|
CIAC Advisory number A- 9
NOTICE: TO ALL CONCERNED Certain text files and messages contained on this site deal with activities and devices which would be in violation of various Federal, State, and local laws if actually carried out or constructed. The webmasters of this site do not advocate the breaking of any law. Our text files and message bases are for informational purposes only. We recommend that you contact your local law enforcement officials before undertaking any project based upon any information obtained from this or any other web site. We do not guarantee that any of the information contained on this system is correct, workable, or factual. We are not responsible for, nor do we assume any liability for, damages resulting from the use of any information on this site.
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
Information about the WDEF virus
December 18, 1989, 1400 PST Number A-9
Summary
A new Macintosh virus called WDEF is spreading rapidly. It is not
necessary to run a program for the virus to spread. The WDEF virus is
not programmed to damage a system, but due to software errors in this
virus, it can cause serious problems such as system crashes, poor
performance, and damage to disks. Disinfectant 1.5, VirusDetective and
GateKeeper Aid V1.0 can be used to detect and eradicate this virus.
Critical WDEF Facts
Name: WDEF
Types: WDEF A, WDEF B
Platform: Apple Macintosh
Damage: No intentional damage, see symptoms.
Symptoms: The virus can cause:
- both the Macintosh IIci and the portable to crash.
- severe performance problems on AppleTalk networks
with AppleShare servers.
- frequent crashes when users try to save files in
applications under MultiFinder.
- problems with the proper display of font styles (the
outline style in particular).
- damage to disks.
- Macintoshes with 8 megabytes of memory to crash.
- Erratic system behavior due to incompatibility with
the "Virtual" INIT from Connectix.
Detection/Eradication: GateKeeper Aid, Disinfectant 1.5;
others should be available in the next few weeks.
Introduction
A new form of computer virus called WDEF has been released into the
Macintosh world. WDEF only infects the invisible "Desktop" files used
by the Macintosh operating system's "Finder." WDEF does not infect
applications, document files, or other system files. Unlike the other
viruses, it does not at this time appear to spread through the sharing
of applications, but rather through the sharing of diskettes. WDEF
spreads from disk to disk very rapidly. It is not necessary to run a
program for the virus to spread. WDEF has been in existence since mid-
October of this year and has been found at many locations throughout the
United States.
At this time their appears to be two strains of WDEF, WDEF A and WDEF B.
These strains are similar except WDEF B beeps every time it infects a
new Desktop file.
Symptoms
The WDEF virus is not programmed to damage a system. However, due to
errors in the virus code itself, it can cause serious problems. Below
is a list of known symptoms:
The virus causes both the Mac IIci and the portable to crash.
Under some circumstances the virus can cause severe performance
problems on AppleTalk networks with AppleShare servers.
Many people have reported frequent crashes when trying to save
files in applications under MultiFinder.
The virus causes problems with the proper display of font styles
(the outline style in particular).
The virus can damage disks.
The virus causes Macintoshes with 8 megabytes of memory to crash.
The virus may be incompatible with the "Virtual" INIT from
Connectix.
Prevention
With AppleShare servers you do not need a Desktop. If you are
comfortable using a software developers' package called ResEdit, you
should remove the Desktop. You should also not allow the "make changes"
privilege to the root directory on the server. This should eliminate
any possibility that this virus from spreading to an AppleShare server.
Detection
Packages which claim to detect WDEF are Disinfectant 1.5 and GateKeeper
Aid V1.0 (to be used in conjunction with GateKeeper 1.11). Virus
Detective 3.1 can also be used to find the WDEF virus. You will,
however, have to add the search string:
Creator=ERIK & Resource WDEF & Any
Disinfectant 1.3 , Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM
Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although
new versions of many of these products which claim to be able to detect
WDEF are rapidly being developed. Please also note that Disinfectant
1.4 detects only one strain of the WDEF virus.
Eradication
Disinfectant 1.5 should be used to eradicate WDEF. When using
Disinfectant to repair WDEF infections, you must use Finder instead of
MultiFinder. Otherwise Disinfectant cannot write to the normally 'Busy'
Desktop file. If you do not prefer use Disinfectant 1.5, CIAC can
advise you of alternate eradication procedures using ResEdit.
For further information, or for a copy of Disinfectant 1.5, please
contact CIAC:
David S. Brown
(415) 423-9878 or (FTS) 543-9878
FAX: (415) 294-5054
or send e-mail to: [email protected]
|
|
