FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE ________________________________________________________________________ THE COMPUTER INCIDENT ADVISORY CAPABILITY CIAC INFORMATION BULLETIN ________________________________________________________________________ The MDEF or Garfield Virus on Macintosh Computers May 23, 1990, 1000 PST Number A-25 Summary A new Macintosh virus called MDEF or the Garfield virus is spreading rapidly. This virus is not a variant of the WDEF virus, and should not be confused with WDEF. The MDEF virus spreads through system and application files, and may cause serious damage to the menu system. Disinfectant 1.8, GateKeeper, Virus Detective DA are effective against this virus, but Vaccine can cause undesirable side effects. _______________________________________________________________________________ Name: MDEF Types: Only one known variant Platform: Apple Macintosh models 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx. Damage: Possible removal of system menus. Symptoms: The virus can cause: % both the Macintosh 128K and 512K to crash. % system menus to be removed Detection/Eradication: Disinfectant 1.8, GateKeeper, Virus Detective DA; others should be available shortly. Critical MDEF Facts _______________________________________________________________________________ Introduction CIAC has learned of a new Macintosh virus called the MDEF or Garfield virus. Although its name is similar to WDEF, MDEF is an entirely different virus. Currently, the MDEF virus is known to infect the Macintosh 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx, IIci and IIfx. This virus will not spread from 128K or 512K Macintoshes, but will cause these models to crash. MDEF actually refers to one of the resources on Macintosh computers. The MDEF virus is so named because this virus infects the MDEF resources. If you attempt to detect the MDEF virus using ResEdit or a similar tool and discover the MDEF resources, this does not indicate that your computer is infected by the MDEF virus. Symptoms Preliminary indications are that after performing a currently unspecified set of actions, the virus will remove itself from the system along with the code to control the menu system. This will result in the loss of all menus generated by the system. Regardless of the particular model of Macintosh computer subject to infections by the MDEF virus, this virus infects the system file and applications. Typically, the finder and DA handler also become infected. However, neither the desktop nor the document files become infected. The MDEF virus infects the system file when an infected application is run, and infects other applications when they are executed on an infected system. On the Macintosh IIci and IIfx, the MDEF virus spreads from infected applications to uninfected system files, but does not propagate from infected systems to uninfected applications. Detection and Eradication Disinfectant 1.8 has recently been released to detect and eradicate the MDEF virus. GateKeeper also prevents the MDEF virus from infecting the system file. To use the Virus Detective DA, add the following search strings: Resource MDEF & Name "Garfield" Resource MDEF & ID = 5378 CAUTION: CIAC has been advised that the use of Vaccine may have an undesirable side effect. Vaccine will inform the user that the system file has been infected, but is only partially effective in preventing this virus from infecting the system file! The system file will be damaged as a result of running Vaccine when an application containing the MDEF virus is executed. For additional information or assistance, or to obtain a copy of Disinfectant 1.8, please contact CIAC: Eugene Schultz (415) 422-8193 or (FTS) 532-8193 FAX: (415) 294-5054, (415) 423-0913 or (415) 422-4294 You may also send e-mail to: ciac@tiger.llnl.gov Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.