
Eradicating WDEF using Disinfectant 1.5 or 1.6 (Macintosh)

________________________________________________________________________

                THE COMPUTER INCIDENT ADVISORY CAPABILITY

                                  CIAC

                        INFORMATION    BULLETIN
________________________________________________________________________



                Eradicating WDEF using Disinfectant 1.5 or 1.6 



February 2, 1989, 1400 PST                                   Number A-17



 

CIAC Information Bulletin A-9 reported the existence of the WDEF virus
on Macintosh computers.  The purpose of this bulletin is to provide
additional information about eradicating this virus.



Disinfectant 1.5 and the most recent version, Disinfectant 1.6, are
capable of detecting and eradicating WDEF, but are not designed to
prevent the spread of WDEF during its execution.  If an infected disk
is inserted into the Macintosh while Disinfectant is running (for the
purposes of eradicating WDEF), WDEF will infect ANY OTHER UNLOCKED
MOUNTED VOLUMES.  If Disinfectant is to be used to eradicate a WDEF
infection, CIAC recommends the following procedure:



        1.      Prepare a system disk using locked originals.  Use the
instructions provided with the Macintosh documentation if you require
assistance in preparing this system disk.  If possible, you should not
use your hard disk to prepare this system disk.  Copy Disinfectant
version 1.5 or version 1.6 to this disk.  Lock the disk and shut down
the system.



        2.      Reboot the Macintosh using the prepared system disk.
Launch Disinfectant from the floppy and use the SCAN function to check
your hard disk for the WDEF virus.  If found, use the DISINFECT
function to remove WDEF from your hard disk.  Quit Disinfectant.



        3.      Reboot the Macintosh using this prepared system disk.
You should drag any hard disks that automatically appear on the
desktop to the trash to unmount them.  Launch the copy of Disinfectant
on the system disk.  Use the SCAN facility of Disinfectant to verify
that WDEF has not infected this system disk.  If it has, you will have
to eject the system disk, unlock it, and insert it again.  Use the
DISINFECT function of Disinfectant to eradicate WDEF.  Next, you
should eject the system disk and lock it again.  Reinsert the system
disk.



        4.      Use Disinfectant to scan all of your floppy disks.
WDEF will infect both system and non-system disks; to completely
eradicate WDEF you will have to disinfect all of your disks (including
backup disks).  DO NOT USE YOUR HARD DRIVE DURING THIS PROCEDURE.

  

        5.      Once all of your floppy disks are disinfected, reboot
your system using the locked system disk.  Now run Disinfectant and
disinfect your hard disk.  Once WDEF has been eradicated from all
floppies and your hard disk, the eradication procedure is complete.





The most recent versions of other tools such as SAM, VIREX,
GATEKEEPER, and GATEKEEPER AID may also be used to eradicate or
prevent the spread of the WDEF virus.  If you have questions
concerning these tools, contact CIAC for assistance.



For further information, or for a copy of Disinfectant 1.6, please
contact CIAC:

        Tom Longstaff
        (415) 423-4416 or (FTS) 543-4416
        FAX: (415) 294-5054



CIAC's business hours phone number is (415) 422-8193 or (FTS)
532-8193.  CIAC's 24-hour emergency hot-line number is (415)
971-9384.  If you call the emergency number and there is no answer,
please let the number ring until voice mail comes on.  Please leave a
voice mail message; someone will return your call promptly.  You may
also send e-mail to:

        ciac@tiger.llnl.gov



Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.



CIAC BULLETINS ISSUED



SUN 386i authentication bypass vulnerability
nVIR virus alert
/dev/mem vulnerability
tftp/rwalld vulnerability
"Little Black Box" (Jerusalem) virus alert
restore/dump vulnerability
rcp/rdist vulnerability
Internet trojan horse alert
NCSA Telnet vulnerability
Internet hacker alert
Columbus Day (DataCrime) virus alert
Columbus Day (DataCrime) virus alert (follow-up, notice A-1)
HEPnet/SPAN network worm alert (notice A-2)
HEPnet/SPAN network worm alert (follow-up, notice A-3)
HEPnet/SPAN network worm alert (follow-up, notice A-4)
rcp vulnerability (second vulnerability, notice A-5)
Trojan horse in Norton Utilities (notice A-6)
UNICOS vulnerability (classified, limited distribution, notice A-7)
UNICOS problem (limited distribution, notice A-8)
WDEF virus alert (notice A-9)
PC CYBORG (AIDS) trojan horse alert (notice A-10)
Problem in the Texas Instruments D3 Process Control System  (notice A-11)
DECnet hacker attack alert (notice A-12)
Vulnerability in DECODE alias (notice A-13)
Additional information on the vulnerability in the UNIX DECODE alias
        (notice A-14)
Virus information update (notice A-15)
Vulnerability in SUN sendmail program (notice A-16)
Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)
