the report. The Cancel button returns to Disinfectant.
\endkeep
\keep
• Save report before quitting?
When you quit Disinfectant, it checks to see if the report contains any messages for infected files. If it does, this alert is presented. There are three buttons—Yes, No, and Cancel. The Yes button presents a dialog that lets you choose the location of the saved report, saves the report, and then quits. The No button quits without saving the report. The Cancel button returns to Disinfectant.
\endkeep
\keep
• The application “xxxxxxxxxx” is infected by the yyyyy virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects an infected application.
\endkeep
\keep
• The Disinfectant protection INIT has been installed. You must restart your Macintosh to activate the INIT.
This alert is presented when you select the “Install Protection INIT” command. Click on the “Restart” button to restart your Macintosh. Click on the “Cancel” button to return to Disinfectant.
\endkeep
\keep
• The disk cannot be repaired because it is locked. Please unlock and reinsert the disk.
If you try to disinfect a locked floppy disk, Disinfectant ejects the disk and puts up this alert. Unlock and reinsert the disk. Disinfectant will automatically begin scanning and repairing the disk as soon as you reinsert it. You can use the Cancel button in the alert to cancel the operation and return to Disinfectant.
\endkeep
\keep
• The disk cannot be repaired because it is locked. Please unlock and reinsert the disk or insert the next disk to be repaired.
This second form of the unlock alert is used only when the special “scanning station” option is checked in the preferences window. In this case, you can either unlock and reinsert the original disk or you can insert some other disk. There is no Cancel button in this case.
\endkeep
\keep
• The disk "xxxxxxxxxx" is infected by the WDEF virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects a WDEF-infected disk.
\endkeep
\keep
• The file could not be saved because the disk is full.
This alert appears if you try to save a report or the document and there is not enough room on the disk to save the file. Click on the OK button. You may then try to save to a different disk.
\endkeep
\keep
• The font size must be in the range 1 through 24. Please correct it or click on the Cancel button.
This alert appears in the “Page Setup” dialog if you enter a ridiculous font size.
\endkeep
\keep
• The margins you specified are too large. Please make them smaller, or click on the Cancel button.
This alert appears in the “Page Setup” dialog if you specified margins that are too big. Disinfectant requires that there be at least a 4 inch square available for printing after taking into account the margins and page size.
\endkeep
\keep
• The protection INIT could not be installed because the startup disk is locked.
This alert is presented if you try to install the Disinfectant protection INIT on a locked startup disk.
\endkeep
\keep
• The report is too big. It must be saved before you can continue.
Disinfectant has an upper limit for the size of the report. Most people will never be affected by this limit. If you produce a very long report which approaches the size limit, you will get this alert, with two buttons, Save and Cancel. Save is the default button. It saves the partial report as a text file, clears the report field, and continues the scan. The Cancel button cancels the scan without clearing or saving the report. If you have a single floppy system, you may eject the disk being scanned, insert a different disk, and save the report on that disk. Disinfectant will then ask you to reinsert the disk being scanned.
\endkeep
\keep
• The stack "xxxxxxxxxx" is infected by the MacMag virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects a MacMag-infected HyperCard stack.
\endkeep
\keep
• The System folder is infected by the yyyyy virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects an infected system file at startup.
\endkeep
\keep
• This copy of Disinfectant has been damaged, infected by a virus, or otherwise modified. Please delete this copy and use an original unmodified copy.
Disinfectant checks itself when it starts up and notifies you if it has been modified. This may mean that it has been infected by a virus. If this notification occurs, you must remove this particular copy of Disinfectant from your disk and replace it with a known “good” copy of Disinfectant.
\endkeep
\keep
• You selected the page range xxx through yyy. There are no pages in this range.
This alert appears when printing if there are no pages in the range you requested. Nothing is printed in this case.
\endkeep
\str#
\page
\tcon Other Virus Tools
\only screen
\pict 309
\only print save
\style bold
\just center
\size 140
Other Virus Tools
There are many other free and shareware virus-fighting tools. Here is a list of the ones with which we are familiar, with brief comments about each one. You can get them from most good user groups, bulletin boards, commercial online services, and Internet archives.
Many of the tools in this list are obsolete or have limited utility. We have included them only for the sake of completeness and historical interest. Three exceptions are GateKeeper, Virus Rx and VirusDetective. These tools are actively supported by their authors and have general utility, and we highly recommend them.
• AntiPan 1.3. Michael Hamel. nVIR repair. Free. Scans disks and removes nVIR infections. Recognizes nVIR clones. Also “inoculates” the system to prevent future infections. Did a good job in our tests.
• AntiVirus 1.0E. Softhansa GmbH. nVIR repair. Free. Scans disks and removes nVIR infections. Also “inoculates” the system to prevent future infections.
• Assassin. Pete Gontier. nVIR repair. Free. Scans disks and removes nVIR infections. Did a good job in our tests. The author has reported a few problems with his application and recommends that you use Disinfectant instead.
• Eradicat’Em 1.0. Dave Platt. WDEF protection and repair. Free. A system start-up document which protects your system against infection by the WDEF virus and automatically removes any WDEF infections it encounters. Eradicat’Em may be used together with GateKeeper and/or the Disinfectant INIT.
• Ferret 1.1. Larry Nedry. Scores detection and repair. Free. Scans disks and removes Scores infections. Sometimes fails to properly detect and repair infected files.
• GateKeeper 1.1.1. Chris Johnson. Virus protection. Free. A control panel document (INIT/cdev) which monitors and blocks suspicious activity characteristic of viruses. GateKeeper is widely used and very popular. Chris provides excellent support and he continues to improve it. Highly recommended, though it does not offer WDEF virus protection (see GateKeeper Aid below).
• GateKeeper Aid 1.0.1. Chris Johnson. WDEF protection and repair. Free. A system start-up document which protects your system against infection by the WDEF virus and automatically removes any WDEF infections it encounters. GateKeeper Aid may be used together with GateKeeper and/or the Disinfectant INIT.
• Interferon 3.1. Robert Woodhead. Virus detection. Detects both Scores and nVIR. Cannot repair infected applications. Avoid using the “Eradicate Infection” or “Scan all Volumes” menu items—they do not work properly. Can also be told to report “anomalies,” but it may raise a false alarm in doing so. Unmounts all disks after scanning them, even hard drives. Interferon was one of the first virus-fighting tools. The author no longer supports Interferon and he recommends that you no longer use it. (Robert is the author of the commercial product Virex.)
• KillScores 1.0. MacPack and the Apple Corps of Dallas, headed by Howard Upchurch. Scores detection and repair. Free. Scans disks and removes Scores infections. Did a good job in our tests.
• KillVirus. Matthias Urlichs. nVIR repair. Free. Also sometimes named “KillnVIR.” A system start-up document which repairs your System file and automatically repairs any infected applications when they are run. Adds an “nVIR 10 inhibitor” to your System file, which some of the other tools improperly report as an nVIR infection. Does not notify you when it finds and repairs an infected file.
• N.O.M.A.D. 1.0a1. Bill Pierce, CMS Enhancements. nVIR repair. Free. Scans disks and removes nVIR infections from applications, but not from system files.
• QuickScores. Anthony Tuorto. Scores detection. Free. This desk accessory does a quick check to see if the currently active System file is infected by Scores.
• Repair 1.5. Steve Brecher, Software Supply. nVIR repair. Free. Does not do disk scanning—you must repair each infected application one at a time. Can repair an infected System file. Recognizes clones.
• RezSearch 1.0b. Wade Blomgren. Virus detection. Free. Searches a disk for files containing a specific resource or resource type. Configurable. Can also be useful for purposes other than virus detection.
• RWatcher 1.0. John Norstad. Virus protection. Free. A system start-up document which protects against Scores and nVIR. Configurable. For non-MPW programmers who will not use Vaccine because of its constant complaints about the creation of CODE resources. Has weaker checks than Vaccine’s. The author no longer supports RWatcher—he recommends that programmers use the Disinfectant INIT or GateKeeper instead.
• Vaccination 1.1. Mike Scanlin. nVIR repair. Free. Does not do disk scanning—you must repair each infected application one at a time. Cannot repair an infected System file.
• Vaccine 1.0.1. Don Brown, CE Software. Virus protection. Free. A control panel document (INIT/cdev) which monitors suspicious activity characteristic of viruses. Vaccine was the original Macintosh virus protection tool, and is still widely used. It is not supported, and it is not effective against some of the newer viruses. We recommend that you use the Disinfectant INIT or GateKeeper instead.
• Vaxene. Anonymous. Scores detection. Free. Does not do disk scanning—you must check each file one at a time. Cannot repair files. The only interesting thing about this tool is that the about box claims that the author is also the author of the Scores virus itself.
• VCheck 1.3. Albert Lunde. Virus detection. Free. Takes a “snapshot” of your system and compares it to previous snapshots. Tells you which files have changed.
• VirusBlockade II 1.0. Jeffrey S. Shulman. Virus detection. Shareware, $30. A control panel device. Among many other features, it can be used together with the author’s VirusDetective to automatically scan floppies for viruses when they are inserted in a disk drive.
• VirusDetective 4.0.2a. Jeffrey S. Shulman. Virus detection. Shareware, $40. A desk accessory which can be configured. Cannot repair infected applications except for WDEF. Configurability is one of VirusDetective’s strongest features. When a new virus appears, you can often configure VirusDetective to recognize it without having to wait for a new version to be released. For example, when the WDEF virus first appeared, VirusDetective was the only virus-fighting tool which could detect it (with proper configuration). It also does a good job of detecting clones. Jeff has established an excellent reputation for support and update service for registered users. Highly recommended. If you use VirusDetective, please remember to send Jeff the shareware fee.
• Virus Encyclopedia. Henry Schmidt. Virus information. Free. This detailed HyperCard stack presents information about Macintosh viruses.
• Virus Rx 1.6. Apple Computer. Virus detection. Free. Detects Scores, nVIR, INIT 29, ANTI, and WDEF. Cannot repair infected applications. It is very reliable and it does an excellent job of detecting clones. Highly recommended.
• VirusWarning. Mike Scanlin. nVIR detection. Free. A system start-up document which beeps when and if an nVIR attack occurs, but does not prevent the infection.
• Warning 1.1. William Lipa. Virus detection. Free. A system start-up document which checks your System file to see if it is infected by a virus and warns you with a dialog box if it discovers an infection.
\str#
\page
\tcon Version History
\only screen
\pict 310
\only print save
\style bold
\just center
\size 140
Version History
\keep
• Disinfectant Version 2.0b1. June 12, 1990.
Version 2.0 is a major new release. See the document for details.
Version 2.0 includes a new virus protection startup document (INIT).
Version 2.0 has a much-improved online document, with pictures, printing, and a context-sensitive help system.
Version 2.0 is a non-modal application with standard windows and menus. It supports desk accessories, printing, MultiFinder application switching, and scanning in the background.
There is a new preferences window which you can use to specify miscellaneous options and parameters.
Other new features include more scan and disinfect options, new counters in the main window, and a much improved scanning station feature.
\endkeep
\keep
• Known problems in version 2.0b1, which we hope to fix before releasing 2.0:
2.0b1 does not work with the 64K ROMs (512K unenhanced).
Document printing with large font sizes (>12 points) can cause some pages to be truncated at the bottom.
It is not possible to print the document on an ImageWriter using a single floppy Mac—there isn't enough disk space.
\endkeep
• Disinfectant Version 1.8. May 20, 1990. Recognize MDEF virus, plus other miscellaneous changes.
• Disinfectant Version 1.7. April 2, 1990. Recognize ZUC virus, plus other miscellaneous changes.
• Disinfectant Version 1.6. January 30, 1990. Recognize generic nVIR clones, plus other miscellaneous changes. The nVIR clone detection and repair algorithm is based on the one used by Steve Brecher in his “Repair” application. Thanks to Steve for sharing his code with us.
• Disinfectant Version 1.5. December 14, 1989. Recognize WDEF B virus, plus other miscellaneous changes.
• Disinfectant Version 1.4. December 8, 1989. Recognize WDEF A virus, plus other miscellaneous changes.
• Disinfectant Version 1.3. November 29, 1989. Recognize another new nVIR B clone, plus other miscellaneous changes.
• Disinfectant Version 1.2. August 4, 1989. Recognize another new nVIR B clone, plus other miscellaneous changes.
• Disinfectant Version 1.1. April 16, 1989. Recognize a new nVIR B clone, plus other miscellaneous changes.
• Disinfectant Version 1.0. March 19, 1989. First public release.
\str#
\page
\tcon Programmer Notes
\only screen
\pict 311
\only print save
\style bold
\just center
\size 140
Programmer Notes
I wrote several reusable modules to implement Disinfectant’s human interface. You are welcome to write for copies of the source code and you have my permission to use it in your own projects. All I ask is that you give me and Northwestern University appropriate credit in your about box or document. The source code is in MPW C 3.1.
• vol.c - Volume selection via drive and eject buttons, as in standard file, with popup menu as an alternative.
• scn.c - Volume and folder scanning. HFS and MFS. Optional folder name, file name, and thermometer displays.
• rep.c - Report generation and display in scrolling fields.
• rpp.c - Report printing.
• hlp.c - Help window presentation, saving, and printing. Uses the report module.
• gff.c - A modified standard open file dialog which lets the user choose either a folder or a file.
• utl.c - Miscellaneous utilities used by the above.
• cvrt.c - An MPW tool to convert a text file to a sequence of STR# resources. Used with reports and about boxes.
• wrap.c - An MPW tool to word-wrap paragraphs of text. Used with about boxes.
To request a copy, write me at one of my electronic addresses below or mail me a floppy and a stamped self-addressed envelope. I will send you a complete sample application which uses all of the above modules, with all the C source code, the rez files, the tools, and a make file. The sample application is very similar to Disinfectant, but produces a disk directory listing instead of a virus scan or disinfection report.
You can also get a copy of the source code via anonymous FTP from site “acns.nwu.edu” [129.105.49.1].
The virus detection and disinfection code is not available.
\str#
\page
\tcon Author and Credits
\only screen
\pict 312
\only print save
\style bold
\just center
\size 140
Author and Credits
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, Illinois 60208 USA
Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
AppleLink: a0173
CompuServe: 76666,573
I enjoy getting mail, especially electronic mail, and I invite your correspondence. If you send me a letter through the regular mail, please include a self-addressed stamped envelope if you expect a reply.
Please do not try to call me. I do not have the time to do free consulting over the phone and I cannot return long distance phone calls from people I do not know.
If you think that you might have a new virus which Disinfectant does not detect, please read the section in this document titled “Problem Clinic.” Follow the advice contained in that section before asking me for assistance.
With thanks to:
Mark Anbinder, BAKA Computers, Inc.
Wade Blomgren, University of California, San Diego
Chris Borton, Faculteit Wiskunde & Informatica, Universiteit van Amsterdam
Bob Hablutzel
Tim Krauskopf, National Center for Supercomputing Applications
Joel Levin, BBN Communications Corporation
Robert Lentz, Northwestern University
Bill Lipa, Stanford University
Albert Lunde, Northwestern University
James Macak, The Double Click Macintosh Users Group, Milwaukee
Lance Nakata, Stanford University
Dave Platt, Coherent Thought Inc.
Leonard Rosenthol, Software Ventures Corporation
Art Schumer, Microsoft Corporation
Dan Schwendener, Eidgenössische Technische Hochschule, Zurich
Please note that although we have included company and university names above, this in no way implies that those companies or universities endorse or support Disinfectant.
This international group of Macintosh virus experts, programmers and enthusiasts helped design and test Disinfectant, edit the document, locate copies of the viruses for testing, and analyze the viruses. I wrote all the code, but I could not have written the application without their help.
Disinfectant is an example of cooperative software development over the Internet. I send development and beta releases and technical design notes to the working group and they reply with error reports, suggestions, etc. This involves the exchange of many hundreds of electronic mail messages. The result is an application which is much better than any one of us could have produced individually.
Since the initial release of Disinfectant, many hundreds of users have supplied error reports, comments, and suggestions for features. The application has in many ways become a community project. The author thanks everybody who has contributed.