ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD? 3 Founded By: 3 : Network Information Access : 3 Founded By: 3 3 Guardian Of Time 3D: 15APR90 :D3 Guardian Of Time 3 3 Judge Dredd 3 : Judge Dredd : 3 Judge Dredd 3 @DDDDDDDDBDDDDDDDDDY : File 15 : @DDDDDDDDDBDDDDDDDDY 3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3 3 IMMMMMMMMMMMMMMMMMMM; 3 @DDDDDDDDDDDDDDDDD: ZUC VIRUS :DDDDDDDDDDDDDDDDDY HMMMMMMMMMMMMMMMMMMM< $_The ZUC Virus The ZUC virus was first discovered in Italy in March, 1990. It is named after the discoverer, Don Zucchini. ZUC only infects applications. It does not infect system files or data files. Applications do not have to be run to become infected. ZUC was timed to activate on March 2, 1990. Before that date it only spread from application to application. After that date, approximately 90 seconds after an infected application is run, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction and bouncing like a billiard ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released. The behavior of the ZUC virus is similar to that of a desk accessory named Bouncy. The virus and the desk accessory are different, and they should not be confused. The desk accessory does not spread, and it is not a virus. ZUC does spread, and it is a virus. ZUC has two noticeable side effects. On some Macintoshes it causes the desktop pattern to change. It also often causes long delays and an unusually large amount of disk activity when infected applications are opened. ZUC can spread over a network from individual Macintoshes to servers and from servers to individual Macintoshes. Except for the unusual cursor behavior, ZUC does not attempt to do any damage. $_Disinfectant 1.7 Disinfectant 1.7 is a new release of our free Macintosh virus detection and repair utility. Version 1.7 recognizes the new ZUC virus. Thanks to Don Zucchini and Francesco Giagnorio for discovering and reporting this new virus. Vaccine is not effective against ZUC. GateKeeper 1.1.1, however, is effective against ZUC. ZUC does not change the last modification date when it infects a file, so you cannot use the last modification dates in the Disinfectant report to trace the source of a ZUC infection. $_Other Changes in Version 1.7 Some people have used ResEdit to add a copy of the standard system WDEF 0 resource to Desktop files in an attempt to inoculate their disks against the WDEF virus, even though we do not recommend this practice. Version 1.6 incorrectly reported that such Desktop files were infected by an unknown strain of WDEF. This problem has been fixed in version 1.7. Some of the nVIR clones have offensive names. These names appeared in plain text in various resources in Disinfectant version 1.6, and caused concern for some people who discovered them using ResEdit or a file editor. Version 1.7 encodes the resources so that the names do not appear in plain text. Version 1.6 contained an error which could cause crashes, hangs, unexpected error messages, or other unusual behavior in some circumstances. The error is corrected in version 1.7. $_How to Get a Copy of Version 1.7 Disinfectant 1.7 is available now via anonymous FTP from site acns.nwu.edu [129.105.49.1]. It will also be available soon on sumex-aim, rascal, comp.binaries.mac, CompuServe, Genie, Delphi, BIX, MacNet, America Online, Calvacom, AppleLink, and other popular sources for free and shareware software. Macinstosh users who do not have access to bulletin boards, networks, user groups, or online services may obtain a copy of Disinfectant by sending a self-addressed stamped envelope and an 800K floppy disk to the author at the address below. John Norstad Academic Computing and Network Services Northwestern University 2129 Sheridan Road Evanston, IL 60208 Bitnet: jln@nuacc Internet: jln@acns.nwu.edu CompuServe: 76666,573 AppleLink: A0173 $_SAM SAM Intercept can also prevent infection by the ZUC virus (at least version 2.0 with "standard" or higher protection turned on). The information below was provided by the author of SAM to the Virus-L list and comp.virus. - - - - - - For SAM 2.0 users: A new virus has recently been discovered (now named ZUC). If you happen to run across the ZUC with SAM 2.0, you can expect to see the following. 1) If you are running in standard, advanced, or custom levels, SAM will alert you to ZUC's attempt to change CODE resources within applications when ZUC is trying to spread itself. Denying this attempt with SAM keeps the infection from spreading. 2) If you have previously inoculated your applications with Virus Clinic 2.0, then if ZUC has infected any files since inoculation (if, for instance, you had SAM Intercept turned off or set to basic level), then SAM will alert you to an inoculation discrepancy when you try to launch the infected file. 3) SAM Virus Clinic will also alert you to a checksum change to any infected files if you have turned on checksumming in the Virus Clinic scans. 4) You can configure SAM (both Virus Clinic and Intercept) to find ZUC during scans and application launches with the new virus definition feature. Using the Add Virus Definition option in Virus Clinic, create a new one with these fields: Virus Name: ZUC Resource Type: CODE Resource ID: 1 Resource Size: Any Search String: 4E56FF74A03641FA04D25290 (hexadecimal) String Offset: Any You can then add this definition to both Virus Clinic and SAM Intercept. One other note: SAM 2.0 also repairs files infected with multiple viruses. Paul Cozza SAM Author $_EOF [OTHER WORLD BBS]