++ Sections tagged with [DH] or [SL] usually denote personal opinions or other data which the originator didn't feel the other maintainer should be held responsible for. Untagged sections using the first person are usually hangovers from when DH was sole maintainer of the FAQ.
++ Sadly for the rest of us, Susan Lesch has decided to take a break from co-maintaining this FAQ and from maintaining her "Mac Virus" website, and this version of the FAQ is mainly intended to reflect those changes. Susan has done the lion's share of the maintenance of this document for the last couple of years, and done a fantastic job. I shall miss her input, and the Mac community will be the poorer for the absence of her website. Thank you, from all of us.
++ I can't promise to give the FAQ the time I'd need to keep it as topical as it has been, so the next revision will be focused on updating core material and checking URLs rather than news. What happens after that depends on a number of plans that are still taking shape.
David Harley
It may not be reproduced for profit or distributed in part or as a whole with any product for which a charge is made, except with the prior permission of the copyright holder(s). To obtain such permission, please contact the maintainer of the FAQ.
Primary author and maintainer of this document is David Harley. Comments and additional material have been received with gratitude from Ronnie Sutherland, Henri Delger, Mike Groh and Eugene Spafford. Thanks to Bruce Burrell, Michael Wright, Peter Gersmann, David Miller, Ladd Van Tol, Eric Hildum, Jeremy Goldman, Kevin White, Bill Jackson, Robert Slade, Robin Dover, and John Norstad for their comments and suggestions. Special thanks to Susan Lesch for her contributions, editing, and maintenance chores as co-maintainer.
Corrections and additional material are welcome, especially if kept polite.... Contributions will, if incorporated, remain the copyright of the contributor, and will be credited accordingly within the FAQ.
David Harley <D.Harley@icrf.icnet.uk>
++ There are HTML versions at:
Precise URLs tend to come and go, but you might like to try the following:
Network Associates, formerly McAfee Associates:
Virus Information Library
<http://www.nai.com/vinfo/>
Macintosh Viruses
<http://www.nai.com/vinfo/f_13707.asp>
Sophos Plc
<http://www.sophos.com/>
About.com "Macintosh Virus Descriptions"
Part of work in progress by Ken Dunham
+ <http://antivirus.about.com/library/blenmac.htm> (new domain name)
Mac Virus
++ Updated and detailed but somewhat unstructured
[Site closed 5th September 1999]
<http://www.macvirus.com/reference/viruses.html>
Dr Solomon's "Mac Viral Zoo"
Starting to go out of date
<http://www.drsolomon.com/products/virex/zoo/maczoopg.html>
+44 1235 555139
<http://www.virusbtn.com/>
Central Command
<http://www.avpve.com/viruses/macro/>
Network Associates
<http://www.nai.com/vinfo/f_3057.asp>
Data Fellows
<http://www.datafellows.com/macro/word.htm>
Mac users with Word 6 or versions of Excel supporting Visual Basic for Applications, however, are vulnerable to infection by macro viruses which are specific to these applications. Indeed, these viruses can, potentially, infect other files on any hardware platform supporting these versions of these applications. I don't know of a macro virus with a Mac-specific payload that actually works at present, but such a payload is entirely possible.
++ Office 98 applications are in principle vulnerable to most of the threats to which Office 97 applications are vulnerable. I'll return to this subject when and if time allows. [DH]
Word Mac version 5.1 and below do not support WordBasic, and are not, therefore, vulnerable to direct infection. Not only do these versions not understand embedded macros, but they can't read the Word 6 file format unaided. There is, however, at least one freeware utility which allows Word 5.x users to read Word 6 files. This will not support execution of Word 6 (or WinWord 2) macros in Word 5.x, so I would not expect either an infection routine or a payload routine to be able to execute within this application.
However, Word 5.x users may contribute indirectly to the spread of infected files across platforms and systems, since it is perfectly possible for a user whose own system is uninfectable to act as a conduit for the transmission of infected documents, whether or not s/he reads them personally.
Files infected with a PC-specific file virus (this excludes macro viruses) can only execute on a Macintosh running DOS or DOS/Windows emulation, if then. They can, of course, spread across platforms simply by copying infected files from one system to another.
DOS diskettes infected with a boot sector virus can be read on a Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without (normally) risk to the Mac. However, leaving such an infected disk in the drive while booting an emulator such as SoftPC can mean that the virus attempts to infect the logical PC drive with unpredictable results.
I am aware of at least one instance of a Mac diskette which, when read on a PC running a utility for reading Mac-formatted disks after being infected with a boot-sector infector, became unreadable as a consequence of the boot track infection.
Some Mac viruses may damage files on Sun systems running MAE or AUFS.
The following varieties are listed below:
Aladin - close relative of Frankie
Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under system 7.x, or System 6 under MultiFinder. Can damage applications so that they can't be 100% repaired.
CDEF - infects desktop files. No intentional damage, and doesn't spread under system 7.x.
CLAP: nVIR variant that spoofs Disinfectant to avoid detection (Disinfectant 3.6 recognizes it).
Code 1: file infector. Renames the hard drive to "Trent Saburo". Accidental system crashes possible.
Code 252: infects application and system files. Triggers when run between June 6th and December 31st. Runs a gotcha message ("You have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks... [etc.]"), then self-deletes. Despite the message, no intentional damage is done, though shutting down the Mac instead of clicking to continue could cause damage. Can crash System 7 or damage files, but doesn't spread beyond the System file. Doesn't spread under System 6 with MultiFinder beyond System and MultiFinder. Can cause various forms of accidental damage.
Code 9811: hides applications, replacing them with garbage files named "something like 'FIDVCXWGJKJWLOI'." According to Ken Dunham who reported this virus in November, "The most obvious symptom of the virus is a desktop that looks like electronic worms and a message that reads 'You have been hacked by the Pretorians.'"
Code 32767: once a month tries to delete documents. This virus is not known to be in circulation.
Flag: unrelated to WDEF A and B, but was given the name WDEF-C in some anti-virus software. Not intentionally damaging but when spreading it overwrites any existing 'WDEF' resource of ID '0', an action which might damage some files. This virus is not known to be in circulation.
Frankie: only affects the Aladdin emulator on the Atari or Amiga. Doesn't infect or trigger on real Macs or the Spectre emulator. Infects application files and the Finder. Draws a bomb icon and displays 'Frankie says: No more piracy!'
Fuck: infects application and System files. No intentional damage. (nVIR B strain)
Init 17: infects System file and applications. Displays message "From the depths of Cyberspace" the first time it triggers. Accidental damage, especially on 68K machines.
Init 29 (Init 29 A, B): Spreads rapidly. Infects system files, applications, and document files (document files can't infect other files, though). May display a message if a locked floppy is accessed on an infected system 'The disk "xxxxx" needs minor repairs. Do you want to repair it?'. No intentional damage, but can cause several problems - Multiple infections, memory errors, system crashes, printing problems, MultiFinder problems, startup document incompatibilities.
Init 1984: Infects system extensions (INITs). Works under Systems 6 and 7. Triggers on Friday 13th. Damages files by renaming them, changing file TYPE and file CREATOR, creation and modification dates, and sometimes by deleting them.
Init-9403 (SysX): Infects applications and Finder under systems 6 and 7. Attempts to overwrite whole startup volume and disk information on all connected hard drives. Only found on Macs running the Italian version of MacOS.
Init-M: Replicates under System 7 only. Infects INITs and application files. Triggers on Friday 13th. Similar damage mechanisms to INIT-1984. May rename a file or folder to "Virus MindCrime". Rarely, may delete files.
MacMag (Aldus, Brandow, Drew, Peace): first distributed as a HyperCard stack Trojan, but only infected System files. Triggered (displayed a peace message and self-deleted) on March 2nd 1988, so very rarely found.
MBDF (A,B): originated from the Tetracycle, Tetricycle or "tetris-rotating" Trojan. The A strain was also distributed in Obnoxious Tetris and Ten Tile Puzzle. Infect applications and system files including System and Finder. Can cause accidental damage to the System file and menu problems. A minor variant of MBDF B appeared in summer 1997: Disinfectant and Virex have been updated accordingly.
MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file and application files (D doesn't infect System). No intentional damage, but can cause crashes and damaged files.
MDEF-E and MDEF-F: described as simple and benign. They infect applications and system files with an 'MDEF' resource ID '0', not otherwise causing file damage. These viruses are not known to be in circulation.
nCAM: nVIR variant
nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect System and any opened applications. Extant versions don't cause intentional damage. Payload is either beeping or (nVIR A) saying "Don't panic" if MacInTalk is installed.
nVIR-f: nVIR variant.
prod: nVIR variant
Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two applications that were never generally released. Can cause accidental damage, though - system crashes, problems printing or with MacDraw and Excel. Infects applications, Finder, DA Handler.
SevenDust-A through G (MDEF 9806-A through D, also known as 666, E was at first called "Graphics Accelerator"): a family of five viruses which spread both through 'MDEF' resources and a System extension created by that resource. The first four variants are not known to be in circulation. Two of these viruses cause no other damage. On the sixth day of the month, MDEF 9806-B may erase all non-application files on the current volume. The SARC encyclopedia calls MDEF 9806-C, "polymorphic and encrypted, no payload," and MDEF 9806-D, "encrypting, polymorphic, symbiotic," and says the symbiotic part, "alters a 'WIND' resource from the host application." SevenDust E, not to be confused with the legitimate ATI driver "Graphics Accelerator", began as a trojan horse released to Info-Mac and deleted there on or about September 26, 1998. Takes two forms, 'INIT' resource ID '33' in an extension named "\001Graphics Accelerator" and an 'MDEF' resource ID '1' to '255'. Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any month, the virus will try to delete all non-application files on the startup disk. John Dalgliesh describes "Graphics Accelerator" on his Web page for AntiGax, a free anti-SevenDust E utility; any errors here in translation are not his. SevenDust F uses a trojan "ExtensionConflict", common extension names, and creator 'ACCE'. [SL]
T4 (A, B, C, D): infects applications, Finder, and tries to modify System so that startup code is altered. Under System 6 and 7.0, INITs and system extensions don't load. Under 7.0.1, the Mac may be unbootable. Damage to infected files and altered System is not repairable by Disinfectant. The virus masquerades as Disinfectant, so as to spoof behaviour blockers such as Gatekeeper. Originally included in versions 2.0/2.1 of the public domain game GoMoku.
T4-D spreads from application to application on launch by appending itself to the 'CODE' resource. Deletes files other than the System file from the System Folder, and documents, and is termed dangerous. The D strain is not known to be in circulation [SL].
WDEF (A,B): infects desktop file only. Doesn't spread under System 7. No intentional damage, but causes beeping, crashes, font corruption and other problems.
zero: nVIR variant.
Zuc (A, B, C): infects applications. The cursor moves diagonally and uncontrollably across the screen when the mouse button is held down when an infected application is run. No other intentional damage is done.
Dukakis - infects the Home stack, then other stacks used subsequently. Displays the message "Dukakis for President", then deletes itself, so not often seen.
HC 9507 - infects the Home stack, then other running stacks and randomly chosen stacks on the startup disk. On triggering, displays visual effects or hangs the system. Overwrites stack resources, so a repaired stack may not run properly.
HC 9603 - infects the Home stack, then other running stacks. No intended effects, but may damage the Home stack.
HC "Two Tunes" (referred to by some sources as "Three Tunes") - infects stack scripts. Visual/Audio effects: 'Hey, what are you doing?' message; plays the tune "Muss I denn"; plays the tune "Behind the Blue Mountains"; displays HyperCard toolbox and pattern menus; displays 'Don't panic!' fifteen minutes after activation. Even sources which describe this virus as "Three Tunes" seem to describe the symptoms consistently with the description here, but we will, for completeness, attempt to resolve any possible confusion when time allows. This virus has no known connection with the PC file infector sometimes known as Three Tunes.
MerryXmas - appends to stack script. On execution, attempts to infect the Home stack, which then infects other stacks on access. There are several strains, most of which cause system crashes and other anomalies. At least one strain replaces the Home stack script and deletes stacks run subsequently. Variants include Merry2Xmas, Lopez, and the rather destructive Crudshot. [Ken Dunham discovered the merryXmas virus. His program merryxmasWatcher 2.0 was very popular and still can eradicate the most common two strains, merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest of this family.]
Antibody is a recent virus-hunting virus which propagates between stacks checking for and removing MerryXmas, and inserting an inoculation script.
Independance (sic) Day - reported in July, 1997. It attempts to be destructive, but fortunately is not well enough written to be more than a nuisance. More information at:
ChinaTalk - system extension - supposed to be sound driver, but actually deletes folders.
CPro - supposed to be an update to Compact Pro, but attempts to format currently mounted disks.
+ ExtensionConflict - supposed to identify Extensions conflicts, but installs one of the six SevenDust a.k.a. 666 viruses.
FontFinder - supposed to list fonts used in a document, but actually deletes folders.
MacMag - HyperCard stack (New Apple Products) that was the origin of the MacMag virus. When run, infected the System file, which then infected System files on floppies. Set to trigger and self-destruct on March 2nd, 1988, so rarely found.
Mosaic - supposed to display graphics, but actually mangles directory structures.
NVP - modifies the System file so that no vowels can be typed. Originally found masquerading as 'New Look', which redesigns the display.
Steroid - Control Panel - claims to improve QuickDraw speed, but actually mangles the directory structure.
Tetracycle - implicated in the original spread of MBDF
Virus Info - purported to contain virus information but actually trashed disks. Not to be confused with Virus Reference.
Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which disables PostScript printers and requires replacement of a chip on the printer logic board to repair. A Mac virus guru says:
"The PostScript 'Trojan' was basically a PostScript job that toggled the printer password to some random string a number of times. Some Apple laser printers have a firmware counter that allows the password to only be changed a set number of times (because of PRAM behavior or licensing -- I don't remember which), so eventually the password would get "stuck" at some random string that the user would not know. I have not heard any reports of anyone suffering from this in many years."
AppleScript Trojans - A demonstration destructive compiled AppleScript was posted to the newsgroups alt.comp.virus, comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh, microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and symantec.support.mac.sam.general on 16-Aug-97, apparently in response to a call for help originally posted to alt.comp.virus on 14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch published Xavier Bury's finding of a second AppleScript trojan horse, which, like the call for help followup, mentioned Hotline servers. It reportedly sends out private information while running in the background. A note to users from Hotline Communications CEO Adam Hinkley is posted at
++ Unfortunately, the number of known macro viruses runs into several thousand, though the number in the wild is far fewer.
Most macro viruses (if they have a warhead at all) target Intel platforms and assume FAT-based directory structures, so they usually have no discernible effect on Macs when they trigger. Viruses that manipulate text strings within a document may work just as well on a Macintosh as on a PC.
In any case, the main costs of virus control are not recovery from virus payloads, but the costs of establishing detection and protection (or of not establishing them). The costs of not establishing these measures can be considerable, irrespective of damage caused on infected machines, especially in corporate environments. Secondary distribution of infected documents may result in:
++ Office 98 is in general vulnerable to infection by most viruses which affect corresponding applications in Office 97.
Macro viruses are therefore highly transmissible via Macintoshes, even if they don't have a destructive effect on Motorola platforms, if there is an equivalent application available on the Macintosh. For instance, although Word for Windows versions before version 6 support WordBasic, Word versions for the Mac up to and including version 5.1 do not. [Thus Word 5.1 users cannot be directly infected, but may, like anyone, pass on infected documents to vulnerable systems.]
++ [reference to Green Stripe removed]
Network Associates, Symantec, and Intego all make known-virus scanners that detect a range of macro viruses. Microsoft make available a free 'protection tool' whose effectiveness is often overestimated. (See below.)
For further information on specific macro viruses, try one of the information resources given earlier.
Recommendations for defending PC systems or PC emulation on Macs are slightly out-of-scope for this FAQ. In fact, I don't know of any formal testing for PC antivirus software in the context of PC emulation on Macs. I've done some informal testing (referred to in another paper), but am not prepared to make vendor-specific recommendations on the basis of such testing. F-Prot, AVP, and Dr Solomon's are particularly well-regarded PC antivirus packages, of which some components on some platforms are available as freeware or for evaluation, but their efficacy in the context of PC emulation is not well tested or documented.
To find a commercial or shareware package relevant to PCs, check through the independent comparative reviews sites:
University of Tampere Virus Research Unit
<http://www.uta.fi/laitokset/virus/>
Secure Computing
<http://www.westcoast.com/>
Virus Bulletin
<http://www.virusbtn.com/>
+ About.com has an aggregation of PC anti-virus reviews links.
<http://antivirus.about.com/msub12.htm>
Robert Michael Slade's lists may also be helpful.
<http://www.freenet.victoria.bc.ca/techrev/quickref.html>
<http://www.freenet.victoria.bc.ca/techrev/rms.html>
CIAC Bulletin I-067 is based on Eugene Spafford's information release on the original AutoStart worm. Unfortunately, this is now a little out-of-date, particularly as regards the update status of the antivirus software it mentions. Nor does it mention any of the subsequently discovered variants.
Affected platforms: any PowerMac. Macintoshes and clones driven by Motorola 680x0 series CPUs can't run the replicative code. It works under any version of Mac OS, if QuickTime 2.0 or later is installed and CD-ROM AutoPlay is enabled in the "QuickTime Settings" Control Panel.
Transmission media: HFS or HFS+ volumes (hard disks, diskettes, most types of removable media, even disk images). Audio CDs can't transmit the virus, and it isn't necessary to disable "Audio CD AutoPlay".
Transmission method: infected media contain an invisible application file named "DB" or "BD" or "DELDB" in the root directory (type APPL, creator ????). This is an AutoStart file: i.e. it will run automatically if CD-ROM autoplay is enabled. If the host Mac isn't already infected, it copies itself to the Extensions folder. The new copy is renamed "Desktop Print Spooler" or "Desktop Printr Spooler", or "DELDesktop Print Spooler" respectively (type appe, creator ????). Unlike the legitimate Desktop Printer Spooler extension, the worm file has the invisible attribute set, and isn't listed as a running process by the system software, though it can be seen with Process Watcher or Macsbug. After copying itself, it reboots the system and is now launched every time the system restarts. At approximately 6, 10, or 30 minute intervals, it examines mounted volumes to see if they're infected: if not, it writes itself to the root directory and sets up AutoStart (however, AutoStart won't work on a server volume).
Damage: files with names ending "data", "cod" or "csa" are targeted if the data fork is larger than 100 bytes. Files with names ending "dat" are targeted if the whole file is c. 2Mb or larger. Targeted files are attacked by overwriting the data fork (up to the 1st Mb) with garbage.
Besides the original, there are five variants: AutoStart 9805-B, which is less noticeable but can cause irreparable damage to files of type 'JPEG', 'TIFF', and 'EPSF'; AutoStart 9805-C and AutoStart 9805-D which do not intentionally damage data; AutoStart 9805-E which spreads like B and is most similar to the original; and AutoStart 9805-F which is most similar to A and E. Dr Solomon's, Sophos, and Symantec had descriptions on the Web:
Detection: updates to deal with the worms are available for Virex (http://www.drsolomon.com/products/virex/), for NAV and SAM (http://www.symantec.com/avcenter/download.html), and for Rival (http://www.intego.com/).
++ The last versions of VirusScan for Mac and Disinfectant did not detect AutoStart. [Reference to Dr Solomon's for Mac removed, as the product is no longer supported.]
Prevention: uninfected systems can be protected by disabling the AutoStart option in QuickTime settings (QuickTime 2.5 or later only - earlier versions don't have a disable option). This should also prevent infection by future malware exploiting the same loophole, but will fail if a setup is booted from a volume with an infected Extensions Folder [SL].
Removal: the easiest and safest method for most people will be to use the updated version of their favoured anti-virus software, as it becomes available.
The worms can also be removed manually.
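The indicators given above under "Transmission method" and "Damage" can be turned into a triage pass over a volume inventory. The following is an added example, not part of the original FAQ or of any product it mentions; the inventory record format, the sample rows, the reading of "c. 2Mb" as 2 MiB and the case-insensitive suffix match are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Indicators from the "Transmission method" paragraph above.
ROOT_NAMES = {"DB", "BD", "DELDB"}                       # type APPL, creator ????
EXTENSION_NAMES = {"Desktop Print Spooler", "Desktop Printr Spooler",
                   "DELDesktop Print Spooler"}           # type appe, creator ????
WORM_CREATOR = "????"

# Targeting rules from the "Damage" paragraph above.
SMALL_SUFFIXES = ("data", "cod", "csa")   # hit if the data fork exceeds 100 bytes
DATA_FORK_MIN = 100
LARGE_SUFFIX = "dat"                      # hit if the whole file is c. 2Mb or larger
WHOLE_FILE_MIN = 2 * 1024 * 1024          # assumption: "c. 2Mb" read as 2 MiB


@dataclass(frozen=True)
class FileRecord:
    """One row of a volume inventory (hypothetical format, not a real tool's)."""
    path: tuple             # components from the volume name down to the file name
    file_type: str
    creator: str
    invisible: bool
    data_fork: int          # bytes
    resource_fork: int = 0  # bytes


def worm_indicator(rec: FileRecord) -> Optional[str]:
    """Return 'match', 'review' or None for one inventory row."""
    name = rec.path[-1]
    at_root = len(rec.path) == 2
    in_extensions = len(rec.path) >= 3 and rec.path[-2] == "Extensions"
    if at_root and name in ROOT_NAMES:
        expected_type = "APPL"
    elif in_extensions and name in EXTENSION_NAMES:
        expected_type = "appe"
    else:
        return None
    # Name and location fit; the attributes decide how confident the finding is.
    full = (rec.file_type == expected_type
            and rec.creator == WORM_CREATOR
            and rec.invisible)
    return "match" if full else "review"


def damage_candidate(rec: FileRecord) -> bool:
    """True if the file meets the worm's targeting rules, so check it against backup."""
    name = rec.path[-1].lower()   # assumption: case-insensitive, to over-include
    if name.endswith(SMALL_SUFFIXES) and rec.data_fork > DATA_FORK_MIN:
        return True
    whole_file = rec.data_fork + rec.resource_fork
    return name.endswith(LARGE_SUFFIX) and whole_file >= WHOLE_FILE_MIN


def triage(records):
    """Sort an inventory into worm matches, rows to review, and files to verify."""
    findings = {"match": [], "review": [], "check_backup": []}
    for rec in records:
        label = ":".join(rec.path)          # classic Mac OS path separator
        verdict = worm_indicator(rec)
        if verdict:
            findings[verdict].append(label)
        elif damage_candidate(rec):
            findings["check_backup"].append(label)
    return findings


# Constructed sample inventory; sizes and the legitimate file's creator are made up.
EXT = ("Macintosh HD", "System Folder", "Extensions")
WORK = ("Macintosh HD", "Work")
SAMPLE_INVENTORY = [
    FileRecord(("Zip 100", "DB"), "APPL", "????", True, 40000),
    FileRecord(EXT + ("Desktop Print Spooler",), "appe", "????", True, 40000),
    FileRecord(EXT + ("Desktop Printer Spooler",), "appe", "xxxx", False, 90000),
    FileRecord(("Backup", "BD"), "TEXT", "ttxt", False, 1200),
    FileRecord(WORK + ("survey data",), "TEXT", "ttxt", False, 5000),
    FileRecord(WORK + ("tiny.cod",), "TEXT", "ttxt", False, 80),
    FileRecord(WORK + ("capture.dat",), "BINA", "????", False, 3 * 1024 * 1024),
    FileRecord(WORK + ("small.dat",), "BINA", "????", False, 1000),
]

if __name__ == "__main__":
    for bucket, paths in triage(SAMPLE_INVENTORY).items():
        print(bucket, paths)
```

A "review" result means the name and location fit but the type, creator or invisible attribute do not, so the file needs a manual look rather than automatic removal.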
The Protection Tool can be used to scan for Concept-infected files, but there are a number of possible problems with it.
The Excel add-in for Macs removes only Laroux A and B.
Microsoft's home page has recommended using an ICSA-certified antivirus utility and sidesteps any hint of responsibility for any macro virus or SCANPROT related problems.
(1) not everyone is happy with the current implementation of ICSA (NCSA) certification
(2) ICSA certification is not at present Mac-aware.
This is probably a wise decision, given the number of people who still overestimate the effectiveness of the package in the face of the macro virus threat. However, the entire Macintosh community owes John Norstad a debt of gratitude for making it freely available for so long, an act of altruism which has probably contributed very significantly to the comparative rarity of native Macintosh viruses.]
Disinfectant was an excellent anti-virus package with exemplary documentation, and didn't cost a penny: however, it didn't detect all the forms of malware that a commercial package usually does, including HyperCard infectors, most Trojans, jokes or macro viruses. Unlike some commercial packages, it didn't scan compressed files, either: compressed files had to be expanded before scanning. Self-extracting archives were probably best scanned before unpacking, then again when unpacked.
Disinfectant has been available up to now from the following sources, but this may not continue to be the case:
There have also been a number of proposals since John Norstad announced the retirement of Disinfectant, suggesting that if the code was made public, it would be possible to maintain and further develop Disinfectant, possibly still as a freeware product. This is misguided, for a number of reasons.
In January 1997 Padgett Peterson, author of the PC utility DiskSecure, released the first version of his MacroList macro detection tool, which has been tested by the author on Macs (System 7.5 on SE/30, IIci and PowerMac) as well as Windows PCs, using considerably more macro viruses than Microsoft seem to have heard of..... The MacroList template is accessed by a button in the standard toolbar. This is not a virus scanner, but allows disabling of automacros, listing of any macros found in the current document etc. Version 1.10 was due for release by the time of writing (February 1997), and an adaptation for Office97 is in progress. Watch the Web page for further details. [v1.1 and the Office 97 "late beta" were available as at 18th March 1997.] MacroList is freeware, but please be sure to read the TRIALS link.
Autostart Hunter by Akira Nagata
<http://www.nettaxi.com/citizens/yukoswrd/> (English)
<http://www.parkcity.ne.jp/~eyukoswrd/index_mac.html> (Japanese)
BugScan by Mountain Ridge Dataworks (also detects SevenDust E)
<http://www.mrdataworks.com/bscan.htm>
Worm Gobbler by Jim Kreinbrink
<http://www.lineaux.com/>
Innoculator by MacOffice
<http://www.macoffice.com/innoculator.htm>
WormFood by Doug Baer
<http://hyperarchive.lcs.mit.edu/cgi-bin/NewSearch?key=WormFood>
Eradicator with update, by Uptown Solutions Ltd.
<http://www.uptown.com/>
Virex, NAV, and SAM all address a full range of threats, including Trojans and macro viruses, and can do scheduled scanning as well as on-access (memory-resident) scanning.
++ Sophos Anti-Virus for Macintosh (SAV) was upgraded in January 1999 to include the SWEEP on-demand scanner. The shipping version can be downloaded for free evaluation. English and Japanese are supported.
The program offers customizable reporting and notification from an attractive interface. So far, compressed archives must be decompressed before scanning; I am assured that archive scanning will be in future versions. Complete documentation is in PDF format.
Norton AntiVirus for Macintosh (NAV) launched May 18, 1998. New features included LiveUpdate virus definition updates over the Internet, enhanced macro virus protection, automatic file repair, a bootable CD-ROM for emergencies, faster scanning for PPC, and a universal SafeZone.
NAV, SAM, and Virex offer checksumming/integrity checking (detecting possible infection by unknown viruses, by monitoring changes in infectable files) - the correct checksums or fingerprints for individual files are kept in a database file. All three applications check files compressed with StuffIt.
NAV, formerly SAM, is particularly oriented towards behaviour blocking: the Intercept tool can be configured to raise an alert at the slightest whiff of a 'suspicious' operation. Unfortunately, this can be counterproductive in real life, since an over-stringent alert policy is apt to result in the facility being turned off altogether. However, configuration is very flexible.
SAM (Symantec AntiVirus for Macintosh) support was discontinued May 1; the last update is for July '99. From Symantec's advice:
"In order to maintain the safety and security of your data from viruses without interruption, we recommend that you upgrade to NAVM 5.0.3 before May 1st. For presales and upgrade questions, please contact customer service. They can be reached at 800-441-7234 or online at:"
Symantec issued a Norton AntiVirus 5.x->5.0.3 patch for Mac OS 8.5, fixing the problem with copying files on AppleShare networks.
Virex 5.9.1 was released on 18-Jan-99, for compatibility with Mac OS 8.5 and Virex Administrator 1.4, and can be downloaded.
Dr Solomon's Software acquired Virex and netOctopus from Datawatch Corp. on 10-Oct-97. Network Associates (NAI) acquired Dr Solomon's on 13-Aug-98. Netopia, Inc., acquired what is now named Timbuktu netOctopus in late '98 or early '99.
++ VirusScan 3.0.1 is the final version for Macintosh, and may be updated for macro viruses into 1999, but will never have AutoStart worm definitions or definitions for the new System viruses like SevenDust E. VirusScan customers need to take advantage of a free upgrade to Virex as soon as possible.
++ Dr. Solomon's for Macintosh went through various stages of neglect through late 1998 and support appears to have vanished altogether in 1999, when customers started to receive Virex disks instead of Dr. Solly's updates.
Rival 3.0.4 is available from Intego.
++ This section may vanish in the near future, or at least contract. The hoax business has changed a lot since this FAQ began.
You can get a copy of the latest version of Les Jones' FAQ on the Good Times Hoax on the World Wide Web:
CIAC
<http://www.ciac.org/ciac/CIACHoaxes.html>
Data Fellows
<http://www.datafellows.com/news/hoax.htm>
Scams and Hoaxes FAQ: Messages you DON'T want to post
<http://www.faqs.org/faqs/net-abuse-faq/scams/>
"Inside the Apple Macintosh" - Peter Norton & Jim Heid (Brady) (The 2nd Edition is pre-PowerMac, and I haven't seen a later one, but there's some surprisingly useful stuff in there).
"Inside Macintosh" (Addison Wesley). Essential reading for Mac
programmers. (Umpteen volumes of fairly low-level info. Expensive
(in the UK, at any rate), and whenever you get near some useful
info, it refers you to one of the volumes you haven't got. However,
the series has been re-vamped since I acquired my copies, and this
may be less than just. It's possible to download them in Acrobat
and in some cases other formats from:
<http://devworld.apple.com/>
where you can also order hardcopy and CD versions. Lots of other
useful files.
"Power Macintosh Emergency Handbook" (Apple Computer)
<ftp://ftp.info.apple.com/Apple.Support.Area/Manuals/PMac_Emergency_Handbook.pdf>
MacFixIt "Troubleshooting for the Macintosh"
<http://www.macfixit.com/>
"Sad Macs, Bombs and other Disasters"
Ted Landau (Addison Wesley)
<http://www.macfixit.com/sadmacs3promo.html>
MacInTouch home page (info and services)
<http://www.macintouch.com/>
MacWEEK.com (Have run MacInTouch columns about the AutoStart worms.)
<http://macweek.zdnet.com/>
Macworld magazine
<http://www.macworld.com/>
TidBITS (Have done many good articles on Mac/macro virus issues.)
<http://www.tidbits.com/>
Rebuilding the desktop is by no means a cure-all, but rarely does any harm. It may be worth disabling extensions when you do this, especially if the operation doesn't seem to be completed successfully.
To disable extensions, restart the machine with the shift key held down until you see an Extensions Off message. If you're rebuilding the desktop, release the shift key and hold down Command (the key with the Apple outline icon) & Option (alt) until requested to confirm that you want to rebuild.
Disabling extensions is also a good starting point for tracking down an extensions conflict. If booting without extensions appears to bypass the problem, try removing extensions with Extensions Manager (System 7.5) - remove one at a time, and replace it before removing the next one and booting with that one removed. Remember that if removing one stops the problem, it's still worth putting it back and trying all the others to see if you can find one it's conflicting with. Extensions Manager also lets you disable control panels. If you don't have Extensions Manager, try Now Utilities or Conflict Catcher.
Parameter RAM (PRAM) contains system information, notably the settings for a number of system control panels. 'Zapping' PRAM returns possibly corrupt PRAM data to default values. A likely symptom of corrupted PRAM is a problem with date and time (but this could also be a symptom of a corrupted system file). With System 7, hold down Command-Option-P-R at bootup until the Mac beeps and restarts. You may have to restore changes to some control panels before your system works properly. If the reset values aren't retained, the battery may need replacing.
End "Viruses and the Macintosh" version 1.6 by David Harley