FOR OFFICIAL DOE USE ONLY--DO NOT DISTRIBUTE OUTSIDE OF DOE
________________________________________________________________________
               THE COMPUTER INCIDENT ADVISORY CAPABILITY

                                 CIAC

                        INFORMATION BULLETIN
________________________________________________________________________

The MDEF or Garfield Virus on Macintosh Computers


May 23, 1990, 1000 PST                                     Number A-25 

Summary

A new Macintosh virus called MDEF or the Garfield virus is spreading
rapidly.  This virus is not a variant of the WDEF virus, and should not
be confused with WDEF.  The MDEF virus spreads through system and
application files, and may cause serious damage to the menu system.
Disinfectant 1.8, GateKeeper,  Virus Detective DA are effective against
this virus, but Vaccine can cause undesirable side effects.
_______________________________________________________________________________

Name: MDEF
Types: Only one known variant
Platform: Apple Macintosh models 128K and 512K, 512KE, Mac Plus, SE, SE/30, II,
        IIx, IIcx, IIci and IIfx. 
Damage: Possible removal of system menus.
Symptoms:  The virus can cause:
  % both the Macintosh 128K and 512K to crash.
  % system menus to be removed
Detection/Eradication: Disinfectant 1.8, GateKeeper,  Virus Detective DA; others
        should be available shortly.

                       Critical MDEF Facts 
_______________________________________________________________________________
 
Introduction

CIAC has learned of a new Macintosh virus called the MDEF or Garfield
virus.  Although its name is similar to WDEF, MDEF is an entirely
different virus.  Currently, the MDEF virus is known to infect the
Macintosh 128K and 512K, 512KE, Mac Plus, SE, SE/30, II, IIx, IIcx,
IIci and IIfx.  This virus will not spread from 128K or 512K
Macintoshes, but will cause these models to crash.

MDEF actually refers to one of the resources on Macintosh computers.
The MDEF virus is so named because this virus infects the MDEF
resources.  If you attempt to detect the MDEF virus using ResEdit or a
similar tool and discover the MDEF resources, this does not indicate
that your computer is infected by the MDEF virus.


Symptoms

Preliminary indications are that after performing a currently
unspecified set of actions, the virus will remove itself from the
system along with the code to control the menu system.  This will
result in the loss of all menus generated by the system.  Regardless of
the particular model of Macintosh computer subject to infections by the
MDEF virus, this virus infects the system file and applications.
Typically, the finder and DA handler also become infected.  However,
neither the desktop nor the document files become infected.  The MDEF
virus infects the system file when an infected application is run, and
infects other applications when they are executed on an infected
system.  On the Macintosh IIci and IIfx, the MDEF virus spreads from
infected applications to uninfected system files, but does not
propagate from infected systems to uninfected applications.

Detection and Eradication

Disinfectant 1.8 has recently been released to detect and eradicate the
MDEF virus.   GateKeeper also prevents the MDEF virus from infecting
the system file.  To use the Virus Detective DA, add the following
search strings:

  Resource MDEF & Name "Garfield"
  Resource MDEF & ID = 5378

CAUTION:  CIAC has been advised that the use of Vaccine may have an
undesirable side effect.  Vaccine will inform the user that the system
file has been infected, but is only partially effective in preventing
this virus from infecting the system file!  The system file will be
damaged as a result of running Vaccine when an application containing
the MDEF virus is executed.

For additional information or assistance, or to obtain a copy of
Disinfectant 1.8, please contact CIAC:

  Eugene Schultz
  (415) 422-8193 or (FTS) 532-8193
  FAX:  (415) 294-5054, (415) 423-0913 or (415) 422-4294

You may also send e-mail to:

  ciac@tiger.llnl.gov
 
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty,  expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.