Copy Link
Add to Bookmark
Report
CIAC A-17
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
CIAC
INFORMATION BULLETIN
________________________________________________________________________
Eradicating WDEF using Disinfectant 1.5 or 1.6
February 2, 1989, 1400 PST Number A-17
CIAC Information Bulletin A-9 reported the existence of the WDEF virus
on Macintosh computers. The purpose of this bulletin is to provide
additional information about eradicating this virus.
Disinfectant 1.5 and the most recent version, Disinfectant 1.6, are
capable of detecting and eradicating WDEF, but are not designed to
prevent the spread of WDEF during its execution. If an infected disk
is inserted into the Macintosh while Disinfectant is running (for the
purposes of eradicating WDEF), WDEF will infect ANY OTHER UNLOCKED
MOUNTED VOLUMES. If Disinfectant is to be used to eradicate a WDEF
infection, CIAC recommends the following procedure:
1. Prepare a system disk using locked originals. Use the
instructions provided with the Macintosh documentation if you require
assistance in preparing this system disk. If possible, you should not
use your hard disk to prepare this system disk. Copy Disinfectant
version 1.5 or version 1.6 to this disk. Lock the disk and shut down
the system.
2. Reboot the Macintosh using the prepared system disk.
Launch disinfectant off the floppy and use the SCAN function to check
your hard disk for the WDEF virus. If found, use the DISINFECT
function to remove WDEF from your hard disk. Quit disinfectant.
3. Reboot the Macintosh using this prepared system disk.
You should drag any hard disks that automatically appear on the
desktop to the trash to unmount them. Launch the copy of Disinfectant
on the system disk. Use the SCAN facility of Disinfectant to verify
that WDEF has not infected this system disk. If it has, you will have
to eject the system disk, unlock it, and insert it again. Use the
DISINFECT function of Disinfectant to eradicate WDEF. Next, you
should eject the system disk and lock it again. Reinsert the system
disk.
4. Use Disinfectant to scan all of your floppy disks.
WDEF will infect both system and non-system disks; to completely
eradicate WDEF you will have to disinfect all of your disks (including
backup disks). DO NOT USE YOUR HARD DRIVE DURING THIS PROCEDURE.
5. Once all of your floppy disks are disinfected, reboot
your system using the locked system disk. Now run Disinfectant and
disinfect your hard disk. Once WDEF has been eradicated from all
floppies and your hard disk, the eradication procedure is complete.
The most recent versions of other tools such as SAM, VIREX,
GATEKEEPER, and GATEKEEPER AID may also be used to eradicate or
prevent the spread of the WDEF virus. If you have questions
concerning these tools, contact CIAC for assistance.
For further information, or for a copy of Disinfectant 1.6, please
contact CIAC:
Tom Longstaff
(415) 423-4416 or (FTS) 543-4416
FAX: (415) 294-5054
CIAC's business hours phone number is (415) 422-8193 or (FTS)
532-8193. CIAC's 24-hour emergency hot-line number is (415)
971-9384. If you call the emergency number and there is no answer,
please let the number ring until voice mail comes on. Please leave a
voice mail message; someone will return your call promptly. You may
also send e-mail to:
ciac@tiger.llnl.gov
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
CIAC BULLETINS ISSUED
SUN 386i authentication bypass vulnerability
nVIR virus alert
/dev/mem vulnerability
tftp/rwalld vulnerability
"Little Black Box" (Jerusalem) virus alert
restore/dump vulnerability
rcp/rdist vulnerability
Internet trojan horse alert
NCSA Telnet vulnerability
Internet hacker alert
Columbus Day (DataCrime) virus alert
Columbus Day (DataCrime) virus alert (follow-up, notice A-1)
HEPnet/SPAN network worm alert (notice A-2)
HEPnet/SPAN network worm alert (follow-up, notice A-3)
HEPnet/SPAN network worm alert (follow-up, notice A-4)
rcp vulnerability (second vulnerability, notice A-5)
Trojan horse in Norton Utilities (notice A-6)
UNICOS vulnerability (classified, limited distribution, notice A-7)
UNICOS problem (limited distribution, notice A-8)
WDEF virus alert (notice A-9)
PC CYBORG (AIDS) trojan horse alert (notice A-10)
Problem in the Texas Instruments D3 Process Control System (notice A-11)
DECnet hacker attack alert (notice A-12)
Vulnerability in DECODE alias (notice A-13)
Additional information on the vulnerability in the UNIX DECODE alias
(notice A-14)
Virus information update (notice A-15)
Vulnerability in SUN sendmail program (notice A-16)
Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)
