VIRUS-L Digest  Thursday, 31 Oct 1996    Volume 9 : Issue 206

Today's Topics:

Special Mac issue (ADMIN)
Viruses and the Mac FAQ (MAC)

VIRUS-L is a moderated, digested mail forum for discussing computer
virus issues; comp.virus is a gatewayed and non-digested USENET
counterpart.  Discussions are not limited to any one hardware/software
platform--diversity is welcomed.  Contributions should be relevant,
concise, polite, etc.  (The complete set of posting guidelines is
available by FTP on ftp.cs.ucr.edu (IP number 138.23.169.122) or upon
request.)  Please sign submissions with your real name; anonymous
postings will not be accepted.  Information on accessing antivirus,
documentation, and back-issue archives is distributed periodically on
the list.  A FAQ (Frequently Asked Questions) document and all of the
back-issues are available at ftp://ftp.cs.ucr.edu/pub/virus-l.  The
current FAQ document is in a file called vlfaq200.txt.

Administrative mail (e.g., comments or suggestions) should be sent to
me at: n.fitzgerald@csc.canterbury.ac.nz.  (Beer recipes should still
be sent to Ken van Wyk at: krvw@mnsinc.com.)

VIRUS-L subscribers wanting help with list-processor commands should
send a message to listserv@lehigh.edu with the command "help virus-l"
in the body of the message (the listserv ignores Subject: lines).

All submissions should be sent to: VIRUS-L@lehigh.edu.

   Nick FitzGerald

----------------------------------------------------------------------

Date: Thu, 31 Oct 1996 00:01:35 +1300
From: Nick FitzGerald <n.fitzgerald@csc.canterbury.ac.nz>
Subject: Special Mac issue (ADMIN)
X-Digest: Volume 9 : Issue 206

I was about to leave work when David Harley's submission of the first
official release of his Mac virus FAQ arrived.  Being too large to
accommodate in a normal digest, but not "too large" in absolute terms,
I've quickly bundled out another digest tonight.  As the Macophiles
amongst our readers tend to be the poor relations in terms of posted
material directly relevant to them, I hope this posting of David's FAQ
will help redress the balance.

Regards,

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 Nick FitzGerald, PC Applications Consultant, CSC, Uni of Canterbury, N.Z.
 n.fitzgerald@csc.canterbury.ac.nz  TEL:+64 3 364 2337, FAX:+64 3 364 2332
              Virus-L/comp.virus moderator and FAQ maintainer
    PGP fingerprint =  2E 7D E9 0C DE 26 24 4F  1F 43 91 B9 C4 05 C9 83

------------------------------

Date: Wed, 30 Oct 1996 10:32:25 +0000 (GMT)
From: David Harley <harley@europa.lif.icnet.uk>
Subject: Viruses and the Mac FAQ (MAC)
X-Digest: Volume 9 : Issue 206


                    Viruses and the Macintosh
                    =========================

              Release version 1.0 : 28th October 1996
                          David Harley


[Changes from the previous version are flagged with + symbols
in the first two columns at the start of the relevant line or
section]

Table of Contents
-----------------

	 1.  Copyright Notice
	 2.  Preface
	 3.  Availability of this FAQ
	 4.  Mission Statement
	 5.  Where to get further information.
		5.1 alt.comp.virus FAQ
		5.2 VIRUS-L/comp.virus FAQ
		5.3 Disinfectant on-disk manual
		5.4 Virus Test Center, Hamburg
		5.5 'Robert Slade's Guide to Computer Viruses'
		5.6 Web Pages with Macintosh virus information
		5.7 Virus Bulletin
		5.8 Information on macro viruses
		5.9 Kevin Harris's Virus Reference (Hypercard stack)
		5.10 McAfee Mac Virus Encyclopaedia (includes macro viruses)
	 6.  How many Mac viruses are there?
	 7.  What viruses can affect Mac users?
	 8.  What's the best antivirus package for the Macintosh?
	 9.  Welcome Datacomp
	10.  Hoaxes and myths
		10.1 Good Times virus
		10.2 Psychic Neon Buddha Jesus virus
		10.3 Modem virus
		10.4 PKZIP300 trojan virus
		10.5 Irina virus
		10.6 E-mail viruses
		10.7 JPEG/GIF viruses
	11.  Glossary
	12.  General Reference Section.
		12.1 Mac Newsgroups and FAQs
		12.2 References
		12.3 Other Relevant Publications
	13.  Holes to Plug
		13.1 Mac Troubleshooting

1.0   Copyright Notice
      ----------------

Copyright on this document remains with the author(s), and all
rights are reserved. However, it may be freely distributed
and quoted - accurately, and with due credit.

It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holder(s). To obtain such
permission, please contact the maintainer of the FAQ.

Primary author of this document is David Harley, who at present
maintains it. Comments and additional material have been received
with gratitude from Susan Lesch, Ronnie Sutherland, and Eugene
Spafford. I'd also like to thank Michael Wright, David Miller, Jeremy
Goldman, Robert Slade, Robin Dover, and John Norstad for their
comments and suggestions.

2.0  Preface
     -------

This document is intended to help individuals with computer
virus-related problems and queries, and clarify the issue
of computer viruses on Macintosh platforms. It should *not* be
regarded as being in any sense authoritative, and has no legal
standing. The author(s) accept(s) no responsibility for errors or
omissions, or for any ill effects resulting from the use of any
information contained in this document.

Corrections and additional material are welcome, especially if
kept polite.... Contributions will, if incorporated, remain the
copyright of the contributor, and credited accordingly within
the FAQ.

	David Harley <D.Harley@icrf.icnet.uk>

3.0  Availability of this FAQ
     ------------------------

The latest version of this document will be available from:

      *  http://www.webworlds.co.uk/dharley/

4.0  Mission Statement
     -----------------

This document is a little different to the alt.comp.virus FAQ,
which I also maintain. It's concerned with one platform only,
and though it deals with the Mac platform at more length than the
alt.comp.virus FAQ can be expected to, it's a great deal
shorter. Nor is there the same degree of urgency about the Mac
virus field, though I think the risk element is somewhat
underestimated in general, at present. My main concern is the
spread of macro viruses, a theme which is taken up below.
Since questions about Macs and viruses tend to appear more
often in the Mac groups than alt.comp.virus or Virus-L,
distribution of this FAQ may be wider: I'm open to suggestions.

In fact, this is less an FAQ document than an accretion of
hopefully useful information which contains the answers to some
Frequently Asked Questions.

5.0  Where to get further information
     --------------------------------

	5.1 The alt.comp.virus FAQ (not much Mac-specific material)

            This is posted to alt.comp.virus approximately
            fortnightly. It includes a document which summarizes
            and gives contact information for a number of other
            virus-related FAQs.

            The latest version is available from:

            * http://www.webworlds.co.uk/dharley/

            Other Sources:

              * ftp.gate.net/pub/users/ris1/acvfaqht.zip
                (hypertext version)
              * ftp://ftp.gate.net/pub/users/ris1/acvfaq.zip
                (text version)
              * http://www.drsolomon.com/
              * http://www.innet.net/~ewillems/
              * http://www.agora.stm.it/N.Ferri/infos.htm

              It is also available on AOL:

              America Online: Virus Information Center: Keyword VIRUS

	5.2 The VIRUS-L FAQ

            The Virus-L/comp.virus FAQ (also fairly low on
            Mac-specific information) is regularly posted to the
            comp.virus newsgroup.

            The latest version should be available as:

                ftp://cert.org/pub/virus-l/FAQ.virus-l

            You can get the Mk. 2 version at

            ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip
            ftp://cs.ucr.edu/pub/virus-l/
            (if this doesn't work, try
            ftp://ftp.cs.ucr.edu/pub/virus-l)

            This is very long and very thorough. This document is
            subject to revision, so the file name may change.

        5.3 Disinfectant on-disk documentation

            The best single source of information on Mac viruses is
            the online help included in the freeware package
            Disinfectant. Contact details below.

            You can also find some of this information at:

              http://members.aol.com/macutility/macvirus
              (AOL members have access to further information.)

        5.4 AntiVirus Catalog/CARObase

           ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
           ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
           ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/

           ftp://ftp.uu.net/pub/security/virus/
           ftp://sunsite.unc.edu/pub/docs/security/hamburg-mirror/virus/

        5.5 "Robert Slade's Guide to Computer Viruses"

            The disk included with the 2nd Edition of this excellent
            general resource includes most of the information
            available at the University of Hamburg (see 5.4). The
            book also contains a reasonable quantity of Mac-friendly
            information.

            The disk also includes a copy of Disinfectant 3.6.

            Very few books primarily about computer viruses deal at
            any length with Mac viruses (I can't think of one, at
            present). Some general books on the Mac touch on the subject,
            but none I can think of add anything useful. Some of the
            "Totally Witless User's Guide to......." books dealing with
            security in general include information on PC -and- Mac
            viruses. Unfortunately, the quality of virus-related
            information in such publications is generally low.

        5.6 Websites

            Many major vendors have a virus information database online
            on their websites. Symantec (www.symantec.com) and Datawatch
            (www.datawatch.com) include Macintosh virus information.

            Precise URLs tend to come and go, but you might like to try
            the following:

            Symantec Antivirus Research Center
            Macintosh Virus Information
            http://www.symantec.com/avcenter/macvir_info.html

            Datawatch "Mac Viral Zoo"
            Macintosh Virus Encyclopedia
            http://www.datawatch.com/noframes/virus/maczoo.shtml

        5.7 Virus Bulletin

            The expensive (but, for the professional, essential)
            periodical Virus Bulletin includes Mac-specific
            information from time to time. However, if you have no
            interest in PC issues, you probably won't consider it
            worth the expense.

                Virus Bulletin Ltd
                21 The Quadrant
                Abingdon
                Oxfordshire
                OX14 3YS

                44 (0) 1234 555139
                Compuserve 100070,1340
                www.virusbtn.com
                virusbtn@vax.ox.ac.uk

        5.8 Macro virus information resources

               http://www.drsolomon.com/
               http://www.datafellows.com/macrovir.htm
               http://www.symantec.com/
               http://www.mcafee.com/
               http://www.avp.ch/avpve/
               http://www.sophos.com/ (under Virus Information)

	[The following absolute URLs may change: such is the
	way of web administrators..... If you get an error
	message, try the first part of the URL, e.g.
		http://www.symantec.com/
	and drill down from there.]

	Symantec AntiVirus Research Center
	http://www.symantec.com/avcenter/data/wmacro.html

	Dr Solomon's Software Ltd.
	http://www.drsolomon.com/vircen/macrovir.html

	McAfee Associates
	http://www.mcafee.com/support/techdocs/vinfo/f_3057.html

	Command Software Systems
	http://www.commandcom.com/html/macro.html

	Data Fellows
	http://www.datafellows.com/macro/word.htm

            Richard Martin has put together an FAQ on this subject,
            though it doesn't seem to have been updated recently.

               ftp.gate.net/pub/users/ris1/word.faq
               http://learn.senecac.on.ca/~jeashe/hsdemonz.htm

             or mail to

               Bd326@TorFree.Net

               Subject: PLEASE SEND FAQ

        5.9 Kevin Harris's Virus Reference (Hypercard stack)

               http://www.sperspect.com/sperspect/
               ftp://ftp.el-grove.k12.il.us/pub/sperspect/
               eWorld: shortcut "Perspective"
               AOL: Hypercard, Operating Systems, and User
               Group Connection areas.

++      5.10 McAfee Mac Virus Encyclopaedia (includes macro viruses)

	ftp://ftp.mcafee.com/pub/antivirus/vmacdat1.hqx

        Version 2.3 of the data definitions for McAfee VirusScan 2.0
        includes a free Macintosh virus encyclopedia in both SimpleText
        and HTML formats, and includes macro viruses. The information
        on Mac-specific viruses is pretty much the same as that included
        in the original Disinfectant documentation.

6.0  How many Mac viruses are there?
     -------------------------------

There are around 35 Mac-specific viruses that I know of, though
Apple are, I've heard, quoting 200-300. I don't know if
these include every minor variant, trojans, hypercard infectors
and other macro viruses. However, since Apple are not noticeably
in the business of virus detection and disinfection, I'd as soon
go with the estimates of those who are.

However, Mac users with Word 6 or versions of Excel supporting
Visual Basic for Applications are vulnerable to infection by
macro viruses which are specific to these applications. Indeed,
these viruses can, potentially, infect other files on any hardware
platform which can support these versions of these applications.
I don't know of a macro virus with a Mac-specific payload which
actually works at present, but such a payload is entirely possible.

Word Mac version 5.1 and below do not support WordBasic, and are
not, therefore, vulnerable to direct infection. Not only do these
versions not understand embedded macros, but they also can't read
the Word 6 file format unaided. There is, however, at least one
freeware utility which allows Word 5.x users to read Word 6 files.
This will not (presumably) support execution of Word 6 (or WinWord
2) macros in Word 5.x, so I would not expect either an infection
routine or a payload routine to be able to execute within this
application.

However, Word 5.x users may contribute indirectly to the spread of
infected files across platforms and systems, since it is perfectly
possible for a user whose own system is uninfectable to act as a
conduit for the transmission of infected documents, whether or not
s/he reads it personally.

Files infected with a PC-specific file virus (this excludes macro
viruses) can only execute on a Macintosh running DOS or DOS/Windows
emulation, if then. They can, of course, spread across platforms
simply by copying infected files from one system to another.

DOS diskettes infected with a boot sector virus can be read on a
Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without
(normally) risk to the Mac. However, leaving such an infected disk
in the drive while booting an emulator such as SoftPC can mean that
the virus attempts to infect the logical PC drive with unpredictable
results.

I am aware of at least one instance of a Mac diskette which, when read
on a PC (running a utility for reading Mac-formatted disks) that was
infected with a boot-sector infector, became unreadable as a
consequence of the boot track infection.

7.0  What viruses can affect Macintosh users?
     ----------------------------------------

Not all variants are listed here, yet, though I intend to reference
all the major variants at least by name eventually, but there might be
enough to get you going....

The following varieties are listed below:
	7.1 Mac-specific system and file infectors
	7.2 Hypercard Infectors
	7.3 Mac Trojans

Section 7.4 does not attempt to list macro viruses and trojans, of
which there are 70-80 at the time of writing, but discusses the risks
and consequences to Mac users. Sources of further information on macro
and other viruses are given in section 5.x

        It appears also that some Mac viruses may damage files on Sun
        systems running MAE or AUFS.

        7.1   Mac-specific viruses, excluding hypercard infectors

        AIDS - infects application and system files. No
        intentional damage. (nVIR B strain)

        Aladin - close relative of Frankie

        Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't
        spread under system 7.x, or System 6 under multifinder.
        Can damage applications so that they can't be 100%
        repaired.

        CDEF - infects desktop files. No intentional damage, and
        doesn't spread under system 7.x.

        CLAP: nVir variant which spoofs Disinfectant to avoid
        detection (Disinfectant 3.6 recognises it).

        Code 1 - file infector. Renames the hard drive to "Trent
        Saburo". Accidental system crashes possible.

        Code 252 - infects application and system files. Triggers
        when run between June 6th and December 31st. Runs a
        gotcha message ("You have a virus. Ha Ha Ha Ha Ha Ha Ha
        Now erasing all disks... [etc.]"), then self-deletes.
        Despite the message, no intentional damage is done,
        though shutting down the Mac instead of clicking to
        continue could cause damage. Can crash system 7 or damage
        files, but doesn't spread beyond the system file. Doesn't
        spread under system 6 with Multifinder beyond System and
        Multifinder. Can cause various forms of accidental
        damage.

        Frankie - only affects the Aladdin emulator on the Atari
        or Amiga. Doesn't infect or trigger on real Macs or the
        Spectre emulator. Infects application files and the
        Finder. Draws a bomb icon and displays "Frankie says: No
        more piracy!"

        Fuck: infects application and System files. No
        intentional damage. (nVir B strain)

        Init 17: infects System file and applications. Displays
        message "From the depths of Cyberspace" the first time it
        triggers. Accidental damage, especially on 68k machines.

        Init 29 (Init 29 A, B): Spreads rapidly. Infects system
        files, applications, and document files (document files
        can't infect other files, though). May display a message
        if a locked floppy is accessed on an infected system 'The
        disk "xxxxx" needs minor repairs. Do you want to repair
        it?'. No intentional damage, but can cause several
        problems - Multiple infections, memory errors, system
        crashes, printing problems, multifinder problems, startup
        document incompatibilities.

        Init 1984: Infects system extensions (INITs). Works under
        Systems 6 and 7. Triggers on Friday 13th. Damages files
        by renaming them, changing file types and file creators,
        creation and modification dates, and sometimes by
        deleting them.

        Init-9403 (SysX): Infects applications and Finder under
        systems 6 and 7. Attempts to overwrite whole startup
        volume and disk information on all connected hard drives.
        Only found on Macs running the Italian version of MacOS.

        Init-M: Replicates under System 7 only. Infects INITs and
        application files. Triggers on Friday 13th. Similar
        damage mechanisms to INIT-1984. May rename a file or
        folder to "Virus MindCrime". Rarely, may delete files.

        MacMag (Aldus, Brandow, Drew, Peace) - first distributed
        as a hypercard stack trojan, but only infected System
        files. Triggered (displayed a peace message and
        self-deleted) on March 2nd 1988, so very rarely found.

        MBDF (A,B): originated from the Tetracycle, Tetricycle or
        "tetris-rotating" trojan. The A strain was also
        distributed in Obnoxious Tetris and Ten Tile Puzzle.
        Infect applications and system files including System and
        Finder. Can cause accidental damage to the System file
        and menu problems.

        MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect
        System file and application files (D doesn't infect
        System). No intentional damage, but can cause crashes and
        damaged files.

        nCAM: nVir variant

        nVir (nVir A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu):
        infect System and any opened applications. Extant
        versions don't cause intentional damage. Payload is
        either beeping or (nVir A) saying "Don't panic" if
        MacInTalk is installed.

        nVIR-f: nVir variant.

        prod: nVir variant

        Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack
        two applications which were never generally released. Can
        cause accidental damage, though - system crashes,
        problems printing or with MacDraw and Excel. Infects
        applications, Finder, DA Handler.

        T4 (A, B, C): infects applications, Finder, and tries to
        modify System so that startup code is altered. Under
        System 6 and 7.0, INITs and system extensions don't load.
        Under 7.0.1, the Mac may be unbootable. Damage to
        infected files and altered System is not repairable by
        Disinfectant. The virus masquerades as Disinfectant, so
        as to spoof behaviour blockers such as Gatekeeper.
        Originally included in versions 2.0/2.1 of the public
        domain game GoMoku.

        WDEF (A,B): infects desktop file only. Doesn't spread
        under System 7. No intentional damage, but causes
        beeping, crashes, font corruption and other problems.

        zero: nVir variant.

        Zuc (A, B, C): infects applications. The cursor moves
        diagonally and uncontrollably across the screen when the
        mouse button is held down when an infected application is
        run. No other intentional damage is done.

      7.2  Hypercard infectors

      These are a somewhat esoteric breed, but a couple have been
      seen since Disinfectant was last upgraded in 1995, and most
      of the commercial scanners detect them.

        Dukakis - infects the Home stack, then other stacks used
        subsequently. Displays the message "Dukakis for
        President", then deletes itself, so not often seen.

        HC 9507 - infects the Home stack, then other running
        stacks and randomly chosen stacks on the startup disk.
        On triggering, displays visual effects or hangs the
        system. Overwrites stack resources, so a repaired stack
        may not run properly.

        HC 9603 - infects the Home stack, then other running
        stacks. No intended effects, but may damage the Home
        stack.

        HC virus/Hypercard/Two Tunes - infects stack scripts.
        Visual/Audio effects: 'Hey, what are you doing?' message;
        plays the tune "Muss I denn"; plays the tune "Behind the
        blue mountains"; displays Hypercard toolbox and pattern
        menus; 'Don't panic!' fifteen minutes after activation.

        MerryXmas - appends to stack script. On execution,
        attempts to infect the Home stack, which then infects
        other stacks on access. There are several strains,
        most of which cause system crashes and other anomalies.
        At least one strain replaces the Home stack script and
        deletes stacks run subsequently.

      7.3 Trojans

      These are often unsubtle and immediate in their effects:
      while these effects may be devastating, trojans are
      usually very traceable to their point of entry. The few
      Mac-specific trojans are rarely seen, but of course the
      commercial scanners detect them.

        ChinaTalk - system extension - supposed to be sound
        driver, but actually deletes folders.

        CPro - supposed to be an update to Compact Pro, but
        attempts to format currently mounted disks.

        FontFinder - supposed to list fonts used in a document,
        but actually deletes folders.

        MacMag - Hypercard stack (New Apple Products) which was
        the origin of the MacMag virus. When run, infected the
        System file, which then infected System files on
        floppies. Set to trigger and self-destruct on March 2nd,
        1988, so rarely found.

        Mosaic - supposed to display graphics, but actually
        mangles directory structures.

        NVP - modifies the System file so that no vowels can be
        typed. Originally found masquerading as 'New Look', which
        redesigns the display.

        Steroid - Control Panel - claims to improve QuickDraw
        speed, but actually mangles the directory structure.

        Tetracycle - implicated in the original spread of MBDF

        Virus Info - purported to contain virus information but
        actually trashed disks. Not to be confused with Virus
        Reference.

        Virus Reference 2.1.6 mentions an 'Unnamed PostScript
        hack' which disables PostScript printers and requires
        replacement of a chip on the printer logic board to
        repair. I'm indebted to Gene Spafford for the following
        summary.

        "The PostScript "trojan" was basically a PostScript job
        that toggled the printer password to some random string
        a number of times.  Some Apple laser printers have a
        firmware counter that allows the password to only be
        changed a set number of times (because of PRAM behavior
        or licensing -- I don't remember which), so eventually
        the password would get "stuck" at some random string that
        the user would not know.  I have not heard any reports
        of anyone suffering from this in many years."

     7.4 Macro viruses/Trojans

     At the time of the last upgrade of Disinfectant (version 3.6
     in early 1995), there were no known macro viruses in the
     wild, apart from Hypercard infectors. In any case, Disinfectant
     was always intended to deal with system viruses, not trojans
     or macro/script viruses. However, many users are unaware of
     these distinctions and assume that Disinfectant is a complete
     solution.

     Unfortunately, the number of known macro viruses is at the time
     of writing nudging three figures, though the number known to be
     in the wild is far fewer.

     Most macro viruses (if they have a warhead at all) target Intel
     platforms and assume FAT-based directory structures, so they
     usually have no discernible effect on Macs when they trigger.

     However, the main costs of virus control are not recovery
     from virus payloads, but the costs of establishing detection
     and protection (or of not establishing them). The costs of
     not establishing these measures can be considerable,
     irrespective of damage caused on infected machines,
     especially in corporate environments. Secondary distribution
     of infected documents may result in:

        * civil action - for instance, inadvertent
        distribution of an infected document to external
        organisations may be in breach of contractual obligations

        * legal action in terms of breach of data-protection
        legislation such as the UK Data Protection Act or the
        European Data Protection directive. The eighth principle
        of the Data Protection Act, for instance, requires that
        security measures are taken to protect against
        unauthorised access to, and alteration, disclosure and
        destruction of personal data, or its accidental loss.

        * damage to reputation - no legitimate organisation wants
        to be seen as being riddled with viruses.

     Since Word 6.x for Macintosh supports WordBasic macros, it
     is as vulnerable as Word 6.x and 7.x on Intel platforms to
     being infected by macro viruses, and therefore to generating
     other infected documents (or, strictly speaking, templates).
     Working Excel viruses are now beginning to appear also, and
     any future Macintosh application which supports Visual Basic
     for Applications will also be vulnerable.

     Macro viruses are therefore highly transmissible via
     Macintoshes, even if they don't have a destructive effect on
     Motorola platforms, if there is an equivalent application
     available on the Macintosh. For instance, although Word for
     Windows versions before version 6 support WordBasic, Word
     versions for the Mac up to and including version 5.1 do not.
     [Thus Word 5.1 users can not be directly infected, but may
     pass on infected documents to vulnerable systems.]

     The Green Stripe macro virus is not normally a danger on
     Macs, since there is no AmiPro/Wordpro for Macintosh. On the
     other hand, any Mac running any sort of DOS or Windows emulation
     such as SoftPC, SoftWindows, or a DOS compatibility card is
     a potential target for any PC virus, including Boot Sector
     Infectors/Multipartites (effects will vary). It is highly
     recommended that anyone with such a system should run a reputable,
     up-to-date PC antivirus program under emulation, as well as a good
     Mac antivirus program. [Dr. Solomon's for the Mac detects PC boot
     sector infectors as well as Mac viruses, but doesn't detect PC file
     viruses (apart from macro viruses), and so is not sufficient
     protection for a Mac with DOS emulation.]

     McAfee, Symantec, Datawatch and S&S International all make
     known-virus scanners which detect a range of macro viruses.
     (See below.)

     Microsoft's Macro Virus Protection Tool detects Concept (Nuclear
     and DMV are also mentioned in the documentation, but there is no
     indication that it actually recognises them), but its principal
     purpose is simply to warn users that the document they are about
     to open contains macros and offer the choice of opening the file
     without macros, opening it with macros, or cancelling the File
     Open. It can be obtained from:

        http://www.microsoft.com/msoffice/
        (look for mvtool1222.hqx)
        MSN: GO MACROVIRUSTOOL
        AOL: the Word forum
        CompuServe: the Word forum
        Microsoft Product Support Services
                206-462-9673 (Winword)
                206-635-7200 (Word Mac)
        email: wordinfo@microsoft.com

      NB The Protection Tool traps some File Open operations, but not all.
      There are a number of ways of opening a document which bypass it.

      The Protection Tool can be used to scan for Concept-infected files,
      but there are a number of possible problems with it.

      * Earlier versions could only handle a limited size of directory
        tree, and ran very slowly if a large number of files required
        scanning. Speed is certainly still a problem: I can't say about
        the overflow problem.
      * Files created in Word for Windows won't be scanned until they've
        been opened in Word 6 for Mac (this is a system issue, not a
        bug in the code). However, Microsoft suggest that you open the
        file in Word for the Macintosh and save it before scanning.
        This will do the job, but will also infect your system, if the
        file is infected. If it's infected with a virus -other- than
        Concept, this could create problems if the Protection Tool is
        bypassed on a subsequent file open.
      * Infected files embedded in OLE files or e-mail files will not
        be detected.

    Windows 95 users should be aware that this tool is not recommended
    for use with MS Word 7.0a for Windows with internal detection
    enabled, as these two tools will cancel each other out.

For further information on specific macro viruses, try one of
the information resources given earlier.

8.0  What's the best anti-virus package for the Macintosh?
     -----------------------------------------------------

As ever, I can't give a definitive answer to this. Here are some
thoughts on the main contenders.

	8.1 Disinfectant

        Disinfectant is an excellent anti-virus package with exemplary
        documentation, and doesn't cost a penny: however, it doesn't
        detect all the forms of malware that a commercial package usually
        does, including hypercard infectors, most trojans, jokes or macro
        viruses. Unlike some commercial packages, it doesn't scan
        compressed files, either: compressed files should be expanded
        before scanning. Self-extracting archives should probably be
        scanned before unpacking, then again when unpacked.

        Anyone using recent versions of Microsoft Office applications
        should be aware that macro viruses -do- infect on these software
        platforms and may, in the future, trigger on them too.
        Disinfectant is, therefore, no longer sufficient protection
        by itself for systems which are loaded with these applications.

        Arguably, systems which don't have these applications should also
        be protected:

	* With a view to protection in the future from infected files
          acquired now, if the user should change to Office in the future.
        * To guard against the spreading of infected files by way of
          uninfectable systems.

        Disinfectant is available from:

        	ftp://ftp.acns.nwu.edu/pub/disinfectant
        	CompuServe
        	GEnie
        	America Online
        	Calvacom
        	Delphi
        	BIX
        	sumex-aim.stanford.edu
        	rascal.ics.utexas.edu
        	comp.binaries.mac

	A copy of version 3.6 is also included on the disk supplied with
	the 2nd edition of Robert Slade's book. While antivirus software
        bundled with books can be out-of-date before it hits the
        bookshops, new Mac viruses and consequent upgrades to
        Disinfectant are rare enough to include this information here.
        It is widely available from other disks, collections, archives
        and websites, though.

++	8.2 McAfee

        McAfee have a virus scanner for the Mac which is based on
        Disinfectant: version 2 of VirusScan, however, includes detection
        of trojans, macro viruses etc. (though I don't think it actually
        disinfects macro viruses). It also includes an installation
        wizard which I found a little inflexible, but could save effort.
        It provides background scanning, monitoring, scans compressed
        files, has a scheduling option, and can be administered remotely.
        Version 2.3 of the data definitions includes a free Mac virus
        encyclopaedia. (See section 5.10.)

        A fully-functional 30-day evaluation copy can be downloaded from
        their website.

		McAfee Associates
		2710 Walsh Ave
		Santa Clara, CA  95051
		95054-3107  USA
		Voice (408) 988-3832
		FAX   (408) 970-9727
		BBS   (408) 988-4004
		CompuServe ID: 76702,1714 or GO MCAFEE
		mcafee@netcom.com
		ftp://ftp.mcafee.com/pub/antivirus/
		http://www.mcafee.com/


	8.3 Other freeware/shareware packages

        For other freeware/shareware Mac packages, try
        Info-Mac mirrors like:

        	ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

        The University of Texas holds the latest versions of Disinfectant
        and some documentation on Mac viruses.

        	http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

        Gatekeeper was not a scanner, but a generic tool. It is no
        longer supported by its author, but is still available on
        some sites. It is probably not safe to use or rely on modern
        systems, and I believe the author recommends that people
        don't attempt to use it.


	8.4 Commercial packages

        Commercial packages include SAM (Symantec Antivirus for Macintosh),
        Virex for Macintosh, McAfee VirusScan (see above) and Dr. Solomon's
        AntiVirus ToolKit for Macintosh.

        SAM and Virex offer checksumming/integrity checking (detecting
        possible infection by unknown viruses by monitoring changes in
        infectable files: the correct checksums or fingerprints for
        individual files are kept in a database file). Both applications
        are also able to check files compressed with utilities such as
        StuffIt.

        SAM is particularly oriented towards behaviour blocking: the
        Intercept tool can be configured to raise an alert at the
        slightest whiff of a 'suspicious' operation. Unfortunately, this
        can be counterproductive in real life, since an over-stringent
        alert policy is apt to result in the facility being turned off
        altogether. However, configuration is very flexible.

        Virex offers very fast scanning, is easy to update, and
        includes checksumming for the detection of unknown viruses.
        I've not yet used it, but authoritative sources have
        commended it highly.

        Dr. Solomon's for Mac has the unusual capacity for detecting (not
        cleaning) PC boot-sector viruses on DOS floppies, which could be
        very useful in a mixed environment. It doesn't detect compressed
        files (oddly, since this is one of the strengths of the
        DOS/Windows version). Nor does it include checksumming.

        All three packages address trojans, macro viruses etc., can do
        scheduled scanning, and are likely to be considered
        in more detail in a future version of this FAQ.

        Sophos, who supply the Sweep scanner for PCs etc., do not have
        a stand-alone Macintosh scanner, but do have a Macintosh client
        version of their InterCheck technology. This runs as an extension
        and communicates with the InterCheck server when an application
        is run on the client machine.

	8.5 Contact Details

	Datawatch Corporation (for Virex)

		234 Ballardvale Street
		Wilmington MA 01887
		+1 508 988 9700
		fax: +1 508 988 0105
		http://www.datawatch.com/
		ftp://gateway.datawatch.com/pub/


	S&S International (for Dr. Solomon's AntiVirus ToolKit)

		Alton House
		Gatehouse Way
		Aylesbury
		Buckinghamshire HP19 3XU
		United Kingdom
		UK Support: support@uk.drsolomon.com
		US Support: support@us.drsolomon.com
		UK Tel: +44 (0)1296 318700
		USA Tel: +1 617-273-7400
		CompuServe: GO DRSOLOMON
		Web: http://www.drsolomon.com
		FTP: ftp://ftp.drsolomon.com

       Symantec Corporation (for SAM)

		10201 Torre Avenue
		Cupertino CA 95014
		+1 408 725 2762
		Fax: +1 408 253 4992
		US Support:  541-465-8420
		AOL:  SYMANTEC
		European Support:  31-71-353-111
		Australian Support:  61-2-879-6577
		http://www.symantec.com/
		ftp://ftp.symantec.com

++	Sophos plc

		The Pentagon
		Abingdon
		Oxon
		England OX14 3YP
		http://www.sophos.com/

9.0  Welcome Datacomp
     ----------------

From time to time there are reports from Mac users that the
message 'welcome datacomp' appears in their documents without
having been typed. This appears to be the result of using a
trojanised 3rd-party Mac-compatible keyboard with this 'joke'
hard-coded into the keyboard ROM. It's not a virus - it can't
infect anything - and the only cure is to replace the keyboard.

10.0 Hoaxes and myths
     ----------------

Some of these are PC-specific, rather than Mac-specific, while
some have no basis in reality on any system. [I look forward to
hearing about the first Turing machine infector....] They are
included here (a) because Mac support staff are accustomed to
being asked about them (b) because anything which -might- work
on a real PC -might- also work with DOS emulation, in principle.

  10.1

     There is *no* Good Times virus that trashes your hard disk
     and launches your CPU into an nth-complexity binary loop when
     you read mail with "Good Times" in the Subject: field.

     You can get a copy of Les Jones' FAQ on the Good Times Hoax from:

     Via FTP:

        ftp://usit.net/pub/lesjones/good-times-virus-hoax-faq.txt
        ftp://members.aol.com/macfaq/good-times-virus-hoax-faq.txt

     On the World Wide Web:

        http://www.nsm.smcm.edu/News/GTHoax.html

     There's a Mini-FAQ available as:

       ftp://usit.net/pub/lesjones/Good-Times-Virus-Hoax-Mini-FAQ.txt

  10.2

     The Psychic Neon Buddha Jesus virus is an allegedly humorous bit of
     javascript programming that found its way onto a website. On clicking
     on a particular button, you may be told that this virus has been
     detected. Javascript has many interesting properties, but virus
     detection is not one of them. It's a joke.

  10.3

     There is no modem virus that spreads via an undocumented
     subcarrier - whatever that means....

  10.4

     The PKZIP300 trojan (not a virus) is not exactly a hoax, but
     some mythology has gathered around it. In particular, it has no
     particular effect on V32 modems. It is rarely found, and can't
     affect Macintoshes unless you're running SoftWindows or other DOS
     emulation. NB This is not the same as running software such
     as PC-Exchange to read DOS disks.

  10.5

     The "Good Times"-like Irina virus is a publicity stunt
     orchestrated by Penguin books to hype an interactive book.
     There is no Irina virus, no College of Slavonic Studies in
     London, and no Professor Edward Prideaux working there.
     It has been pointed out to me that at least two of these names
     seem to echo John Le Carre's novel 'Tinker, Tailor, Soldier,
     Spy'. Which seems to merit a Smiley..... B-)

  10.6

     Any file virus can be transmitted as an E-mail attachment.
     However, the virus code has to be executed before it actually
     infects. Sensibly configured mailers and browsers don't allow
     this: check yours. In particular, check that your web browser
     doesn't automatically pass Word documents to Word 6 to open,
     since this may result in embedded macros being launched.

  10.7

     There is no known way in which a virus could sensibly be spread
     by a graphics file such as a JPEG or .GIF file, which does not
     contain executable code. Macro viruses work because the files to
     which they are attached are not 'pure' data files.


11.0 Glossary
     --------

* Change Detectors/Checksummers/Integrity Checkers - programs that
  keep a database of the characteristics of all executable files on
  a system and check for changes which might signify an attack by
  an unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
  the risk of being fooled by a virus which targets that particular
  checksummer.
* Dropper - a program which installs a virus or Trojan, often
  covertly.
* Generic - catch-all name for antivirus software which doesn't
  know about individual viruses, but attempts to detect viruses
  by detecting virus-like code, behaviour, or changes in files
  containing executable code.
* Heuristic scanners - scanners that inspect executable files for
  code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
  they are running for behaviour which might denote a virus.
* Scanner (conventional scanner, command-line scanner, on-demand
  scanner) - a program that looks for known viruses by checking for
  recognisable patterns ('scan strings', 'search strings',
  'signatures').
* Trojan (Trojan Horse) - a program intended to perform some covert
  and usually malicious act which the victim did not expect or want.
  It differs from a destructive virus in that it doesn't reproduce,
  (though this distinction is by no means universally accepted).
* Virus - a program (a block of executable code) which attaches
  itself to, overwrites or otherwise replaces another program in
  order to reproduce itself without the knowledge of the computer
  user. Most viruses are comparatively harmless, and may be present
  for years with no noticeable effect: some, however, may cause
  random damage to data files (sometimes insidiously, over a long
  period) or attempt to destroy files and disks. Others cause
  unintended damage. Even benign viruses (apparently non-destructive
  viruses) cause significant damage by occupying disk space and/or
  main memory, by using up CPU processing time, and by the time and
  expense wasted in detecting and removing them.
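As an added illustration of the Change Detector and Cryptographic Checksummer entries above (example code written for this digest, not part of David Harley's FAQ or any of the products it names), the following compares an unkeyed CRC32 fingerprint database with a keyed HMAC-SHA256 one when a simulated virus that "targets that particular checksummer" patches a file and then rewrites the stored fingerprint. The file names, contents and key are constructed; the "infection" is a fixed appended marker, not real code.

```python
import hashlib
import hmac
import zlib

# Constructed sample files standing in for a Mac system folder (not real code).
FILES = {
    "System:Finder": b"finder code v7.5",
    "Applications:Word 6": b"word 6 code",
}
# Constructed key; in practice it must live where a virus cannot read it
# (typed in by the user, or on a locked floppy), not beside the database.
KEY = b"user-supplied secret, not stored with the database"

def plain_checksums(files):
    # Unkeyed checksummer: any program can recompute a matching value after patching a file.
    return {name: zlib.crc32(data) for name, data in files.items()}

def keyed_checksums(files, key):
    # Cryptographic checksummer: HMAC-SHA256 tags cannot be recomputed without the key.
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}

def changed_files(baseline, current):
    # Report every file whose stored fingerprint no longer matches, plus new or missing files.
    return sorted(name for name in set(baseline) | set(current)
                  if baseline.get(name) != current.get(name))

def infect(files, target):
    # Simulated infection: a fixed marker appended to one file (constructed, no real virus).
    infected = dict(files)
    infected[target] = files[target] + b" [appended code]"
    return infected

def plain_checker_is_fooled():
    # A virus that targets this checksummer recomputes the CRC and patches the database.
    db = plain_checksums(FILES)
    after = infect(FILES, "Applications:Word 6")
    db["Applications:Word 6"] = zlib.crc32(after["Applications:Word 6"])  # virus rewrites entry
    return changed_files(db, plain_checksums(after)) == []  # nothing flagged: True

def keyed_checker_detects():
    # The same trick against the keyed database: without KEY the virus can only guess a tag.
    db = keyed_checksums(FILES, KEY)
    after = infect(FILES, "Applications:Word 6")
    db["Applications:Word 6"] = hashlib.sha256(after["Applications:Word 6"]).hexdigest()  # unkeyed guess
    return changed_files(db, keyed_checksums(after, KEY))  # ['Applications:Word 6']

if __name__ == "__main__":
    print("plain CRC database fooled:", plain_checker_is_fooled())
    print("keyed database flags:", keyed_checker_detects())
```

The keyed scheme only helps while the key stays out of the virus's reach, which is why the glossary says it lessens rather than removes the risk.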

12.0 General Reference Section
     -------------------------

12.1	 Mac newsgroups and FAQs

comp.sys.mac.apps
comp.sys.mac.comm
comp.sys.mac.misc
comp.sys.mac.system

[
  comp.virus
  alt.comp.virus

  The focus on these two groups tends to be IBM-compat, but Mac issues are
  certainly aired - alt.comp.virus is unmoderated, and the quality of the
  advice and opinions aired there is very variable - there are many
  reputable and expert posters, and many mischievous and misleading
  contributions. Caveat lector....
]

FAQs for c.s.m.misc and c.s.m.system
http://www.macfaq.com/miscfaq.html
http://www.macfaq.com/systemfaq.html

FAQ for c.s.m.comm
http://www.cs.ruu.nl/wais/html/na-bng/comp.sys.mac.comm.html

Word for Macintosh FAQ
ftp://mirrors.aol.com/pub/info-mac/info/sft/word-mac-faq-04.hqx


12.2	References

Sensei Consulting Macintosh WAIS Archives
http://wais.sensei.com.au/searchform.html

Inside the Apple Macintosh - Peter Norton & Jim Heid (Brady)
(The 2nd Edition is pre-PowerMac, and I haven't seen a later one,
but there's some surprisingly useful stuff in there).

Inside Macintosh (Addison Wesley).
(Umpteen volumes of low-level info. Expensive, and whenever you
get near some useful info, it refers you to one of the volumes
you haven't got. However, the series has been re-vamped since I
acquired my copies, and this may be less than just. If you're
unfortunate enough to be a Mac programmer, you'll need at least
some of it.)

12.3	Other relevant publications

MacWEEK magazine
http://www.macweek.com/
Macworld magazine
http://www.macworld.com/
MacUser magazine
http://www.macuser.com/
TidBITS
http://www.tidbits.com/

13.0 Holes to Plug
      -------------

13.1	 Mac troubleshooting

End of Mac virus FAQ

------------------------------

End of VIRUS-L Digest [Volume 9 Issue 206]
******************************************