Disinfectant may help you detect and remove some Macintosh viruses. It may fail to locate and repair some infected files. Use it at your own risk. Neither the author, John Norstad, nor his employer, Northwestern University, make any warranty, either express or implied, with respect to this software.
Copyright © 1988, 1989, 1990, Northwestern University. Permission is granted to make and distribute copies of this software, provided this disclaimer and copyright notice are preserved on all copies. The software may not, however, be sold or distributed for profit, or included with other software which is sold or distributed for profit, without the permission of the author.
We also grant permission to extract and reproduce all or part of the Disinfectant document in other publications, provided it is not for profit and provided you give appropriate credit to both John Norstad and Northwestern University.
Disinfectant is free. There is no shareware fee.
There are no site license fees for the use of Disinfectant within an organization. We encourage you to make and distribute as many copies of the application as you wish, for whomever you wish, as long as it is not for profit.
Disinfectant is distributed electronically. When a new virus is discovered, we usually release a new version of Disinfectant to recognize the virus within a few days. New versions are posted to CompuServe, GEnie, America Online, Calvacom, Delphi, BIX, MacNet, AppleLink, acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, and comp.binaries.mac.
Disinfectant is not a commercial product. We cannot offer typical commercial services such as telephone support, mailing lists, or upgrade services. Nonetheless, there are several ways you can keep abreast of the latest news about Macintosh viruses and new Disinfectant releases:
• Join a user group such as BMUG (Berkeley Macintosh User Group), BCS (Boston Computer Society), or a local user group.
• Join a Macintosh electronic bulletin board. Many user groups operate excellent bulletin boards for their members.
• Subscribe to a commercial online service such as America Online, CompuServe, or GEnie. Join the Macintosh forums.
• Subscribe to the BITNET distribution lists VIRUS-L and INFO-MAC.
• Read the USENET news groups comp.sys.mac.misc and comp.virus.
• Read the postings in the AppleLink folder User Groups:User Group Resource Folder:Virus Information.
Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address given at the end of this manual. People outside the US may send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers.
\keep
People in Western Europe may obtain a copy of the latest version of Disinfectant by sending a self-addressed disk mailer and an 800K floppy disk to macclub benelux. Stamps are not required. The address is:
macclub benelux
Disinfectant Update
Wirtzfeld Valley 140
B-4761 Büllingen Belgium
\endkeep
\str#
\page
\tcon Introduction
\only screen
\pict 300
\only print save
\style bold
\just center
\size 140
Introduction
Viruses and other kinds of destructive computer software have become an increasingly serious problem in the computing world. In the Macintosh community, viruses continue to spread rapidly and widely. Viruses will continue to cause problems for some time.
A virus is a piece of software which attaches itself to other applications or files. Once you run an infected application, the virus quickly spreads to your system files and to other software. Viruses spread from one Macintosh to another via the sharing and distribution of infected software or infected disks.
Viruses may be malicious or non-malicious. Non-malicious viruses replicate, but they do not attempt to do anything destructive. For example, they may beep, display messages on the screen, or do something else innocuous, but they do not intentionally try to do any damage. On the other hand, malicious viruses, in addition to replicating, do attempt to damage something. For example, there have been several viruses in the IBM PC world which intentionally delete files or destroy the contents of hard drives.
We are very fortunate that to date all known Macintosh viruses are non-malicious. It is very important to realize, however, that even non-malicious viruses are almost always damaging, even if the damage is unintentional. Many people who have experienced infections have reported problems with the normal operation of their Macintosh. Viruses occupy memory and disk space and this is enough to cause problems all by itself. They also live at very low levels in the operating system and can interfere in unexpected ways with other parts of the system. We have also discovered errors in most viruses which can cause unexplained crashes and strange behavior.
Disinfectant version 2.4 recognizes the Scores, nVIR, INIT 29, ANTI, MacMag, WDEF, ZUC, MDEF, Frankie, and CDEF viruses. It also recognizes all the known variations and clones of these viruses. Furthermore, Disinfectant also recognizes many possible unknown variations and clones. It will both detect the viruses and repair files which have been infected by the viruses.
Disinfectant will not recognize all possible viruses: only the ones it has been configured and programmed to recognize. If a new virus or strain appears, we will have to modify the application to recognize it, and you will have to get a new copy of the application.
Disinfectant does not recognize the “Dukakis” virus, which only propagates between HyperCard stacks and is very rare.
Disinfectant also includes a virus protection startup document (INIT). When properly installed, the Disinfectant INIT will protect an uninfected system against infection by any of the known Mac viruses.
Viruses should not be confused with other types of destructive software such as “worms” and “Trojan horses.”
A “worm” is an application which replicates and spreads, but does not attach itself to other applications. Unlike a virus, it does not require a host to survive and replicate. Worms usually spread over a network of computers. They are not spread through the sharing of applications. The most well-known example is the Fall 1988 Internet worm, which infected and disabled several thousand government and university UNIX computers in a single day.
A “Trojan horse” is an application which appears to do something useful, yet additionally does something destructive behind your back. An example is the “Sexy Ladies” HyperCard stack, which erased your hard drive while you ogled the cheesecake images. Trojan horses do not replicate.
Disinfectant does not attempt to address the problems of worms and Trojan horses.
There is no need to panic over the current virus situation. However, you should take the problem seriously. Using Disinfectant, it only takes a few minutes per week to effectively protect your Macintosh against the known viruses. See the section titled “Recommendations” for a short list of the simple things we suggest you do to protect your Mac.
There is a misconception that you can protect your Macintosh against viruses by merely avoiding shareware and freeware software. This is far from the truth. There have been many reported cases of (inadvertently) infected commercial software, while most of the major national sources of freeware and shareware software are remarkably virus-free.
The virus problem is serious, but even more serious is the tendency to overreact to the threat. Organizations which impose severe restrictions on the use of personal computers and personal computer software are doing more harm than good. For example, some companies keep computers in locked rooms and do not permit their employees to use unapproved software. Some companies have even gone so far as to prohibit their employees from joining bulletin boards or user groups! These restrictions are completely unnecessary and are in fact very dangerous. The heart of the personal computer revolution (especially the Macintosh revolution) is the empowerment of the individual. At their best, personal computers are extensions of each individual’s imagination, unfettered by arbitrary rules and regulations imposed by the corporate MIS priesthood. We cannot let the virus problem and other security concerns endanger this revolution.
The analogy between biological viruses and computer viruses is striking. Both of them replicate and they both require the assistance of a host to survive. In both cases, the infected system is sometimes severely damaged. With both kinds of viruses, it is sometimes possible to remove the infection without damaging the system and it is sometimes possible to inoculate or vaccinate the system to protect it against future infection.
As with all analogies, however, it is possible to carry the analogy between biological and computer viruses too far. Computers are not living organisms. Biological viruses usually occur naturally and are almost never created by people. Computer viruses are always created by people; they never occur naturally. Most importantly, it is not possible to compare the enormous suffering caused by biological viruses such as AIDS to the comparatively meaningless damage caused by computer viruses.
For more information on the problems of computer viruses and destructive computer software in general, we refer you to the report “Computer Viruses—Dealing with Electronic Vandalism and Programmed Threats,” by Eugene H. Spafford, Kathleen A. Heaphy, and David J. Ferbrache, published by ADAPSO, the computer software and services industry association. Contact ADAPSO at 1300 N. 17th Street, Suite 300, Arlington, VA 22209, (703)522-5055, for information on how to obtain a copy of this report.
\str#
\page
\tcon Quick Start
\only screen
\pict 315
\only print save
\style bold
\just center
\size 140
Quick Start
This section describes how to use Disinfectant for the first time to check your system for viruses, remove any viruses which you may have on your system, and protect your system against future infections. We also discuss a few very important rules and restrictions which you should follow when using Disinfectant.
• Step 1. Make a virus tools floppy containing a copy of the System file, a copy of the Finder file, and a copy of Disinfectant.
\pict 201
Use original locked Apple release disks for your copies of the System and Finder files. Lock the virus tools disk and keep it locked at all times. Viruses cannot infect files on locked floppies. To lock the floppy, slide the plastic tab on the back of the floppy up so that you can see through the hole.
• Step 2. Restart your Macintosh using the virus tools floppy you made in step 1. Run Disinfectant from the virus tools floppy. Click on the Eject button to eject the virus tools floppy.
• Step 3. Disinfect all of your hard disks. (Skip this step if you do not have a hard disk.) Select the “All Disks” command from the “Disinfect” menu. Disinfectant will scan all of your hard disks and will remove any viruses which it discovers.
• Step 4. Disinfect all of your floppy disks. Select the “Floppies” command from the “Disinfect” menu. Disinfectant will prompt you to insert floppies one at a time to be scanned and repaired. Unlock each disk before inserting it. (Disinfectant cannot repair a disk if it is locked.) You can lock the disk again after Disinfectant has ejected it.
• Step 5. Install Disinfectant on your hard drive. (Skip this step if you do not have a hard drive.) Quit Disinfectant. Drag a copy of Disinfectant to your hard drive.
\keep
• Step 6. Install the protection INIT on your hard drive. (Skip this step if you do not have a hard drive.) Restart your Macintosh using your hard drive. Run Disinfectant from your hard drive. Select the “Install Protection INIT” command from the “Protect” menu. Disinfectant will place a copy of the protection INIT inside the currently active System folder on your hard drive. An alert will appear asking if you want to restart your Macintosh to activate the INIT. Click on the Restart button. You should see the protection INIT icon appear at the bottom of your screen during startup.
\pict 209
\endkeep
• Step 7. Install the protection INIT on each of your startup floppy disks. Run any copy of Disinfectant. Select the “Save Protection INIT” command from the “Protect” menu. A standard file dialog will appear. Use the standard file dialog to save a copy of the protection INIT. Quit Disinfectant. Drag copies of the protection INIT into the System folder on each of your startup floppy disks.
There are only a few rules and restrictions when running Disinfectant, but they are important.
When using Disinfectant in its “disinfecting” (file repair) mode, use Finder (instead of MultiFinder) to avoid possible problems with busy files.
Disinfect all your disks at one time. Do not do some of them, then run some other applications, and finally disinfect the rest of your disks. If you run other applications before making certain that you have completely eradicated the virus, you run the risk of reinfecting your system.
Try to make certain that your virus tools disk is not infected. Run Disinfectant and use the Scan button to check the virus tools disk to ensure that none of the three files are infected. Keep your virus tools disk locked to prevent future infection.
You can and should run Disinfectant from your hard drive. It is not necessary to run it from your virus tools floppy for everyday use. If you encounter problems running it from your hard drive, however, we suggest that you try restarting your Mac using the virus tools disk and then run Disinfectant from the virus tools disk. This avoids INIT conflicts and other possible causes of problems.
Disinfectant runs much faster if you set your monitor to black and white and use a RAM cache. (A 32K RAM cache seems to work well.) Some virus protection INITs can make Disinfectant run slower than normal. (The Disinfectant INIT, however, has no noticeable effect on the performance of Disinfectant.)
If you run Disinfectant on a GateKeeper-protected system, check to make certain that Disinfectant has been granted all GateKeeper privileges (“File” and “Res” privileges for “Other,” “System,” and “Self”).
\keep
If you run Disinfectant on a Vaccine-protected system, Vaccine may present a dialog box asking for permission to “add a CODE resource.” Grant the request; this is Disinfectant trying to repair an infected file.
\pict 208
\endkeep
For even greater safety, if you have locked original copies of applications and system files, you can delete the files that Disinfectant says are infected and reinstall uninfected copies from the original floppies. If you do this, use Disinfectant to rescan the replaced files to make certain your originals were not infected.
After Disinfectant starts from a fixed hard drive, you may notice considerable disk activity, even though it appears that Disinfectant is not doing anything. This is normal, and you should not be concerned. Disinfectant computes, in the background, a thorough checksum of itself to make certain that it has not been damaged, infected by a virus, or otherwise modified. This background check does not interfere with or seriously degrade the normal operation of the application.
When Disinfectant starts from a floppy disk or other ejectable disk, it completes its initial checksum before presenting the main window. A dialog is presented asking you to “Please wait.” This can take some time. Please be patient.
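The startup self-check described above, as an added sketch that is not Disinfectant's own code: the check runs in the background when the program is on a fixed disk and runs to completion first when it is on an ejectable disk. The manual does not say which checksum Disinfectant uses, so SHA-256, the names `file_digest` and `SelfCheck`, and the idea that the known-good value is recorded at release time are all assumptions.

```python
import hashlib
import os
import tempfile
import threading


def file_digest(path, chunk_size=64 * 1024):
    """Return the SHA-256 hex digest of the file at `path`, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class SelfCheck:
    """Startup integrity check with the two behaviours the manual describes.

    fixed disk     -> hash in a background thread, the program stays usable
    ejectable disk -> hash to completion before continuing ("Please wait")
    """

    def __init__(self, program_path, expected_digest, on_ejectable_disk):
        self.program_path = program_path
        self.expected_digest = expected_digest  # assumed: recorded at release time
        self.on_ejectable_disk = on_ejectable_disk
        self._done = threading.Event()
        self._intact = None

    def _run(self):
        try:
            self._intact = file_digest(self.program_path) == self.expected_digest
        except OSError:
            # An unreadable program file (for example, disk removed) fails the check.
            self._intact = False
        finally:
            self._done.set()

    def start(self):
        """Begin the check: blocking on ejectable media, background otherwise."""
        if self.on_ejectable_disk:
            self._run()
        else:
            threading.Thread(target=self._run, daemon=True).start()

    def finished(self):
        """True once the digest comparison has completed."""
        return self._done.is_set()

    def wait(self, timeout=None):
        """Wait up to `timeout` seconds; return True/False, or None if unfinished."""
        self._done.wait(timeout)
        return self._intact


def demo():
    """Check a constructed 'application' file, then modify it and check again."""
    with tempfile.TemporaryDirectory() as folder:
        app = os.path.join(folder, "app.bin")
        with open(app, "wb") as f:
            f.write(b"CONSTRUCTED-APPLICATION-IMAGE" * 1000)  # constructed sample
        known_good = file_digest(app)

        results = {}
        clean = SelfCheck(app, known_good, on_ejectable_disk=False)
        clean.start()  # returns at once; the hash runs in the background
        results["clean_background"] = clean.wait(timeout=10)

        # Simulate a file changed after release (damage or any other modification).
        with open(app, "ab") as f:
            f.write(b"\x00bytes appended after release")
        floppy = SelfCheck(app, known_good, on_ejectable_disk=True)
        floppy.start()  # returns only after the hash is complete
        results["modified_blocking_finished"] = floppy.finished()
        results["modified_blocking"] = floppy.wait(timeout=0)
        return results


if __name__ == "__main__":
    print(demo())
```

A check of this kind only helps if the known-good value is kept where a change to the program file cannot also change it.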
Disinfectant creates a file named “Disinfectant Prefs” in your System folder. This file is used to save preferences, window positions, and page setup information between Disinfectant sessions.
You cannot use the Finder’s Get Info command to change Disinfectant’s memory size. If you try, you will get the following alert from the Finder: “The Application Memory Size for ‘Disinfectant’ could not be saved (-199).” This topic is discussed in more detail in the “Special Features” section.
Due to an error in the Rodime Cobra disk driver, Disinfectant does not work properly with Rodime Cobra drives. This problem can be fixed by reinstalling the disk driver. See the “Special Features” section for details.
You should now be ready to use Disinfectant for the first time. The remainder of this manual gives more information about Macintosh viruses and Disinfectant. You may read it now if you wish, or return to read it later.
\str#
\page
\tcon Windows
\only screen
\pict 314
\only print save
\style bold
\just center
\size 140
Windows
This section describes each of Disinfectant’s windows.
\tag 500
\tcon Main
\style bold
\size 120
The Main Window
The main Disinfectant window is the one you will use most often. It contains the main controls for the application and it displays the report generated by the application. The main window is always open and cannot be closed.
The operation of Disinfectant is controlled by six buttons in the main window:
\tag 300
\tag 301
\just left
\pict 210
• Drive and Eject. Use these buttons to select the disk you want to scan or disinfect. These buttons work just like they do in Apple’s standard file dialogs. The Drive button cycles through all of your hard disks and floppy disks. The Eject button is used to eject a floppy disk.
\tag 302
\tag 303
\keep
\just left
\pict 211
• Scan and Disinfect. Use the Scan button to scan the disk you selected. Disinfectant will check the disk for infections, but it will not try to repair infected files.
Use the Disinfect button to scan and disinfect the disk you selected. Disinfectant checks each file for infection and attempts to repair any infected files which it finds.
\endkeep
For other kinds of scans, you can use the menus or command keys. The Scan and Disinfect menus are described in detail in the section titled “Menus.” You can also hold down the following key or keys while clicking on the Scan or Disinfect button:
Option key: Scan a single folder or file.
Command key: Quickly scan a sequence of floppies.
Option and command keys: Scan all mounted volumes.
\tag 304
\keep
\just left
\pict 214
• Cancel. This button is active during disk scans. Use it if you want to cancel the scan. You can also type Command-Period or Escape to cancel a scan.
\endkeep
\tag 305
\keep
\just left
\pict 215
• Quit. Quits the application.
\endkeep
\tag 321
\keep
Both the Scan and Disinfect buttons produce a detailed report in the field on the left side of the screen. When the scan is complete, you can use the scroll bar to view the entire report.
\pict 206
\endkeep
In addition to using the scroll bar, you can also use the up and down arrow keys to scroll the report backwards or forwards one line at a time (if your keyboard has these keys). To scroll up or down one screen at a time, hold down the command key while pressing the up or down arrow key (or use the Page Up or Page Down key on the extended keyboard). To jump to the beginning or end of the report, hold down both the command and shift keys while pressing the up or down arrow key (or use the Home or End key on the extended keyboard).
\keep
\tag 320
Several other pieces of information are displayed in the top right corner of Disinfectant’s main window:
\pict 205
\endkeep
The current disk name is a popup menu. You can click on the disk name and keep the mouse button held down to get a popup menu listing all of your disks. This is an alternative to using the Drive button.
During a disk scan, the names of the folder and file currently being scanned are displayed next to the small folder and file icons. In addition, a progress bar fills with gray to indicate the progress of the scan. The progress bar is only available on full disk scans. It is not present on folder scans, file scans, or scans of server disks.
The three counters show a running total of how many files have been scanned, how many infected files have been discovered, and how many errors have been encountered. You can click on the small Reset button next to the counters to reset all of them to zero.
\keep
\tag 501
\tag 602
\tcon Help
\style bold
\size 120
The Help Window
This window displays the manual you are reading now. It is opened by the “Disinfectant Help” command in the Apple menu or by the Command-H keyboard equivalent.
Use the scroll bar to scroll through the manual.
\endkeep
In addition to using the scroll bar, you can also use the up and down arrow keys to scroll the manual backwards or forwards one line at a time (if your keyboard has these keys). To scroll up or down one screen at a time, hold down the command key while pressing the up or down arrow key (or use the Page Up or Page Down key on the extended keyboard). To jump to the beginning or end of the manual, hold down both the command and shift keys while pressing the up or down arrow key (or use the Home or End key on the extended keyboard).
\keep
\tag 603
You can quickly jump to any section of the manual by clicking on the section title in the table of contents on the right side of the window. The table of contents is a scrolling menu. Click on the triangles at the top and bottom of the menu to scroll up or down.
\pict 203
\endkeep
The manual can be printed and you can save it as a text file. See the section about the File menu for more details.
Disinfectant offers a method to help you quickly locate information in the manual. Press Command-? (or the Help key on the extended keyboard) and the cursor will turn into a question mark. Then click on any object in any of Disinfectant’s windows or select any menu command. Disinfectant will bring up the Help window and scroll to the description of that object or command.
If Disinfectant issues an error message in the report, press Command-? (or the Help key) and click on any error message line (any line that begins with “###”) to get a detailed description of that error message.
If Disinfectant reports that a file is infected by a virus, press Command-? (or the Help key) and click on the infection message in the report to get a detailed description of that virus.
Help mode can be canceled at any time by pressing Command-Period or by pressing Escape or by pressing Command-? (or the Help key) again.
\keep
\tag 628
\tcon Preferences
\style bold
\size 120
The Preferences Window
This window lets you set various options and parameters for Disinfectant. It is opened by the “Preferences” command in the File menu.
\tag 330
• Beeping option.
\pict 240
This option specifies how many times Disinfectant should beep when an infection is discovered. The default is no beeping.
\endkeep
\keep
\tag 331
• Scanning station options.
\pict 241
If you wish, you can establish a special Mac in your lab or office to be used for nothing but checking for viruses. People can simply insert their floppies to have them scanned or disinfected. You can even remove the mouse and keyboard to discourage use of the Mac for anything but checking for viruses.
\endkeep
\keep
If you do remove the mouse and keyboard, you should first build a special scanning station startup disk:
Step 1. Make a copy of your regular virus tools disk (System + Finder + Disinfectant).
Step 2. Restart using the disk you just made, and run Disinfectant.
Step 3. Select the “Preferences” command from the “File” menu to open the Preferences window.
\endkeep
Step 4. Check the “Scanning station with no mouse or keyboard” option.
Step 5. Select either the “Scan” or the “Disinfect” option.
Step 6. Close the Preferences window and quit Disinfectant.
Step 7. You should see a fourth file on the disk named “Disinfectant Prefs.”
Step 8. In the Finder, click on the Disinfectant application icon to select it. Then use the “Set Startup” command in the “Special” menu to set Disinfectant as the startup application for this disk.
Step 9. Shut down and lock the disk. This is your special scanning station startup disk.
You should use this special startup disk whenever you restart your scanning station. Disinfectant will automatically start in its floppy scanning mode. You should need neither the keyboard nor the mouse at any time during the startup process.
This scanning station option also tells Disinfectant to avoid any situations which might require use of the mouse or keyboard in the future.
We do not recommend that you check this option in any other situation. Use it only for scanning stations.
\keep
\tag 332
• Saved text file options.
\pict 242
You can save the reports generated by Disinfectant and you can also save text-only versions of the manual. These files are always saved as plain text files without any formatting and they can be read by any Macintosh word processor or editor.
By default, Disinfectant saves reports as TeachText files and it saves the manual as a Microsoft Word file. This means that if you open a saved report from the Finder, TeachText will be opened, whereas if you open a saved manual from the Finder, Microsoft Word will be opened.
\endkeep
You can change the applications which own these saved files. The boxes containing the names of the applications are popup menus which let you select any of the more popular word processors and editors. You can also type “creator types” directly in the fields to the right of the application names.
You may notice that the popup menu for saved reports contains more application names than does the popup menu for the saved manual. This is because the saved manual is very large and not all of the applications can handle such large files.
\keep
\tag 333
• Background notification options.
\pict 243
Disinfectant can run in the background under MultiFinder. This option specifies how you wish to be notified if an infection is discovered or if Disinfectant requires attention for some other reason. The default is to display a diamond next to Disinfectant’s name in the Apple menu and to flash the small Disinfectant icon in the menu bar.
\endkeep
\keep
\tag 503
\tag 601
\tcon About
\style bold
\size 120
The About Window
This window presents Disinfectant’s About box. (Our apologies to Monty Python.) It is opened by the “About Disinfectant” command in the Apple menu.
\endkeep
\str#
\page
\tcon Menus
\only screen
\pict 313
\only print save
\style bold
\just center
\size 140
Menus
This section describes each of Disinfectant’s menus.
\keep
\tcon Apple
\style bold
\size 120
The Apple Menu
\pict 250
• About Disinfectant
This command opens Disinfectant’s About window or brings it to the front if it is already open.
\endkeep
\keep
• Disinfectant Help (Command-H)
This command opens Disinfectant’s Help window or brings it to the front if it is already open.
\endkeep
\keep
\tcon File
\style bold
\size 120
The File Menu
\pict 251
\tag 621
• Close (Command-W)
This command closes the active (front) window.
\endkeep
\keep
\tag 622
• Save As… (Command-S)
This command saves reports and the manual as text files. If the main window is active, the report is saved as a TeachText file. If the Help window is active, the Disinfectant manual is saved as a Microsoft Word text file. A standard new file dialog appears, asking you to specify the file’s name and location.
These saved text files can be read by most any Mac word processor or editor. You can change the type of the file (TeachText and Microsoft Word by default) in the Preferences window.
\endkeep
You can save a separate report for each disk you scan or you can scan many disks and save the combined reports as a single file. The latter option is particularly appropriate when scanning a sequence of floppies.
When the manual is saved, only the text from the manual is saved, without the pictures, and without any of the formatting. The primary purpose of this feature is to let you save the text so that you can copy and paste it into newsletter articles or other documents. We grant you permission to do this, if it is not for profit, and if you give appropriate credit to the author and to Northwestern University.
\keep
\tag 624
• Page Setup…
This command presents an expanded version of the standard page setup dialog. The extra items in the bottom half of the dialog are used to specify additional options for a printed report or manual. You can specify the font and font size, all four margins, and an option to print the pages in reverse order.
\endkeep
Disinfectant maintains separate sets of page setup options for printed reports and the printed manual.
Disinfectant supplies reasonable default values for all of these options, with different default values supplied for LaserWriters and ImageWriters. Other kinds of printers may be treated as either LaserWriters or ImageWriters. If you are using some kind of printer other than an Apple LaserWriter or ImageWriter, you should use the Page Setup command to check the settings before printing and adjust them appropriately.
The maximum permitted font size is 24 points.
With large font sizes and/or large margins, there may not be enough printable area on the page for Disinfectant to print properly. In this case, an alert is presented which informs you of the problem and gives you advice on how to correct it.
In particular, when printing reports using font sizes over 18 points, with most fonts you will have to use landscape orientation instead of portrait orientation. This problem should not occur with the printed manual, even at 24 points, provided you do not increase the default margins.
The page setup options are saved in the Disinfectant Prefs file in the System folder. You only need to set them once; they will be remembered even when you quit Disinfectant and run it again later. Separate options are saved for printed reports and for the printed manual.
\keep
\tag 625
• Print… (Command-P)
This command is used to print reports and the manual. It presents the standard print job dialog.
If the main window is active, the report is printed. If the Help window is active, a formatted copy of the Disinfectant manual is printed.
The printed version of the manual has a title page, table of contents, page headers, smart page breaks, and other nice formatting features. Paragraphs are reformatted to fit the margins specified in the page setup dialog.
\endkeep
Printing on a Macintosh without a hard drive is possible, but it requires a special startup disk. This topic is discussed in detail in the “Special Features” section.
\keep
\tag 626
• Print One
This command prints one copy of all pages of a report or the manual. It does not present the standard print job dialog.
\endkeep
\keep
• Preferences
This command opens the Preferences window or brings it to the front if it is already open.
\endkeep
\keep
\tag 630
• Quit (Command-Q)
This command quits Disinfectant.
\endkeep
\keep
\tcon Edit
\style bold
\size 120
The Edit Menu
\pict 252
\tag 641
• Undo (Command-Z)
This command is not used by Disinfectant. It is present only for desk accessories.
\endkeep
\keep
\tag 643
• Cut (Command-X)
This command cuts selected text to the clipboard. It is used only with desk accessories and the Preferences window.
\endkeep
\keep
\tag 644
• Copy (Command-C)
This command copies selected text to the clipboard. It is used only with desk accessories and the Preferences window.
\endkeep
\keep
\tag 645
• Paste (Command-V)
This command inserts the contents of the clipboard at the current cursor location or replaces the currently selected text by the contents of the clipboard. It is used only with desk accessories and the Preferences window.
\endkeep
\keep
\tag 646
• Clear
This command clears the selected text in a desk accessory or in the Preferences window.
When the main window is active, this command clears the report. If the report lists any infections, you will be presented with an alert asking whether you want to save the report before clearing.
\endkeep
\keep
\tcon Scan
\style bold
\size 120
The Scan Menu
\pict 253
\tag 661
• File…
This command scans a single file. It presents the standard open file dialog.
\endkeep
\keep
\tag 662
• Folder…
This command scans a single folder. It presents a modified open dialog which lists only folders.
\endkeep
\keep
\tag 663
• Floppies
This command is used to quickly scan a sequence of floppy disks. Disinfectant will prompt you to insert floppies and will eject them when they have been scanned. You can also use this command to scan CD-ROM disks or other kinds of removable media.
\endkeep
\keep
\tag 664
• All Disks
This command scans all mounted volumes. This option is useful if you have more than one hard disk or multiple partitions and you want to scan all of them.
\endkeep
\keep
\tag 665
• Some Disks…
This command presents a dialog in which you specify which mounted volumes you wish to scan. This option is useful if you wish to scan more than one disk, but not all of them.
\endkeep
\keep
\tag 666
• System File
This command scans just the currently active System file.
\endkeep
\keep
\tag 667
• System Folder
This command scans just the currently active System folder.
\endkeep
\keep
\tag 668
• Desktop Files
This command scans just the invisible Finder Desktop files. It scans all Desktop files on all of the currently mounted volumes. This command can be used to perform a quick check for the WDEF and CDEF viruses.
\endkeep
\keep
\tcon Disinfect
\style bold
\size 120
The Disinfect Menu
\pict 254
\tag 681
• File…
This command disinfects a single file. It presents the standard open file dialog.
\endkeep
\keep
\tag 682
• Folder…
This command disinfects a single folder. It presents a modified open dialog which lists only folders.
\endkeep
\keep
\tag 683
• Floppies
This command is used to quickly disinfect a sequence of floppy disks. Disinfectant will prompt you to insert floppies and will eject them when they have been disinfected. You can also use this command to disinfect other kinds of removable media.
\endkeep
\keep
\tag 684
• All Disks
This command disinfects all mounted volumes. This option is useful if you have more than one hard disk or multiple partitions and you want to disinfect all of them.
\endkeep
\keep
\tag 685
• Some Disks…
This command presents a dialog in which you specify which mounted volumes you wish to disinfect. This option is useful if you wish to disinfect more than one disk, but not all of them.
\endkeep
\keep
\tag 686
• System File
This command disinfects just the currently active System file.
\endkeep
\keep
\tag 687
• System Folder
This command disinfects just the currently active System folder.
\endkeep
\keep
\tag 688
• Desktop Files
This command disinfects just the invisible Finder Desktop files. It disinfects all Desktop files on all of the currently mounted volumes. This command can be used to quickly remove the WDEF and CDEF viruses. You must be using Finder, not MultiFinder, to remove the WDEF and CDEF viruses. See the sections on WDEF and CDEF for details.
\endkeep
\keep
\tcon Protect
\style bold
\size 120
The Protect Menu
\pict 255
\tag 701
• Install Protection INIT
This command installs the Disinfectant protection INIT in the currently active System folder.
After the INIT has been copied into your System folder, Disinfectant presents an alert informing you that you must restart your Mac to activate the INIT. Click on the “Restart” button to restart your Mac. Click on the “OK” button to return to Disinfectant.
See the section below titled “Protection” for more details.
\endkeep
\keep
\tag 702
• Save Protection INIT…
This command saves the Disinfectant protection INIT to any file of your choosing. A standard file dialog appears which lets you specify the location of the saved file.
See the section below titled “Protection” for more details.
\endkeep
\str#
\page
\tcon Protection
\only screen
\pict 302
\only print save
\style bold
\just center
\size 140
Protection
The Disinfectant application by itself will not protect your system against infection. It will only locate and repair previously infected files and disks. To protect your system against infection, you must install a protection startup document (protection INIT).
Disinfectant includes such a protection INIT. When properly installed, it will protect your system against all of the known Macintosh viruses.
WARNING: The Disinfectant protection INIT will not protect your system against unknown viruses! If a new virus appears, we will have to release a new version of Disinfectant to recognize it.
Use the “Install Protection INIT” command in the “Protect” menu to install the Disinfectant INIT in your currently active System folder. You must restart your Macintosh to activate the INIT.
Use the “Save Protection INIT” command in the “Protect” menu to save a copy of the Disinfectant INIT to any file of your choosing.
The Disinfectant INIT is simple, small, efficient, and unobtrusive. It does not need to be configured. In fact, it has no control panel interface at all, so it cannot be configured. The INIT will never ask you to make a decision. It should have no noticeable effect on the performance of your Mac. It is very small and can easily be used on floppy startup disks (e.g., in University labs with floppy-only Macs). The INIT does not interfere with the normal operation of Disinfectant or other anti-viral applications, or with programming environments, installer applications, or other system software.
An alternative to the Disinfectant INIT is Chris Johnson’s excellent GateKeeper protection INIT. GateKeeper is a “general purpose suspicious activity monitor.” Unlike the Disinfectant INIT, GateKeeper checks not only for the known viruses, but also for suspicious activity characteristic of viruses in general. Thus it can often provide protection against even unknown viruses. GateKeeper requires some configuration and it will sometimes ask you to make complicated decisions. It is much more powerful than the Disinfectant INIT, but it is also larger, more complicated, more obtrusive, and harder to use than the Disinfectant INIT.
It is important that you understand this difference between the Disinfectant INIT and GateKeeper. There is an unavoidable tradeoff between simplicity and power. Each individual must decide which kind of protection is best for his or her particular situation.
\keep
If you run an application which is infected by one of the known Mac viruses, the Disinfectant INIT beeps ten times, quits the application, and presents an alert. For example, if the application “MacWrite” is infected by the nVIR virus, the following alert appears when you try to run MacWrite:
\pict 290
\endkeep
The Disinfectant INIT only detects and blocks viruses; it does not remove them. To remove a virus, you must use the Disinfectant application.
If you use a disk which is infected by the WDEF virus or by the CDEF virus, the Disinfectant INIT beeps ten times, presents an alert, and temporarily neutralizes the virus. You can safely use the disk; the virus will not spread. To remove the virus from the disk, you can either rebuild the Desktop file or use the Disinfectant application. Rebuilding the Desktop file is usually easier. See the section on the WDEF virus for more information.
If you use a HyperCard stack which is infected by the MacMag virus, the Disinfectant INIT beeps ten times, presents an alert, and temporarily neutralizes the virus. You can safely use the stack; the virus will not spread. You should use the Disinfectant application to remove the virus from the stack.
The Disinfectant INIT also checks your System file at startup time to see if it is infected by any of the known viruses. If it discovers one of the known viruses at startup time, it beeps ten times and presents an alert.
The Disinfectant INIT uses the Notification Manager to present its alerts. The Notification Manager is not available on systems older than System 6.0. With these old systems, the INIT only beeps ten times and it does not present an alert.
The name of the Disinfectant protection INIT begins with the special symbol “◊”:
◊ Disinfectant INIT
The special “◊” symbol is present to force the Disinfectant INIT to be the last INIT loaded when you start up your Macintosh. This is important: the Disinfectant INIT must be loaded last! If you rename the INIT, make certain that you rename it so that it comes last in alphabetical order in your System folder.
Unfortunately, some other INITs also require loading last. If you wish to use one of these other INITs together with the Disinfectant INIT, try loading the other INIT second-to-last and the Disinfectant INIT last. This may work. For example, this appears to work well with the Adobe Type Manager INIT. If this combination does not work, you can only use one of the INITs.
IMPORTANT: If the Disinfectant INIT does not load last, it may fail to properly detect some of the viruses!
This conflict between INITs is very unfortunate, but the basic design of the Disinfectant INIT makes it unavoidable.
The HeapTool INIT is one exception to this rule. It may be loaded last, with the Disinfectant INIT loaded second-to-last.
\keep
The Disinfectant INIT icon should appear at the bottom of your screen every time you restart your Macintosh. If an error occurs and the INIT cannot load properly, the INIT will beep ten times and it will draw a special error version of the icon (the normal icon with a large “X” superimposed.)
\pict 291
The Disinfectant INIT requires the hierarchical file system (HFS). If you try to use the INIT on a very old system which does not support HFS, it will not load properly and it will display the error icon.
\endkeep
If you wish to remove the Disinfectant INIT for some reason, open your System folder and drag the INIT icon to the trash (or anywhere else outside of the System folder). Then restart your Macintosh.
The Disinfectant INIT detects and blocks viruses at their initial point of attack. Unlike some other virus protection INITs, it does not scan floppies each time they are inserted into a disk drive and it does not scan files each time they are opened. This strategy is what makes the Disinfectant INIT so small and efficient.
The Disinfectant INIT will not detect files which are partially infected but not contagious, since these kinds of infections never attack the system. These non-contagious infections are harmless, so this is not a major problem. The Disinfectant application does detect these kinds of infections.
There are many different virus protection INITs available, including the Disinfectant INIT, GateKeeper, Vaccine, and several commercial products. In general, we do not recommend that you use more than one of them at a time. We are not aware of any serious conflicts between the Disinfectant INIT and these other INITs, but using more than one of them usually does not significantly increase your protection and often causes confusion.
The Disinfectant INIT is incompatible with versions of Microseed’s INITPicker earlier than version 2.0. The earlier versions of INITPicker did not properly deal with INITs whose names begin with a special character. If you use INITPicker, check to make certain that you have version 2.0 or later.
\str#
\page
\tcon Recommendations
\only screen
\pict 303
\only print save
\style bold
\just center
\size 140
Recommendations
There is no need to panic over the current virus situation. However, you should take the problem seriously. Using Disinfectant, it only takes a few minutes per week to effectively protect your Macintosh against the known viruses.
• If you do nothing else, religiously use the Disinfectant INIT or GateKeeper. They only take a minute to install and they can save you much grief.
• Keep original software on locked floppies. Use copies. When you obtain a new piece of software, immediately lock the disk on which it came, make a copy, and use the copy. Never unlock the original disk. It is impossible for a virus to infect files on a locked floppy.
• Make periodic backups of your hard drive, at least once per week.
• Run Disinfectant just before each backup to make certain the backups do not become infected and to ensure your system has not become infected.
• Before using new software, check it for possible infections with Disinfectant. This rule applies to all new software: commercial software, shareware, and freeware.
\keep
The remaining recommendations are for people who manage Mac networks, Mac laboratories, Mac bulletin boards, or collections of public domain and shareware software. An environment where many people share Macs, or share a Mac network, is a perfect breeding ground for viruses. People who sell software also have a special responsibility to make certain that their software is free from infection.
• Install the Disinfectant protection INIT or GateKeeper on all your lab start-up disks.
\endkeep
• Check all your lab disks frequently with Disinfectant to make certain that they are uninfected. Also check to make certain that the Disinfectant protection INIT or GateKeeper is still installed and active on all your start-up disks. We have discovered that students love to play with the start-up disks. At Northwestern University, we try to check our lab disks once per week.
• Educate the people in your organization about viruses and how to protect against them. Give them copies of Disinfectant and teach them how to use the application. Distribute printed copies of the Disinfectant manual.
• Create a special “virus scanning station” in your lab. See the section about the Preferences window for details.
• Try to put software in write-protected folders on AppleShare server disks. Viruses cannot infect applications if they are in folders which do not have the “Make Changes” privilege. On the other hand, if an application is in a writable server folder, any infected Mac on the network which accesses the disk and uses the application might spread the infection to the application on the server. If it is a popular application, it will in turn quickly infect any other Macs on the network which are not protected by a protection INIT. This is one way in which viruses can spread very rapidly. Since some applications insist on writing to their own file or folder, it is not always possible to put applications in write-protected folders, but you should make every attempt to do this when it is possible.
• Check server disks frequently with Disinfectant to make certain they are uninfected. For best results, you should take the server out of production, start up the server from your virus tools disk, and run Disinfectant from the virus tools disk. This is the only way to guarantee that Disinfectant will be able to scan all the files on the server disk. At Northwestern, we try to check all our servers once per week. For more details on scanning servers, see the discussion in the “Special Features” section.
• Check all new software with Disinfectant before installing it on a server.
• Back up your servers frequently. Run Disinfectant just before each backup.
• The WDEF virus can cause serious performance problems if it infects an AppleShare server. To avoid these problems, administrators should never grant the “make changes” privilege on server root directories. We also recommend deleting the Desktop file if it exists. See the section about the WDEF virus for details.
• Bulletin board operators and other people who maintain and distribute public domain and shareware software have a special responsibility to the Mac community. Please carefully test all new software before distributing it. You should also, of course, run Disinfectant on all new software you receive.
• If you sell software, please check your master disks for infections before sending them out to be duplicated and distributed.
\str#
\page
\tcon Problem Clinic
\only screen
\pict 301
\only print save
\style bold
\just center
\size 140
Problem Clinic
This section discusses what you should do if you think that your system may be infected by a new virus, but Disinfectant reports that it cannot locate any known viruses.
There are many, many things which can go wrong on a Macintosh and almost all of them have absolutely nothing to do with viruses. Thousands of people have reported strange behavior on their Macintoshes to anti-viral experts but, after careful investigation, only a handful of these cases were actually new viruses.
If your Macintosh begins to malfunction or behave unusually, please do not yield to the temptation to immediately blame the malfunction on a new virus. There are several things you can do to try to isolate the problem.
The most common cause of problems is simple errors in software. An error in an application, startup document (INIT), control panel (cdev), or other piece of software can cause crashes, hangs, damaged files, trashed disks, or any other kind of problem imaginable.
Thus, the first question you should ask is, “Have I installed any new software lately?” If the answer is “Yes,” try removing the software and see if the problem disappears.
One very common symptom on the Macintosh is problems with the proper display of icons in Finder windows. This symptom is almost never due to a virus, save for the Scores virus which does change the appearance of a few icons. This problem is almost always due to a damaged “Desktop” file. If your icons are not being displayed properly, you should rebuild the Desktop file.
To rebuild a Desktop file on a hard drive, first use the “Set Startup” command in the Finder’s Special menu to specify that you want to start up using Finder instead of MultiFinder. Then restart your Macintosh, keeping the Command and Option keys held down throughout the startup process. An alert will appear asking if you really want to rebuild the desktop. Click on the OK button when the alert appears.
To rebuild a Desktop file on a floppy disk, hold down the Command and Option keys while inserting the floppy into a floppy drive. Click on the OK button when the alert appears.
Another common problem is damaged applications. If an application begins behaving unusually, try replacing it with a known good copy from your locked original master floppy.
Another common problem is damaged system files in the System folder. The best way to cure this problem is to rebuild your System folder from scratch. Restart your Macintosh from a startup floppy (a floppy containing clean copies of the System and Finder files). Drag the Finder file outside of the System folder on your hard drive. Rename your hard drive System folder “Old System Folder.” Then use your Apple installer disks to install a completely new System folder on the hard drive. Restart from this hard drive. If your problem disappears, then you have verified that the cause of the problem was something in your old System folder. Use the Font/DA Mover to copy all of your fonts and desk accessories from your old System file to your new System file.
Next, copy files, a few at a time, from your old System folder into your new System folder. Restart your Mac after each copying operation and use it for a while to see if the problem has come back. If the problem has not come back, copy a few more files over and repeat the process. Eventually the problem will reappear and you will have narrowed down the cause of the problem to the last few files which you copied. You can now remove these last few files from your new System folder one at a time to locate the file which is causing the problem. Replace the problem file by a known good version. Finally, remove the old System folder.
In some cases, software errors can damage the areas on your disk which contain file directories and other important system information. This can sometimes be so serious that all or some of the files and folders on the disk become inaccessible, or the system may not even be able to mount the disk at all, or the system may simply behave strangely. In this case, you may attempt to use a disk recovery utility, or you may be forced to reinitialize and reformat the disk and reload your files from backup floppies or tapes. There are several good disk recovery utilities available, including Apple’s Disk First Aid, which is included with every Mac sold. If you have access to Apple’s Macintosh Technical Notes, consult note number 134, “Hard Disk Medic & Booting Camp.”
Some problems can be cured by resetting the parameter RAM. To reset the parameter RAM, hold down the Command, Option, and Shift keys while opening the Control Panel desk accessory. This can help cure some startup problems.
If all else fails and you still suspect that your system may be infected by a new virus, there are a few additional things you can try. Monitor application file sizes and last modification dates with the Finder’s Get Info command. If your applications are consistently growing in size, or if their last modification dates are consistently changing, this is one indication that there may indeed be a virus spreading on your system. Do not, however, be concerned about changes in size or changes in the last modification date of your System file; this is normal and does not indicate a virus. Also, some applications modify themselves, and in these cases you may see a legitimate increase in size and/or change in the last modification date. Look for consistent patterns of change which affect several files.
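The size-and-date monitoring described above can be automated by recording periodic snapshots and comparing them. The following is an added example, not part of Disinfectant or of the original manual: the function names, the three-file threshold (`min_files`), and the sample snapshots are all assumptions constructed for illustration.

```python
import os
from collections import namedtuple

FileState = namedtuple("FileState", "size mtime")

# The manual says changes to the System file are normal, so it is not counted.
IGNORED_NAMES = {"System"}


def snapshot(root):
    """Record the size and last-modification time of every file under root."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            state[rel] = FileState(st.st_size, int(st.st_mtime))
    return state


def changed_files(snapshots):
    """Compare consecutive snapshots; return {path: {"growth", "intervals"}}."""
    changes = {}
    for before, after in zip(snapshots, snapshots[1:]):
        for path, new in after.items():
            old = before.get(path)
            if old is None or path.rsplit("/", 1)[-1] in IGNORED_NAMES:
                continue  # new files have no baseline; System changes are expected
            if new != old:  # size or modification date differs
                entry = changes.setdefault(path, {"growth": 0, "intervals": 0})
                entry["growth"] += new.size - old.size
                entry["intervals"] += 1
    return changes


def assess(snapshots, min_files=3):
    """Flag a pattern only when several files changed (threshold is an assumption).

    A single self-modifying application stays below the threshold.
    """
    changed = sorted(changed_files(snapshots))
    verdict = "investigate" if len(changed) >= min_files else "no pattern"
    return verdict, changed


# Constructed sample data: one baseline and two possible follow-up snapshots.
WEEK = 7 * 24 * 3600
BASE = {
    "System Folder/System": FileState(600000, 1000),
    "Applications/MacWrite": FileState(120000, 1000),
    "Applications/MacDraw": FileState(150000, 1000),
    "Applications/Excel": FileState(300000, 1000),
    "Applications/SelfSaver": FileState(40000, 1000),  # hypothetical self-modifying app
}
# Only the System file and one self-modifying application changed.
BENIGN = [BASE, {**BASE,
                 "System Folder/System": FileState(601200, 1000 + WEEK),
                 "Applications/SelfSaver": FileState(40010, 1000 + WEEK)}]
# Three unrelated applications all grew and were re-dated in the same week.
SPREADING = [BASE, {**BASE,
                    "System Folder/System": FileState(601200, 1000 + WEEK),
                    "Applications/MacWrite": FileState(121500, 1000 + WEEK),
                    "Applications/MacDraw": FileState(151500, 1000 + WEEK),
                    "Applications/Excel": FileState(301500, 1000 + WEEK)}]

if __name__ == "__main__":
    for label, series in (("benign", BENIGN), ("spreading", SPREADING)):
        verdict, files = assess(series)
        print(label, verdict, files)
```

A flagged pattern is only a reason to look more closely; it does not identify a virus by itself.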
If your problems continue, try to obtain the assistance of a knowledgeable friend or local expert. If you are a university student, staff member, or faculty member, ask for assistance at your campus computing center. If you work for a corporation with a computer department, ask the local gurus within the department for help. Go to a meeting of your local Mac user group and ask for help.
If you have followed all of this advice and if you still think that you may have a new virus, then you should feel free to contact the author of Disinfectant for assistance. His addresses are at the end of this manual. Please mail him a detailed report and, if it is at all possible, include copies of files which you suspect may be infected. Please do not try to call him on the phone.
\str#
\page
\tcon The Viruses
\only screen
\pict 304
\only print save
\style bold
\just center
\size 140
The Viruses
The following sections describe all of the known Mac viruses.
\tag 400
\tcon Scores
\style bold
\size 120
The Scores Virus
According to news reports, the Scores virus was written by a disgruntled programmer. It specifically attacks two applications which were under development at his former company. Fortunately, neither of the two applications was ever released to the general public. Scores was first discovered in the Spring of 1988.
Scores is also sometimes known as the “Eric,” “Vult,” “NASA,” and “San Jose Flu” virus.
There is an easy way to see if you have a Scores infection. Open your System folder and check the icons for the Note Pad and Scrapbook files. They should look like little Macintoshes. If they look instead like blank sheets of paper with turned-down corners, your software may have been infected by Scores.
\pict 202
It is possible to be partially infected by Scores and still have normal Note Pad and Scrapbook icons. Consequently, we recommend running Disinfectant to make certain your system is not infected, even if you have normal icons.
Scores infects your System, Note Pad, and Scrapbook system files. It also creates two invisible files in your System folder named “Scores” and “Desktop ”. You cannot see invisible files without the aid of ResEdit or some other utility application. Do not confuse Scores’s invisible Desktop file with the Finder’s invisible Desktop file; they have nothing to do with each other. The Finder’s Desktop file lives at the root level on your disk, outside the System folder, while Scores’s Desktop file lives inside the System folder. Also, Scores’s Desktop file has an extra space character at the end of its name.
Scores does not infect or modify document files, only applications and system files.
Scores gets its name from the invisible “Scores” file that it creates.
Two days after your system becomes infected, Scores begins to spread to each application you run. The infection occurs between two and three minutes after you begin the application. The Finder and DA Handler usually also become infected. For technical reasons, some applications are immune to infection.
Scores does not intentionally try to do any damage other than to spread itself and attack the two specific applications. It does occupy memory and disk space, however, and this can cause problems all by itself. People have reported problems printing and using MacDraw and Excel. There are also several errors in Scores which could cause system crashes or other unexplained behavior.
There is a serious conflict between Scores and Apple’s System Software release 6.0.4 and later releases. In System 6.0.4, Apple began using some resources with the same type and ID as those used by Scores. When Scores infects the System file, it replaces Apple’s versions of these resources with the Scores viral versions of the resources. When Disinfectant repairs the file, it deletes the Scores viral resources, but it does not replace the Apple versions. In this situation, Disinfectant issues a special error message, telling you that the resulting file is damaged and should not be used. You should immediately delete the damaged System file and replace it with a copy from original locked Apple release disks.
\str#
\page
\tag 401
\tcon nVIR
\style bold
\size 120
The nVIR Virus
According to news reports, the nVIR virus first appeared in Europe in 1987 and in the United States in early 1988. At least one variation of the virus was written. We know of two basic strains, which we call “nVIR A” and “nVIR B.”
We have reliable reports of an earlier third version of nVIR which was malicious. It destroyed files in the System folder. This earlier version appears to be extinct, and we have not been able to obtain a copy.
nVIR is simpler than Scores. It infects the System file, but it does not infect the Note Pad or Scrapbook files, and it does not create any invisible files. nVIR begins spreading to other applications immediately, without the two day delay. Whenever a new application is run, it becomes infected immediately, without the two to three minute delay. As with Scores, some applications are immune to infection, the Finder and DA Handler usually also become infected, and document files are not infected or modified.
At first nVIR A and B only replicate. When the System file is first infected, a counter is initialized to 1000. The counter is decremented by one each time the system is started up and it is decremented by two each time an infected application is run.
When the counter reaches zero, nVIR A will sometimes either say “Don’t panic” (if MacinTalk is installed in the System folder) or beep (if MacinTalk is not installed in the System folder). This will happen on system startup with a probability of 1/16. It will also happen, with a probability of 15/128, when an infected application is run. In addition, when an infected application is run, nVIR A may say “Don’t panic” twice or beep twice with a probability of 1/256.
When the counter reaches zero, nVIR B will sometimes beep. nVIR B does not call MacinTalk. The beep will happen on a system startup with a probability of 1/8. A single beep will happen when an infected application is run with a probability of 7/32. A double beep will happen when an infected application is run with a probability of 1/64.
It is possible for nVIR A and nVIR B to mate and reproduce, resulting in new viruses combining parts of their parents. Disinfectant will report that such offspring are infected by both nVIR A and nVIR B and will properly repair them.
Unlike Scores, there is no way to tell that you have an nVIR infection just by looking at your system. You must run Disinfectant or some other virus detection tool.
One of the viral resources added to infected files by nVIR has the resource type “nVIR,” which is how it got its name.
As with Scores, nVIR occupies both memory and disk space, and this alone is enough to cause problems.
In addition to the two basic strains of nVIR, many “clones” of nVIR B have appeared. These clones are all identical to nVIR B with the exception of a few very minor technical differences. Disinfectant recognizes all of these clones and treats them exactly the same as nVIR B.
\str#
\page
\tag 402
\tcon INIT 29
\style bold
\size 120
The INIT 29 Virus
The INIT 29 virus first appeared in late 1988. We do not know much about its origin.
INIT 29 is extremely virulent. It spreads very rapidly. Unlike Scores and nVIR, you do not have to run an application for it to become infected. Also, unlike Scores and nVIR, INIT 29 can and will infect almost any file, including applications, system files, and document files. Document files are infected, but they are not contagious. The virus can only spread via system files and application files.
INIT 29 has one side effect which reveals its presence. If you try to insert a locked floppy disk on a system infected by INIT 29, you will get the following alert:
The disk “xxxxx” needs minor repairs.
Do you want to repair it?
If you see this alert whenever you insert a locked floppy, it is a good indication that your system is infected by INIT 29.
As with Scores and nVIR, INIT 29 does not intentionally try to do any damage other than spread itself. Nevertheless, it can cause problems. In particular, some people have reported problems printing on systems infected with INIT 29. We have also experienced many system crashes, problems with MultiFinder, and incompatibilities with several startup documents on systems infected with INIT 29.
One of the viral resources added to infected files by INIT 29 has the resource type “INIT” and the resource ID 29, after which the virus was named.
\str#
\page
\tag 403
\tcon ANTI
\style bold
\size 120
The ANTI Virus
There are two known strains of the ANTI virus. Both strains were first discovered in France. The ANTI A strain was discovered in February, 1989. The ANTI B strain was discovered in September, 1990.
Unlike most of the other viruses, ANTI does not infect the System file. It only infects applications and other files which resemble applications (e.g., Finder). ANTI does not infect document files. It is less contagious than the INIT 29 virus, but more contagious than the Scores and nVIR viruses. It is possible for an application to become infected even if it is never run.
Due to a technical quirk, ANTI does not spread at all when MultiFinder is used. It only spreads when Finder is used.
There is an error in ANTI which causes it to slightly damage applications in such a way that Disinfectant cannot perfectly repair them. In other words, the application as repaired by Disinfectant is usually not identical to the uninfected original application. The damage is very minor, however, and in almost all cases it does not cause any problems. If you experience problems with an application which was infected by ANTI and repaired by Disinfectant, we recommend that you delete the repaired copy and replace it by an uninfected original copy. This is good advice in any case.
(For the technically inclined, the error in ANTI is that it clears all the resource attributes of the CODE 1 resource. Disinfectant has no way to know the values of the original attributes, so it leaves them cleared on the repaired application. The only effect of this error is that the repaired application may use memory slightly less efficiently than the original version, especially on old Macintoshes with the 64K ROMs.)
As with the other viruses, ANTI does not intentionally attempt to do any damage other than spread itself. As with all viruses, however, it can still cause problems.
The string “ANTI” appears within the virus, hence its name.
Even though the B strain of ANTI was not discovered until about 19 months after the A strain, it appears that the B strain was actually written before the A strain. The A strain of the virus contains special code which neutralizes any copies of the B strain which it encounters. It is possible for an application to be infected by both the neutralized version of the B strain and by the A strain. Disinfectant reports that such applications are infected by both strains and repairs them properly.
Other than the special code in the A strain which looks for and neutralizes the B strain, there are only minor technical differences between the two versions of the virus.
\str#
\page
\tag 404
\tcon MacMag
\style bold
\size 120
The MacMag Virus
The MacMag virus appeared in December, 1987. This virus is also known as the “Drew,” “Brandow,” “Aldus,” and “Peace” virus. It was named after the Montreal offices of MacMag magazine, from where it originated.
Unlike the other viruses, MacMag does not infect applications, only System files. It originated as a HyperCard stack named “New Apple Products.” The stack contained some exceptionally poorly digitized pictures of the then new Apple scanner. When the stack was run, the virus spread to the currently active System file. When other floppy disks containing System files were subsequently inserted in a floppy disk drive, the virus spread to the System files on the floppies.
Since applications are not infected by MacMag, it spreads much more slowly than the other viruses (because people share System files much less frequently than they share applications.) Even though the virus originated on a HyperCard stack, it does not spread to other stacks, only to System files.
MacMag was programmed to wait until March 2, 1988, the anniversary of the introduction of the Mac II. The first time the system was started up on March 2, 1988, the virus displayed a message of peace on the screen and then deleted itself from the System file.
Since MacMag was programmed to self-destruct, it is unlikely that your software is infected with this virus. Disinfectant will nevertheless recognize it and repair infected files just in case you have some very old disks which might still be infected.
Disinfectant repairs both infected System files and infected copies of the original HyperCard stack. If you try to run the repaired stack, HyperCard will issue an error message.
There were two slightly different versions of MacMag. The differences were very minor and both versions were programmed to behave identically. Disinfectant properly detects and repairs both versions.
\str#
\page
\tag 405
\tcon WDEF
\style bold
\size 120
The WDEF Virus
The WDEF virus was first discovered in December, 1989 in Belgium and in one of our labs at Northwestern University. Since the initial discovery, it has also been reported at many other locations, and we now know that it is very widespread. We know of two strains, which we call “WDEF A” and “WDEF B.”
WDEF only infects the invisible “Desktop” files used by the Finder. With a few exceptions, every Macintosh disk (hard drives and floppies) contains one of these files. WDEF does not infect applications, document files, or other system files. Unlike the other viruses, it is not spread through the sharing of applications, but rather through the sharing and distribution of disks (usually floppy disks.)
WDEF spreads from disk to disk very rapidly. It is not necessary to run an application for the virus to spread.
The WDEF A and WDEF B strains are very similar. The only significant difference is that WDEF B beeps every time it infects a new Desktop file, whereas WDEF A does not beep.
Although the virus does not intentionally try to do any damage, WDEF contains errors which can cause very serious problems. In particular, the virus causes newer Mac models to crash almost immediately after insertion of an infected floppy (the IIci, IIfx, Portable, Classic, LC, and IIsi). The virus also causes other Macs to crash much more frequently than usual and it can damage disks. The virus also causes problems with the proper display of font styles. In particular, it often causes problems with the “outline” font style. Many other symptoms have also been reported and it appears that the errors in the virus can cause almost any kind of problem with the proper functioning of your Macintosh.
You can remove a WDEF infection from a disk by rebuilding the Desktop file.
To rebuild the Desktop file on a hard disk, start up using Finder (not MultiFinder), keeping both the Command and Option keys held down throughout the startup process. You should be presented with an alert asking if you really want to rebuild the Desktop file. Click on the OK button.
To rebuild the Desktop file on a floppy disk, hold down the Command and Option keys while inserting the disk into a drive. Click on the OK button in the alert.
It is often easier to get rid of a WDEF infection by simply rebuilding the Desktop file than it is to use Disinfectant.
For example, if the Disinfectant INIT warns you that a floppy disk is infected by WDEF, just eject the disk, unlock it, insert it again with the Command and Option keys held down, and click OK. This will rebuild the Desktop file on the disk and eliminate the virus. Beware, however, that comments you have entered in any file’s “Get Info” box will be erased by rebuilding the Desktop file. Using Disinfectant to remove a WDEF infection does not result in the loss of these comments.
Even though AppleShare servers do not use the normal Finder Desktop file, many servers have an unused copy of this file. If the AppleShare administrator has granted the “make changes” privilege to the root directory on the server, then any infected user of the server can infect the Desktop file on the server. If a server Desktop file becomes infected, performance on the network will be very severely degraded. For this reason, administrators should never grant the “make changes” privilege on server root directories. We also recommend deleting the Desktop file if it exists. It does not appear that the virus can spread from an AppleShare server to other Macs on the network, however.
The WDEF virus can spread from a TOPS server to a TOPS client if a published volume’s Desktop file is infected and the client mounts the infected volume. It does not appear, however, that the virus can spread from a TOPS client to a TOPS server.
If you use ResEdit, VirusDetective, or some other tool to search for WDEF resources, do not be alarmed if you find them in files other than the Finder Desktop files. WDEF resources are a normal part of the Macintosh operating system. Any WDEF resource in a Finder Desktop file, however, is cause for concern.
When using Disinfectant to repair WDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder, the Desktop files are always “busy,” and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message.
\keep
In addition to the two known strains of the WDEF virus, Disinfectant will also detect and repair other strains which may exist but have not yet been reported. If an unknown strain is detected, Disinfectant places the following message in the report:
### File infected by an unknown strain of WDEF
\endkeep
\str#
\page
\tag 406
\tcon ZUC
\style bold
\size 120
The ZUC Virus
The ZUC A virus was first discovered in Italy in March, 1990. It is named after the reported discoverer, Don Ernesto Zucchini. A second strain of the virus, ZUC B, was discovered in Italy in November, 1990. There are no significant differences in the behavior of the two strains.
ZUC only infects applications. It does not infect system files or document files. Applications do not have to be run to become infected.
ZUC was timed to activate on March 2, 1990 or two weeks after an application becomes infected, whichever is later. Before that date, it only spreads from application to application. After that date, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released.
The behavior of the ZUC virus is similar to that of a desk accessory named “Bouncy.” The virus and the desk accessory are different and they should not be confused. The desk accessory does not spread and it is not a virus. ZUC does spread and it is a virus.
ZUC has two noticeable side effects. On some Macintoshes, it causes the desktop pattern to change. It also often causes long delays and an unusually large amount of disk activity when infected applications are opened.
ZUC can spread over a network from individual Macintoshes to servers and from servers to individual Macintoshes.
Except for the unusual cursor behavior, ZUC does not attempt to do any damage.
ZUC does not change the last modification date when it infects a file, so you cannot use the last modification dates in the Disinfectant report to trace the source of a ZUC infection.
\str#
\page
\tag 407
\tcon MDEF
\style bold
\size 120
The MDEF Virus
There are three known strains of the MDEF virus. The first two strains were discovered at Cornell University in Ithaca, New York. The MDEF A strain was discovered in May, 1990 and is also sometimes called the “Garfield” virus. The MDEF B strain was discovered in August, 1990 and is also sometimes called the “Top Cat” virus. The third strain, MDEF C, was discovered at Ithaca High School in October, 1990.
Prompt action by computer security personnel and investigators of the New York State Police resulted in identification of the author. The author, a juvenile, was released into the custody of his parents after consultation with the district attorney. The author could have been prosecuted under state law for writing and releasing the virus. The same person was responsible for writing the CDEF virus.
MDEF infects both applications and the System file. It can also infect document files, other system files, and Finder Desktop files. The Finder and DA Handler also usually become infected. The System file is infected as soon as an infected application is run. Other applications become infected as soon as they are run on an infected system.
MDEF does not intentionally attempt to do any damage, yet it can be harmful. It does not beep, display messages or pictures, or do anything other than spread from file to file.
The major difference between the three strains of MDEF is that the B and C strains attempt to bypass some of the popular protection INITs.
The MDEF A strain has an unfortunate interaction with Vaccine. On Vaccine-protected systems, if an infected application is run, Vaccine properly notifies you of the attack, but it blocks only part of the attempt by the virus to infect the System file. The virus cannot spread from the System file to applications in this situation, but the System file is damaged and menus no longer work. When you try to pull down a menu, no menu comes down. Menus continue to work only in infected applications. They do not work in the Finder or in uninfected applications. Disinfectant will correctly detect and repair these kinds of damaged System files.
The MDEF C strain contains a serious error which can cause crashes and other problems.
The MDEF virus is named after the type of resource it uses to infect files. MDEF resources are a normal part of the Macintosh system, so you should not become alarmed if you see them with ResEdit or some other tool.
The MDEF and WDEF viruses have similar names, but they are completely different and should not be confused with each other.
\str#
\page
\tag 408
\tcon Frankie
\style bold
\size 120
The Frankie Virus
The Frankie virus is quite rare. It appeared in Europe several years ago, but we only recently obtained a copy for analysis.
Frankie only affects some kinds of Macintosh emulators running on Atari computers. We have reports that it was targeted against pirated versions of the Aladin emulator. It does not affect the Spectre emulator.
Frankie does not spread or cause any damage on any of the regular Apple Macintosh computers.
After a time delay, Frankie draws a bomb icon and the message “Frankie says: No more piracy!” at the top of the Atari screen, and then causes the Atari to crash.
Frankie only infects applications, not system files or document files. The Finder also usually becomes infected. Applications do not have to be run to become infected. For technical reasons, the virus only spreads under Finder, not MultiFinder.
\str#
\page
\tag 409
\tcon CDEF
\style bold
\size 120
The CDEF Virus
The CDEF virus was first discovered in Ithaca, New York, in August, 1990. The same person who wrote the MDEF virus also wrote the CDEF virus. See the description of the MDEF virus for details.
CDEF is very similar to the WDEF virus. It only infects the invisible “Desktop” files used by the Finder. It does not infect applications, document files, or other system files. It spreads from disk to disk very rapidly.
Although the behavior of the CDEF virus is similar to that of the WDEF virus, it is not a simple clone of WDEF. It is a completely different virus.
The virus does not intentionally try to do any damage. It does not appear to cause as many problems as does the WDEF virus. As with all viruses, however, the CDEF virus is still dangerous.
As with the WDEF virus, you can remove a CDEF infection from a disk by rebuilding the Desktop file. See the section on WDEF for details.
The CDEF virus is named after the type of resource it uses to infect files. CDEF resources are a normal part of the Macintosh operating system, so you should not become alarmed if you see them with ResEdit or some other tool. Any CDEF resource in a Finder Desktop file, however, is cause for concern.
When using Disinfectant to repair CDEF infections, you must use Finder instead of MultiFinder. Under MultiFinder, the Desktop files are always “busy,” and Disinfectant is not able to repair them. If you try to repair using MultiFinder, you will get an error message.
In addition to the known strain of CDEF, Disinfectant will also detect and repair other strains which may exist but have not yet been reported. If an unknown strain is detected, Disinfectant places the following message in the report:
### File infected by an unknown strain of CDEF
\str#
\page
\tcon Sample Report
\only screen
\pict 305
\only print save
\style bold
\just center
\size 140
Sample Report
The following example shows a report generated by a disinfection run on a Scores-infected hard disk drive.
My Hard Drive
Disk disinfection run started.
12/16/88, 10:04:12 AM.
------------------------------------------------
My Hard Drive
My Programs
Games
SuperGame
### File infected by Scores.
Last modification 11/2/88, 11:15:03 PM.
File repaired.
------------------------------------------------
My Hard Drive
My Programs
Word Processors
MacWrite
### File infected by Scores.
Last modification 12/15/88, 5:02:49 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
Desktop
### File infected by Scores.
Last modification 12/13/88, 2:48:40 PM.
File deleted.
------------------------------------------------
My Hard Drive
System Folder
Finder
### File infected by Scores.
Last modification 12/14/88, 3:02:24 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
Note Pad File
### File infected by Scores.
Last modification 12/13/88, 2:48:34 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
Scores
### File infected by Scores.
Last modification 12/13/88, 2:48:33 PM.
File deleted.
------------------------------------------------
My Hard Drive
System Folder
Scrapbook File
### File infected by Scores.
Last modification 12/13/88, 2:48:35 PM.
File repaired.
------------------------------------------------
My Hard Drive
System Folder
System
### File infected by Scores.
Last modification 12/13/88, 2:48:40 PM.
File repaired.
------------------------------------------------
My Hard Drive
Disk disinfection run completed.
12/16/88, 10:08:30 AM.
Summary:
984 total files.
0 errors.
8 files infected by Scores.
8 infected files total.
Earliest infected file: SuperGame
Last modification 11/2/88, 11:15:03 PM.
The last modification dates in the report are useful for tracking down the history and source of an infection. The infected application with the earliest last modification date is usually the source of the infection.
E.g., in the sample report above, SuperGame is the earliest infected application, with a last modification date of 11/2. The System file was last modified on 12/13. If you obtained your copy of SuperGame sometime after 11/2, and if you first ran it on or before 12/13, then SuperGame was probably the source of the infection. You should contact the source of the application and tell them that their software is probably infected too. You should likewise contact anybody else to whom you have given copies of SuperGame or any of your other infected files, because their software may also be infected.
If Disinfectant’s report notes that a System file is the earliest infected file, this means that the application that caused the original infection of your system is no longer on, or never was on, the disk being scanned. Check all your other disks (hard drives and floppies) to attempt to locate the file that introduced the virus to your system.
This kind of analysis is not infallible, but it can sometimes be useful in tracing back a chain of infections.
The ZUC and Frankie viruses do not change the modification date when they infect a file, so this kind of analysis will not help locate the source of a ZUC or Frankie infection. This kind of analysis is also useless when trying to locate the source of a WDEF or CDEF infection, since those viruses only infect Finder Desktop files, which are constantly being modified legitimately by the Finder.
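The date-based tracing described above can be automated over a saved report. The following Python sketch is an added example, not part of Disinfectant or its manual. Its sample text is abridged from the report above with two constructed records (a ZUC A infection and an I/O error), and treating the leaf name "System" as "a System file" is an assumption.

```python
import re
from datetime import datetime

# Families whose dates are useless for tracing, per the manual: ZUC and Frankie
# leave the modification date untouched; WDEF and CDEF only infect Desktop
# files, which the Finder modifies constantly.
UNTRACEABLE = {"ZUC", "Frankie", "WDEF", "CDEF"}

SEPARATOR = re.compile(r"^-{10,}[ \t]*$", re.MULTILINE)
INFECTED = re.compile(r"^### File infected by (?:an unknown strain of )?(.+?)\.?$")
MODIFIED = re.compile(r"^Last modification (.+?)\.?$")
DATE_FORMAT = "%m/%d/%y, %I:%M:%S %p"  # e.g. 11/2/88, 11:15:03 PM

# Abridged from the manual's sample report. The OldTool (ZUC A) and BadSector
# (I/O error) records are constructed for this example.
SAMPLE_REPORT = """\
My Hard Drive
Disk disinfection run started.
12/16/88, 10:04:12 AM.
------------------------------------------------
My Hard Drive
My Programs
Games
SuperGame
### File infected by Scores.
Last modification 11/2/88, 11:15:03 PM.
File repaired.
------------------------------------------------
My Hard Drive
My Programs
Utilities
OldTool
### File infected by ZUC A.
Last modification 3/1/87, 9:00:00 AM.
File repaired.
------------------------------------------------
My Hard Drive
My Programs
Utilities
BadSector
### An I/O error occurred while trying to check
### this file.
------------------------------------------------
My Hard Drive
System Folder
System
### File infected by Scores.
Last modification 12/13/88, 2:48:40 PM.
File repaired.
------------------------------------------------
My Hard Drive
Disk disinfection run completed.
12/16/88, 10:08:30 AM.
"""


def parse_report(text):
    """Return one dict per file record that carries a '###' message."""
    records = []
    for block in SEPARATOR.split(text):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if "Summary:" in lines:  # the summary may hold a '### NOTE', not a file
            continue
        rec = {"path": [], "virus": None, "modified": None,
               "messages": [], "action": None}
        for ln in lines:
            infected, modified = INFECTED.match(ln), MODIFIED.match(ln)
            if ln.startswith("###"):  # error or infection message
                rec["messages"].append(ln[3:].strip())
                if infected:  # "partially infected" lines stay messages only
                    rec["virus"] = infected.group(1)
            elif modified:
                rec["modified"] = datetime.strptime(modified.group(1), DATE_FORMAT)
            elif rec["messages"]:  # e.g. "File repaired." / "File deleted."
                rec["action"] = ln
            else:  # disk, folder and file names precede the first message
                rec["path"].append(ln)
        if rec["messages"] and rec["path"]:
            records.append(rec)
    return records


def earliest_by_virus(records):
    """Earliest-modified infected file per virus, skipping untraceable ones."""
    earliest = {}
    for rec in records:
        if not rec["virus"] or rec["modified"] is None:
            continue
        if rec["virus"].split()[0] in UNTRACEABLE:
            continue
        best = earliest.get(rec["virus"])
        if best is None or rec["modified"] < best["modified"]:
            earliest[rec["virus"]] = rec
    return {
        virus: {"file": rec["path"][-1], "modified": rec["modified"],
                # Assumption: leaf name "System" means the source is elsewhere.
                "source_on_scanned_disk": rec["path"][-1] != "System"}
        for virus, rec in earliest.items()
    }


if __name__ == "__main__":
    for virus, hit in earliest_by_virus(parse_report(SAMPLE_REPORT)).items():
        print(virus, hit["file"], hit["modified"], hit["source_on_scanned_disk"])
```

The ZUC A record has the oldest date in the sample but is left out of the result, because its modification date says nothing about when the file was infected.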
\str#
\page
\tcon Special Features
\only screen
\pict 306
\only print save
\style bold
\just center
\size 140
Special Features
In this section we discuss various advanced features of Disinfectant, technical topics, and other miscellaneous items.
• It is very important to realize that detecting and repairing infected files is quite complicated and it is highly likely that there are some rare cases we do not handle properly. Read the disclaimer at the beginning of this manual and take it seriously.
• One of our major design goals was to make Disinfectant as simple as possible to use so that even novices will be able to utilize it. We have tried to follow Apple’s human interface guidelines as closely as possible. For example, we religiously adhere to the guidelines presented in Apple’s recent series of Human Interface Notes.
• Disinfectant is “modeless.” This means several things. You can have multiple windows open at the same time, you can use desk accessories, and you can use MultiFinder application switching. You can start a scan and switch to some other application under MultiFinder and the scan will continue in the background. You can do just about anything except start another scan while a scan is in progress. You can read the manual in the Help window, adjust options in the Preferences window, use the online help facility, admire the About window, etc.
• Disinfectant can be run on any model of Macintosh with at least 512K of memory, System 3.2 or later, and the hierarchical file system (“HFS”).
• Disinfectant is 32-bit clean and may be run under AUX.
• Disinfectant can scan in the background under MultiFinder. With System 6.0 and later, the Notification Manager is used to notify you if an infection is discovered or if Disinfectant requires attention for some other reason. Systems prior to 6.0 do not support the Notification Manager and Disinfectant does not attempt to use it. In this case, the “Notification options” section of the Preferences window is inactive (grayed out).
• Disinfectant uses popup menus in the main window (as an alternate method for selecting a disk) and in the Preferences window (to select which applications should own saved text files). Systems earlier than 4.1 do not support popup menus and, in this case, Disinfectant disables them. You must use the Drive and Eject buttons to select a disk in the main window and you must type four character creator types in the Preferences window to specify which applications own saved text files.
• Disinfectant can scan and repair both MFS and HFS disks. Single-sided 400K floppies are usually in MFS format, whereas other disks are usually in HFS format.
• Disinfectant tries to perform careful error checking. E.g., it properly reports disk full errors on attempts to save files, out of memory errors, and errors on attempts to disinfect “busy” and “damaged” files. The summary at the end of the report tells you if there were any errors. All error messages and messages reporting infected files begin with “###,” to make them easy to find in the report.
• Some other anti-viral tools add special “inhibitor resources” to files in an attempt to prevent future infections. Disinfectant does not do this. It does, however, recognize these “inhibitors.” It does not consider them to be infections and will not try to delete them on disinfection runs.
• Under MultiFinder, Disinfectant has a “preferred” memory partition of 700K and a “minimum” memory partition of 400K. On 1 megabyte Macintoshes running MultiFinder, there is not enough memory to allocate the preferred partition and you will have to run with the smaller minimum partition. The large memory partition is desirable because some applications use surprisingly large resources and Disinfectant must have enough memory to load them and check them for viruses.
• Unfortunately, it is not possible to use the Finder’s Get Info command to change Disinfectant’s memory partition. Because Disinfectant is an anti-viral program, we went to great lengths to make it difficult for other programs to modify the Disinfectant file. The memory partition size is stored as a resource on the file and the Finder is not allowed to change it.
This should not be a problem. The 700K partition should be more than enough memory to scan and disinfect even very unusual files with very large resources. If you do happen to get an error message or alert telling you that Disinfectant does not have enough memory, you can try running Disinfectant again under Finder instead of MultiFinder. Under Finder, Disinfectant is allocated the maximum possible amount of available memory. The MultiFinder partition size is ignored in this case.
• Disinfectant may be used to scan AppleShare server disks and remote disks on a TOPS network. For the best results, however, we recommend that you remove servers and shared disks from production and scan them using the Mac to which they are directly connected. This is the only way to avoid file busy errors, insufficient privileges errors, and other problems. Scanning a local disk is also much faster than scanning a disk over a network. This is also the only way to scan the Server folder on an AppleShare server disk.
One problem with AppleShare server disks is that they use a different kind of “Desktop” file than is used on regular disks. If the server disk contains a large number of applications, it may not be possible to start up the server using your regular virus tools disk. (The Finder will bomb or hang during the process of building its version of the Desktop file.) You can avoid this problem by creating a special virus tools floppy that contains a copy of Apple’s “Desktop Manager” startup document file. Use this special version of the virus tools floppy only for scanning AppleShare servers.
When scanning over TOPS, we have noticed that TOPS sometimes beeps and flashes an alert intermittently while scanning with Disinfectant. The problem is not serious. It is annoying, but it does not interfere with the scan.
• Viruses sometimes damage applications in such a way that they cannot be run at all. Sometimes viruses only partially infect files. It is also possible for a file to be infected by more than one virus. In most of these special cases, Disinfectant is able to repair the files. If it is impossible for Disinfectant to properly repair such a file, an appropriate error message is issued. Consult the section in this manual titled “Error Messages” for detailed information on what each message means and for advice on what to do if you get an error message.
• Disinfectant may be installed on a server and used by more than one person simultaneously.
• Disinfectant may be used on Macs with no hard drive and only a single floppy drive. Start up and run Disinfectant from your virus tools disk. Click on the Eject button to eject your startup disk. Use the floppy drive to insert the disks you wish to scan or disinfect.
When you eject the virus tools disk, we preload the information Disinfectant needs to do scanning from the disk. This minimizes “floppy shuffling” on these systems. Disinfectant displays a dialog telling you to “Please wait” while it does this preloading, which can take quite some time. Please be patient.
• Printing is possible on a Mac with no hard drive, but it requires a special startup disk. The problem is that printing requires extra disk space for the printer driver files and ImageWriter spool files. There isn’t enough free disk space for these files on a normal 800K virus tools disk.
To solve this problem, you should prepare a special printing startup disk containing a copy of the System file, a copy of Disinfectant, and the appropriate printer driver files. For ImageWriter printing, you need the file named “ImageWriter.” For LaserWriter printing, you need the two files named “Laser Prep” and “LaserWriter.” Use original locked Apple System Software release disks for your copies of the System file and the printer driver files.
Do not include a copy of the Finder file on this special printing startup disk! Eliminating the Finder file is the trick which creates enough extra disk space to make printing possible.
After you have copied all of the files mentioned above to your printing startup disk, use the Font/DA Mover to install the fonts you wish to use for printing. For ImageWriter printing, we suggest that you include at least the Geneva 10 font. For LaserWriter printing, we suggest that you include at least the Palatino 10 and Helvetica 10 fonts. In any case, you also need Geneva 9 and Chicago 12 for the proper display of text on the screen.
After you have installed your fonts, click on the Disinfectant icon to select it and then use the Finder’s Set Startup command to set Disinfectant as the startup application for this disk.
Do not lock your printing startup disk. The Chooser does not work with locked startup disks. Printing to ImageWriters also requires an unlocked startup disk.
Start up your Macintosh using the printing startup disk you just created. The Disinfectant application should open automatically. Use the Chooser desk accessory to select the printer you wish to use.
With this printing startup disk, you should be able to use all the features of Disinfectant, including printing.
It is not possible to print all of the Disinfectant manual at one time on an ImageWriter using this printing startup disk. We suggest that you print the manual in 15 or 20 page sections. For example, use the Print command to print pages 1 through 20. After the first 20 pages have been printed, use the Print command again to print pages 21 through 40. Finally, use the Print command a third time to print pages 41 through 60.
When you quit Disinfectant, you will get an alert saying that the Finder is “busy or damaged.” This is normal with the printing startup disk. Click on the Restart button to restart using some other floppy startup disk.
• Disinfectant will not detect infected files if they are part of a StuffIt or Compactor archive, if they have been converted to a text file with BinHex, if they have been compressed with PackIt, or if they have been compressed, converted or archived by some similar utility. If you have such files and want to make certain they do not contain infections, you must unpack them and check the unpacked files.
• Disinfectant cannot be used to check the backup floppy disks or tapes produced by most of the various hard disk backup utility applications. These applications usually write their backups in a special format which is not recognized by Disinfectant. If you suspect that your backups are infected, we recommend that you first disinfect all of your other disks (hard drives and floppies), then do a new full backup, and finally erase (reformat) all of your remaining suspect backup floppies.
• Due to an error in the Rodime Cobra disk driver, Disinfectant does not work properly on Rodime Cobra drives. According to Rodime technical support, this problem can be fixed by reinstalling the Cobra disk driver with the disk caching code disabled. Restart your Mac using version 1.0.3 or later of the Rodime utilities disk. Run the installer application and select the Update option. You should get a dialog asking if you wish to overwrite the existing driver. Type Shift/N at this point (hold down the shift key while typing “N”). You should then get a dialog telling you that you must restart.
We have verified that reinstalling the Cobra driver with the disk caching code disabled does indeed fix the problem.
\str#
\page
\tcon Error Messages
\only screen
\pict 307
\only print save
\style bold
\just center
\size 140
Error Messages
This section presents all of Disinfectant’s error messages, in alphabetical order, with a brief explanation of each one.
\keep
\tag 77
### An error or inconsistency was detected while
### trying to repair this file.
### WARNING: This file may still be infected!
Your file was infected, but while attempting to repair it, Disinfectant discovered something wrong with the file. The file may still be infected. Scan the file again with Disinfectant to find out if it is still infected. If it is still infected, you should delete it. If Disinfectant reports that it is no longer infected, you can try running it to see if it works. It may be usable or it may be damaged in such a way that it cannot be used. This error is not common, but it can occur in unusual situations.
\endkeep
One situation in which this error can occur is if an application is infected by more than one virus and you attempt to use some other virus tool to repair the file before running Disinfectant. Some other virus tools cannot handle multiple infections properly and they sometimes leave the application damaged in such a way that Disinfectant cannot repair it properly.
\keep
\tag 9
\tag 80
### An I/O error occurred while trying to check
### this file.
### An I/O error occurred while trying to repair
### this file.
### WARNING: This file may still be infected!
These error messages are listed in the report if a hardware error occurs while trying to read or write a file. They usually mean that the disk itself or the disk drive is not operating properly. You can try running Disinfectant again on the same file. If the hardware problem is intermittent, it might work the second time.
\endkeep
\keep
\tag 6
### File infected by xxxxx.
Your file is infected by a virus. “xxxxx” is the name of the virus (Scores, nVIR A, etc.).
\endkeep
\keep
### File infected by an unknown strain of xxxx
Your file is infected by a strain of the WDEF or CDEF virus which has not yet been reported. If you have not already repaired the file, we would appreciate it if you would send us a copy of the infected file. See the sections on the WDEF and CDEF viruses for more information.
\endkeep
\keep
\tag 7
### File partially infected by xxxxx,
### but not contagious.
Your file is partially infected by the virus named “xxxxx,” but the infection is not contagious. These kinds of infections are not dangerous and they cannot spread to other files. You may choose to leave the infection in the file or you may use Disinfectant to remove the infection.
Partially infected files sometimes are the result of other virus tools which have errors. The other virus tool may remove part of an infection, but not all of the infection.
Partial infections can also arise on GateKeeper-protected systems. In particular, if the Scores virus attacks a GateKeeper-protected system, a harmless part of the Scores infection will manage to evade GateKeeper╒s protection mechanisms.
\endkeep
\keep
\tag 87
### File partially infected by nVIR A or nVIR B,
### but not contagious.
nVIR A and nVIR B are different viruses, but some of their parts are identical. It is possible for only these common parts to be present in an infected file. In this case, Disinfectant has no way of knowing which virus originally attacked the file, so it issues this special message.
\endkeep
\keep
\tag 74
### NOTE: Some errors were reported. For a detailed
### explanation of an error message, press Command-?
### and click on the error message text.
This message appears in the summary section of the report if any other error messages occurred during a scan.
\endkeep
\keep
\tag 32
### Scan canceled.
You canceled a scan or disinfection run.
\endkeep
\keep
\tag 31
### System files cannot be scanned over TOPS.
This error should only occur if you try to scan a disk over a TOPS network. TOPS does not permit access to currently active System files over the network. We recommend that you scan the disk using the Mac to which the disk is directly connected.
If this error occurs in some other situation, it means that there is probably an error in Disinfectant. We would appreciate it if you would send a report to the author.
\endkeep
\keep
\tag 73
### The disk is too full to repair this file.
### WARNING: This file may still be infected!
This error may occur if a disk is very full and you attempt to repair an infected file on the disk. Disinfectant requires at least a small amount of free space on the disk before it can repair the file. Try moving some of the files on the disk to some other disk to make more room and run Disinfectant again.
\endkeep
\keep
\tag 107
### The inserted disk is uninitialized, damaged,
### or not a Mac disk. It cannot be scanned.
This error occurs if you insert an uninitialized, damaged, or non-Macintosh disk on a scanning station with no mouse or keyboard. The disk is ejected and not scanned.
\endkeep
\keep
\tag 82
### The resource fork of this file is damaged or
### in an unknown format. It cannot be checked.
Macintosh files have two parts or “forks”: the resource fork and the data fork. When Disinfectant checks a file, it tries to open the resource fork. This message means that the information stored in the resource fork is not valid resource information. The data fork may still be intact and usable. For document files, this is usually not a problem. For applications and system files, this usually indicates that something is seriously wrong with the file and you should replace it with a known good copy of the file.
\endkeep
WARNING: It is possible for an application to be damaged and yet still be infected and contagious. For this reason, you should not attempt to use applications which have damaged resource forks.
For some reason, we have seen invalid resource information in a number of StuffIt archive files. These “damaged” files are usually still usable since StuffIt stores the archived files in the data fork, not the resource fork.
Disinfectant also reports that all Reflex database files are “damaged.” Reflex makes non-standard use of the resource fork in its database files. These files are not really damaged. They are still usable, but only by Reflex.
The same problem has been reported with some files created by MacTran, which also makes non-standard use of the resource fork.
\keep
\tag 53
\tag 54
### There is not enough memory to check this file.
### There is not enough memory to repair this file.
### WARNING: This file is probably still infected!
Disinfectant was unable to get enough memory to check or repair the file. This message is quite rare. You might try running Disinfectant again without MultiFinder.
This error can be caused by applications which contain very large resources. Disinfectant must load these resources into memory to check them for viruses and, if there is not enough memory available, you will get this error message.
Another possible cause of this error is that the file is damaged.
\endkeep
\keep
\tag 29
### This file is busy and cannot be checked.
Your file could not be opened for reading because the file was already open with exclusive access by some other application. This message should only occur on server disks. For server disks, we recommend that you remove the server from production, start up the server Mac using your virus tools floppy disk, and run Disinfectant from the virus tools floppy. This should avoid file busy errors. For more details on scanning servers, see the “Special Features” section.
\endkeep
\keep
\tag 30
### This file is busy and cannot be repaired.
### Try using Finder instead of MultiFinder.
### WARNING: This file is still infected!
Your file could not be opened for writing because the file was already open by some other application. The most common cause of this error is running Disinfectant under MultiFinder. Try again without MultiFinder. This error is also possible when scanning server disks (under either Finder or MultiFinder). For server disks, we recommend that you remove the server from production, start up the server Mac using your virus tools floppy disk, and run Disinfectant from the virus tools floppy. This should avoid file busy errors. For more details on scanning servers, see the “Special Features” section.
\endkeep
\keep
\tag 84
### This file was damaged by the virus, and it cannot
### be repaired properly. You should delete the file
### and replace it with a known good copy.
Viruses sometimes damage files in such a way that they cannot be repaired properly. In this case, Disinfectant removes the virus from the file, but leaves the file damaged. You should not attempt to use such a file. You should delete it and replace it with a known good copy of the file.
\endkeep
This error message is currently issued in only one situation: when the Scores virus has infected a System file from Apple’s System Software release 6.0.4 or later. There is a serious conflict between Scores and Apple’s System Software release 6.0.4 and later releases. In System 6.0.4, Apple began using some resources with the same type and ID as those used by Scores. When Scores infects the System file, it replaces Apple’s versions of these resources with the Scores viral versions of the resources. When Disinfectant repairs the file, it deletes the Scores viral resources, but it does not replace the Apple versions. You should immediately delete the damaged System file and replace it with a copy from original locked Apple release disks.
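The resource collision described above, modelled in Python as an added example (it is not Disinfectant's code). A resource fork is treated as a map from (type, ID) to data; every type name, ID and content is a constructed placeholder because the manual does not list the shared resources, and the known-good manifest check is an assumed way of confirming the damage.

```python
import hashlib

# A resource fork modelled as {(type, id): data}. All type names, IDs and
# contents are constructed placeholders; the manual does not name the
# resources that Scores and System 6.0.4 have in common.
OLD_SYSTEM = {("AAAA", 0): b"apple code 0", ("BBBB", 128): b"apple data 128"}
NEW_SYSTEM = {**OLD_SYSTEM,
              ("CCCC", 10): b"apple init 10",
              ("DDDD", 20): b"apple data 20"}
VIRAL = {("CCCC", 10): b"viral init",
         ("DDDD", 20): b"viral data",
         ("EEEE", 30): b"viral extra"}


def digest(data):
    return hashlib.sha256(data).hexdigest()


def manifest(fork):
    """Record a known-good fork as {(type, id): sha256}, e.g. taken from a
    locked release disk (assumed workflow, not described in the manual)."""
    return {key: digest(data) for key, data in fork.items()}


def infect(fork, viral):
    """Model the collision: a viral resource replaces any existing resource
    that has the same type and ID."""
    infected = dict(fork)
    infected.update(viral)
    return infected


def repair(fork, viral):
    """Model the repair the manual describes: delete the viral resources,
    restore nothing in their place."""
    viral_digests = {key: digest(data) for key, data in viral.items()}
    return {key: data for key, data in fork.items()
            if viral_digests.get(key) != digest(data)}


def audit(fork, good):
    """Compare a fork with a known-good manifest."""
    return {
        "missing": sorted(k for k in good if k not in fork),
        "modified": sorted(k for k in good
                           if k in fork and digest(fork[k]) != good[k]),
        "extra": sorted(k for k in fork if k not in good),
    }


def verdict(report):
    """Any difference from the known-good copy means the file is not trusted."""
    return "replace from known-good copy" if any(report.values()) else "intact"


def scenario(system):
    """Infect and repair one System file; audit it at both stages."""
    good = manifest(system)
    infected = infect(system, VIRAL)
    repaired = repair(infected, VIRAL)
    return audit(infected, good), audit(repaired, good)


if __name__ == "__main__":
    for name, system in (("pre-6.0.4", OLD_SYSTEM), ("6.0.4+", NEW_SYSTEM)):
        after_infection, after_repair = scenario(system)
        print(name, "infected:", after_infection)
        print(name, "repaired:", after_repair, "->", verdict(after_repair))
```

On the older layout nothing collides, so removing the viral resources restores the original fork; on the newer layout the repaired fork is virus-free but lacks the resources that were overwritten, which is the case this error message reports.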
\keep
\tag 33
\tag 50
### Unexpected error (nnn).
### Unexpected error (nnn) occurred while trying
### to open this file for repair.
### WARNING: This file is still infected!
Unexpected errors should not occur. If one does, it means that there may be an error in Disinfectant. We would appreciate it if you would send a note to the author describing what you were doing when the error occurred. Please specify the error number reported in the message. If possible, also send us a copy of the file that was being scanned when the error occurred.
\endkeep
\keep
\tag 70
### Unexpected error (nnn). If you are using
### GateKeeper, check to make certain you have
### granted privileges to Disinfectant.
### WARNING: This file is probably still infected!
One possible cause of unexpected errors is attempting to repair infected files on a GateKeeper-protected system when you have forgotten to grant Disinfectant privileges. You should grant Disinfectant all privileges (“File” and “Res” privileges for “Other,” “System” and “Self”).
\endkeep
\keep
\tag 67
\tag 64
\tag 58
\tag 55
\tag 61
### WARNING: You do not have the proper privileges
### to access files in some of the folders. Some
### files in those folders may be infected!
### You do not have Make Changes privilege
### to the folder containing this file.
### It cannot be repaired.
### WARNING: This file is still infected!
### You do not have See Files privilege
### to this folder. Files within this folder
### cannot be checked.
\endkeep
### You do not have See Folders privilege
### to this folder. Folders within this folder
### cannot be checked.
### You have neither See Files nor See Folders
### privileges to this folder. This folder
### cannot be checked.
These error messages are issued if a server folder is encountered for which you do not have the necessary access privileges. To avoid these errors, we recommend that you remove the server from production, start up the server Mac using your virus tools floppy disk, and run Disinfectant from the virus tools floppy. For more details on scanning servers, see the “Special Features” section.
\str#
\page
\only screen
\tcon Alerts & Dialogs
\only print
\tcon Alerts and Dialogs
\only screen
\pict 308
\only print save
\style bold
\just center
\size 140
Alerts and Dialogs
This section presents all of Disinfectant’s alerts and dialogs, in alphabetical order, with a brief explanation of each one.
\keep
• A virus may still be active in memory. Some of your files may have or could become reinfected. You should immediately restart your Macintosh using a locked virus tools floppy and run Disinfectant again.
When you quit after a disinfection run, Disinfectant checks to see if any infected files were found in the currently active System folder. If any were found, this alert is presented.
Click on the Restart button to restart your Macintosh. Click on the Cancel button to return to Disinfectant. Click on the Quit button to quit Disinfectant.
\endkeep
\keep
• An old version of the Disinfectant INIT is installed on this system. Do you want to install the new version?
When Disinfectant starts up, it checks to see if an old version of the Disinfectant INIT is installed in the currently active System folder. If an old version is installed, this alert is presented. Click on the Install button to install the new version. Click on the Cancel button to leave the old version installed.
\endkeep
\keep
• An unexpected error (nnn) occurred while trying to save a file.
This alert is presented if Disinfectant encounters an unexpected error while trying to save a copy of the manual, a report, or the protection INIT. This alert should not happen. If it does, it might be an error in Disinfectant and we would appreciate it if you would notify the author.
\endkeep
\keep
• Disinfectant has found an infected file.
This alert is presented if, while running in the background under MultiFinder, Disinfectant finds an infected file and you have selected the “Also display alert” option in the “Notification options” section of the Preferences window.
\endkeep
\keep
• Disinfectant is unable to repair files on this system. One possible reason is that you are using GateKeeper and you forgot to grant Disinfectant privileges. Another possible reason is that you are using the special University of Michigan version of Vaccine (Vaccine.UofM). You must remove this version of Vaccine from your System folder before using Disinfectant to repair files. You may use Disinfectant on this system to check for viruses, but you will not be able to use the Disinfect button to repair infected files.
Some virus prevention tools can interfere with Disinfectant in such a way that it is impossible for Disinfectant to properly repair infected applications. If Disinfectant detects such a virus prevention tool, it presents this alert. When you click on the OK button, the current scan is canceled and the Disinfect button is disabled.
\endkeep
The version of Vaccine mentioned in the alert is not the normal Vaccine. It is a special version that was prepared just for the University of Michigan.
You may also get this alert if you are using the regular version of Vaccine and you click on the Denied button instead of the Granted button by mistake.
\keep
• Disinfectant requires attention.
This alert is presented if, while running in the background under MultiFinder, Disinfectant requires your attention (for some reason other than the discovery of an infected file) and you have selected the “Also display alert” option in the “Notification options” section of the Preferences window.
\endkeep
\keep
• Disinfectant requires System 3.2 or later.
Disinfectant requires System 3.2 or later. If you try running Disinfectant on an earlier system, it will present this alert. When you click on the OK button, Disinfectant quits to the Finder.
\endkeep
\keep
• Disinfectant requires the hierarchical file system (HFS). On Macs with the 64K ROMs, this means that you need to include the file “Hard Disk 20” on your startup disk.
On unenhanced Mac 512K models, Disinfectant requires the hierarchical file system. If you try running it without HFS, it will present this alert. When you click on the OK button, Disinfectant quits to the Finder.
\endkeep
\keep
• Out of memory.
This alert is presented if Disinfectant runs out of memory. It should not occur. When you click on the OK button, Disinfectant quits.
\endkeep
\keep
• Please wait…
This message is displayed if you eject the disk containing Disinfectant and/or the System file. Before ejecting the disk, Disinfectant loads all the information from the disk that it might need later. This can take quite some time, so you should be patient.
This message is also displayed when you start up Disinfectant from a floppy disk or other ejectable disk while Disinfectant completes its initial integrity checksum.
\endkeep
\keep
• Printing error—could not locate printer driver in System folder.
This alert occurs if you try to print a report or the manual and the printer driver has not been properly installed. For example, to print on an ImageWriter, you must have the system file named “ImageWriter” in the same folder as your System file.
\endkeep
\keep
• Printing error—the startup disk is full.
This alert occurs if there is not enough room on your startup disk to complete a printing operation. Try to make more room on your startup disk, then try printing again.
\endkeep
\keep
• Printing error—the startup disk is locked.
This alert occurs if printing fails because the startup disk is locked. Unlock the startup disk, or create an unlocked copy of your startup disk, and try printing again.
\endkeep
\keep
• Printing error—you must use the Chooser to select a printer.
This alert occurs if you try to print when there is no currently selected printer. Use the Chooser desk accessory to select a printer.
\endkeep
\keep
• Printing error (error code = nnnn).
An unexpected error occurred during printing. “nnnn” is the error number. This alert should not occur. If it does, we would appreciate it if you would send a note to the author. Please specify the error number reported in the message. Click on the OK button to return to Disinfectant.
\endkeep
\keep
• Printing “xxxxx.” To cancel, hold down the Command key and type a period (.).
This informative message is displayed during printing.
\endkeep
\keep
• Replace existing “◊ Disinfectant INIT”?
This alert is presented when you install the protection INIT if a file with the same name already exists. Click on the Cancel button to abort the file save operation. Click on the Replace button to delete the old file and replace it with the new one.
\endkeep
\keep
• Save report before clearing?
When you clear the report, Disinfectant checks to see if the report contains any messages for infected files. If it does, this alert is presented. There are three buttons: Save, Cancel, and Clear. The Save button presents a dialog which lets you choose the location of the saved report, saves the report, and then clears the report. The Cancel button returns to Disinfectant. The Clear button clears without saving the report.
\endkeep
\keep
• Save report before quitting?
When you quit Disinfectant, it checks to see if the report contains any messages for infected files. If it does, this alert is presented. There are three buttons: Save, Cancel, and Quit. The Save button presents a dialog which lets you choose the location of the saved report, saves the report, and then quits. The Cancel button returns to Disinfectant. The Quit button quits without saving the report.
\endkeep
\keep
• The application “xxxxxxxxxx” is infected by the yyyyy virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects an infected application.
\endkeep
\keep
• The Disinfectant Prefs file was damaged. The default preferences will be used and a new Prefs file will be created.
Disinfectant checks the Prefs file to see if it is damaged before trying to open it. This alert is presented if Disinfectant discovers any damage.
\endkeep
\keep
• The Disinfectant protection INIT has been installed. You must restart your Macintosh to activate the INIT. WARNING: If you restart now, you will lose all changes to any documents which may be open in other applications! To restart now, select the Restart button. To return to Disinfectant without restarting, select the OK button.
This alert is presented when you select the “Install Protection INIT” command.
\endkeep
\keep
• The disk cannot be repaired because it is locked. Please unlock and reinsert the disk.
If you try to disinfect a locked floppy disk, Disinfectant ejects the disk and puts up this alert. Unlock and reinsert the disk. Disinfectant will automatically begin scanning and repairing the disk as soon as you reinsert it. You can use the Cancel button in the alert to cancel the operation and return to Disinfectant.
\endkeep
\keep
• The disk cannot be repaired because it is locked. Please unlock and reinsert the disk or insert the next disk to be repaired.
This second form of the unlock alert is used only when the special “scanning station” option is checked in the Preferences window. In this case, you can either unlock and reinsert the original disk or you can insert some other disk. There is no Cancel button in this situation.
\endkeep
\keep
• The disk “xxxxxxxxxx” is infected by the yyyy virus. Rebuild the Desktop file on the disk or use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects a WDEF-infected disk or a CDEF-infected disk.
\endkeep
\keep
• The document cannot be printed because some pages would be truncated on the bottom. To correct this problem, use the Page Setup command. Make the margins smaller or make the font size smaller.
This alert may appear if you try to print with a large font size and/or large margins.
\endkeep
\keep
• The document cannot be printed because some pages would be truncated on the right. To correct this problem, use the Page Setup command. Make the left and right margins smaller or make the font size smaller. You might also try printing with landscape orientation instead of portrait orientation.
This alert may appear if you try to print with a large font size and/or large margins. If you are trying to print a report in a very large font size (over 18 points) and you get this alert, try using the Page Setup command to select landscape orientation instead of portrait orientation.
\endkeep
\keep
• The file could not be saved because the disk is full.
This alert appears if you try to save a report or the manual and there is not enough room on the disk to save the file. Click on the OK button. You may then try to save to a different disk.
\endkeep
\keep
• The file could not be saved because the old version of the file is locked.
This alert appears if you try to save a report or the manual or if you try to install or save the protection INIT and there is already a locked version of the file. Unlock the old version of the file and try again.
\endkeep
\keep
• The font size must be in the range 1 through 24. Please correct it or click on the Cancel button.
This alert appears in the “Page Setup” dialog if you enter a ridiculous font size.
\endkeep
\keep
• The margins you specified are too large. Please make them smaller or click on the Cancel button.
This alert appears in the “Page Setup” dialog if you specified margins that are too big. Disinfectant requires that there be at least a five inch square available for printing after taking into account the margins and page size.
\endkeep
\keep
• The protection INIT could not be installed because the startup disk is locked.
This alert is presented if you try to install the Disinfectant protection INIT on a locked startup disk.
\endkeep
\keep
• The report is too big. It must be saved or cleared before the scan can continue. Save the report?
Disinfectant has an upper limit for the size of the report. Most people will never be affected by this limit. If you produce a very long report which approaches the size limit, you will get this alert, with three buttons: Save, Cancel, and Clear. Save is the default button. It saves the partial report as a text file, clears the report field, and continues the scan. The Cancel button cancels the scan without clearing or saving the report. The Clear button clears the report field without saving and continues the scan. If you have a single floppy system, you may eject the disk being scanned, insert a different disk, and save the report on that disk. Disinfectant will then ask you to reinsert the disk being scanned.
\endkeep
\keep
• The stack “xxxxxxxxxx” is infected by the MacMag virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects a MacMag-infected HyperCard stack.
\endkeep
\keep
• The System folder is infected by the yyyyy virus. Use Disinfectant to remove the virus.
This alert is presented by the Disinfectant protection INIT when it detects an infected system file at startup.
\endkeep
\keep
• This copy of Disinfectant has been damaged, infected by a virus, or otherwise modified. Please delete this copy and use an original unmodified copy.
Disinfectant checks itself when it starts up and notifies you if it has been modified. This may mean that it has been infected by a virus. If this notification occurs, you must remove this particular copy of Disinfectant from your disk and replace it with a known “good” copy of Disinfectant.
\endkeep
\keep
• You selected the page range xxx through yyy. There are no pages in this range.
This alert appears when printing if there are no pages in the range you requested. Nothing is printed in this case.
\endkeep
\str#
\page
\tcon Other Virus Tools
\only screen
\pict 309
\only print save
\style bold
\just center
\size 140
Other Virus Tools
There are many other free and shareware virus-fighting tools. Here is a list of the ones with which we are familiar, with brief comments about each one. You can get them from most good user groups, bulletin boards, commercial online services, and Internet archives.
Many of the tools in this list are obsolete or have limited utility. We have included them only for the sake of completeness and historical interest. Four distinctive exceptions are GateKeeper, GateKeeper Aid, VirusDetective, and Eradicat’Em. These tools are actively supported by their authors, have general utility, and we highly recommend them.
• AntiPan 1.5. Michael Hamel. nVIR repair. Free. Scans disks and removes nVIR infections. Recognizes nVIR clones. Also “inoculates” the system to prevent future infections. Did a good job in our tests.
• AntiVirus 1.0E. Softhansa GmbH. nVIR repair. Free. Scans disks and removes nVIR infections. Also “inoculates” the system to prevent future infections.
• Assassin. Pete Gontier. nVIR repair. Free. Scans disks and removes nVIR infections. Did a good job in our tests. The author has reported a few problems with his application and recommends that you use Disinfectant instead.
• Eradicat’Em 1.0. Dave Platt. WDEF and CDEF protection and repair. Free. A system start-up document which protects your system against infection by the WDEF and CDEF viruses and automatically removes any infections it encounters.
• Ferret 1.1. Larry Nedry. Scores detection and repair. Free. Scans disks and removes Scores infections. Sometimes fails to properly detect and repair infected files.
• GateKeeper 1.1.1. Chris Johnson. Virus protection. Free. A control panel document (INIT/cdev) which monitors and blocks suspicious activity characteristic of viruses. GateKeeper is widely used and very popular. Chris provides excellent support and he continues to improve it. Highly recommended, though it does not offer WDEF or CDEF virus protection. (See GateKeeper Aid below.)
• GateKeeper Aid 1.1. Chris Johnson. WDEF and CDEF protection and repair. Free. A system start-up document which protects your system against infection by the WDEF and CDEF viruses and automatically removes any infections it encounters.
• Interferon 3.1. Robert Woodhead. Virus detection. Detects both Scores and nVIR. Cannot repair infected applications. Avoid using the “Eradicate Infection” or “Scan all Volumes” menu items (they do not work properly). Can also be told to report “anomalies,” but it may raise a false alarm in doing so. Unmounts all disks after scanning them, even hard drives. Interferon was one of the first virus-fighting tools. The author no longer supports Interferon and he recommends that you no longer use it. (Robert is the author of the commercial product Virex.)
• KillScores 1.0. MacPack and the Apple Corps of Dallas, headed by Howard Upchurch. Scores detection and repair. Free. Scans disks and removes Scores infections. Did a good job in our tests.
• KillVirus. Matthias Urlichs. nVIR repair. Free. Also sometimes named “KillnVIR.” A system start-up document which repairs your System file and automatically repairs any infected applications when they are run. Adds an “nVIR 10 inhibitor” to your System file, which some of the other tools improperly report as an nVIR infection. Does not notify you when it finds and repairs an infected file.
• N.O.M.A.D. 1.0a1. Bill Pierce, CMS Enhancements. nVIR repair. Free. Scans disks and removes nVIR infections from applications, but not from system files.
• QuickScores. Anthony Tuorto. Scores detection. Free. This desk accessory does a quick check to see if the currently active System file is infected by Scores.
• Repair 1.5. Steve Brecher, Software Supply. nVIR repair. Free. Does not do disk scanning. You must repair each infected application one at a time. Can repair an infected System file. Recognizes clones.
• RezSearch 1.0b. Wade Blomgren. Virus detection. Free. Searches a disk for files containing a specific resource or resource type. Configurable. Can also be useful for purposes other than virus detection.
• RWatcher 1.0. John Norstad. Virus protection. Free. A system start-up document which protects against Scores and nVIR. Configurable. For non-MPW programmers who will not use Vaccine because of its constant complaints about the creation of CODE resources. Has weaker checks than Vaccine’s. The author no longer supports RWatcher (he recommends that programmers use the Disinfectant INIT or GateKeeper instead).
• Vaccination 1.1. Mike Scanlin. nVIR repair. Free. Does not do disk scanning. You must repair each infected application one at a time. Cannot repair an infected System file.
• Vaccine 1.0.1. Don Brown, CE Software. Virus protection. Free. A control panel document (INIT/cdev) which monitors suspicious activity characteristic of viruses. Vaccine was the original Macintosh virus protection tool and is still widely used. It is not supported, and it is not effective against some of the newer viruses. We recommend that you use the Disinfectant INIT or GateKeeper instead.
• Vaxene. Anonymous. Scores detection. Free. Does not do disk scanning. You must check each file one at a time. Cannot repair files. The only interesting thing about this tool is that the about box claims that the author is also the author of the Scores virus itself.
• VCheck 1.3. Albert Lunde. Virus detection. Free. Takes a “snapshot” of your system and compares it to previous snapshots. Tells you which files have changed.
• VirusBlockade II 1.0. Jeffrey S. Shulman. Virus detection. Shareware, $30. A control panel device. Among many other features, it can be used together with the author’s VirusDetective to automatically scan floppies for viruses when they are inserted in a disk drive.
• VirusDetective 4.0.3. Jeffrey S. Shulman. Virus detection. Shareware, $40. A desk accessory which can be configured. Cannot repair infected applications, except for WDEF and CDEF. Configurability is one of VirusDetective’s strongest features. When a new virus appears, you can often configure VirusDetective to recognize it without having to wait for a new version to be released. For example, when the WDEF virus first appeared, VirusDetective was the only virus-fighting tool which could detect it (with proper configuration). It also does a good job of detecting clones. Jeff has established an excellent reputation for support and update service for registered users. Highly recommended. If you use VirusDetective, please remember to send Jeff the shareware fee.
• Virus Encyclopedia. Henry Schmidt. Virus information. Free. This detailed HyperCard stack presents information about Macintosh viruses.
• Virus Rx 1.6. Apple Computer. Virus detection. Free. Detects Scores, nVIR, INIT 29, ANTI, WDEF, and CDEF. Cannot repair infected applications. Has not been updated to detect more recent viruses.
• VirusWarning. Mike Scanlin. nVIR detection. Free. A system start-up document which beeps when and if an nVIR attack occurs, but does not prevent the infection.
• Warning 1.1. William Lipa. Virus detection. Free. A system start-up document which checks your System file to see if it is infected by a virus and warns you with a dialog box if it discovers an infection.
\str#
\page
\tcon Version History
\only screen
\pict 310
\only print save
\style bold
\just center
\size 140
Version History
• Disinfectant Version 2.4. December 3, 1990.
Version 2.4 detects the new B strain of the ZUC virus. See the section on the ZUC virus for details.
Version 2.4 checks the Disinfectant Prefs file for damage before trying to open it. If any damage is discovered, an alert is presented, the default preferences are used, and a new preferences file is created.
On scanning stations with no mouse or keyboard, if an uninitialized, damaged, or non-Macintosh disk is inserted, the disk is ejected and a special message is issued to the report rather than presenting the usual disk initialization alert.
When you quit Disinfectant, if any infection messages are present in the report, Disinfectant asks if you want to save the report before quitting. In version 2.3, if an error occurred while trying to save the report (e.g., if the disk was full), Disinfectant quit instead of giving you another chance to save the report. This error is fixed in version 2.4.
You can now double-click on a disk name in the “Some Disks” dialog to dismiss the dialog and begin the scan of the selected disks.
Some people have reported unexpected -194 errors when trying to install or save the protection INIT. We have not been able to reproduce this error or find its cause. Usually, quitting and restarting Disinfectant and/or restarting your Mac solves the problem. In version 2.4, the alert for this error contains a letter following the error number (e.g., “-194a”). The letter gives us a bit more information which may help us determine the cause of the error. If you encounter this error, please notify the author and let him know which letter appeared in the alert message.
• Disinfectant Version 2.3. October 23, 1990.
Version 2.3 detects the C strain of the MDEF virus. See the section on the MDEF virus for details.
Version 2.3 detects a variant of the ANTI A virus which version 2.2 failed to detect properly. There are no significant differences in behavior between the original ANTI A virus and this variant, and version 2.3 identifies both of them as ANTI A.
• Disinfectant Version 2.2. October 2, 1990.
Version 2.2 recognizes the new ANTI B virus. See the ANTI section in the manual for details.
Version 2.2 includes new “Desktop Files” commands in the Scan and Disinfect menus. These commands can be used to quickly check for and remove the WDEF and CDEF viruses.
Version 2.2 corrects an error in the alert displayed by the INIT if an infection is discovered in the System folder during startup.
Version 2.2 also corrects an error in the positioning of new windows on classic 9 inch Mac screens.
Due to an error in the Rodime Cobra disk driver, Disinfectant does not work properly on Cobra drives. According to Rodime tech support, this problem can be fixed by reinstalling the driver with the disk cache code disabled. See the “Special Features” section for details.
• Disinfectant Version 2.1. August 18, 1990.
Version 2.1 recognizes the new MDEF B and CDEF viruses. See the MDEF and CDEF sections in the manual for details.
Version 2.1 corrects an error in the version 2.0 INIT which caused it to crash when used with Apple’s A/UX 2.0 or with Tactic Software’s Icon-It!
Version 2.1 corrects an error in the Disinfectant application which caused it to be incompatible with Edward Kandrot’s Spy! control panel document.
With version 2.0, the SuperClock menu clock would sometimes freeze, and some screen savers did not work properly. This is a problem with SuperClock and the screen savers. Version 2.1 contains special code to avoid this problem.
Due to a peculiarity in Microseed’s “Rival” anti-viral tool, Disinfectant 2.0 reported an unexpected error -61 when an attempt was made to scan a file which had been repaired by Rival. This problem has been fixed in version 2.1.
The Escape key can now be used in addition to Command-Period when canceling scanning, help mode, and printing.
The cursor is now changed to an I-beam when it is over editable text boxes in the Preferences window.
The “Protection” manual section has been expanded to discuss some additional issues. There are also a few other minor changes to the manual.
\keep
• Disinfectant Version 2.0. July 8, 1990.
Version 2.0 is a major new release of Disinfectant.
The main goal of version 2.0 is to provide a complete and free solution to the Macintosh virus problem in a single package (in fact, in a single file). Version 2.0 addresses all four aspects of the virus problem: detection, repair, protection, and education.
Version 2.0 includes a new virus protection startup document (INIT). The INIT is designed for use by novices and others who find existing protection INITs to be too complicated and obtrusive.
\endkeep
Version 2.0 has a much-improved online manual, with pictures, printing, a context-sensitive help system, and many new sections of information.
Version 2.0 is a non-modal application with standard windows and menus. It supports desk accessories, printing, MultiFinder application switching, and scanning in the background.
There is a new Preferences window which can be used to specify miscellaneous options and parameters.
Other new features include more scan and disinfect options, new counters in the main window, and a much-improved scanning station feature.
Version 2.0 also recognizes the Frankie virus. Frankie only affects some kinds of Macintosh emulators running on Atari computers.
See the rest of the manual for details on these new features.
• Disinfectant Version 1.8. May 20, 1990. Recognize MDEF virus, plus other miscellaneous changes.
• Disinfectant Version 1.7. April 2, 1990. Recognize ZUC virus, plus other miscellaneous changes.
• Disinfectant Version 1.6. January 30, 1990. Recognize generic nVIR clones, plus other miscellaneous changes. The nVIR clone detection and repair algorithm is based on the one used by Steve Brecher in his “Repair” application. Thanks to Steve for sharing his code with us.
• Disinfectant Version 1.5. December 14, 1989. Recognize WDEF B virus, plus other miscellaneous changes.
• Disinfectant Version 1.4. December 8, 1989. Recognize WDEF A virus, plus other miscellaneous changes.
• Disinfectant Version 1.3. November 29, 1989. Recognize another new nVIR B clone, plus other miscellaneous changes.
• Disinfectant Version 1.2. August 4, 1989. Recognize another new nVIR B clone, plus other miscellaneous changes.
• Disinfectant Version 1.1. April 16, 1989. Recognize a new nVIR B clone, plus other miscellaneous changes.
• Disinfectant Version 1.0. March 19, 1989. First public release.
\str#
\page
\tcon Programmer Notes
\only screen
\pict 311
\only print save
\style bold
\just center
\size 140
Programmer Notes
I wrote several reusable modules to implement Disinfectant’s human interface. You are welcome to write for copies of the source code and you have my permission to use it in your own projects. All I ask is that you give me and Northwestern University appropriate credit in your about box or manual. The source code is in MPW C 3.1.
• vol.c—Volume selection via Drive and Eject buttons, as in standard file, with popup menu as an alternative.
• scn.c—Volume and folder scanning. HFS and MFS. Optional folder name, file name, and progress bar displays.
• rep.c—Report generation and display in scrolling fields.
• rpp.c—Report printing.
• hlp.c—Help window presentation, saving, and printing. Uses the report module.
• gff.c—A modified standard open file dialog which lets you choose either a folder or a file.
• utl.c—Miscellaneous utilities used by the above.
• cvrt.c—An MPW tool to convert a text file to a sequence of STR# resources. Used with reports and Help windows.
• wrap.c—An MPW tool to word-wrap paragraphs of text. Used with Help windows.
To request a copy, write to me at one of my electronic addresses below or mail me a floppy and a stamped self-addressed envelope. I will send you a complete sample application which uses all of the above modules, with all the C source code, the rez files, the tools, and a make file. The sample application is very similar to Disinfectant, but produces a disk directory listing instead of a virus scan or disinfection report.
You can also get a copy of the source code via anonymous FTP from site “acns.nwu.edu” [129.105.49.1].
The virus detection and disinfection code is not available.
\str#
\page
\only screen
\tcon Author & Credits
\only print
\tcon Author and Credits
\only screen
\pict 312
\only print save
\style bold
\just center
\size 140
Author and Credits
John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, Illinois 60208 USA
Internet: jln@casbah.acns.nwu.edu
Bitnet: jln@nuacc
AppleLink: a0173
America Online: JNorstad
CompuServe: 76666,573
I enjoy getting mail, especially electronic mail, and I invite your correspondence. If you send me a letter through the regular mail, please include a self-addressed stamped envelope if you expect a reply.
Please do not try to call me. I do not have the time to do free consulting over the phone and I cannot return long distance phone calls from people I do not know.
If you think that you might have a new virus which Disinfectant does not detect, please read the section in this manual titled “Problem Clinic.” Follow the advice contained in that section before asking me for assistance.
With thanks to:
Mark Anbinder, BAKA Computers, Inc.
Wade Blomgren, University of California, San Diego
Chris Borton, UC Berkeley School of Education
Scott Boyd
Shawn Cokus, Westhill High School, Syracuse, New York
Zbigniew Fiedorowicz, Ohio State University
Bob Hablutzel
Tim Krauskopf, National Center for Supercomputing Applications
Joel Levin, BBN Communications Corporation
Robert Lentz, Northwestern University
Bill Lipa, Stanford University
Albert Lunde, Northwestern University
James Macak, The Double Click Macintosh Users Group, Milwaukee
Lance Nakata, Stanford University
Dave Platt, Coherent Thought Inc.
Leonard Rosenthol, Software Ventures Corporation
Art Schumer, Microsoft Corporation
Dan Schwendener, Eidgenössische Technische Hochschule, Zürich
Please note that although we have included company and university names above, this in no way implies that those companies or universities endorse or support Disinfectant.
This international group of Macintosh virus experts, programmers and enthusiasts helped design and test Disinfectant, edit the manual, locate copies of the viruses for testing, and analyze the viruses. I wrote all the code, but I could not have written the application without their help.
Disinfectant is an example of cooperative software development over the Internet. I send development and beta releases and technical design notes to the working group and they reply with error reports, suggestions, etc. This involves the exchange of many thousands of electronic mail messages. The result is an application which is much better than any one of us could have produced individually.
Since the initial release of Disinfectant, many hundreds of people have supplied error reports, comments, and suggestions for features. The application has in many ways become a community project. The author thanks everybody who has contributed.
Thanks also to Paul Mercer, Darin Adler, Paul Snively, Frédéric Miserey and Steve Capps for ShowINIT.
Last but not least, the author thanks his many good friends at Apple Computer for their advice, encouragement, and assistance, and for continuing to produce the very finest personal computers and system software.