Two New Macintosh Virus Variants Discovered
           25 Feb 1993


First Virus (variant): CDEF
Damage: as with CDEF
Spread: unknown
Systems affected: Apple Macintosh computers running pre-Version 7.

A minor variant of the CDEF virus has been discovered.  The damage and
effects are identical to the original CDEF virus.  CDEF viruses only
affect Macintoshes running a version of the Mac OS prior to Version 7.  

Almost all Macintosh anti-virus tools already detect this new strain
of CDEF.  The authors of all other major Macintosh anti-virus tools
are planning updates to their tools to recognize this virus variant.
Some of these are listed below. We recommend that you obtain and run a
CURRENT version of AT LEAST ONE of these programs.



Second Virus (variant): T4-C
Damage: altered boot code; altered/damaged applications; damaged system
Spread: unknown
Systems affected: Apple Macintosh computers. All types.

The T4 virus was discovered in June of 1992.  A previously unseen
variant, being called T4-C, has recently been discovered.  Many
machines at the discovering site have been affected by T4-C, and the
potential for wider dissemintion exists.

Like the other T4 strains, this virus attempts to modify system boot
code, and also changes the names of some applications to
"Disinfectant".  The virus does not work as (we assume) the author
intended, and files may be left with changed names and possibly other
damage.  The system file may also be altered, and the damage may
render some systems unbootable.

The virus also attempts to modify application files on the system
disk.  These alterations may damage some applications by overwriting
portions of the programs with the virus code; as a result, some
damaged applications may need to be reinstalled after the virus has
been removed.

Once installed and active, the T4-C virus does not appear to perform
any other overt damage.  The virus, when active, may print a message
indicating that the system is infected with the T4 virus.


Some Macintosh anti-virus tools already detect this new strain of T4.
The authors of all other major Macintosh anti-virus tools are planning
updates to their tools to locate and/or eliminate this virus. Some of
these are listed below. We recommend that you obtain and run a CURRENT
version of AT LEAST ONE of these programs.


Some specific information on updated Mac anti-virus products follows:

    Tool: Central Point Anti-Virus
    Status: Commercial software
    Revision to be released: 2.01c
    Where to find: Compuserve, America Online, sumex-aim.stanford.edu,
                   Central Point BBS, (503) 690-6650
    When available: immediately
    Notes: Users do not need a revision of the AV application.  Users 
  need to obtain the 2/24/93 version of the MacSig file.


    Tool: Disinfectant
    Status: Free software (courtesy of Northwestern University and
    John Norstad)
    Revision to be released: 3.0
    Where to find: usual archive sites and bulletin boards --
             ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, AppleLink, America Online,
                   CompuServe, Genie, Calvacom, MacNet, Delphi,
                   comp.binaries.mac
    When available: immediately
    Note: release 3.0 is *not* a major new release of Disinfectant.
      Be sure to read the release notes for details of the version
      number change.


    Tool: Gatekeeper
    Status: Free software (courtesy of Chris Johnson)
    Revision to be released: No new revision needed; 1.2.7 works for both.
    Where to find: usual archive sites and bulletin boards --
             microlib.cc.utexas.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, comp.binaries.mac
    When available: immediately


    Tool: Rival
    Status: Commercial software
    Revision to be released: All current versions starting with 1.1.9w are
                             effective; no new release is needed.
    Where to find it: AppleLink, America Online, Internet, Compuserve.
    When available: Immediately.


    Tool: SAM (Virus Clinic and Intercept)
    Status: Commercial software
    Revision to be released: 3.5.3
    Where to find: CompuServe, America Online, Applelink, Symantec's
                   Customer Service @ 800-441-7234
    When available: immediately
    Notes: SAM 3.5 and SAM Intercept 3.0 both recognize these viruses, and
  both can remove the CDEF strain.  An update is required to
  remove the T4-C strain from undamaged files.  This may be
  obtained from the locations listed above, or by ftp from
  rascal.ics.utexas.edu in the mac/virus-catchers/SAM directory.


    Tool: Virex
    Status: Commercial software
    Revision to be released: Current version is effective: 3.91
    Where to find: Microcom, Inc (919) 490-1277 
    When available: February 28
    Comments: Virex 3.91 will detect the viruses in any file, and
  repair any file that has not been permanently damaged.  Users
  of Virex, version 3.82 or greater, are already able to detect
  the T4-C infection.  The CDEF virus is detected and repaired
  in versions 3.0 and greater.  All Virex subscribers will
  automatically be sent an update on diskette.  All other
  registered users will receive a notice by mail.  Datawatch's
  BBS number is: (919) 419-1602.


    Tool: VirusDetective
    Status: Shareware
    Revision to be released: no new release is needed; current version is 5.0.6
    When available: immediately



If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis.  Such reports make early, informed
warnings like this one possible for the rest of the Mac community.  If
you are otherwise unsure of who to contact, you may send e-mail to
spaf@cs.purdue.edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more
than a rude and damaging act of vandalism -- it is also a violation of
many state and Federal laws in the US, and illegal in several other
countries.  If you have information concerning the author of this or
any other computer virus, please contact any of the anti-virus
providers listed above.  Several Mac virus authors have been
apprehended thanks to the efforts of the Mac user community, and some
have received criminal convictions for their actions.  This is yet one
more way to help protect your computers.