________________________________________________________________________

THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

INFORMATION BULLETIN
________________________________________________________________________

Information about the WDEF virus

December 18, 1989, 1400 PST                                   Number A-9

Summary

A new Macintosh virus called WDEF is spreading rapidly. It is not necessary to run a program for the virus to spread. The WDEF virus is not programmed to damage a system, but due to software errors in this virus, it can cause serious problems such as system crashes, poor performance, and damage to disks. Disinfectant 1.5, VirusDetective and GateKeeper Aid V1.0 can be used to detect and eradicate this virus.

Critical WDEF Facts

Name: WDEF
Types: WDEF A, WDEF B
Platform: Apple Macintosh
Damage: No intentional damage, see symptoms.
Symptoms: The virus can cause:
 - both the Macintosh IIci and the portable to crash.
 - severe performance problems on AppleTalk networks with AppleShare servers.
 - frequent crashes when users try to save files in applications under MultiFinder.
 - problems with the proper display of font styles (the outline style in particular).
 - damage to disks.
 - Macintoshes with 8 megabytes of memory to crash.
 - erratic system behavior due to incompatibility with the "Virtual" INIT from Connectix.
Detection/Eradication: GateKeeper Aid, Disinfectant 1.5; others should be available in the next few weeks.

Introduction

A new form of computer virus called WDEF has been released into the Macintosh world. WDEF only infects the invisible "Desktop" files used by the Macintosh operating system's "Finder." WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it does not at this time appear to spread through the sharing of applications, but rather through the sharing of diskettes. WDEF spreads from disk to disk very rapidly. It is not necessary to run a program for the virus to spread.

WDEF has been in existence since mid-October of this year and has been found at many locations throughout the United States. At this time there appear to be two strains of WDEF: WDEF A and WDEF B. These strains are similar except that WDEF B beeps every time it infects a new Desktop file.

Symptoms

The WDEF virus is not programmed to damage a system. However, due to errors in the virus code itself, it can cause serious problems. Below is a list of known symptoms:

 - The virus causes both the Mac IIci and the portable to crash.
 - Under some circumstances the virus can cause severe performance problems on AppleTalk networks with AppleShare servers.
 - Many people have reported frequent crashes when trying to save files in applications under MultiFinder.
 - The virus causes problems with the proper display of font styles (the outline style in particular).
 - The virus can damage disks.
 - The virus causes Macintoshes with 8 megabytes of memory to crash.
 - The virus may be incompatible with the "Virtual" INIT from Connectix.

Prevention

With AppleShare servers you do not need a Desktop. If you are comfortable using a software developers' package called ResEdit, you should remove the Desktop. You should also not allow the "make changes" privilege to the root directory on the server. This should eliminate any possibility of this virus spreading to an AppleShare server.

Detection

Packages which claim to detect WDEF are Disinfectant 1.5 and GateKeeper Aid V1.0 (to be used in conjunction with GateKeeper 1.11). Virus Detective 3.1 can also be used to find the WDEF virus. You will, however, have to add the search string:

    Creator=ERIK & Resource WDEF & Any

Disinfectant 1.3, Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although new versions of many of these products which claim to be able to detect WDEF are rapidly being developed. Please also note that Disinfectant 1.4 detects only one strain of the WDEF virus.
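
The search string above tests two things: the file's creator code is ERIK and the file holds a resource of type WDEF. The following Python sketch is an added example, not part of the original bulletin or of any product it names; it applies the same test to the raw bytes of a resource fork by walking the type list in the classic Mac OS resource map. The function names and the sample forks are constructed for illustration, and the caller is assumed to supply the creator code and the fork bytes.

```python
import struct

def resource_types(fork: bytes) -> dict:
    """Return {type: count} from the type list of a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    # Header: data offset, map offset, data length, map length (big-endian).
    _data_off, map_off, _data_len, map_len = struct.unpack_from(">IIII", fork, 0)
    map_end = map_off + map_len
    if map_len < 30 or map_end > len(fork):
        raise ValueError("resource map missing or truncated")
    # Offset 24 in the map: distance from map start to the type list.
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    tl = map_off + type_list_off
    if tl + 2 > map_end:
        raise ValueError("type list outside resource map")
    (stored,) = struct.unpack_from(">H", fork, tl)
    count = (stored + 1) & 0xFFFF  # stored as count-1; 0xFFFF means no types
    types = {}
    for i in range(count):
        entry = tl + 2 + 8 * i  # 4-byte type, 2-byte (count-1), 2-byte ref offset
        if entry + 8 > map_end:
            raise ValueError("type entry outside resource map")
        rtype, n = struct.unpack_from(">4sH", fork, entry)
        types[rtype.decode("mac_roman")] = n + 1
    return types

def matches_wdef_search(creator: str, fork: bytes) -> bool:
    """The bulletin's test: file creator ERIK and a WDEF resource present."""
    return creator == "ERIK" and "WDEF" in resource_types(fork)

def build_fork(type_names) -> bytes:
    """Constructed sample input: a fork whose map lists one resource per type."""
    tlist = struct.pack(">H", (len(type_names) - 1) & 0xFFFF)
    for name in type_names:
        tlist += struct.pack(">4sHH", name.encode("mac_roman"), 0, 0)
    # 24 reserved/attribute bytes, then type-list and name-list offsets.
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(tlist)) + tlist
    return struct.pack(">IIII", 256, 256, 0, len(rmap)) + bytes(240) + rmap

if __name__ == "__main__":
    print(matches_wdef_search("ERIK", build_fork(["WDEF"])))          # flagged
    print(matches_wdef_search("ERIK", build_fork(["ICN#", "FREF"])))  # not flagged
```

The creator test matters because WDEF is also the ordinary resource type for window definition code in the System file and in applications; only a WDEF resource inside a file with creator ERIK matches the bulletin's search string.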

Eradication

Disinfectant 1.5 should be used to eradicate WDEF. When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Otherwise Disinfectant cannot write to the normally 'Busy' Desktop file. If you prefer not to use Disinfectant 1.5, CIAC can advise you of alternate eradication procedures using ResEdit.

For further information, or for a copy of Disinfectant 1.5, please contact CIAC:

    David S. Brown
    (415) 423-9878 or (FTS) 543-9878
    FAX: (415) 294-5054

or send e-mail to:

    ciac@tiger.llnl.gov