Disinfectant 2.9
July 4, 1992

Disinfectant 2.9 is a new release of our free Macintosh anti-viral utility. Version 2.9 detects the new T4 virus.

The T4 virus was discovered in several locations around the world in June, 1992. The virus was included in versions 2.0 and 2.1 of the game GoMoku. Copies of this game were posted to the USENET newsgroup comp.binaries.mac and to a number of popular bulletin boards and anonymous FTP archive sites.

The game was distributed under a false name. The name used in the posting, and embedded in the game's about box, is that of a completely uninvolved person. Please do not use this person's name in reference to the virus. The actual virus author is unknown, and probably used this person's name as a form of harassment.

The virus spreads to other applications and to the Finder. It also attempts to alter the System file.

When the virus infects an application, it damages it in such a way that the application cannot be repaired. When you use Disinfectant to attempt to repair an infected application, Disinfectant removes the virus from the file, but leaves the file damaged. You should not attempt to use such a file. Disinfectant issues the following error message:

   ### This file was damaged by the virus, and it cannot
   ### be repaired properly. You should delete the file
   ### and replace it with a known good copy.

The change to the System file results in alterations to the startup code under both Systems 6 and 7. Under System 6 and System 7.0, the change results in INIT files and system extensions not loading. Under System 7.0.1, the change may render the system unbootable or cause crashes in unpredictable circumstances.

Disinfectant cannot repair this damage to the System file. If the virus damages your System file, you will have to reinstall it.

If your system suddenly stops loading INITs and system extensions for no good reason, it is a good indication that you may have been attacked by the T4 virus.

The virus masquerades as Disinfectant in an attempt to bypass general-purpose suspicious activity monitors like Gatekeeper. If you see an alert from such an anti-viral tool telling you that "Disinfectant" is trying to make some change to a file, and if Disinfectant is not running, it is a good indication that T4 is attacking your system.

Once installed and active, the virus does not appear to perform any other overt damage. At least one version of the virus may display the following message:

   Application is infected with the T4 virus.

There are two known strains of the T4 virus: T4-A (contained in GoMoku 2.0) and T4-B (contained in GoMoku 2.1). The two strains are very similar. The only significant difference is the trigger date. The trigger date for T4-A is August 15, 1992, while the trigger date for T4-B is June 26, 1992. Neither virus does anything before its trigger date. After the trigger date, the virus begins to spread to other files and attempts to alter the System file.

We know of an earlier third strain of the T4 virus which appears to have been used for testing. Disinfectant identifies this strain as "T4-beta".

For those people who may have missed the news about the MBDF virus, we added the following paragraph to the description of MBDF in the Disinfectant online manual:

   Three undergraduate students at Cornell University have been charged under New York state law with multiple felony counts of first-degree computer tampering in connection with the release of the MBDF virus. They are awaiting trial.

We hope that this news will help convince potential virus writers that computer viruses are not trivial or harmless, and that society takes the problem very seriously indeed. Writing and releasing a virus is a serious offence which can and should be punished under the law.

Disinfectant 2.9 is available now via anonymous FTP from site ftp.acns.nwu.edu [129.105.113.52].
It will also be available soon on sumex-aim.stanford.edu, rascal.ics.utexas.edu, comp.binaries.mac, America Online, CompuServe, GEnie, Delphi, BIX, MacNet, Calvacom, AppleLink, and other popular sources of free and shareware software.

Macintosh users who do not have access to electronic sources of free and shareware software may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address given below. People outside the US may send an international postal reply coupon instead of US stamps (available from any post office). Please use sturdy envelopes, preferably cardboard disk mailers.

People in Western Europe may obtain a copy of the latest version of Disinfectant by sending a self-addressed disk mailer and an 800K floppy disk to macclub benelux. Stamps are not required. The address is:

   macclub benelux
   Disinfectant Update
   Wirtzfeld Valley 140
   B-4761 Bullingen
   Belgium

Mactivity-macclub benelux is also offering a new international update service for Disinfectant. This service is available to people anywhere in the world, not just Western Europe. For a fee they will send you new versions of Disinfectant as new viruses appear. Write to them at the above address for more information.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208 USA
Internet: j-norstad@nwu.edu