New Macintosh Virus Discovered
          17 April 1992

Virus: CODE 252
Damage: no direct damage reported
Spread: unknown (see text)
Systems affected: Apple Macintosh computers. All types, but see text.

A new virus, which has been designated "CODE 252", has been discovered
on Apple Macintosh computer systems. This virus is designed to trigger
if an infected application is run or system booted between June 6 and
December 31, inclusive.  When triggered, the virus brings up a dialog
box with the message:
   You have a virus.
   Ha Ha Ha Ha Ha Ha Ha
   Now erasing all disks...
   Ha Ha Ha Ha Ha Ha Ha
   P.S. Have a nice day.
   Ha Ha Ha Ha Ha Ha Ha
   (Click to continue...)

Despite this message, no files or directories are deleted in the
versions of the virus we have seen; however, a worried user might
power down the system upon seeing the message, and thus corrupt the
disk -- this could lead to significant damage.  Furthermore, the virus
may interact with some applications in such a manner as to damage
them.

Between January 1 and June 5, inclusive, the virus simply spreads from
applications to system files, and then on to other application files.
At the present moment, we have no indication that the virus causes
direct damage to any existing applications.

The virus does not spread to other applications under MultiFinder on
System 6.x systems, nor will it spread under System 7.  However, it
will run on those systems if an infected application is executed.  It
may also cause abnormal operation on those systems.  Even if you are
running one of these systems, we recommend you obtain an use one of
latest versions of appropriate anti-virus software.

As of the date of this announcement (17 April 92), we have had limited
reported sightings of this virus.  This, combined with the nature of
operation of the virus, leads us to believe that the virus is not yet
widespread.

The current versions of Gatekeeper and SAM Intercept (in advanced and
custom mode) are effective against this virus.  Either program should
generate an alert if the virus is present and attempts to spread to
other files.  The Virex Record/Scan feature will also detect the virus.


Authors of all major Macintosh anti-virus tools are planning updates
to their tools to locate and/or eliminate this virus. Some of these
are listed below. We recommend that you obtain and run a CURRENT
version of AT LEAST ONE of these programs.

Some specific information on updated Mac anti-virus products follows:

    Tool: Disinfectant
    Status: Free software (courtesy of Northwestern University and
    John Norstad)
    Revision to be released: 2.8
    Where to find: usual archive sites and bulletin boards --
             ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, AppleLink, America Online,
                   CompuServe, Genie, Calvacom, MacNet, Delphi,
                   comp.binaries.mac
    When available: soon


    Tool: Gatekeeper
    Status: Free software (courtesy of Chris Johnson)
    Revision to be released: 1.2.6 (probably)
    Where to find: usual archive sites and bulletin boards --
             microlib.cc.utexas.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, comp.binaries.mac
    When available: eventually
    Comments:
    Gatekeeper should find this virus if it attempts to infect your
    system or applications, and thus does not need an update.
    Gatekeeper Aid will need an update to "know" exactly what virus it
    is seeing so it can remove the virus, but the update is not
    crucial for continued protection.  As Gatekeeper is freeware and
    Chris has a "real" life, this update may not be immediate.


    Tool: Rival
    Status: Commercial software
    Revision to be released: Rival 1.1.9v (CODE 252 Vaccine or Refresh 1.1.9v)
    Where to find it: AppleLink, America Online, Internet, Compuserve.
    When available: Immediately.


    Tool: SAM (Virus Clinic and Intercept)
    Status: Commercial software
    Revision to be released: 3.0.8
    Where to find: CompuServe, America Online, Applelink, Symantec's
                   Bulletin Board @ 408-973-9598
    When available: 17 April 1992.  Version 3.0.8 of the Virus
                    Definitions file are also available.


    Tool: Virex INIT
    Status: Commercial software
    Revision to be released: 3.8
    Where to find: Microcom, Inc (919) 490-1277
    When available: Immediately.
    Comments:
    Virex 3.8 will detect and repair the virus. All
    Virex subscribers will automatically be sent an update on
    diskette. All other registered users will receive a notice with
    information to update prior versions to be able to detect
    CODE 252. This information is also available on Microcom's BBS.
    (919)419-1602, and is presented here:
  Guide Number = 6324448
  1: 0203 3001 7778 2A00 / 79
  2: 0C50 4EFA 0003 A9AB / C4
  3: 0004 A9AA 0002 A647 / B2
  4: 8180 9090 9090 9090 / 1B


    Tool: Virus Detective
    Status: Shareware
      Revision to be released: 5.0.4
    Where to find: Usual bulletin boards will announce a new search string.
                   Registered users will also get a mailing
               with the new search string.
    When available: Immediately.
    Comments: search strings are:
Resource Start & Size < 1200 & WData 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB ; For
 find CODE 252 in Appl's
Filetype=ZSYS & Resource INIT & Size < 1200 & WData
 2F2C#23F3C#2A9A0*3F3C#24878#2A9AB ; For find CODE 252 in System


If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis.  Such reports make early, informed
warnings like this one possible for the rest of the Mac community.