New Macintosh Viruses Discovered (CODE-1 & MBDF-B)
            4 Nov 1993


Virus: CODE-1
Damage: Alters applications and system file; may rename hard disk;
  may crash system or damage some files.  See below.
Spread: possibly limited, but has potential to spread quickly
Systems affected: All Apple Macintosh computers, under Systems 6 & 7.

Several sites have reported instances of a new Macintosh virus on
their systems.  This virus spreads to application programs and the
system file.  Its only explicit action, other than spreading, is to
rename the hard disk to "Trent Saburo" if the system is restarted on
October 31 of any year.  However, the virus changes several internal
code pointers that may be set by various extensions and updates.  This
may lead to system failures, failures of applications to run
correctly, and other problems.  Under some conditions the virus may
cause the system to crash.

The virus detected by some virus protection programs on some Macintosh
machines (but no anti-virus program released prior to this date
specifically recognizes this virus).  This behavior depends on the
nature of the hardware and software configuration of the infected
machine.  All current anti-virus programs should be updated to the
versions listed below to ensure that the virus can be found.



Virus: MBDF-B
Damage: minimal, but see below
Spread: probably limited
Systems affected:  Apple Macintosh computers.  The virus spreads on 
                   all types of Macs except MacPlus systems and
                   (perhaps) SE systems; it may be present on MacPlus
                   and SE systems and not spread, however.

A new variant of the MBDF-A virus has recently been discovered.  It
seems that a person or persons unknown has modified the original
MBDF-A virus slightly and released it. Like the original, this virus
does not intentionally cause damage, but it may spread widely.

The virus does not necessarily exhibit any symptoms on infected
systems.  Some abnormal behavior has been reported in machines
infected with MBDF-A, involving system crashes and malfunctions in
various programs, which may possibly be traced to the virus.  Some
specific symptoms include:
    * Infected Claris applications will indicate that they have
      been altered 
    * The "BeHierarchic" shareware program ceases to work correctly.
    * Some programs will crash if something in the menu
      bar is selected with the mouse.
The MBDF-B virus should behave similarly and will spread under both
System 6 and System 7.

Some Mac anti-virus tools will detect this virus.  However, all
anti-virus tools should be updated so as to properly identify and
remove this virus from infected systems.



The authors of all major Macintosh anti-virus tools are planning
updates to their tools to locate and/or eliminate these viruses. Some
of these are listed below. We recommend that you obtain and use a
CURRENT version of AT LEAST ONE of these programs.


Some specific information on updated Mac anti-virus products follows:

    Tool: Central Point Anti-Virus
    Status: Commercial software
    Revision to be released: 3.0a
    Where to find: Central Point BBS, (503) 690-6650
    When available: November 5, 1993
    Comments: Registered users will receive postcards. Also, users can
        download the file 'Mac CPAV Antidotes 11/5/93' from the
              usual places to receive the update.


    Tool: Disinfectant
    Status: Free software (courtesy of Northwestern University and
    John Norstad)
    Revision to be released: 3.3
    When available: November 5, 1993
    Where to find: usual archive sites and bulletin boards --
             ftp.acns.nwu.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, AppleLink, America Online,
                   CompuServe, Genie, Calvacom, MacNet, Delphi,
                   comp.binaries.mac


    Tool: Gatekeeper
    Status: Free software (courtesy of Chris Johnson)
    Revision to be released: 1.2.9
    When available: November 8, 1993
    Where to find: usual archive sites and bulletin boards --
             microlib.cc.utexas.edu, sumex-aim.stanford.edu,
                   rascal.ics.utexas.edu, comp.binaries.mac
    Comments: 1.2.8 is already effective against MBDF-B. Gatekeeper Aid will
              identify it as an "Unknown Strain" of MBDF, but will remove it
              without difficulty.


    Tool: Rival
    Status: Commercial software
    Revision to be released: CODE-1 Vaccine 
    When available: Immediately.
    Where to find: AppleLink, America Online, Calvacom, Compuserve, Internet
                   XELPH's Customer Service @ 415/327-9563
    When available: immediately
    Comments: The vaccine will be e-mailed to all registered users.
    Comments: The existing Rival MBDF Vaccine already detects/removes MBDF-B.


    Tool: SAM (Virus Clinic and Intercept)
    Status: Commercial software
    Revision to be released:  3.5.9
    When available: November 5, 1993
    Where to find: CompuServe, America Online, Applelink, Symantec's
                   Customer Service @ 800-441-7234
    Comments: Updates to various versions of SAM to detect and remove
          CODE-1 and MBDF-B are available from the above sources.


    Tool: Virex
    Status: Commercial software
    Revision to be released: 4.1
    Where to find: Datawatch Corporation, (919) 549-0711
    When available: November 5, 1993
    Comments: Datawatch's BBS number is (919) 549-0042
    Comments: Virex currently detects and repairs the MBDF-B virus but
        identifies it as the MBDF-A virus.
    Comments: UDV for CODE-1 virus; Guide Number = 13656448
        1:  020A 30FA 7D90 7610  / 8C
        2:  00A9 C60C AF00 0A00  / F1
        3:  3EA0 0B4E 7581 8090  / 59


    Tool: VirusDetective
    Status: Shareware
    Revision to be released: 5.0.10
    When available: immediately
    Where to find: various Mac archives
    Comments: VirusDetective is shareware.  Search strings for the CODE-1
           virus will be sent only to registered users via e-mail.
     Registered users without e-mail access should contact the
     author for the search string.  The MBDF-B virus is already
     detected by the MBDF-A search string.


If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis.  Such reports make early, informed
warnings like this one possible for the rest of the Mac community.  If
you are otherwise unsure of who to contact, you may send e-mail to
spaf@cs.purdue.edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more
than a rude and damaging act of vandalism -- it is also a violation of
many state and Federal laws in the US, and illegal in several other
countries.  If you have *ANY* information concerning the author(s) of
these or any other computer virus, please contact any of the
anti-virus providers listed above.  Several Mac virus authors have
been apprehended thanks to the efforts of the Mac user community, and
some have received criminal convictions for their actions.  This is
yet one more way to help protect your computers.