Two New Macintosh Virus Variants Discovered
25 Feb 1993

First Virus (variant): CDEF
Damage: as with CDEF
Spread: unknown
Systems affected: Apple Macintosh computers running pre-Version 7.

A minor variant of the CDEF virus has been discovered. The damage and effects are identical to the original CDEF virus. CDEF viruses only affect Macintoshes running a version of the Mac OS prior to Version 7.

Almost all Macintosh anti-virus tools already detect this new strain of CDEF. The authors of all other major Macintosh anti-virus tools are planning updates to their tools to recognize this virus variant. Some of these are listed below. We recommend that you obtain and run a CURRENT version of AT LEAST ONE of these programs.

Second Virus (variant): T4-C
Damage: altered boot code; altered/damaged applications; damaged system
Spread: unknown
Systems affected: Apple Macintosh computers. All types.

The T4 virus was discovered in June of 1992. A previously unseen variant, being called T4-C, has recently been discovered. Many machines at the discovering site have been affected by T4-C, and the potential for wider dissemination exists.

Like the other T4 strains, this virus attempts to modify system boot code, and also changes the names of some applications to "Disinfectant". The virus does not work as (we assume) the author intended, and files may be left with changed names and possibly other damage. The system file may also be altered, and the damage may render some systems unbootable.

The virus also attempts to modify application files on the system disk. These alterations may damage some applications by overwriting portions of the programs with the virus code; as a result, some damaged applications may need to be reinstalled after the virus has been removed.

Once installed and active, the T4-C virus does not appear to perform any other overt damage. The virus, when active, may print a message indicating that the system is infected with the T4 virus.

Some Macintosh anti-virus tools already detect this new strain of T4. The authors of all other major Macintosh anti-virus tools are planning updates to their tools to locate and/or eliminate this virus. Some of these are listed below. We recommend that you obtain and run a CURRENT version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool: Central Point Anti-Virus
Status: Commercial software
Revision to be released: 2.01c
Where to find: CompuServe, America Online, sumex-aim.stanford.edu, Central Point BBS, (503) 690-6650
When available: immediately
Notes: Users do not need a revision of the AV application. Users need to obtain the 2/24/93 version of the MacSig file.

Tool: Disinfectant
Status: Free software (courtesy of Northwestern University and John Norstad)
Revision to be released: 3.0
Where to find: usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac
When available: immediately
Note: release 3.0 is *not* a major new release of Disinfectant. Be sure to read the release notes for details of the version number change.

Tool: Gatekeeper
Status: Free software (courtesy of Chris Johnson)
Revision to be released: No new revision needed; 1.2.7 works for both.
Where to find: usual archive sites and bulletin boards -- microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac
When available: immediately

Tool: Rival
Status: Commercial software
Revision to be released: All current versions starting with 1.1.9w are effective; no new release is needed.
Where to find it: AppleLink, America Online, Internet, CompuServe.
When available: Immediately.

Tool: SAM (Virus Clinic and Intercept)
Status: Commercial software
Revision to be released: 3.5.3
Where to find: CompuServe, America Online, AppleLink, Symantec's Customer Service @ 800-441-7234
When available: immediately
Notes: SAM 3.5 and SAM Intercept 3.0 both recognize these viruses, and both can remove the CDEF strain. An update is required to remove the T4-C strain from undamaged files. This may be obtained from the locations listed above, or by ftp from rascal.ics.utexas.edu in the mac/virus-catchers/SAM directory.

Tool: Virex
Status: Commercial software
Revision to be released: Current version is effective: 3.91
Where to find: Microcom, Inc (919) 490-1277
When available: February 28
Comments: Virex 3.91 will detect the viruses in any file, and repair any file that has not been permanently damaged. Users of Virex, version 3.82 or greater, are already able to detect the T4-C infection. The CDEF virus is detected and repaired in versions 3.0 and greater. All Virex subscribers will automatically be sent an update on diskette. All other registered users will receive a notice by mail. Datawatch's BBS number is: (919) 419-1602.

Tool: VirusDetective
Status: Shareware
Revision to be released: no new release is needed; current version is 5.0.6
When available: immediately

If you discover what you believe to be a virus on your Macintosh system, please report it to the vendor/author of your anti-virus software package for analysis. Such reports make early, informed warnings like this one possible for the rest of the Mac community. If you are otherwise unsure of who to contact, you may send e-mail to spaf@cs.purdue.edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more than a rude and damaging act of vandalism -- it is also a violation of many state and Federal laws in the US, and illegal in several other countries.
If you have information concerning the author of this or any other computer virus, please contact any of the anti-virus providers listed above. Several Mac virus authors have been apprehended thanks to the efforts of the Mac user community, and some have received criminal convictions for their actions. This is yet one more way to help protect your computers.