New Macintosh Virus Discovered
30 June 1992

Virus: T4-A, T4-B
Damage: altered boot code; altered/damaged applications
Spread: possibly significant
Systems affected: Apple Macintosh computers. All types, but see text.

A new virus has been discovered, in two slightly different strains. These were included with the game application GoMoku, versions 2.0 and 2.1. These files were posted to the Usenet comp.binaries.mac newsgroup, and uploaded to various ftp archives, including the one at sumex-aim.stanford.edu.

[Note: the game was distributed under a falsified name. The name used in the posting, and embedded in the game, is that of a completely uninvolved person. Please do not use this person's name in reference to the virus. The actual virus author is unknown, and probably used this person's name as a form of harassment.]

When invoked, the virus attempts to alter the System file. This alteration attempt will be noticed by the SAM antivirus program (and possibly by Gatekeeper, depending on settings). The alert message that is displayed indicates that "Disinfectant" is trying to make the alteration - whether Disinfectant is installed on the system or not. This is evidently an attempt to fool users into approving the modification attempt, thus allowing the virus to infect.

The change to the System file results in alterations to the boot code under both Systems 6 and 7. The damage may render some systems unbootable, but will usually result in INIT files and System extensions (respectively) not loading.

The virus also attempts to modify application files on the system disk. These alterations may damage some applications by overwriting portions of the programs with the virus code. These damaged applications *cannot* be repaired but must be reinstalled from distribution or backup media.

Once installed and active, the virus does not appear to perform any other overt damage. At least one version of the virus may print a message when run after a certain number of files are infected by it. This message identifies the infection as the T4 virus.

[Note: Although this note is unrelated to the T4 virus, we feel it appropriate and important to remind Mac users that neither Apple System 7 nor 7.0.1 should be used UNMODIFIED because they have the "disappearing folders" bug. Users should be sure they have installed the (free) System Tuner 1.1.1 from Apple on these systems; versions 1.0 and 1.1 of the Tuner are outdated or buggy and should not be used. Tuner 1.1.1 is available from authorized Apple dealers, from many user groups, from commercial networks, and on several places on the Internet. Also, System 7.0.1 is *not* the same as System 7 with the Tuner installed; 7.0.1 is a later release of System 7. System 7.0.1 also needs the update installed.]

Authors of all major Macintosh anti-virus tools are planning updates to their tools to locate and/or eliminate this virus. Some of these are listed below. We recommend that you obtain and run a CURRENT version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

Tool:	Disinfectant
Status:	Free software (courtesy of Northwestern University and John Norstad)
Revision:	2.9
Where:	Usual archive sites and bulletin boards -- ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac
When:	Soon (probably by July 6)
Tool:	Gatekeeper
Status:	Free software (courtesy of Chris Johnson)
Revision:	1.2.6
Where:	Usual archive sites and bulletin boards -- microlib.cc.utexas.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac
When:	Soon
Tool:	Rival
Status:	Commercial software
Revision:	T4 Vaccine, Rival Refresh 1.1.9w
Where:	AppleLink, America Online, Internet, Compuserve
When:	Immediately
Tool:	SAM (Virus Clinic and Intercept)
Status:	Commercial software
Revision:	???
Where:	CompuServe, America Online, Applelink, Symantec's Bulletin Board
When:	Immediately
Notes:	User definition information: Virus Name: T4 Resource type: CODE Resource ID: Any 0 Resource size: >= 5600 Search String: Hex 2F2E FFD0 2F2E FFC4 3F3CA 97B48 6E String offset: >= 714 from end Check value should be 'E7FA' if all fields entered correctly
Tool:	Virex
Status:	Commercial software
Revision:	3.82
Where:	Microcom, Inc.
When:	6 July 1992
Comments:	Virex 3.82 will detect the virus in any file, and repair any file that has not been permanently damaged by the virus. All Virex subscribers will automatically be sent an update on diskette. All other registered users will receive a notice with information to update prior versions to detect T4. The information necessary to update immediately is also available on Microcom's BBS and on America OnLine. The update stringfollows: Guide Number = 7381312 1: 0230 FEAC 7500 00A9 / 36 2: 7B48 6EFF D62F 0E4E / BE 3: BA81 0230 FEA0 7500 / 3A 4: 00A9 7B48 6EFF D62F / 5D 5: 0E4E BA81 8280 9090 / 25
Tool:	VirusDetective
Status:	Shareware
Revision:	5.0.5
Where:	Usual bulletin boards will announce a new search string. Registered users will also get a mailing with the new search string.
When:	Immediately
Comments:	Search strings are: Resource CODE & Size > 3900 & Pos -1200 & WData 3F3CA9CC * 31BC4E71 ; For finding T4

If you discover what you believe to be a virus on your Macintosh system, please report it to the vendor/author of your anti-virus software package for analysis. Such reports make early, informed warnings like this one possible for the rest of the Mac community.

Also, be aware that writing and releasing computer viruses is more than a rude and damaging act of vandalism - it is also a violation of many state and Federal laws in the US, and illegal in several other countries. If you have information concerning the author of this or any other computer virus, please contact any of the anti-virus providers listed above. Several Mac virus authors have been apprehended thanks to the efforts of the Mac user community, and some are awaiting trial for their actions. This is yet one more way to help protect you computers.

=================