Newsgroups: comp.virus
Path: network.ucsd.edu!ihnp4.ucsd.edu!ucsnews!sol.ctr.columbia.edu!howland.reston.ans.net!newsserver.jvnc.net!netnews.upenn.edu!netnews.cc.lehigh.edu!news
From: spaf@cs.purdue.edu
Subject: New Mac Virus Announcement -- Please circulate (Mac)
Sender: virus-l@lehigh.edu
Message-ID: <0001.9403071055.AA01642@bull-run.ims.disa.mil>
Approved: news@netnews.cc.lehigh.edu
Date: Fri, 04 Mar 94 13:29:58 -0500
Distribution: world
Lines: 126

This is NOT an official posting from the PCERT.

New Macintosh Virus Discovered (INIT-9403)
3 March 1994

Virus: INIT-9403
Damage: Alters applications and system files. May destroy all disk volumes.
Spread: only in Italian version of MacOS so far, but extensive there.
Systems affected: All Apple Macintosh computers, all systems.

The INIT-9403 virus was recently discovered in Italy. It appears that the virus is being spread (initially) by an altered version of some pirated commercial software. This software, when run, installs the virus on the affected system.

Once present, the virus alters the Finder file, and may insert copies of itself in various compaction, compression, and archive programs. These infected files can then spread the virus to other Macintoshes. This virus can only spread under the Italian release of MacOS.

After a certain number of other files have been infected, the virus will erase disks connected to the system: it attempts to destroy disk information on all connected hard drives (> 16 Mb) and attempts to completely erase the boot volume.

The authors of all major Macintosh anti-virus tools are planning updates to their tools to locate and/or eliminate this virus. Some of these are listed below. We recommend that you obtain and run a CURRENT version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Central Point Anti-Virus
Status: Commercial software
Revision to be released: 3.0c
Where to find: Compuserve, America Online, sumex-aim.stanford.edu, Central Point BBS, (503) 690-6650
When available: immediately
Comments: New 'MacSig' antidote file available - dated 3/4/94.

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John Norstad)
Revision to be released: 3.4
When available: immediately
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: 1.3.1
When available: On or before March 11th
Where to find: usual archive sites and bulletin boards -- microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac
Comments: Some uncertainty remains as to the need for an update, but it is most likely that one will be required. People on the gatekeeper-news mailing list will be updated as details become available.

Tool: Rival
Status: Commercial software
Revision to be released: INIT-9403 Vaccine
When available: Immediately.
Where to find it: Contact the authors if you haven't upgraded to 1.2.5 yet. Otherwise, the vaccine will be sent directly to your account. America Online: RIVAL, AppleLink: TESTNONE, Compuserve: 73112,2144, Internet: miserey@laguna.ics.uci.edu

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.5.11
When available: immediately
Where to find: CompuServe, America Online, Applelink, Symantec's Customer Service @ 800-441-7234
Comments: Updates to various versions of SAM to detect and remove INIT-9403 are available from the above sources.


Tool: Virex
Status: Commercial software
Revision to be released: 5.02
Where to find: Datawatch Corporation, (919) 549-0711
When available: Detection Strings will be available 3/3 on AOL and on the "DataGate" BBS @ (919) 549-0042. Updated version with detection, repair and prevention capabilities will be available March 3.
Comments: Virex 5.02 will detect the virus in any file, and repair any file that has not been permanently damaged. All Virex Protection Service subscribers will automatically be sent an update on diskette.

Guide Number: 14713088
1: 0053 7973 3620 04D0 / B7
2: 3001 FC90 7714 0053 / E9
3: 7973 3642 6700 02A9 / 25
4: AB00 1DA9 AB81 8090 / 7B

Tool: VirusDetective
Status: Shareware
Revision to be released: 5.0.11
When available: immediately
Where to find: various Mac archives
Comments: VirusDetective is shareware. Search strings for the new virus will be sent only to registered users.

If you discover what you believe to be a virus on your Macintosh system, please report it to the vendor/author of your anti-virus software package for analysis. Such reports make early, informed warnings like this one possible for the rest of the Mac community. If you are otherwise unsure of who to contact, you may send e-mail to spaf@cs.purdue.edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more than a rude and damaging act of vandalism -- it is also a violation of many state and Federal laws in the US, and illegal in several other countries. If you have information concerning the author of this or any other computer virus, please contact any of the anti-virus providers listed above. Several Mac virus authors have been apprehended thanks to the efforts of the Mac user community, and some have received criminal convictions for their actions. This is yet one more way to help protect your computers.