At 12:46 -0700 2000-06-05, Greg Paschall wrote:
>Does anybody have any idea when/if this protection will be
>wrapped into a Virex update? I have a Mac user that received the
>virus from campus in a Word attachment and opened it before she saw
>the retraction. We downloaded the latest (6/1) Virex update and
>scanned her machine, and it came up clean. Today, she sent out a new
>Word document to our entire department, and the LBL scanner tells us
>it was infected with this dumb W97M_EIGHT941.D macro virus.
W97M/EIGHT is a Microsoft Word 97/98/2000 macro virus which has
infected some campus PCs and Macintoshes.
As noted by Greg Paschall, above, a new variant of that macro virus
is not yet detected by Virex, the campus's site licensed anti-virus
software for the Macintosh, even with the latest Virus Update of
2000-06-01.
Thanks to Greg, Pat McPeak, and Mikael Hansen, who provided sample
documents infected by this virus, earlier today we received an update
from Virex's vendor, Network Associates, Inc. (NAI), which enables
Virex to detect this variant of the W97M/EIGHT virus.
Until the Virus Update of 2000-07-01 is released (on or about July
1, 2000), you can make it possible for Virex to diagnose and repair
this macro virus by installing an 'extra driver' file (named
"EXTRA.DAT"). This file contains a 'signature' that enables Virex to
detect this virus.
After that Virus Update is released -- assuming NAI has rolled this
new signature into the Virus Update of 2000-07-01, as promised --
this EXTRA.DAT file will no longer be necessary. However, there is
no harm in leaving it installed after that date.
You can find this EXTRA.DAT file on the Cornucopia AppleShare file
server, in the "Workstation Support" AppleTalk zone, on the
"Anti-Virus" disk.
Later today, it will also be available from the Berkeley Macintosh
Support Web site at
http://mac.berkeley.edu/anti-virus/virex.html
Here's how to use this 'extra driver' file:
1. Install the Virex Virus Update of 2000-06-01
---------------------------------------------------------------
This Update is available from the file server and Web site
listed above.
If you are using Virex 6.1 or 6.0, you can also install
this Virus Update by clicking the "eUpdate" button in the
Virex application program's main window. This will
download the latest Virex Virus Update from Network
Associates, Inc.'s FTP site, and install the Update on
your computer.
2. Install the 'extra driver' file, "EXTRA.DAT"
---------------------------------------------------------------
Here's how to install this file:
1) If the Virex application program is running, quit that program.
2) Open the System Folder on your Macintosh's startup disk.
3) Open the Extensions folder (within the System Folder).
4) From the "View" menu, select "as List" or "by Name".
5) Look for a file named "EXTRA.DAT". You may need to scroll
the Extensions folder's window up or down to see this file.
6) Add or update the EXTRA.DAT file. To do so:
6a) If this file *does not currently exist*, just drag this EXTRA.DAT
file into your Extensions folder.
6b) If an EXTRA.DAT file *already exists*, you can update it
by copying the following text to the Clipboard, and pasting it
at the end of your existing EXTRA.DAT file. (Make sure that
there's a blank line between every virus 'signature' - i.e. every
block of text similar to that below - in the EXTRA.DAT file.)
98 178 128 177 13 49 218 138 58 126 162 246 100 84 229 199
242 49 17 179 242 55 21 177 13 3 121 161 205 49 141 179
13 3 141 179 4 210 71 117 221 251 77 120 220 201 249 116
11 50 40 254 171 50 40 199 243 50 167 116 30 215 76 114
238 228 71 123 251 226 90 127 198 241 8 91 205 184 126 84
0 177 132 183 35 84 232 221 13 51 140 179 25 65 10 177
13 51 138
10461 256 10462 W97M/Eight
3. Check your disks for infected files
---------------------------------------------------------------
After you've installed or updated the EXTRA.DAT file:
7) Scan all of your volumes for viruses. To do so:
7a) Open the Virex application program.
7b) Make sure that all of your Macintosh's local (i.e. non-network)
volumes are selected in the list at the left-hand side of the Virex
application program's main window.
7c) Click the "Repair" button.
If Virex detects any infected files on your hard disk, you should
also scan any removable media (diskettes, ZIP disks, and the like)
that you have recently used with your computer.
If Virex still can't detect infected files
---------------------------------------------------------------
In most cases, the steps above should be sufficient: After
restarting your computer, Virex should now be able to use
your new (or updated) "EXTRA.DAT" file as an aid in detecting
this new variant of the W97M/EIGHT virus.
If for some reason Virex doesn't detect files that you believe to
be infected by this virus, you might try trashing the invisible file
"Virex SpeedScan". This file is located in the System Folder on
your Macintosh's startup disk, and at the top level of each of your
other volumes.
To do so:
- Open the Virex application program. Make sure that
the icons representing all of the volumes you wish to scan for
viruses (in the panel at the left) are highlighted.
- Then, while holding down the "Delete" key (above the "Return" key
on many Macintosh keyboards), pull down the Virex application's
"Edit" menu.
- Select "Remove SpeedScan File" from that menu. (This option will
only appear on the Edit menu if you have selected that menu with the
Delete key held down.)
- At each prompt, "Do you really want to remove the SpeedScan
information from volume "____"?", click "Remove".
Questions or problems?
---------------------------------------------------------------
If you should have questions or problems specific to the
W97M/EIGHT virus on the Macintosh or these instructions,
you can correspond with us at <macfeedback@banter.berkeley.edu>,
or with me directly at <aron@socrates.berkeley.edu>.
Aron Roberts
Workstation Software Support Group
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its
mailing list, including information on subscribing and unsubscribing,
see the MAGNet Web site at <URL:http://mac.berkeley.edu/help/magnet/>.
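
Added example (not part of the original message, and not code from Virex or NAI): a sketch of step 6b done programmatically, appending a signature block to an existing EXTRA.DAT so that blocks stay separated by one blank line and a block already present is not added twice. It assumes only what the message states about the file (plain text, blank-line-separated blocks) plus classic Mac OS CR line endings; the function names and sample blocks are constructed placeholders, not real signatures.

```python
import re


def split_blocks(text):
    """Split EXTRA.DAT text into signature blocks separated by blank lines."""
    # Classic Mac OS text files use CR line endings; normalise CR and CRLF to LF.
    text = text.replace("\r\n", "\n").replace("\r", "\n").strip("\n")
    # A run of one or more blank (or whitespace-only) lines ends a block.
    return [b for b in re.split(r"\n\s*\n", text) if b.strip()]


def _canon(block):
    """Whitespace-insensitive form of a block, used only for comparison."""
    return "\n".join(" ".join(l.split()) for l in block.split("\n") if l.strip())


def merge_signature(existing, new_text, eol="\r"):
    """Return (merged_text, blocks_added) for step 6a/6b.

    existing: current EXTRA.DAT contents ("" if the file does not exist).
    new_text: one or more signature blocks to add.
    eol:      line ending to write (assumption: CR, as on classic Mac OS).
    """
    blocks = split_blocks(existing)
    seen = {_canon(b) for b in blocks}
    added = 0
    for block in split_blocks(new_text):
        key = _canon(block)
        if key not in seen:  # skip a signature that is already installed
            blocks.append(block)
            seen.add(key)
            added += 1
    # Exactly one blank line between blocks, one line ending at end of file.
    merged = "\n\n".join(blocks) + "\n" if blocks else ""
    return merged.replace("\n", eol), added


# Constructed sample data: placeholder blocks, not real virus signatures.
EXISTING = "1 2 3 4\r5 6\r100 16 101 Constructed/SampleA\r"
NEW = "7 8 9\n200 16 201 Constructed/SampleB\n"

if __name__ == "__main__":
    merged, added = merge_signature(EXISTING, NEW)
    print("blocks added:", added)
    print(merged.replace("\r", "\n"), end="")
```

Running the merge a second time with the same block adds nothing, so the step is safe to repeat on a machine that has already been updated.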