Viruses and the Macintosh
=========================

Release version 1.4h: 12th January 1998

David Harley

[Significant changes from the previous version are flagged with + symbols
in the first two columns at the start of the relevant line or section.
Amendments of minor grammatical or syntactical errors are not flagged
unless they affect factual accuracy or clarity.]

Table of Contents
-----------------

1. Copyright Notice
2. Preface
3. Availability of this FAQ
4. Mission Statement
5. Where to get further information
   5.1 alt.comp.virus FAQ
   5.2 VIRUS-L/comp.virus FAQ
   5.3 Disinfectant on-disk manual
   5.4 Virus Test Center, Hamburg
   5.5 "Robert Slade's Guide to Computer Viruses"
   5.6 Web Pages with Macintosh virus information
   5.7 Virus Bulletin
   5.8 Information on macro viruses
   5.9 Kevin Harris's Virus Reference (HyperCard stack)
   5.10 McAfee Mac Virus Encyclopaedia
   5.11 Other resources
6. How many Mac viruses are there?
7. What viruses can affect Mac users?
   7.1 Mac-specific system and file infectors
   7.2 HyperCard Infectors
   7.3 Mac Trojans
   7.4 Macro viruses, trojans, variants
   7.5 Other, when emulation is run on a Mac
8. What's the best antivirus package for the Macintosh?
9. Welcome Datacomp
10. Hoaxes and myths
   10.1 Good Times virus
   10.2 Modems and Hardware viruses
   10.3 E-mail viruses
   10.4 JPEG/GIF viruses
   10.5 Hoaxes Help
11. Glossary
12. General Reference Section
   12.1 Mac Newsgroups and FAQs
   12.2 References
   12.3 Other Relevant Publications
13. Holes to Plug
   13.1 Mac Troubleshooting

1.0 Copyright Notice
--------------------

Copyright on this document remains with the author(s), and all rights are
reserved. However, it may be freely distributed and quoted - accurately,
and with due credit. It may not be reproduced for profit or distributed in
part or as a whole with any product for which a charge is made, except
with the prior permission of the copyright holder(s). To obtain such
permission, please contact the maintainers of the FAQ.
Primary author of this document is David Harley, who at present
co-maintains it with contributor Susan Lesch. Comments and additional
material have been received with gratitude from Ronnie Sutherland, Henri
Delger, and Eugene Spafford. Thanks go also to Bruce Burrell, Michael
Wright, David Miller, Ladd Van Tol, Jeremy Goldman, Kevin White, Robert
Slade, Robin Dover, and John Norstad for their comments and suggestions.

2.0 Preface
-----------

This document is intended to help individuals with computer virus-related
problems and queries, and to clarify the issue of computer viruses on
Macintosh platforms. It should *not* be regarded as being in any sense
authoritative, and has no legal standing. The author(s) accept(s) no
responsibility for errors or omissions, or for any ill effects resulting
from the use of any information contained in this document.

Corrections and additional material are welcome, especially if kept
polite.... Contributions will, if incorporated, remain the copyright of
the contributor, and be credited accordingly within the FAQ.

David Harley

3.0 Availability of this FAQ
----------------------------

The latest version of this document will be available from:

* http://www.macvirus.com/reference/
* http://webworlds.co.uk/dharley/

The webworlds site is semi-mirrored at:

* http://www.totalweb.co.uk/dharley/

It's also available from Henri Delger's Prodigy Anti-Virus Center file
library, as is the alt.comp.virus FAQ.

There are HTML versions at:

http://www.bocklabs.wisc.edu/~janda/macvir_faq.html
http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-virus/macintosh-faq/faq.html
http://www.faqs.org/faqs/computer-virus/macintosh-faq/
http://emt.doit.wisc.edu/macvir/macvir.html

4.0 Mission Statement
---------------------

This document is a little different to the alt.comp.virus FAQ, which
David Harley also co-maintains (at time of writing).
It is concerned with one platform only, and though it deals with the
Macintosh platform at more length than the alt.comp.virus FAQ can be
expected to, it is a great deal shorter. Nor is there the same degree of
urgency about the Mac virus field, though the risk element may be
somewhat underestimated in general, at present.

This FAQ originated from a concern over the spread of macro viruses, a
theme that is taken up below. Since questions about Macs and viruses tend
to appear more often in the Mac groups than in alt.comp.virus or Virus-L,
distribution of this FAQ is wider. So far, though, there has been no
direct feedback from the Mac-specific groups to which it has been posted.

5.0 Where to get further information
------------------------------------

5.1 The alt.comp.virus FAQ (not much Mac-specific material)

This is posted to alt.comp.virus approximately fortnightly. It includes a
document that summarizes and gives contact information for a number of
other virus-related FAQs. The latest version is available from:

* http://www.webworlds.co.uk/dharley/

Other Sources:

* ftp.gate.net/pub/users/ris1/acvfaqht.zip (hypertext version)
* ftp://ftp.gate.net/pub/users/ris1/acvfaq.zip (text version)
* http://www.drsolomon.com/
* http://www.innet.net/~ewillems/

5.2 The VIRUS-L FAQ

The Virus-L/comp.virus FAQ (also fairly low on Mac-specific information)
is regularly posted to the comp.virus newsgroup (version 2.0 at time of
writing). The latest version may be found at:

ftp://ftp.infospace.com/pub/virus-l/comp.virus-FAQ.09-Oct-95
ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip

This FAQ is very long and very thorough. The document is subject to
revision, so the file name may change.

5.3 Disinfectant on-disk documentation

The best single source of information on Mac viruses is the online help
included in the freeware package Disinfectant. Contact details below.
5.4 AntiVirus Catalog/CARObase (early work)

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/

5.5 "Robert Slade's Guide to Computer Viruses"

The disk included with the 2nd Edition of this excellent general resource
includes most of the information available at the University of Hamburg
(see 5.4). The book also contains a reasonable quantity of Mac-friendly
information. The disk includes a copy of Disinfectant 3.6, which is now
out-of-date.

http://www.amazon.com/exec/obidos/ISBN=0387946632/

Very few books primarily about computer viruses deal at any length with
Mac viruses (I can't think of one, at present). Some general books on the
Mac touch on the subject, but none I can think of add anything useful.
Some of the "Totally Witless User's Guide to......." books dealing with
security in general include information on PC -and- Mac viruses.
Unfortunately, the quality of virus-related information in such
publications is generally low.

5.6 Web Sites

Many major vendors have a virus information database online on their Web
sites. Symantec (www.symantec.com), McAfee (www.mcafee.com) and Dr.
Solomon's (www.drsolomon.com) include Macintosh virus information.
Precise URLs tend to come and go, but you might like to try the following:

Dr Solomon's "Mac Viral Zoo" Macintosh Virus Encyclopedia
http://www.drsolomon.com/products/virex/zoo/maczoopg.html

Symantec Antivirus Research Center
++ Virus Encyclopedia [updated]
++ Includes a new complete Macintosh virus database
http://www.symantec.com/avcenter/vinfodb.html

Network Associates, McAfee: Virus Information Library
http://www.mcafee.com/support/techdocs/vinfo/
++ http://www.mcafee.com/support/techdocs/vinfo/f_13707.asp

5.7 Virus Bulletin

The expensive (but, for the professional, essential) periodical Virus
Bulletin includes Mac-specific information from time to time.
However, if you have no interest in PC issues, you probably won't
consider it worth the expense.

Virus Bulletin Ltd
21 The Quadrant
Abingdon
Oxfordshire OX14 3YS
44 (0) 1234 555139
Compuserve 100070,1340
www.virusbtn.com
virusbtn@vax.ox.ac.uk

The proceedings of the 1997 Virus Bulletin conference contained a paper
by David Harley which significantly expands on many of the issues
addressed in this FAQ. Contact Virus Bulletin for further information on
the conference and on obtaining the proceedings.

5.8 Macro virus information resources

University of Hamburg Virus Test Center Macro Virus List
The definitive listing. All known macro viruses, some only found in
research labs, some in the wild.
ftp://agn-www.informatik.uni-hamburg.de/pub/texts/macro/

Other Sources:

http://www.drsolomon.com/
http://www.datafellows.com/vir-info/
http://www.symantec.com/avcenter/
http://www.mcafee.com/
http://www.avp.ch/avpve/
http://www.sophos.com/ (under Virus Information)

[The following absolute URLs may change: such is the way of Web
administrators..... If you get an error message, try the first part of
the URL, e.g. http://www.mcafee.com/ and drill down from there.]

Dr Solomon's Software Ltd.
http://www.drsolomon.com/vircen/enc/

Network Associates, McAfee
http://www.mcafee.com/support/techdocs/vinfo/f_3057.asp

Data Fellows
http://www.datafellows.com/macro/word.htm

Richard Martin put together an FAQ on this subject, though it doesn't
seem to have been updated recently.
ftp.gate.net/pub/users/ris1/word.faq

5.9 Kevin Harris's Virus Reference

(Describes WM.Concept.A.) Last updated 31-Aug-95. HyperCard stack;
requires HyperCard 2.1 or later.
ftp://mirrors.aol.com/pub/info-mac/vir/virus-reference-216-hc.hqx

5.10 McAfee Mac Virus Encyclopaedia

ftp://ftp.mcafee.com/pub/antivirus/mac/vencyc.hqx

The data definitions for McAfee VirusScan 2.0 included a free Macintosh
virus encyclopaedia in both SimpleText and HTML formats.
The information on Mac-specific viruses is pretty much the same as that
included in the original Disinfectant documentation. Covers the viruses
detected and repaired by VirusScan 2.0.9, including about 120 macro
viruses. Current as of about March '97.

5.11 Additional Resources

There are excellent pages on HyperCard viruses at HyperActive Software.
There is information on HyperCard infectors, a link to Bill Swagerty's
free Vaccine utility for detecting and cleaning them, a note on false
positives reported by commercial software, inoculation, and a free
HyperCard virus detection service.
http://www.hyperactivesw.com/Virus1.html

The CIAC virus database includes entries for PC, Macintosh, and a number
of other platforms. The Macintosh section also includes a number of joke
programs and one or two apparent hoaxes.
http://ciac.llnl.gov/ciac/CIACVirusDatabase.html

Last we checked [03-Sep-97], these sites probably need updating, though
some older files do have historical value. Info-Mac mirrors have
Macintosh information and Disinfectant, but some outdated virus
definitions and software at this writing; still, always worth a visit.
Also of interest, again sometimes outdated:

http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html
http://www.unt.edu/virus/macgeneral.html

A list of Mac viruses is available at:

http://www.totalweb.co.uk/dharley/macvir.html

At present, this mirrors information in this FAQ, but further development
will be on the website database rather than on these portions of the FAQ.

6.0 How many Mac viruses are there?
-----------------------------------

There are around 35 Mac-specific viruses that I know of, though Apple
are, I've heard, quoting 200-300. I don't know if these include every
minor variant, Trojans, HyperCard infectors and other macro viruses.
However, since Apple are not noticeably in the business of virus
detection and disinfection, I'd as soon go with the estimates of those
who are.
Mac users with Word 6 or versions of Excel supporting Visual Basic for
Applications, however, are vulnerable to infection by macro viruses which
are specific to these applications. Indeed, these viruses can,
potentially, infect other files on any hardware platform supporting these
versions of these applications. I don't know of a macro virus with a
Mac-specific payload that actually works at present, but such a payload
is entirely possible.

Word Mac version 5.1 and below do not support WordBasic, and are not,
therefore, vulnerable to direct infection. Not only do these versions not
understand embedded macros, they can't read the Word 6 file format
unaided. There is, however, at least one freeware utility which allows
Word 5.x users to read Word 6 files. This will not support execution of
Word 6 (or WinWord 2) macros in Word 5.x, so I would not expect either an
infection routine or a payload routine to be able to execute within this
application. However, Word 5.x users may contribute indirectly to the
spread of infected files across platforms and systems, since it is
perfectly possible for a user whose own system is uninfectable to act as
a conduit for the transmission of infected documents, whether or not s/he
reads them personally.

Files infected with a PC-specific file virus (this excludes macro
viruses) can only execute on a Macintosh running DOS or DOS/Windows
emulation, if then. They can, of course, spread across platforms simply
by copying infected files from one system to another.

DOS diskettes infected with a boot sector virus can be read on a Mac with
Apple File Exchange, PC Exchange, DOS Mounter etc. without (normally)
risk to the Mac. However, leaving such an infected disk in the drive
while booting an emulator such as SoftPC can mean that the virus attempts
to infect the logical PC drive, with unpredictable results.
I am aware of at least one instance of a Mac diskette which, when read on
a PC running a utility for reading Mac-formatted disks, was infected with
a boot-sector infector and became unreadable as a consequence of the boot
track infection.

7.0 What viruses can affect Macintosh users?
--------------------------------------------

Not all variants are listed here, yet, though I intend to reference all
the major variants at least by name eventually; but there might be enough
to get you going....

The following varieties are listed below:

7.1 Mac-specific system and file infectors
7.2 HyperCard Infectors
7.3 Mac Trojans
7.4 Macro viruses, trojans, variants
7.5 Other OS viruses and malware when emulation is run on a Mac

It appears also that some Mac viruses may damage files on Sun systems
running MAE or AUFS.

7.1 Mac-specific viruses, excluding HyperCard infectors

AIDS - infects application and system files. No intentional damage.
(nVIR B strain)

Aladin - close relative of Frankie.

Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under
System 7.x, or System 6 under MultiFinder. Can damage applications so
that they can't be 100% repaired.

CDEF - infects desktop files. No intentional damage, and doesn't spread
under System 7.x.

CLAP - nVIR variant that spoofs Disinfectant to avoid detection
(Disinfectant 3.6 recognizes it).

Code 1 - file infector. Renames the hard drive to "Trent Saburo".
Accidental system crashes possible.

Code 252 - infects application and system files. Triggers when run
between June 6th and December 31st. Runs a gotcha message ("You have a
virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks... [etc.]"), then
self-deletes. Despite the message, no intentional damage is done, though
shutting down the Mac instead of clicking to continue could cause damage.
Can crash System 7 or damage files, but doesn't spread beyond the System
file. Doesn't spread under System 6 with MultiFinder beyond System and
MultiFinder.
Can cause various forms of accidental damage.

Frankie - only affects the Aladdin emulator on the Atari or Amiga.
Doesn't infect or trigger on real Macs or the Spectre emulator. Infects
application files and the Finder. Draws a bomb icon and displays
"Frankie says: No more piracy!"

Fuck - infects application and System files. No intentional damage.
(nVIR B strain)

Init 17 - infects System file and applications. Displays the message
"From the depths of Cyberspace" the first time it triggers. Accidental
damage, especially on 68K machines.

Init 29 (Init 29 A, B) - spreads rapidly. Infects system files,
applications, and document files (document files can't infect other
files, though). May display a message if a locked floppy is accessed on
an infected system: 'The disk "xxxxx" needs minor repairs. Do you want to
repair it?'. No intentional damage, but can cause several problems:
multiple infections, memory errors, system crashes, printing problems,
MultiFinder problems, startup document incompatibilities.

Init 1984 - infects system extensions (INITs). Works under Systems 6 and
7. Triggers on Friday 13th. Damages files by renaming them, changing file
TYPE and file CREATOR, creation and modification dates, and sometimes by
deleting them.

Init-9403 (SysX) - infects applications and Finder under Systems 6 and
7. Attempts to overwrite the whole startup volume and disk information on
all connected hard drives. Only found on Macs running the Italian version
of MacOS.

Init-M - replicates under System 7 only. Infects INITs and application
files. Triggers on Friday 13th. Similar damage mechanisms to INIT-1984.
May rename a file or folder to "Virus MindCrime". Rarely, may delete
files.

MacMag (Aldus, Brandow, Drew, Peace) - first distributed as a HyperCard
stack Trojan, but only infected System files. Triggered (displayed a
peace message and self-deleted) on March 2nd 1988, so very rarely found.

MBDF (A, B) - originated from the Tetracycle, Tetricycle or
"tetris-rotating" Trojan.
The A strain was also distributed in Obnoxious Tetris and Ten Tile
Puzzle. Infect applications and system files including System and
Finder. Can cause accidental damage to the System file and menu problems.
A minor variant of MBDF B appeared in summer 1997: Disinfectant and Virex
have been updated accordingly.

MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D) - infect System file and
application files (D doesn't infect System). No intentional damage, but
can cause crashes and damaged files.

nCAM - nVIR variant.

nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu) - infect System
and any opened applications. Extant versions don't cause intentional
damage. Payload is either beeping or (nVIR A) saying "Don't panic" if
MacInTalk is installed.

nVIR-f - nVIR variant.

prod - nVIR variant.

Scores (Eric, Vult, NASA, San Jose Flu) - aimed to attack two
applications that were never generally released. Can cause accidental
damage, though: system crashes, problems printing or with MacDraw and
Excel. Infects applications, Finder, DA Handler.

T4 (A, B, C) - infects applications, Finder, and tries to modify System
so that startup code is altered. Under System 6 and 7.0, INITs and system
extensions don't load. Under 7.0.1, the Mac may be unbootable. Damage to
infected files and the altered System is not repairable by Disinfectant.
The virus masquerades as Disinfectant, so as to spoof behaviour blockers
such as Gatekeeper. Originally included in versions 2.0/2.1 of the public
domain game GoMoku.

WDEF (A, B) - infects desktop file only. Doesn't spread under System 7.
No intentional damage, but causes beeping, crashes, font corruption and
other problems.

zero - nVIR variant.

Zuc (A, B, C) - infects applications. The cursor moves diagonally and
uncontrollably across the screen when the mouse button is held down while
an infected application is run. No other intentional damage is done.
7.2 HyperCard infectors

These are a somewhat esoteric breed, but a couple have been seen since
Disinfectant was last upgraded in 1995, and most of the commercial
scanners detect them.

Dukakis - infects the Home stack, then other stacks used subsequently.
Displays the message "Dukakis for President", then deletes itself, so not
often seen.

HC 9507 - infects the Home stack, then other running stacks and randomly
chosen stacks on the startup disk. On triggering, displays visual effects
or hangs the system. Overwrites stack resources, so a repaired stack may
not run properly.

HC 9603 - infects the Home stack, then other running stacks. No intended
effects, but may damage the Home stack.

HC virus/HyperCard/Two Tunes - infects stack scripts. Visual/audio
effects: 'Hey, what are you doing?' message; plays the tune "Muss I
denn"; plays the tune "Behind the Blue Mountains"; displays HyperCard
toolbox and pattern menus; 'Don't panic!' fifteen minutes after
activation.

MerryXmas - appends to stack script. On execution, attempts to infect
the Home stack, which then infects other stacks on access. There are
several strains, most of which cause system crashes and other anomalies.
At least one strain replaces the Home stack script and deletes stacks run
subsequently. Variants include Merry2Xmas, Lopez, and the rather
destructive Crudshot.

[Ken Dunham discovered the merryXmas virus. His program merryxmasWatcher
2.0 was very popular and still can eradicate the most common two strains,
merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest
of this family.]

Antibody is a recent virus-hunting virus which propagates between stacks
checking for and removing MerryXmas, and inserting an inoculation script.

Independance (sic) Day was reported in July, 1997. It attempts to be
destructive, but fortunately is not well enough written to be more than a
nuisance.
More information at:
http://www.hyperactivesw.com/Virus1.html#IDay

7.3 Trojans (Trojan Horses)

These are often unsubtle and immediate in their effects: while these
effects may be devastating, Trojans are usually very traceable to their
point of entry. The few Mac-specific Trojans are rarely seen, but of
course the commercial scanners generally detect them.

ChinaTalk - system extension. Supposed to be a sound driver, but actually
deletes folders.

CPro - supposed to be an update to Compact Pro, but attempts to format
currently mounted disks.

FontFinder - supposed to list fonts used in a document, but actually
deletes folders.

MacMag - HyperCard stack (New Apple Products) that was the origin of the
MacMag virus. When run, infected the System file, which then infected
System files on floppies. Set to trigger and self-destruct on March 2nd,
1988, so rarely found.

Mosaic - supposed to display graphics, but actually mangles directory
structures.

NVP - modifies the System file so that no vowels can be typed. Originally
found masquerading as 'New Look', which redesigns the display.

Steroid - Control Panel. Claims to improve QuickDraw speed, but actually
mangles the directory structure.

Tetracycle - implicated in the original spread of MBDF.

Virus Info - purported to contain virus information but actually trashed
disks. Not to be confused with Virus Reference.

Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which
disables PostScript printers and requires replacement of a chip on the
printer logic board to repair. I'm indebted to Gene Spafford for the
following summary.

"The PostScript 'Trojan' was basically a PostScript job that toggled the
printer password to some random string a number of times.
Some Apple laser printers have a firmware counter that allows the
password to only be changed a set number of times (because of PRAM
behavior or licensing -- I don't remember which), so eventually the
password would get "stuck" at some random string that the user would not
know. I have not heard any reports of anyone suffering from this in many
years."

AppleScript Trojans - A demonstration destructive compiled AppleScript
was posted to the newsgroups alt.comp.virus, comp.sys.mac.misc,
comp.sys.mac.system, it.comp.macintosh, microsoft.public.word.mac,
nl.comp.sys.mac, no.mac, and symantec.support.mac.sam.general on
16-Aug-97, apparently in response to a call for help originally posted to
alt.comp.virus on 14-Aug-97 and a followup on 15-Aug-97. On 03-Sep-97,
MacInTouch published Xavier Bury's finding of a second AppleScript trojan
horse, which, like the call for help followup, mentioned Hotline servers.
It reportedly sends out private information while running in the
background. A note to users from Hotline Communications CEO Adam Hinkley
is now posted at .

AppleScripts should be downloaded only from known trusted sources. It is
nigh impossible for an average person to know what any given compiled
script will do.

7.4 Macro viruses/Trojans

At the time of the longstanding second-to-last upgrade of Disinfectant
(version 3.6 in early 1995), there were no known macro viruses in the
wild, apart from HyperCard infectors. In any case, Disinfectant was
always intended to deal with system viruses, not trojans or macro/script
viruses. However, many users are unaware of these distinctions and assume
that Disinfectant is a complete solution.

Unfortunately, the number of known macro viruses is at the time of
writing [11-Aug-97] well in excess of 1000, though the number in the wild
is far fewer. Most macro viruses (if they have a warhead at all) target
Intel platforms and assume FAT-based directory structures, so they
usually have no discernible effect on Macs when they trigger.
Viruses that manipulate text strings within a document may work just as
well on a Macintosh as on a PC. In any case, the main costs of virus
control are not recovery from virus payloads, but the costs of
establishing detection and protection (or of not establishing them). The
costs of not establishing these measures can be considerable,
irrespective of damage caused on infected machines, especially in
corporate environments. Secondary distribution of infected documents may
result in:

* civil action - for instance, inadvertent distribution of an infected
  document to external organisations may be in breach of contractual
  obligations
* legal action in terms of breach of data-protection legislation such as
  the UK Data Protection Act or the European Data Protection directive.
  The eighth principle of the Data Protection Act, for instance, requires
  that security measures are taken to protect against unauthorised access
  to, and alteration, disclosure and destruction of personal data, or its
  accidental loss.
* damage to reputation - no legitimate organisation wants to be seen as
  being riddled with viruses.

Since Word 6.x for Macintosh supports WordBasic macros, it is as
vulnerable as Word 6.x and 7.x on Intel platforms to being infected by
macro viruses, and therefore to generating other infected documents (or,
strictly speaking, templates). Working Excel viruses are now beginning to
appear also, and any future Macintosh application that supports Visual
Basic for Applications will also be vulnerable. Note also the possibility
of virus-infected files embedded as objects in files associated with
other applications: this possibility exists on any platform that supports
OLE.

Macro viruses are therefore highly transmissible via Macintoshes, even if
they don't have a destructive effect on Motorola platforms, if there is
an equivalent application available on the Macintosh. For instance,
although Word for Windows versions before version
6 support WordBasic, Word versions for the Mac up to and including
version 5.1 do not. [Thus Word 5.1 users can not be directly infected,
but may, like anyone, pass on infected documents to vulnerable systems.]
Unless running DOS/Windows emulation, the Green Stripe macro virus is not
normally a danger on Macs, since there is no AmiPro/WordPro for
Macintosh.

McAfee, Symantec, and Dr. Solomon's all make known-virus scanners that
detect a range of macro viruses. Microsoft make available a free
'protection tool' whose effectiveness is often overestimated. (See
below.) For further information on specific macro viruses, try one of
the information resources given earlier.

7.5 Other Operating Systems (DOS/Windows in Emulation)

Any Mac running any sort of DOS or Windows emulation such as Virtual PC,
SoftPC, SoftWindows, RealPC, or a DOS compatibility card is a potential
target for any PC virus, including Boot Sector Infectors/Multipartites
(effects will vary). It is highly recommended that anyone with such a
system should run a reputable, up-to-date PC antivirus program under
emulation, as well as a good Mac antivirus program. [Dr. Solomon's for
the Mac detects PC boot sector infectors as well as Mac viruses, but
doesn't detect PC file viruses (apart from macro viruses), and so is not
sufficient protection for a Mac with DOS emulation.]

F-PROT, by Frisk Software International, is free for private use, and
highly regarded; commercial licenses and professional versions are
available. The latest "fp-..." file
(for example, fp-228.zip) in this directory should be current:
ftp://mirrors.aol.com/pub/simtelnet/msdos/virus/

To find a commercial or shareware package, check through the independent
comparative reviews sites:

University of Hamburg Virus Test Center
http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

University of Tampere Virus Research Unit
http://www.uta.fi/laitokset/virus/

Secure Computing
http://www.westcoast.com/

Virus Bulletin
http://www.virusbtn.com/

Robert Michael Slade's lists may also be helpful.
http://www.freenet.victoria.bc.ca/techrev/quickref.html
http://www.freenet.victoria.bc.ca/techrev/rms.html

8.0 What's the best anti-virus package for the Macintosh?
---------------------------------------------------------

As ever, I can't give a definitive answer to this. Here are some thoughts
on the main contenders.

8.1 Microsoft's Protection Tool

Microsoft's Macro Virus Protection Tool detects Concept (Nuclear and DMV
are also mentioned in the documentation, but there is no indication that
it actually recognises them), but its principal purpose is merely to warn
users that the document they are about to open contains macros and offer
the choice of opening the file without macros, opening it with macros, or
cancelling the File Open. It can be obtained from:

http://www.microsoft.com/office/antivirus/ (look for mvtool1222.hqx)
MSN: GO MACROVIRUSTOOL
AOL: the Word forum
CompuServe: the Word forum

Microsoft Product Support Services
206-462-9673 (WinWord)
206-635-7200 (Word Mac)
email: wordinfo@microsoft.com

NB The Protection Tool traps some File Open operations, but not all.
There are a number of ways of opening a document which bypass it, some of
which are rather commonly used (e.g. double-clicking or using the Recent
Documents list).

The Protection Tool can be used to scan for Concept-infected files, but
there are a number of possible problems with it.
* Earlier versions could only handle a limited size of directory tree,
  and ran very slowly if a large number of files required scanning. Speed
  is certainly still a problem: I can't say about the overflow problem.
* Files created in Word for Windows won't be scanned until they've been
  opened in Word 6 for Mac (this is a system issue, not a bug in the
  code). However, Microsoft suggest that you open the file in Word for
  the Macintosh and save it before scanning. This will do the job, but
  will also infect your system, if the file is infected. If it's infected
  with a virus -other- than Concept, this could create problems if the
  Protection Tool is bypassed on a subsequent file open.
* Infected files embedded in OLE2 files or e-mail files will not be
  detected.

Windows 95 users should be aware that this tool is not recommended for
use with MS Word 7.0a for Windows with internal detection enabled, as
these two tools will cancel each other out.

Microsoft's home page now recommends using an NCSA-certified antivirus
utility and sidesteps any hint of responsibility for any macro virus or
SCANPROT related problems. Note that:

(1) not everyone is happy with the current implementation of NCSA
    certification
(2) NCSA certification is not at present Mac-aware.

8.2 Disinfectant

Disinfectant is an excellent anti-virus package with exemplary
documentation, and doesn't cost a penny: however, it doesn't detect all
the forms of malware that a commercial package usually does, including
HyperCard infectors, most Trojans, jokes or macro viruses. Unlike some
commercial packages, it doesn't scan compressed files, either: compressed
files should be expanded before scanning. Self-extracting archives should
probably be scanned before unpacking, then again when unpacked.

Anyone using recent versions of Microsoft Office applications should be
aware that macro viruses -do- infect on these software platforms and may
trigger on them too.
Disinfectant is, therefore, no longer sufficient protection by itself for systems that have these applications installed. There -is- clearly still a commitment to updating Disinfectant to address those types of virus which it -does- deal with.

Arguably, systems that don't have these applications should also be protected:

* With a view to protection in the future from infected files acquired now, if the user should change to Office in the future.

* To guard against the spreading of infected files by way of uninfectable systems.

Disinfectant is available from:

ftp://ftp.acns.nwu.edu/pub/disinfectant/
CompuServe
GEnie
America Online
Calvacom
Delphi
BIX
Info-Mac mirrors in the ../vir/ directory

The Disinfectant README has been updated with 3.7.x and includes the following note.

: Important Note
: ==============
:
: Disinfectant only attempts to deal with Mac system viruses, not Trojan
: horses, practical jokes, DOS or Windows viruses, worms,
: application-specific scripting or macro viruses like the Hypercard and MS
: Word 6 viruses, or any other kind of computer "malware".
:
: Microsoft Word 6 cross-platform "macro viruses" like the widespread
: "Concept" virus are currently a major problem for MS Word 6 users. You
: don't have to worry about them if you don't use Word 6. If you need
: protection against the MS Word 6 macro viruses, I recommend a commercial
: anti-virus product.

This addresses fully my previous complaint that the README could be taken as an endorsement of Microsoft's inadequate protection tool. I'd still quibble at the assertion that people who don't use Word 6 don't have to worry about macro viruses.

(1) Not all macro viruses are Word-specific
(2) Even if your own system can't be infected, you can still pass on an infected file inadvertently, if you aren't running a known-virus scanner which detects that particular class of virus.
8.3 Fully-functioning Demo Software

A 30-day evaluation version of VirusScan is available from Network Associates, McAfee:
http://www.mcafee.com/leads/evallead.asp

A 30-day evaluation copy of SAM is available from Symantec:
http://www.symantec.com/trialware/dlnavmac451.html

8.4 Other freeware/shareware packages

For other freeware/shareware Mac packages, try Info-Mac mirrors like:
ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds some older documentation on Mac viruses.
http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

Gatekeeper was not a scanner, but a generic tool. It is no longer supported by its author, but is still available on some sites. It is probably not safe to use or rely on with modern systems, and I believe the author recommends that people don't attempt to use it, though I've been unable to contact him to get confirmation.

In January 1997 Padgett Peterson, author of the PC utility DiskSecure, released the first version of his MacroList macro detection tool, which has been tested by the author on Macs (System 7.5 on SE/30, IIci and PowerMac) as well as Windows PCs, using considerably more macro viruses than Microsoft seem to have heard of.....

The MacroList template is accessed by a button in the standard toolbar. This is not a virus scanner, but allows disabling of automacros, listing of any macros found in the current document etc. Version 1.10 was due for release by the time of writing (February 1997), and an adaptation for Office97 is in progress. Watch the Web page for further details. [v1.1 and the Office 97 "late beta" were available as at 18th March 1997.]

http://www.freivald.org/~padgett/ (under Anti-Virus Hobby) - NB change of URL.

MacroList is freeware, but please be sure to read the TRIALS link.

8.5 Commercial packages

Commercial packages include SAM (Symantec Antivirus for Macintosh), Virex for Macintosh, McAfee (Network Associates) VirusScan and Dr. Solomon's AntiVirus ToolKit for Macintosh.
++ VirusScan version 3.0 features a new user interface, enhanced macro virus scanning, text-to-speech, improved performance, and system administrator support for email notification, customized distribution, and Novell NetWare. VirusScan 3.0 is Mac OS 8 and System 7 compatible. A fully-functional 30-day evaluation copy can be downloaded from the Network Associates-McAfee Web site. At the time of writing, current virus definitions were available for the 2.1.8 and 3.0 scanning engines.

VirusScan direct purchase and download:
++ http://www.mcafeemall.com/mall/mcafee/vsmacxfact.html

SAM and Virex offer checksumming/integrity checking (detecting possible infection by unknown viruses by monitoring changes in infectable files: the correct checksums or fingerprints for individual files are kept in a database file). Both applications check files compressed with StuffIt.

SAM is particularly oriented towards behaviour blocking: the Intercept tool can be configured to raise an alert at the slightest whiff of a 'suspicious' operation. Unfortunately, this can be counterproductive in real life, since an over-stringent alert policy is apt to result in the facility being turned off altogether. However, configuration is very flexible. Version 4.5 includes the SAM Administrator package for distribution and customization of installations, including password locking.

Virex offers very fast scanning, is easy to update, and includes checksumming for the detection of unknown viruses. It's also possible to buy an administration package. The basic package includes a control panel for scanning on file or diskette access which can be locked independently of the administration package. Installation and interface are easy and efficient. Virex 5.8 scans ZIP archives, has a Contextual Menu Plug-In Module, and interface enhancements.

Dr Solomon's Software acquired Virex and netOctopus from Datawatch Corporation on 10-Oct-97.
http://www.drsolomon.com/

Updates and other services are now provided by Dr Solomon's.

++ Virex and Virex Administrator have these new home pages:
http://www.drsolomon.com/products/virex/index.cfm
http://www.drsolomon.com/products/vadmin/index.cfm

++ SAM application Minimum and Preferred memory allocations must be increased from their shipping defaults to 5000K or greater. The [January 1998] SAM definitions files included a Read Me with instructions. More information may be available from Symantec SAM support on the Web.

Dr. Solomon's for Macintosh has the unusual capacity for detecting (not cleaning) PC boot-sector viruses on DOS floppies, which could be very useful in a mixed environment. It doesn't scan compressed files (oddly, since this is one of the strengths of the DOS/Windows version). Nor does it include checksumming. The manual is a bit sloppy, especially the virus descriptions: for instance, there's no indication that Frankie doesn't affect real Macs, only emulators. Terminology is a bit idiosyncratic, too: the frequent references to 'link' viruses are rather non-standard. The MacGuard control panel scans on file access, launch of INITs etc.

Dr. Solomon's, VirusScan, Virex and SAM all address Trojans and macro viruses, and can do scheduled scanning.

Sophos, who supply the Sweep scanner for PCs etc., do not have a stand-alone Macintosh scanner, but do have a Macintosh client version of their InterCheck technology. This runs as an extension and communicates with the InterCheck server when an application is run on the client machine.

8.6 Contact Details

Datawatch Corporation
234 Ballardvale Street
Wilmington MA 01887
+1 508 988 9700
fax: +1 508 988 0105
http://www.datawatch.com/
ftp://ftp.datawatch.com/pub/virex/

Network Associates, McAfee (for VirusScan).
McAfee Associates
2710 Walsh Ave
Santa Clara, CA 95051 95054-3107
USA
Voice (408) 988-3832
FAX (408) 970-9727
BBS (408) 988-4004
CompuServe ID: 76702,1714 or GO MCAFEE
mcafee@netcom.com
ftp://ftp.mcafee.com/pub/antivirus/
http://www.mcafee.com/

Dr. Solomon's Software Ltd. (for Dr. Solomon's AntiVirus ToolKit and Virex)
Alton House
Gatehouse Way
Aylesbury
Buckinghamshire HP19 3XU
United Kingdom
UK Support: support@uk.drsolomon.com
US Support: support@us.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 781-273-7400, 1-888-DRSOLOMON
CompuServe: GO DRSOLOMON
Web: http://www.drsolomon.com
FTP: ftp://ftp.drsolomon.com

Symantec Corporation (for SAM)
10201 Torre Avenue
Cupertino CA 95014
+1 408 725 2762
Fax: +1 408 253 4992
US Support: 541-465-8420
AOL: SYMANTEC
European Support: 31-71-353-111
Australian Support: 61-2-879-6577
http://www.symantec.com/
ftp://ftp.symantec.com/

Sophos plc
The Pentagon
Abingdon
Oxon
England OX14 3YP
http://www.sophos.com/

9.0 Welcome Datacomp
----------------

From time to time there are reports from Mac users that the message 'Welcome Datacomp' appears in their documents without having been typed. This is the result of using a Trojanised 3rd-party Mac-compatible keyboard with this 'joke' hard-coded into the keyboard ROM. It's not a virus - it cannot infect anything. The only cure is to replace the keyboard.

10.0 Hoaxes and myths
----------------

Some of these are PC-specific, rather than Mac-specific, while some have no basis in reality on any system. [I look forward to hearing about the first Turing machine infector....] They are included here (a) because Mac support staff are accustomed to being asked about them (b) because anything that -might- work on a real PC -might- also work with DOS emulation, in principle.

10.1 Good Times virus

There is *no* Good Times virus that trashes your hard disk and launches your CPU into an nth-complexity binary loop when you read mail with "Good Times" in the Subject: field.
You can get a copy of the latest version of Les Jones' FAQ on the Good Times Hoax on the World Wide Web:
http://www.usit.net/public/lesjones/goodtimes.html

There's a Mini-FAQ available as:
http://www.public.usit.net/lesjones/gtminifaq.html

10.2 Modems and Hardware viruses

There is no modem virus that spreads via an undocumented subcarrier - whatever that means....

There is no virus that causes damage to hardware.

10.3 Email viruses

Any file virus can be transmitted as an E-mail attachment. However, the virus code has to be executed before it actually infects. Sensibly configured mailers and browsers don't allow this: check yours. In particular, check that your Web browser doesn't automatically pass Word documents to Word 6 to open, since this may result in embedded macros being launched.

10.4 JPEG/GIF viruses

There is no known way in which a virus could sensibly be spread by a graphics file such as a JPEG or .GIF file, which does not contain executable code. Macro viruses work because the files to which they are attached are not 'pure' data files.

10.5 Hoaxes Help

If you should receive a virus warning, look at these sites before forwarding it along. A statement like, "Please forward to everyone!" is one mark of a hoax.

Computer Virus Myths home page
http://www.kumite.com/myths/

CIAC
http://ciac.llnl.gov/ciac/CIACHoaxes.html

Data Fellows
http://www.datafellows.com/news/hoax.htm

11.0 Glossary
--------

* Change Detectors/Checksummers/Integrity Checkers - programs that keep a database of the characteristics of all executable files on a system and check for changes which might signify an attack by an unknown virus.

* Cryptographic Checksummers use an encryption algorithm to lessen the risk of being fooled by a virus that targets that particular checksummer.

* Dropper - a program that installs a virus or Trojan, often covertly.
* Generic - catch-all name for antivirus software that doesn't know about individual viruses, but attempts to detect viruses by detecting virus-like code, behaviour, or changes in files containing executable code.

* Heuristic scanners - scanners that inspect executable files for code using operations that might denote an unknown virus.

* Monitor/Behaviour Blocker - a TSR that monitors programs while they are running for behaviour which might denote a virus.

* Scanner (conventional scanner, command-line scanner, on-demand scanner) - a program that looks for known viruses by checking for recognisable patterns ('scan strings', 'search strings', 'signatures') or using a more flexible algorithmic approach for detection of polymorphic viruses, which can't be found by a search for a simple scan string. These are not usually associated with the Macintosh platform, but there is a bimorphic Word Macro virus.

* Trojan (Trojan Horse) - a program intended to perform some covert and usually malicious act that the victim did not expect or want. It differs from a destructive virus in that it doesn't reproduce (though this distinction is by no means universally accepted).

* Virus - a program (a block of executable code) that attaches itself to, overwrites or otherwise replaces another program in order to reproduce itself without the knowledge of the computer user. Most viruses are comparatively harmless, and may be present for years with no noticeable effect: some, however, may cause random damage to data files (sometimes insidiously, over a long period) or attempt to destroy files and disks. Others cause unintended damage. Even benign viruses (apparently non-destructive viruses) cause significant damage by occupying disk space and/or main memory, by using up CPU processing time, and by the time and expense wasted in detecting and removing them.
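The glossary's change detector, cryptographic checksummer and known-virus scanner entries are easier to see side by side in working code. The following is an added example written for this FAQ; it is not code from any of the products discussed. The directory layout, the file contents, the "infection" that modifies one file and the two signature byte strings are all constructed for the demonstration and are not real virus signatures.

```python
"""Minimal integrity checker and scan-string scanner (illustrative only).

Shows the three ideas from the glossary: a plain checksum, a cryptographic
(keyed) checksum that a virus cannot forge without the key, and a scanner
that looks for known scan strings.  All inputs below are constructed.
"""
import hashlib
import hmac
import os
import tempfile
import zlib

# Constructed "scan strings" a known-virus scanner would look for.
# These are made up for the example, not signatures of real viruses.
SIGNATURES = {
    "Example.Marker.A": b"INFECT-MARKER-A",
    "Example.Marker.B": b"MARKB",
}


def plain_checksum(data: bytes) -> str:
    """Non-cryptographic checksum (CRC-32).  Cheap, but a virus that knows
    the algorithm can arrange for a modified file to keep the same value."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def keyed_checksum(data: bytes, key: bytes) -> str:
    """Cryptographic checksum: HMAC-SHA256 over the file contents.  Without
    the key, a matching value for a modified file cannot be computed."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _relpath(path: str, root: str) -> str:
    # Normalise separators so the report looks the same on every platform.
    return os.path.relpath(path, root).replace(os.sep, "/")


def build_baseline(root: str, key: bytes) -> dict:
    """Record a keyed checksum for every regular file under `root`
    (the 'database file' of checksums the glossary mentions)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                baseline[_relpath(path, root)] = keyed_checksum(fh.read(), key)
    return baseline


def check_integrity(root: str, baseline: dict, key: bytes) -> dict:
    """Compare the tree against the baseline: changed, added, removed files."""
    current = build_baseline(root, key)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def scan_file(path: str, signatures: dict = SIGNATURES) -> list:
    """Known-virus scanner: report every scan string present in the file."""
    with open(path, "rb") as fh:
        data = fh.read()
    return sorted(name for name, pattern in signatures.items() if pattern in data)


def demo() -> dict:
    """Build a constructed tree, take a baseline, modify one file the way an
    appending infector would, and report what each technique sees."""
    key = os.urandom(32)  # in practice kept where a virus cannot read it
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Applications"))
        editor = os.path.join(root, "Applications", "Editor")
        viewer = os.path.join(root, "Applications", "Viewer")
        for p in (editor, viewer):
            with open(p, "wb") as fh:
                fh.write(b"\x00\x01 constructed application code \x02\x03")
        baseline = build_baseline(root, key)

        # Simulated infection: append the constructed marker to one file.
        with open(editor, "ab") as fh:
            fh.write(b"...INFECT-MARKER-A...")

        report = check_integrity(root, baseline, key)
        report["detections"] = {_relpath(editor, root): scan_file(editor)}
        return report


if __name__ == "__main__":
    print(demo())
```

The checksummer flags the modified file whether or not its marker is known, which is what makes change detection useful against unknown viruses; the scanner names the marker only because it was in its signature table. Keeping the checksum database and its key out of the virus's reach is what the "cryptographic" entry in the glossary is about.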
12.0 General Reference Section
-------------------------

12.1 Mac newsgroups and FAQs

comp.sys.mac.apps
comp.sys.mac.comm
comp.sys.mac.misc
comp.sys.mac.system

comp.virus
alt.comp.virus

The focus on these two groups tends to be IBM-compatible, but Mac issues are certainly aired. Alt.comp.virus is unmoderated, and the quality of the advice and opinions aired there is very variable - there are many reputable and expert posters, and many mischievous and misleading contributions. Caveat lector....

12.2 References

Sensei Consulting Macintosh WAIS Archives
http://wais.sensei.com.au/searchform.html

"Inside the Apple Macintosh" - Peter Norton & Jim Heid (Brady)
(The 2nd Edition is pre-PowerMac, and I haven't seen a later one, but there's some surprisingly useful stuff in there).

"Inside Macintosh" (Addison Wesley). Essential reading for Mac programmers. (Umpteen volumes of fairly low-level info. Expensive (in the UK, at any rate), and whenever you get near some useful info, it refers you to one of the volumes you haven't got. However, the series has been re-vamped since I acquired my copies, and this may be less than just. It's possible to download them in Acrobat and in some cases other formats from:
http://devworld.apple.com/
where you can also order hardcopy and CD versions. Lots of other useful files etc.

MacFixIt "Troubleshooting for the Macintosh"
http://www.macfixit.com/

"Sad Macs, Bombs and other Disasters" Ted Landau (Addison Wesley)
http://www.macfixit.com/sadmacs3promo.html

MacInTouch home page (info and services)
http://www.macintouch.com/

MacWEEK magazine
http://www.macweek.com/

Macworld magazine
http://www.macworld.com/

TidBITS
http://www.tidbits.com/
@@ Have done many good articles on Mac/macro virus issues.

13.0 Mac troubleshooting
-------------------

Since the initial release of this document, a number of people have E-mailed me asking for help with a possibly virus-related problem.
While I'll always help if I can, I should point out (1) I'm an experienced Mac user and an IT support professional, but I don't claim to be a Mac expert (2) pressure of work and other commitments and a huge E-mail turnover means that I can't promise a quick response.

Whether you mail direct or post to a relevant newsgroup, it's helpful if you can supply a few details, such as:

* Which model of Macintosh you're using. It may be useful to know how much RAM it has, the size of the hard disk, and any peripherals you're using.

* Which version of MacOS you're using.

* Which applications you're using, and which version. If you're using Word, it may be critical to know whether you're using version 6 or later, or an earlier version.

* Which, if any, antivirus packages you use, and what version number. If you're using Disinfectant, for instance, are you using version 3.7.1?

* List any error messages or alerts that have appeared.

* List any recent changes in configuration, additional hardware etc.

* List any diagnostic/repair packages you've tried, and the results.

* List any other steps you've taken towards determining the cause of the problem and/or trying to fix it, e.g. rebuilding the desktop, booting without extensions, zapping PRAM etc.

Here are a few steps that it might be appropriate to try if virus scanning with an up-to-date scanner finds nothing. This section will be improved when and if I have time.

Rebuilding the desktop is by no means a cure-all, but rarely does any harm. It may be worth disabling extensions when you do this, especially if the operation doesn't seem to be completed successfully. To disable extensions, restart the machine with the shift key held down until you see an Extensions Off message. If you're rebuilding the desktop, release the shift key and hold down Command (the key with the Apple outline icon) & Option (alt) until requested to confirm that you want to rebuild.
Disabling extensions is also a good starting point for tracking down an extensions conflict. If booting without extensions appears to bypass the problem, try removing extensions with Extensions Manager (System 7.5) - remove one at a time, and replace it before removing the next one and booting with that one removed. Remember that if removing one stops the problem, it's still worth putting it back and trying all the others to see if you can find one it's conflicting with. Extensions Manager also lets you disable control panels. If you don't have Extensions Manager, try Now Utilities or Conflict Catcher.

Parameter RAM (PRAM) contains system information, notably the settings for a number of system control panels. 'Zapping' PRAM returns possibly corrupt PRAM data to default values. A likely symptom of corrupted PRAM is a problem with date and time (but this could be a symptom of a corrupted system file). With System 7, hold down Command-Option-P-R at bootup until the Mac beeps and restarts. You may have to restore changes to some control panels before your system works properly. If the reset values aren't retained, the battery may need replacing.

-- End "Viruses and the Macintosh" version 1.4h by David Harley