________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
Information about the WDEF virus
December 18, 1989, 1400 PST Number A-9
Summary
A new Macintosh virus called WDEF is spreading rapidly. It is not
necessary to run a program for the virus to spread. The WDEF virus is
not programmed to damage a system, but due to software errors in this
virus, it can cause serious problems such as system crashes, poor
performance, and damage to disks. Disinfectant 1.5, VirusDetective and
GateKeeper Aid V1.0 can be used to detect and eradicate this virus.
Critical WDEF Facts
Name: WDEF
Types: WDEF A, WDEF B
Platform: Apple Macintosh
Damage: No intentional damage, see symptoms.
Symptoms: The virus can cause:
- both the Macintosh IIci and the portable to crash.
- severe performance problems on AppleTalk networks
with AppleShare servers.
- frequent crashes when users try to save files in
applications under MultiFinder.
- problems with the proper display of font styles (the
outline style in particular).
- damage to disks.
- Macintoshes with 8 megabytes of memory to crash.
- Erratic system behavior due to incompatibility with
the "Virtual" INIT from Connectix.
Detection/Eradication: GateKeeper Aid, Disinfectant 1.5;
others should be available in the next few weeks.
Introduction
A new form of computer virus called WDEF has been released into the
Macintosh world. WDEF only infects the invisible "Desktop" files used
by the Macintosh operating system's "Finder." WDEF does not infect
applications, document files, or other system files. Unlike the other
viruses, it does not at this time appear to spread through the sharing
of applications, but rather through the sharing of diskettes. WDEF
spreads from disk to disk very rapidly. It is not necessary to run a
program for the virus to spread. WDEF has been in existence since mid-
October of this year and has been found at many locations throughout the
United States.
At this time there appear to be two strains of WDEF, WDEF A and WDEF B.
These strains are similar except WDEF B beeps every time it infects a
new Desktop file.
Symptoms
The WDEF virus is not programmed to damage a system. However, due to
errors in the virus code itself, it can cause serious problems. Below
is a list of known symptoms:
- The virus causes both the Mac IIci and the portable to crash.
- Under some circumstances the virus can cause severe performance
  problems on AppleTalk networks with AppleShare servers.
- Many people have reported frequent crashes when trying to save
  files in applications under MultiFinder.
- The virus causes problems with the proper display of font styles
  (the outline style in particular).
- The virus can damage disks.
- The virus causes Macintoshes with 8 megabytes of memory to crash.
- The virus may be incompatible with the "Virtual" INIT from
  Connectix.
Prevention
With AppleShare servers you do not need a Desktop. If you are
comfortable using a software developers' package called ResEdit, you
should remove the Desktop. You should also not allow the "make changes"
privilege to the root directory on the server. This should eliminate
any possibility of this virus spreading to an AppleShare server.
Detection
Packages which claim to detect WDEF are Disinfectant 1.5 and GateKeeper
Aid V1.0 (to be used in conjunction with GateKeeper 1.11). Virus
Detective 3.1 can also be used to find the WDEF virus. You will,
however, have to add the search string:
Creator=ERIK & Resource WDEF & Any
Disinfectant 1.3, Vaccine 1.0.1, GateKeeper 1.1.1, Symantec's SAM
Intercept 1.10, and HJC's Virex INIT 1.12 do not detect WDEF, although
new versions of many of these products which claim to be able to detect
WDEF are rapidly being developed. Please also note that Disinfectant
1.4 detects only one strain of the WDEF virus.
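The search string above, applied to raw resource fork bytes (an added example, not part of the original bulletin or of Virus Detective). It assumes the caller has already extracted the file's creator code and resource fork, and it reads the rule as "creator ERIK, contains a resource of type WDEF, any resource ID"; the function names and sample forks are constructed for illustration.

```python
import struct

def resource_ids(fork: bytes) -> dict:
    """Map each resource type in a classic Mac OS resource fork to its IDs."""
    try:
        map_off = struct.unpack_from(">I", fork, 4)[0]
        # Offset 24 of the map holds the type list offset (relative to the map).
        tl = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
        # The stored count is "number of types minus one" (0xFFFF when empty).
        n_types = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF
        found = {}
        for i in range(n_types):
            rtype, last, ref = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * i)
            # Reference entries are 12 bytes each; the ID is the first 2 bytes.
            found[rtype.decode("mac_roman")] = [
                struct.unpack_from(">h", fork, tl + ref + 12 * j)[0]
                for j in range(last + 1)]
        return found
    except struct.error:
        raise ValueError("truncated or malformed resource fork") from None

def matches_wdef_rule(creator: bytes, fork: bytes) -> bool:
    """Creator=ERIK & Resource WDEF & Any (any resource ID)."""
    return creator == b"ERIK" and "WDEF" in resource_ids(fork)

def build_fork(resources) -> bytes:
    """Constructed test input: pack (type, id, body) tuples into a fork."""
    data, types, refs = b"", {}, b""
    for rtype, rid, body in resources:
        types.setdefault(rtype, []).append((rid, len(data)))
        data += struct.pack(">I", len(body)) + body
    type_list = struct.pack(">H", (len(types) - 1) & 0xFFFF)
    ref_base = 2 + 8 * len(types)  # reference lists follow the type entries
    for rtype, entries in types.items():
        type_list += struct.pack(">4sHH", rtype, len(entries) - 1,
                                 ref_base + len(refs))
        for rid, off in entries:
            refs += struct.pack(">hhB3sI", rid, -1, 0, off.to_bytes(3, "big"), 0)
    rmap = (bytes(24) + struct.pack(">HH", 28, 28 + len(type_list) + len(refs))
            + type_list + refs)
    return struct.pack(">IIII", 16, 16 + len(data), len(data), len(rmap)) + data + rmap

# Constructed samples; the WDEF body is a placeholder, not virus code.
CLEAN = build_fork([(b"ICN#", 128, bytes(8)), (b"FREF", 128, bytes(7))])
SUSPECT = build_fork([(b"ICN#", 128, bytes(8)), (b"WDEF", 0, b"placeholder")])

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, resource_ids(fork), matches_wdef_rule(b"ERIK", fork))
```
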
Eradication
Disinfectant 1.5 should be used to eradicate WDEF. When using
Disinfectant to repair WDEF infections, you must use Finder instead of
MultiFinder. Otherwise Disinfectant cannot write to the normally 'Busy'
Desktop file. If you prefer not to use Disinfectant 1.5, CIAC can
advise you of alternate eradication procedures using ResEdit.
For further information, or for a copy of Disinfectant 1.5, please
contact CIAC:
David S. Brown
(415) 423-9878 or (FTS) 543-9878
FAX: (415) 294-5054
or send e-mail to: ciac@tiger.llnl.gov
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788