Abstracts from files in info-mac/vir as of Sun 17 Aug 1997

#### TEXT 00what-to-use.txt ****

Here are our current recommendations for virus-related tools. Such tools can be divided into three classes: those that prevent infections, those that warn you when an infection is present, and those that remove infection. This message only discusses non-commercial software.

1. Prevention

Two excellent tools for prevention of viral infections are the Disinfectant extension (distributed as part of the Disinfectant application) and the Gatekeeper package.

The Disinfectant extension is very easy to install and requires no user configuration. However, it is important to stay up-to-date with this tool, because it only recognizes viruses it has been taught about.

Gatekeeper is an effective virus-prevention method for the more technically inclined. It requires some customization to work well in a particular environment. The benefit of Gatekeeper is that it provides some protection against some possible kinds of future virus, not just

#### TEXT a-toast-to-disinfectant.txt ****

From: bmunday@tecnet1.jcte.jcs.mil
Date: Thu, 29 Sep 94 13:51:40 EDT
Subject: Disinfectant: A Toast (Summary)

To the moderators: This is a summary of the two files in the \info-mac\vir\ subdirectory entitled "a-toast-to-disinfectant.txt" and "a-toast-to-disinfectant-pt4.txt". It combines the two files into one, and I have also removed a lot of padding with spaces that somehow crept into the subfiles. As a result, this file is only 48k while the two subfiles total 72k. This should reduce (a little bit, at least) the required disk space. Please remove the two older files for me. Thank you.

To everyone else: This is a complete summary of the 95 messages I received in response to my request for messages thanking John Norstad and all the other folks who have helped with Disinfectant over the years.
Thanks to everyone who wrote; John sent me his thanks for the mailing, which I pass

#### BINHEX alternate-sam-35-install.hqx ****

From "gt3017c@prism.gatech.edu (William Homer Waits)" Tue Aug 24 17:03:34 1993
Date: Mon, 23 Aug 1993 22:55:39 -0400
From: gt3017c@prism.gatech.edu (William Homer Waits)
Subject: SAM Installer Scripts

In response to some complaints on the Internet regarding the un-intuitive installer script for Symantec's popular virus program SAM* 3.5. Symantec's script will not do an installation if you have replaced the original Virus Definition file. Go figure! I don't know about you, but I update mine when necessary on the original disks.

I have created my own scripts which should work fine. I have System 7.1, and I know it works there, but I also have created a System 6 installer. It should work fine, but I have no place to test it. Only the target folders have changed. These scripts only recognize the Virus Definitions file on the Decontamination Disk, so make sure that is where you place your updated Definition file.

If you decide to use these, please just e-mail me and let me know that you have used it. Also, let me know about any troubles you may have. I can be reached at the following addresses: gt3017c@prism.gatech.edu (until 6/94) or Heathen@aol.com

SAM* is copyrighted by Symantec Corp. I have no affiliation with them.

Al Bloom, this one's for you!

#### BINHEX disinfectant-37.hqx ****

From: ace@tidbits.com
Subject: Disinfectant 3.7, an essential anti-virus utility

This is version 3.7 of Disinfectant, John Norstad's venerable freeware anti-virus utility. It has been updated to detect a variant on the MBDF B virus that the Disinfectant INIT in version 3.6 caught, but which the 3.6 application missed. This file has been scanned and is free of all known viruses.
All Disinfectant users should update to this version, and anyone currently not using anti-virus software should seriously consider using Disinfectant to protect against potentially dangerous code viruses. Note that Disinfectant does NOT attempt to detect or remove macro viruses such as those that infect Microsoft Word documents.

#### BINHEX disinfectant-371.hqx ****

From: j-norstad@nwu.edu
Subject: Disinfectant 3.7.1

Disinfectant 3.7.1 is a new release of our free anti-viral utility for the Macintosh.

3.7.1 Release Notes (July 9, 1997)
----------------------------------

Version 3.7.1 fixes an error which could sometimes cause crashes when scanning very rare kinds of files which pass the new "more lenient" check for damaged resource forks which was introduced in 3.7.

3.7 Release Notes (July 7, 1997)
--------------------------------

Version 3.7 detects a minor variation of the MBDF B virus which was properly detected by the 3.6 INIT but not by the 3.6 application.

The Disinfectant manual now discusses the Microsoft macro virus problem. The introductory text displayed in Disinfectant's main window warns that Disinfectant does not recognize the macro viruses and refers the user to the manual for more details.

The "All Disks" command in the "Scan" menu has been changed to "All Local Disks". This command now only scans local disks, not network AppleShare servers.

The "All Disks" command in the "Disinfect" menu has been changed to "All Local Unlocked Disks". This command now only disinfects local unlocked disks, not network AppleShare servers or locked disks like CD-ROMs or locked floppies.

If you want to scan or disinfect servers, scan or disinfect them individually, or use the "Some Disks" commands in the "Scan" and "Disinfect" menus.

-- John Norstad

#### BINHEX gatekeeper-130.hqx ****

Date: Fri, 12 Nov 1993 16:38:22 -0600
From: chrisj@mbs.telesys.utexas.edu (Chris W.
Johnson)
Subject: Gatekeeper 1.3 (yes, two in as many days)

Gatekeeper 1.3 is a set of Macintosh system extensions (INITs) and related control panels (cdevs) which, when active (i.e. allowed to install themselves during the boot process) offer protection against attacks by all known viruses (to the author at the time of this release). Gatekeeper also monitors computer activities for what are considered to be suspicious 'events' or 'operations', in an attempt to intercept what could be variants of known viruses or even completely new viruses.

Since its initial release in January of 1989, Gatekeeper has repeatedly demonstrated its ability to stop the spread of viruses which were unknown during its design. Like any anti-virus system, however, it cannot guarantee complete protection.

Of course, no claims or promises are made regarding Gatekeeper's effectiveness or suitability, and some functions and capabilities of Gatekeeper are non-trivial to use and may require a careful reading of the documentation.

Gatekeeper 1.3 Release Notes 12-Nov-93
---------------------------------------------------

Gatekeeper 1.3 was created the day after 1.2.9 was released to fix a bug that caused all pre-7 systems to hang during startup, and crashed some System 7.x machines.

For those of you wondering about the story behind the bug, and why 1.2.9 missed its scheduled release date by three days, it's pretty simple. When the new viruses appeared, I was in the middle of work on a new and improved Gatekeeper which was going to be version 1.2.9 in a couple of months. Unfortunately the work, while mostly complete, still wasn't quite finished at the time those viruses appeared. So I had to either (a) try to finish the new improvements very quickly, or (b) rip them all out and return, more or less, to the functionality of 1.2.8. I went for option 'b'.
Unfortunately, while I was ripping out the nifty new code, I overlooked one file in one of the ten or so projects that currently combine to form Gatekeeper. Consequently, some of that new code which wasn't quite finished was built into one portion of version 1.2.9. Since it was mostly working, it passed all my in-house (actually "in-office" would be more accurate) tests prior to release, but failed when it finally met up with the real world.

Why didn't I just go back to the archived 1.2.8 source? Because there were some bug fixes and various uncontroversial (but significant) improvements already in 1.2.9 which I certainly wanted to be part of any new release.

So, here's 1.3; use it in good health. Please delete any copies of 1.2.9 that you may have laying around and spread the word that 1.3 is available.

[Thanks, BTW, go to Brian Price for allowing himself to be dragooned into running some last minute tests.]

----Chris

#### BINHEX good-times-virus-hoax-faq.hqx ****

Date: Tue, 9 May 1995 12:29:23 -0400
From: lesjones@usit.net (Leslie Jones)
Subject: Good Times Virus Hoax FAQ 5/9/95

As you probably know, the Good Times virus is a hoax. The FAQ provides answers to many questions about the hoax, gives a history, debunks some myths, and points to some other sources of information. The FAQ also gives directions for finding the two-page mini FAQ.

#### BINHEX hyper-gatekeeper-127.hqx ****

From: Wolfgang McKeown
Subject: hyper-gatekeeper-127

HyperGatekeeper is an anti-viral stack for all known HyperCard script viruses. It is designed to detect unknown viruses as well, but whether that will work or not depends on the individual viruses. This stack has been tested with all the viruses I had on hand (for some reason, HyperCard viruses are hard to find; I had to write almost all of the test viruses myself).
I have tried to make this stack the best it can be, but then no security is perfect. Any suggestions or complaints are welcome. (Please give a reason for your complaint, not just "I hate this thing; I'm not using it.")

This version (1.2.7) will detect viruses that try to evade HGK by unlocking a stack, infecting it, and then locking it again. To prevent the annoying problem of having to answer modification dialogs on old stacks after installing a new version of HGK, this version includes an updater that will upgrade an installed (in the Home stack) copy of version 1.2.5.

Wolfgang McKeown 8-)

#### BINHEX mac-sig-95-02-02.hqx ****

Date: Mon, 06 Feb 95 12:25:34 pst
From: "Matt Riley"
Subject: MacSig 2/2/95.sea

Will update MacTools to find and clean the NVP trojan Horse.

#### BINHEX mactools-antidotes-94-04-02.hqx ****

From: "Chall Fry"
Subject: Mac CPAV Antidotes 4/2/94
Date: 6 Apr 1994 14:47:25 -0800

Here's the MacTools CPAV antidotes file (aka MACSIG), dated 4/2/94. This has the README file included, and is ready to be placed on FTP sites. I'll also be sending this off to info-mac.

--Chall Fry-- (Central Point Software)

#### BINHEX mcafee-virus-scan-101.hqx ****

From: (Raul Almquist) strider@shadowmac.org
Subject: McAfee VirusScan v1.0.1 for the Mac.

Complete descriptive is included in the MacFile.ID textual descriptive file included in the archive.

#### BINHEX merry-xmas-killer.hqx ****

From LTAYLOR@CSBINA.CSUBAK.EDU Thu Sep 2 10:50:01 1993
Date: Wed, 1 Sep 1993 22:07:07 -0700 (PDT)
From: LTAYLOR@CSBINA.CSUBAK.EDU
Subject: "Merry Xmas" Killer

I have recently experienced one of the most annoying Macintosh parasites of all time -- the virus. Although only a HyperCard virus, "Merry Christmas" is an annoying little bugger to have, like any virus. Fortunately, I was able to spot it before it infected anything really important.

I highly suggest that anyone with HyperCard download this file. It will scan your stacks for Merry Christmas and permanently zap it.
Although small (less than 12K) it does its job very efficiently.

Have fun with HyperCard!

*Stiles

#### BINHEX merry-xmas-vaccine-32-hc.hqx ****

From: BillDS@aol.com
Subject: merryxmas Vaccine 3.2

KEYWORDS: VIRUS MERRYXMAS VACCINE XMAS PICKLE ANTIBODY INOCULATE

This stack eliminates script based viruses which spread themselves by appending the scripts of other stacks with additional instructions which in turn infects every stack they come in contact with. The original virus of this ilk is called "merryxmas." Since the appearance of merryxmas, other strains have surfaced such as merry2xmas, Lopez and others too crude to mention. merryxmas Vaccine catches them all-and it's FREE!

NEW in v3.2
----------

A well meaning merryxmas "antibody" has appeared. Unfortunately, while it may have good intentions, it is by definition a virus itself. It doesn't do any harm, but it does quietly insert itself into the Home stack and others in much the same way merryxmas does. Version 3.2 removes the antibody.

Requirements
------------

HyperCard v2.1 or later. Color monitors (optional) will display "status colors."

#### BINHEX merry-xmas-watcher-20.hqx ****

Date: Tue, 28 Feb 95 10:05:21 PST
From: kdunham@eosc.osshe.edu (Ken Dunham)
Subject: merryxmasWatcher2.0.cpt.hqx

merryxmasWatcher2.0.cpt.hqx is a free HyperCard 2.1 stack that scans for and eradicates the merryxmas and merry2xmas viruses. The watcher script, which is installed in the Home stack of HyperCard, will watch stacks for you as you work. By making use of the watcher script you won't need to scan each new HyperCard stack - you can work freely without the fear of being infected.

You have my permission to include this in your cd-rom.
Ken Dunham, La Grande Middle School
kdunham@eosc.osshe.edu, kdunham@ednet1.osl.or.gov
Science and Math Education, Merryxmas Virus Killer, HyperCard Developer

#### BINHEX rival-defs-9304b.hqx ****

Date: 22 Apr 93 09:22 GMT
From: NONE.FRED@AppleLink.Apple.COM (France - nOne Corp, F Miserey,IDV)
Subject: Re2: INIT-M Vaccine ready

Bill,

Will you please post the above "INIT-M Vaccine" for Rival below.

Yours,
Frederic
------------

#### BINHEX rudolph-20.hqx ****

From: jinglis@flannet.middlebury.edu (Jeff Inglis)
Subject: Rudolph

Rudolph is an automated merryxmas and merry2xmas virus fighter. It can detect and disinfect stacks infected with the merryxmas virus. Further, it inoculates stacks against ever being infected.

Rudolph is a major improvement over other anti-merryxmas stacks in the following ways:

1) automated execution and quitting (runs unattended in "Startup Items" or "Shutdown Items")
2) inoculation of stacks - prevent infection before it happens!
3) an option for single-file checking, disinfection, and inoculation (and not just an entire volume)

Rudolph was created by Jeff Inglis and Jim Rodda, of the Middlebury College Language Schools.

The merryxmas and merry2xmas viruses are HyperCard-only viruses.

Jeff Inglis

#### BINHEX sam-install-scripts-12.hqx ****

From: gt3017c@prism.gatech.edu (William Homer Waits)
Subject: SAM Install Scripts 1.2
Date: Sun, 9 Jan 1994 00:16:40 -0500

In response to some complaints on the Internet regarding the un-intuitive installer script for Symantec's popular virus program SAM* 3.5. Symantec's script will not do an installation if you have replaced the original Virus Definition file. Go figure! I don't know about you, but I update mine when necessary on the original disks.

I have created my own scripts which should work fine. I have System 7.1, and I know it works there, but I also have created a System 6 installer. It should work fine, but I have no place to test it. Only the target folders have changed.
These scripts only recognize the Virus Definitions file on the Decontamination Disk, so make sure that is where you place your updated Definition file. Also, if you are using System 7 or greater, SAM* Intercept and SAM* Intercept Jr. are both placed in the Extensions Folder.

If you decide to use these, please just e-mail me and let me know that you have used it. Also, let me know about any troubles you may have. I can be reached at the following addresses: gt3017c@prism.gatech.edu or Heathen@aol.com

My snail mail address is
William Waits
1471 Ashwood Way
Lawrenceville, GA 30243

SAM* is copyrighted by Symantec Corp. I have no affiliation with them.

Al Bloom, this one's for you!

Version History
-1.0 Initial Release
-1.2 Added better icons to custom window
     Read Me file reflects more accurate data

#### BINHEX sam-virus-defs-09-15-96.hqx ****

From: (Al Bloom) abloom@vt.edu
Subject: SAM-4 Virus Defs, Sep 96

Here is the latest set of SAM (v4 only) virus definitions from the Symantec ftp site. This latest version recognizes a bunch of new Word macro viruses, as specified in Symantec's readme below.

Al Bloom

>NEW WORD MACRO VIRUSES -
>
>As part of Symantec's commitment to virus protection, it is our
>responsibility to inform you that 7 new Word macro viruses were
>recently discovered, Color B, Divina, Friendly, Mad Dog, Nuclear B,
>Phantom and Polite, as well as the 1st Excel Macro virus, Laroux.
>
>Infection Characteristics:
>Color B
>Contains hidden macros which are added to the Normal template.
>
>Divina
>Contains AutoClose macro but doesn't spread on Macs.
>
>Friendly
>Contains 20 macros but doesn't spread on Macs. Causes "Unknown
>Command, Subroutine or Function" error when document is opened or
>"Type Mismatch" error when New or Open selected.
>
>MadDog (a.k.a. Concept G)
>Contains 6 macros but doesn't spread.
>
>Nuclear B
>Contains 7 macros which spread to Normal and other templates.
>
>Phantom
>Creates a new template and causes "Word cannot give a document the
>same name as an open document" error when opened.
>
>Polite
>Contains the FileClose and FileSaveAs macros; doesn't spread.
>
>Laroux
>The first Excel macro virus. Laroux doesn't spread on Macs but causes
>a "Path not found" error to be displayed when opened.
>
>
>UPDATE INSTRUCTIONS
> more...

#### BINHEX sam-virus-help-94-04-02.hqx ****

From: werner@rascal.ics.utexas.edu (Werner Uhrig)
Subject: SAM anti-viral help file
Date: Tue, 5 Apr 1994 00:21:17 -0500

Enclosed the updated Help file SAM_Virus_Help_940402_hqx in response to INIT-29-B

#### BINHEX sam3-virus-defs-95-07.hqx ****

Date: Tue, 01 Aug 95 09:58:50 EDT
From: "Allan M. Bloom"
Subject: SAM 3.x Virus Defs 07/28/95

NOTE: this file is for SAM 3.0.x and SAM 3.5.x only. If you have SAM 4.0.x, then you'll need to download SAMDef.405.

New Virus Definitions with a new def added for the HC9507 Hypercard virus. This is an .sea file. Download it. Expand it. Then drop these files onto the system folder and let them replace the files there now. Restart to verify that it is working correctly.

#### BINHEX sam4-virus-defs-95-11.hqx ****

From: "Allan M. Bloom"
Subject: SAM 4 Virus Defs 11/95

This is the latest version (4.07, 11/22/95) of SAM virus definitions for version 4 of SAM. Do not use with version 3. Sorry, no equivalent for SAM-3 was on CompuServe's Symantec forum. The below message from Stephen Zeffren explains the update.

Al Bloom

New SAM Virus Definitions file and SAM Help file for DETECTION ONLY of the new MSWord Macro Viruses. Download this file, expand by double clicking on it, and then drop the two files onto your System folder to replace the older files there now.
Restart and you're set.

#### BINHEX scrooge-20-hc.hqx ****

From: dickt@ucs.orst.edu (Thomas Dick)
Subject: Scrooge

Scrooge v2.0 kills the merryxmas hypercard virus and a good number of its possible mutations. Also at your option inserts "antibodies" into your stacks so that they become "immune" to this virus. The antibodies are quite inert, but they may trigger other merryxmas virus detection algorithms.

There were never any bug reports from the old version, but it did contain a, er... design flaw. To depict graphically that the new version has a better design, the icon has been changed from an elderly man to an elderly woman.

This stack is free; It is provided as a public service. Not as fancy or powerful as some of the other merryxmas vaccine programs, but smaller. Get merryxmas vaccine AND Scrooge even if you don't think you're infected to maximize herd immunity from this annoying pest. I hope the author of the merryxmas virus comes down with terminal crab lice.

Scrooge may be freely copied and distributed as long as you don't modify it. Send comments, bug reports re: this stack to dickt@ucs.orst.edu or PlatySoft@aol.com

http://users.aol.com/platysoft/

#### TEXT virex-viruses-detected.txt ****

From: alanc@ocf.Berkeley.EDU (Alan Coopersmith)
Date: Wed, 14 Jul 93 09:29:53 PDT
Subject: Virex 3.x Virus Definitions

The following text file lists viruses detected by all versions of Virex since 1.0. It also lists UDV codes for viruses discovered since version 3.5. The list came from the Datawatch forum on America Online.

Disclaimer: I have no relation to Datawatch/Virex other than being a customer. If you have any problems with Virex, please contact Datawatch directly.

--------------------------------------------------------------------------
Alan Coopersmith Internet: alanc@ocf.berkeley.edu U.C.
Berkeley Open Computing Facility America Online (AOL): AlanC Utah
--------------------------------------------------------------------------

Virex Version Information and UDV Codes for Recently Discovered Viruses

#### BINHEX virus-reference-216-hc.hqx ****

From: dpettit@Phoenix.kent.edu (Douglas Pettit)
Subject: VirusReference2.1.6

Virus Reference 2.1.6
Online Database of Macintosh Viruses

Virus Reference is a HyperCard based database of Macintosh viruses and trojan horses. Includes search capabilities, and detailed descriptions of symptoms. This update includes information on the Word Macro 9508 virus, recently discovered.

#### BINHEX virus-warning-20-hc.hqx ****

From: Matthias Kahlert
Subject: Virus Warning, Version 2.0

An AntiVirus HyperCard Stack. This stack helps you detect and disinfect your stacks, which may be infected with the "Merry XMas" Virus. You also can install an active virus protection in your home stack.

For more information use:
E-Mail: matthias.kahlert@rz.fh-regensburg.d400.de
Internet: http://rfhs0002.fh.uni-regensburg.de/~s1830/hypercard_e.html

Thanks
Matthias Kahlert, Regensburg/Germany, January 4th 1996