Subject: Viruses and the Mac FAQ
Date: 5 Sep 1997 09:52:31 GMT
Summary: Why viruses are a Mac problem, too....

Archive-name: computer-virus/macintosh-faq
Posting-Frequency: Fortnightly
URL: http://www.macvirus.com/reference/
     http://www.webworlds.co.uk/dharley/
Copyright: Copyright 1996-1997 by David Harley and contributors
Maintainer: David Harley <D.Harley@icrf.icnet.uk> and Susan Lesch <lesch@macvirus.com>

                    Viruses and the Macintosh
                    =========================

             Release version 1.4a: 4th September 1997
                          David Harley

[Significant changes from the previous version are flagged with +
symbols in the first two columns at the start of the relevant
line or section. Amendments of minor grammatical or syntactical
errors are not flagged unless they affect factual accuracy or
clarity.]

Table of Contents
-----------------

         1.  Copyright Notice
         2.  Preface
         3.  Availability of this FAQ
         4.  Mission Statement
         5.  Where to get further information.
                5.1 alt.comp.virus FAQ
                5.2 VIRUS-L/comp.virus FAQ
                5.3 Disinfectant on-disk manual
                5.4 Virus Test Center, Hamburg
                5.5 "Robert Slade's Guide to Computer Viruses"
                5.6 Web Pages with Macintosh virus information
                5.7 Virus Bulletin
                5.8 Information on macro viruses
                5.9 Kevin Harris's Virus Reference (HyperCard stack)
                5.10 McAfee Mac Virus Encyclopaedia (includes macro viruses)
                5.11 Other resources
         6.  How many Mac viruses are there?
         7.  What viruses can affect Mac users?
                7.1 Mac-specific system and file infectors
                7.2 HyperCard Infectors
                7.3 Mac Trojans
                7.4 Macro viruses, trojans, variants
                7.5 Other OS viruses and malware when emulation is run on a Mac
         8.  What's the best antivirus package for the Macintosh?
         9.  Welcome Datacomp
        10.  Hoaxes and myths
                10.1 Good Times virus
                10.2 Modems and Hardware viruses
                10.3 E-mail viruses
                10.4 JPEG/GIF viruses
                10.5 Hoaxes Help
        11.  Glossary
        12.  General Reference Section.
                12.1 Mac Newsgroups and FAQs
                12.2 References
                12.3 Other Relevant Publications
        13.  Holes to Plug
                13.1 Mac Troubleshooting

1.0   Copyright Notice
      ----------------

Copyright on this document remains with the author(s), and all
rights are reserved. However, it may be freely distributed
and quoted - accurately, and with due credit.

It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holder(s). To obtain such
permission, please contact the maintainers of the FAQ.

Primary author of this document is David Harley, who at present
co-maintains it with contributor Susan Lesch. Comments and
additional material have been received with gratitude from Ronnie
Sutherland, Henri Delger, and Eugene Spafford. Thanks go also to
Bruce Burrell, Michael Wright, David Miller, Ladd Van Tol, Jeremy
Goldman, Kevin White, Robert Slade, Robin Dover, and John Norstad
for their comments and suggestions.

2.0  Preface
     -------

This document is intended to help individuals with computer
virus-related problems and queries, and clarify the issue
of computer viruses on Macintosh platforms. It should *not* be
regarded as being in any sense authoritative, and has no legal
standing. The author(s) accept(s) no responsibility for errors or
omissions, or for any ill effects resulting from the use of any
information contained in this document.

Corrections and additional material are welcome, especially if
kept polite.... Contributions will, if incorporated, remain the
copyright of the contributor, and credited accordingly within
the FAQ.

        David Harley <D.Harley@icrf.icnet.uk>
        
3.0  Availability of this FAQ
     ------------------------

The latest version of this document will be available from:

      *  http://www.macvirus.com/reference/
      *  http://webworlds.co.uk/dharley/

The webworlds site is semi-mirrored at:

      *  http://www.totalweb.co.uk/dharley/

It's also available from Henri Delger's Prodigy Anti-Virus Center
file library, as is the alt.comp.virus FAQ.

There's an HTML version at:

    http://emt.doit.wisc.edu/macvir/macvir.html

4.0  Mission Statement
     -----------------

This document is a little different to the alt.comp.virus FAQ,
which David Harley also co-maintains (at time of writing). It is
concerned with one platform only, and though it deals with the
Macintosh platform at more length than the alt.comp.virus FAQ can
be expected to, it is a great deal shorter. Nor is there the same
degree of urgency about the Mac virus field, though the risk
element may be somewhat underestimated in general, at present.
This FAQ originated from a concern over the spread of macro
viruses, a theme that is taken up below. Since questions about
Macs and viruses tend to appear more often in the Mac groups than
alt.comp.virus or Virus-L, distribution of this FAQ is wider. So
far, though, there has been no direct feedback from the
Mac-specific groups to which it has been posted.

5.0  Where to get further information
     --------------------------------

        5.1 The alt.comp.virus FAQ (not much Mac-specific material)

            This is posted to alt.comp.virus approximately
            fortnightly. It includes a document that summarizes
            and gives contact information for a number of other
            virus-related FAQs.

            The latest version is available from:

            * http://www.webworlds.co.uk/dharley/

            Other Sources:

              * ftp.gate.net/pub/users/ris1/acvfaqht.zip
                           (hypertext version)
              * ftp://ftp.gate.net/pub/users/ris1/acvfaq.zip
                           (text version)
              * http://www.drsolomon.com/
              * http://www.innet.net/~ewillems/
              * http://www.agora.stm.it/N.Ferri/infos.htm

        5.2 The VIRUS-L FAQ

            The Virus-L/comp.virus FAQ (also fairly low on
            Mac-specific information) is regularly posted to the
            comp.virus newsgroup (version 2.0 at time of writing).

            The latest version may be found at:

++          ftp://ftp.infospace.com/pub/virus-l/comp.virus-FAQ.09-Oct-95
            ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip

            This FAQ is very long and very thorough. The document is
            subject to revision, so the file name may change.

        5.3 Disinfectant on-disk documentation

            The best single source of information on Mac viruses is
            the online help included in the freeware package
            Disinfectant. Contact details below.

        5.4 AntiVirus Catalog/CARObase (early work)

            ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
            ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
            ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/
           
        5.5 "Robert Slade's Guide to Computer Viruses"

            The disk included with the 2nd Edition of this excellent
            general resource includes most of the information
            available at the University of Hamburg (see 5.4). The
            book also contains a reasonable quantity of Mac-friendly
            information.

            The disk includes a copy of Disinfectant 3.6, which is now
            out-of-date.

            Very few books primarily about computer viruses deal at
            any length with Mac viruses (I can't think of one, at
            present). Some general books on the Mac touch on the subject,
            but none I can think of add anything useful. Some of the
            "Totally Witless User's Guide to......." books dealing with
            security in general include information on PC -and- Mac
            viruses. Unfortunately, the quality of virus-related
            information in such publications is generally low.

        5.6 Web Sites

            Many major vendors have a virus information database online
            on their Web sites. Symantec (www.symantec.com),
            McAfee (www.mcafee.com) and Datawatch
            (www.datawatch.com) include Macintosh virus
            information. The last time we checked, Dr. Solomon's
            (www.drsolomon.com) didn't, though (like nearly all
            on-line databases) they do include information on
            common macro viruses. Datawatch has the only Mac-only
            encyclopaedia on the Web (at this writing).

            Precise URLs tend to come and go, but you might like to try
            the following:

            Datawatch "Mac Viral Zoo"
            Macintosh Virus Encyclopedia
++          http://www.datawatch.com/home/virus/maczoo.html

            Symantec Antivirus Research Center
++          http://www.symantec.com/avcenter/vinfodb.html

            McAfee:
            http://www.mcafee.com/support/techdocs/vinfo/
            
++          Dr Solomon's (Macintosh part is not online at this writing)
            http://www.drsolomon.com/vircen/enc/
            

        5.7 Virus Bulletin

            The expensive (but, for the professional, essential)
            periodical Virus Bulletin includes Mac-specific
            information from time to time. However, if you have no
            interest in PC issues, you probably won't consider it
            worth the expense.

                Virus Bulletin Ltd
                21 The Quadrant
                Abingdon
                Oxfordshire
                OX14 3YS

                44 (0) 1234 555139
                Compuserve 100070,1340
                www.virusbtn.com
                virusbtn@vax.ox.ac.uk
 
            The proceedings of the 1997 Virus Bulletin conference
            will contain a paper by David Harley which significantly
            expands on many of the issues addressed in this FAQ.
            Contact Virus Bulletin for further information on the
            conference and on obtaining the proceedings without
            attending the conference.

        5.8 Macro virus information resources

++      University of Hamburg Virus Test Center Macro Virus List
        The definitive listing. All known macro viruses, some only
        found in research labs, some in the wild.

        ftp://agn-www.informatik.uni-hamburg.de/pub/texts/macro/


        Other Sources:

               http://www.drsolomon.com/
               http://www.datafellows.com/macrovir.htm
               http://www.symantec.com/
               http://www.mcafee.com/
               http://www.avp.ch/avpve/
               http://www.sophos.com/ (under Virus Information)

        [The following absolute URLs may change: such is the
        way of Web administrators..... If you get an error
        message, try the first part of the URL, e.g.
                http://www.symantec.com/
        and drill down from there.]

        Symantec AntiVirus Research Center
        http://www.symantec.com/avcenter/data/wmacro.html

        Dr Solomon's Software Ltd.
        http://www.drsolomon.com/vircen/enc/

        McAfee Associates
        http://www.mcafee.com/support/techdocs/vinfo/f_3057.html

        Data Fellows
        http://www.datafellows.com/macro/word.htm

        Richard Martin put together an FAQ on this subject,
        though it doesn't seem to have been updated recently.
        ftp.gate.net/pub/users/ris1/word.faq

        5.9 Kevin Harris's Virus Reference

        (Describes WM.Concept.A.) Last updated 31-Aug-95. HyperCard stack;
        requires HyperCard 2.1 or later.

++          ftp://mirrors.aol.com/pub/info-mac/vir/virus-reference-216-hc.hqx

        5.10 McAfee Mac Virus Encyclopaedia
       
            ftp://ftp.mcafee.com/pub/antivirus/mac/vencyc.hqx

++      The data definitions for McAfee VirusScan 2.0 included a free
        Macintosh virus encyclopaedia in both SimpleText and HTML formats.
        The information on Mac-specific viruses is pretty much the same
        as that included in the original Disinfectant documentation.
        Covers the viruses detected and repaired by VirusScan 2.0.9,
        including about 120 macro viruses. Current as of about April '97.

        5.11 Additional Resources

        There are excellent pages on HyperCard viruses at HyperActive
        Software. There is information on HyperCard infectors, a link to
        Bill Swagerty's free Vaccine utility for detecting and cleaning
        them, a note on false positives reported by commercial software,
        inoculation, and a free HyperCard virus detection service.

++          http://www.hyperactivesw.com/Virus1.html


        The CIAC virus database includes entries for PC, Macintosh,
        and a number of other platforms. The Macintosh section
        also includes a number of joke programs and one or two
        apparent hoaxes.

            http://ciac.llnl.gov/ciac/CIACVirusDatabase.html


++      Last we checked [03-Sep-97], these sites probably need updating,
        though some older files do have historical value.

        Info-Mac mirrors have Macintosh information and Disinfectant,
        but some outdated virus definitions and software at this
        writing; still, always worth a visit. [SL]

           <URL:ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/>
           <URL:http://hyperarchive.lcs.mit.edu/HyperArchive/
                Abstracts/vir/HyperArchive.html>

        Also of interest, again sometimes outdated:
            http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html
            http://www.unt.edu/virus/macgeneral.html

++      A list of Mac viruses is about to become available at:

            http://www.totalweb.co.uk/dharley/macvir.html

        At present, this mirrors information in this FAQ, but further 
        development will be on the website database rather than on these
        portions of the FAQ.


++      Keep an eye on http://www.macvirus.com/: very much under 
        construction at present, but promises to be an excellent
        resource.


6.0  How many Mac viruses are there?
     -------------------------------

There are around 35 Mac-specific viruses that I know of, though
Apple are, I've heard, quoting 200-300. I don't know if
these include every minor variant, Trojans, HyperCard infectors
and other macro viruses. However, since Apple are not noticeably
in the business of virus detection and disinfection, I'd as soon
go with the estimates of those who are.

Mac users with Word 6 or versions of Excel supporting Visual
Basic for Applications, however, are vulnerable to infection by
macro viruses which are specific to these applications. Indeed,
these viruses can, potentially, infect other files on any
hardware platform supporting these versions of these
applications. I don't know of a macro virus with a Mac-specific
payload that actually works at present, but such a payload is
entirely possible.

Word Mac version 5.1 and below do not support WordBasic, and are
not, therefore, vulnerable to direct infection. Not only do these
versions not understand embedded macros, but they can't read
the Word 6 file format unaided. There is, however, at least one
freeware utility which allows Word 5.x users to read Word 6 files.
This will not support execution of Word 6 (or WinWord 2) macros
in Word 5.x, so I would not expect either an infection routine or
a payload routine to be able to execute within this application.

However, Word 5.x users may contribute indirectly to the spread of
infected files across platforms and systems, since it is perfectly
possible for a user whose own system is uninfectable to act as a
conduit for the transmission of infected documents, whether or not
s/he reads them personally.

Files infected with a PC-specific file virus (this excludes macro
viruses) can only execute on a Macintosh running DOS or DOS/Windows
emulation, if then. They can, of course, spread across platforms
simply by copying infected files from one system to another.

DOS diskettes infected with a boot sector virus can be read on a
Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without
(normally) risk to the Mac. However, leaving such an infected disk
in the drive while booting an emulator such as SoftPC can mean that
the virus attempts to infect the logical PC drive with unpredictable
results.

I am aware of at least one instance of a Mac diskette which, when read
on a PC running a utility for reading Mac-formatted disks after
being infected with a boot-sector infector, became unreadable as
a consequence of the boot track infection.

7.0  What viruses can affect Macintosh users?
     ----------------------------------------

Not all variants are listed here, yet, though I intend to reference
all the major variants at least by name eventually, but there might be
enough to get you going....

The following varieties are listed below:
        7.1 Mac-specific system and file infectors
        7.2 HyperCard Infectors
        7.3 Mac Trojans
        7.4 Macro viruses, trojans, variants
        7.5 Other OS viruses and malware when emulation is run on a Mac

It appears also that some Mac viruses may damage files on Sun systems
running MAE or AUFS.

        7.1   Mac-specific viruses, excluding HyperCard infectors

        AIDS - infects application and system files. No
        intentional damage. (nVIR B strain)

        Aladin - close relative of Frankie

        Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't
        spread under system 7.x, or System 6 under MultiFinder.
        Can damage applications so that they can't be 100%
        repaired.

        CDEF - infects desktop files. No intentional damage, and
        doesn't spread under system 7.x.

        CLAP: nVIR variant that spoofs Disinfectant to avoid
        detection (Disinfectant 3.6 recognizes it).

        Code 1 - file infector. Renames the hard drive to "Trent
        Saburo". Accidental system crashes possible.

        Code 252 - infects application and system files. Triggers
        when run between June 6th and December 31st. Runs a
        gotcha message ("You have a virus. Ha Ha Ha Ha Ha Ha Ha
        Now erasing all disks... [etc.]"), then self-deletes.
        Despite the message, no intentional damage is done,
        though shutting down the Mac instead of clicking to
        continue could cause damage. Can crash System 7 or damage
        files, but doesn't spread beyond the System file. Doesn't
        spread under System 6 with MultiFinder beyond System and
        MultiFinder. Can cause various forms of accidental
        damage.

        Frankie - only affects the Aladdin emulator on the Atari
        or Amiga. Doesn't infect or trigger on real Macs or the
        Spectre emulator. Infects application files and the
        Finder. Draws a bomb icon and displays 'Frankie says: No
        more piracy!'

        Fuck: infects application and System files. No
        intentional damage. (nVIR B strain)

        Init 17: infects System file and applications. Displays
        message "From the depths of Cyberspace" the first time it
        triggers. Accidental damage, especially on 68K machines.

        Init 29 (Init 29 A, B): Spreads rapidly. Infects system
        files, applications, and document files (document files
        can't infect other files, though). May display a message
        if a locked floppy is accessed on an infected system 'The
        disk "xxxxx" needs minor repairs. Do you want to repair
        it?'. No intentional damage, but can cause several
        problems - Multiple infections, memory errors, system
        crashes, printing problems, MultiFinder problems, startup
        document incompatibilities.

        Init 1984: Infects system extensions (INITs). Works under
        Systems 6 and 7. Triggers on Friday 13th. Damages files
        by renaming them, changing file TYPE and file CREATOR,
        creation and modification dates, and sometimes by
        deleting them.

        Init-9403 (SysX): Infects applications and Finder under
        systems 6 and 7. Attempts to overwrite whole startup
        volume and disk information on all connected hard drives.
        Only found on Macs running the Italian version of MacOS.

        Init-M: Replicates under System 7 only. Infects INITs and
        application files. Triggers on Friday 13th. Similar
        damage mechanisms to INIT-1984. May rename a file or
        folder to "Virus MindCrime". Rarely, may delete files.

        MacMag (Aldus, Brandow, Drew, Peace) - first distributed
        as a HyperCard stack Trojan, but only infected System
        files. Triggered (displayed a peace message and
        self-deleted) on March 2nd 1988, so very rarely found.

        MBDF (A,B): originated from the Tetracycle, Tetricycle or
        "tetris-rotating" Trojan. The A strain was also
        distributed in Obnoxious Tetris and Ten Tile Puzzle.
        Infect applications and system files including System and
        Finder. Can cause accidental damage to the System file
        and menu problems. A minor variant of MBDF B appeared in
        summer 1997: Disinfectant and Virex have been updated
        accordingly.

        MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect
        System file and application files (D doesn't infect
        System). No intentional damage, but can cause crashes and
        damaged files.

        nCAM: nVIR variant

        nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu):
        infect System and any opened applications. Extant
        versions don't cause intentional damage. Payload is
        either beeping or (nVIR A) saying "Don't panic" if
        MacInTalk is installed.

        nVIR-f: nVIR variant.

        prod: nVIR variant

        Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack
        two applications that were never generally released. Can
        cause accidental damage, though - system crashes,
        problems printing or with MacDraw and Excel. Infects
        applications, Finder, DA Handler.

        T4 (A, B, C): infects applications, Finder, and tries to
        modify System so that startup code is altered. Under
        System 6 and 7.0, INITs and system extensions don't load.
        Under 7.0.1, the Mac may be unbootable. Damage to
        infected files and altered System is not repairable by
        Disinfectant. The virus masquerades as Disinfectant, so
        as to spoof behaviour blockers such as Gatekeeper.
        Originally included in versions 2.0/2.1 of the public
        domain game GoMoku.

        WDEF (A,B): infects desktop file only. Doesn't spread
        under System 7. No intentional damage, but causes
        beeping, crashes, font corruption and other problems.

        zero: nVIR variant.

        Zuc (A, B, C): infects applications. The cursor moves
        diagonally and uncontrollably across the screen when the
        mouse button is held down when an infected application is
        run. No other intentional damage is done.

      7.2  HyperCard infectors

      These are a somewhat esoteric breed, but a couple have been
      seen since Disinfectant was last upgraded in 1995, and most
      of the commercial scanners detect them.

        Dukakis - infects the Home stack, then other stacks used
        subsequently. Displays the message "Dukakis for
        President", then deletes itself, so not often seen.

        HC 9507 - infects the Home stack, then other running
        stacks and randomly chosen stacks on the startup disk.
        On triggering, displays visual effects or hangs the
        system. Overwrites stack resources, so a repaired stack
        may not run properly.

        HC 9603 - infects the Home stack, then other running
        stacks. No intended effects, but may damage the Home
        stack.

        HC virus/HyperCard/Two Tunes - infects stack scripts.
        Visual/Audio effects: 'Hey, what are you doing?' message;
        plays the tune "Muss I denn"; plays the tune "Behind the
        Blue Mountains"; displays HyperCard toolbox and pattern
        menus; 'Don't panic!' fifteen minutes after activation.

        MerryXmas - appends to stack script. On execution,
        attempts to infect the Home stack, which then infects
        other stacks on access. There are several strains,
        most of which cause system crashes and other anomalies.
        At least one strain replaces the Home stack script and
        deletes stacks run subsequently. Variants include
        Merry2Xmas, Lopez, and the rather destructive Crudshot.
++      [Ken Dunham discovered the merryXmas virus. His program
        merryxmasWatcher 2.0 was very popular and still can
        eradicate the most common two strains, merryXmas and
        merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest
        of this family.]

        Antibody is a recent virus-hunting virus which propagates between
        stacks checking for and removing MerryXmas, and inserting an
        inoculation script.

++      Independance (sic) Day was reported in July, 1997. It attempts to
        be destructive, but fortunately is not well enough written to
        be more than a nuisance. More information at:

            http://www.hyperactivesw.com/Virus1.html#IDay

      7.3 Trojans (Trojan Horses)

      These are often unsubtle and immediate in their effects:
      while these effects may be devastating, Trojans are
      usually very traceable to their point of entry. The few
      Mac-specific Trojans are rarely seen, but of course the
      commercial scanners generally detect them.

        ChinaTalk - system extension - supposed to be sound
        driver, but actually deletes folders.

        CPro - supposed to be an update to Compact Pro, but
        attempts to format currently mounted disks.

        FontFinder - supposed to list fonts used in a document,
        but actually deletes folders.

        MacMag - HyperCard stack (New Apple Products) that was
        the origin of the MacMag virus. When run, infected the
        System file, which then infected System files on
        floppies. Set to trigger and self-destruct on March 2nd,
        1988, so rarely found.

        Mosaic - supposed to display graphics, but actually
        mangles directory structures.

        NVP - modifies the System file so that no vowels can be
        typed. Originally found masquerading as 'New Look', which
        redesigns the display.

        Steroid - Control Panel - claims to improve QuickDraw
        speed, but actually mangles the directory structure.

        Tetracycle - implicated in the original spread of MBDF

        Virus Info - purported to contain virus information but
        actually trashed disks. Not to be confused with Virus
        Reference.

        Virus Reference 2.1.6 mentions an 'Unnamed PostScript
        hack' which disables PostScript printers and requires
        replacement of a chip on the printer logic board to
        repair. I'm indebted to Gene Spafford for the following
        summary.

        "The PostScript 'Trojan' was basically a PostScript job
        that toggled the printer password to some random string
        a number of times.  Some Apple laser printers have a
        firmware counter that allows the password to only be
        changed a set number of times (because of PRAM behavior
        or licensing -- I don't remember which), so eventually
        the password would get "stuck" at some random string that
        the user would not know.  I have not heard any reports
        of anyone suffering from this in many years."

++      AppleScript Trojans - A demonstration destructive compiled
        AppleScript was posted to the newsgroups alt.comp.virus,
        comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh,
        microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and
        symantec.support.mac.sam.general on 16-Aug-97, apparently
        in response to a call for help originally posted to
        alt.comp.virus on 14-Aug-97 and followup on 15-Aug-97.
        On 03-Sep-97, MacInTouch published Xavier Bury's finding of a
        second AppleScript trojan horse, which, like the call for help
        followup, mentioned Hotline servers. It reportedly sends
        out private information while running in the background.
        A note to users from Hotline Communications CEO Adam Hinkley
        is now posted at <http://www.macvirus.com/news/970903a.html>.

        AppleScripts should be downloaded only from known trusted
        sources. It is nigh impossible for an average person to know
        what any given compiled script will do.

     7.4 Macro viruses/Trojans

     At the time of the longstanding second-to-last upgrade of
     Disinfectant (version 3.6 in early 1995), there were no known
     macro viruses in the wild, apart from HyperCard infectors. In
     any case, Disinfectant was always intended to deal with system
     viruses, not trojans or macro/script viruses. However, many
     users are unaware of these distinctions and assume that
     Disinfectant is a complete solution.

     Unfortunately, the number of known macro viruses is at the time
     of writing [11-Aug-97] well in excess of 1000, though the
     number in the wild is far fewer.

     Most macro viruses (if they have a warhead at all) target Intel
     platforms and assume FAT-based directory structures, so they
     usually have no discernible effect on Macs when they trigger.
     Viruses that manipulate text strings within a document may
     work just as well on a Macintosh as on a PC.

     In any case, the main costs of virus control are not recovery
     from virus payloads, but the costs of establishing detection
     and protection (or of not establishing them). The costs of
     not establishing these measures can be considerable,
     irrespective of damage caused on infected machines,
     especially in corporate environments. Secondary distribution
     of infected documents may result in:

        * civil action - for instance, inadvertent
        distribution of an infected document to external
        organisations may be in breach of contractual obligations

        * legal action in terms of breach of data-protection
        legislation such as the UK Data Protection Act or the
        European Data Protection directive. The eighth principle
        of the Data Protection Act, for instance, requires that
        security measures are taken to protect against
        unauthorised access to, and alteration, disclosure and
        destruction of personal data, or its accidental loss.

        * damage to reputation - no legitimate organisation wants
        to be seen as being riddled with viruses.

     Since Word 6.x for Macintosh supports WordBasic macros, it
     is as vulnerable as Word 6.x and 7.x on Intel platforms to
     being infected by macro viruses, and therefore to generating
     other infected documents (or, strictly speaking, templates).
     Working Excel viruses are now beginning to appear also, and
     any future Macintosh application that supports Visual Basic
     for Applications will also be vulnerable. Note also the
     possibility of virus-infected files embedded as objects in
     files associated with other applications: this possibility
     exists on any platform that supports OLE.

     Macro viruses are therefore highly transmissible via
     Macintoshes, even if they don't have a destructive effect on
     Motorola platforms, provided there is an equivalent application
     available on the Macintosh. For instance, although Word for
     Windows versions before version 6 support WordBasic, Word
     versions for the Mac up to and including version 5.1 do not.
     [Thus Word 5.1 users can not be directly infected, but may,
     like anyone, pass on infected documents to vulnerable systems.]

     Unless running DOS/Windows emulation, the Green Stripe macro
     virus is not normally a danger on Macs, since there is no
     AmiPro/WordPro for Macintosh.

     McAfee, Symantec, Datawatch and Dr. Solomon's all make
     known-virus scanners that detect a range of macro viruses.
     Microsoft make available a free 'protection tool' whose
     effectiveness is often overestimated.
     (See below.)

For further information on specific macro viruses, try one of
the information resources given earlier.

++   7.5 Other Operating Systems (DOS/Windows in Emulation)

     Any Mac running any sort of DOS or Windows emulation such as
     Virtual PC, SoftPC, SoftWindows, RealPC, or a DOS compatibility
     card is a potential target for any PC virus, including Boot Sector
     Infectors/Multipartites (effects will vary). It is highly
     recommended that anyone with such a system should run a reputable,
     up-to-date PC antivirus program under emulation, as well as a good
     Mac antivirus program. [Dr. Solomon's for the Mac detects PC boot
     sector infectors as well as Mac viruses, but doesn't detect PC file
     viruses (apart from macro viruses), and so is not sufficient
     protection for a Mac with DOS emulation.]

     F-PROT, by Frisk Software International, is free for private use,
     and highly regarded; commercial licenses and professional versions
     are available. "fp-..." (for example, fp-227a.zip) in this directory
     should be current: ftp://mirrors.aol.com/pub/simtelnet/msdos/virus/

     To find a commercial or shareware package, check through
     the independent comparative review sites:

       University of Hamburg Virus Test Center
         http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm

       University of Tampere Virus Research Unit
         http://www.uta.fi/laitokset/virus/

       Secure Computing
         http://www.westcoast.com/

       Virus Bulletin
         http://www.virusbtn.com/

     Robert Michael Slade's lists may also be helpful.
       http://www.freenet.victoria.bc.ca/techrev/quickref.html
       http://www.freenet.victoria.bc.ca/techrev/rms.html


8.0  What's the best anti-virus package for the Macintosh?
     -----------------------------------------------------

As ever, I can't give a definitive answer to this. Here are some
thoughts on the main contenders.

     8.1 Microsoft's Protection Tool

     Microsoft's Macro Virus Protection Tool detects Concept (Nuclear
     and DMV are also mentioned in the documentation, but there is no
     indication that it actually recognises them), but its principal
     purpose is merely to warn users that the document they are about
     to open contains macros and offer the choice of opening the file
     without macros, opening it with macros, or cancelling the File
     Open. It can be obtained from:

        http://www.microsoft.com/msoffice/
        (look for mvtool1222.hqx)
        MSN: GO MACROVIRUSTOOL
        AOL: the Word forum
        CompuServe: the Word forum
        Microsoft Product Support Services
                206-462-9673 (WinWord)
                206-635-7200 (Word Mac)
        email: wordinfo@microsoft.com

      NB The Protection Tool traps some File Open operations, but
      not all. There are a number of ways of opening a document
      which bypass it, some of which are rather commonly used
      (e.g. double-clicking or using the Recent Documents list).

      The Protection Tool can be used to scan for Concept-infected files,
      but there are a number of possible problems with it.

      * Earlier versions could only handle a limited size of directory
        tree, and ran very slowly if a large number of files required
        scanning. Speed is certainly still a problem: I can't say about
        the overflow problem.
      * Files created in Word for Windows won't be scanned until they've
        been opened in Word 6 for Mac (this is a system issue, not a
        bug in the code). However, Microsoft suggest that you open the
        file in Word for the Macintosh and save it before scanning.
        This will do the job, but will also infect your system, if the
        file is infected. If it's infected with a virus -other- than
        Concept, this could create problems if the Protection Tool is
        bypassed on a subsequent file open.
      * Infected files embedded in OLE2 files or e-mail files will not
        be detected.

    Windows 95 users should be aware that this tool is not recommended
    for use with MS Word 7.0a for Windows with internal detection
    enabled, as these two tools will cancel each other out.

  Microsoft's home page now recommends using an NCSA-certified antivirus
  utility and sidesteps any hint of responsibility for any macro virus
  or SCANPROT related problems. 

  (1) not everyone is happy with the current implementation of NCSA 
      certification 
  (2) NCSA certification is not at present Mac-aware. 

        8.2 Disinfectant

        Disinfectant is an excellent anti-virus package with exemplary
        documentation, and doesn't cost a penny: however, it doesn't
        detect all the forms of malware that a commercial package usually
        does, including HyperCard infectors, most Trojans, jokes or macro
        viruses. Unlike some commercial packages, it doesn't scan
        compressed files, either: compressed files should be expanded
        before scanning. Self-extracting archives should probably be
        scanned before unpacking, then again when unpacked.

++      Anyone using recent versions of Microsoft Office applications
        should be aware that macro viruses -do- infect on these software
        platforms and may trigger on them too. Disinfectant is, therefore,
        no longer sufficient protection by itself for systems that have
        these applications installed. There -is- clearly still a commitment 
        to updating Disinfectant to address those types of virus which it 
        -does- deal with.

        Arguably, systems that don't have these applications should also
        be protected:

        * With a view to protection in the future from infected files
          acquired now, if the user should change to Office in the future.
        * To guard against the spreading of infected files by way of
          uninfectable systems.

        Disinfectant is available from:

                ftp://ftp.acns.nwu.edu/pub/disinfectant/
                CompuServe
                GEnie
                America Online
                Calvacom
                Delphi
                BIX
                Info-Mac mirrors in the ../vir/ directory

        The Disinfectant README has been updated with 3.7.x and includes
        the following note.

: Important Note
: ==============
:
: Disinfectant only attempts to deal with Mac system viruses, not Trojan
: horses, practical jokes, DOS or Windows viruses, worms,
: application-specific scripting or macro viruses like the Hypercard and MS
: Word 6 viruses, or any other kind of computer "malware".
:
: Microsoft Word 6 cross-platform "macro viruses" like the widespread
: "Concept" virus are currently a major problem for MS Word 6 users. You
: don't have to worry about them if you don't use Word 6. If you need
: protection against the MS Word 6 macro viruses, I recommend a commercial
: anti-virus product.

This addresses fully my previous complaint that the README could be taken 
as an endorsement of Microsoft's inadequate protection tool. I'd still
quibble at the assertion that people who don't use Word 6 don't have to
worry about macro viruses.

(1) Not all macro viruses are Word-specific
(2) Even if your own system can't be infected, you can still pass on
    an infected file inadvertently, if you aren't running a known-virus
    scanner which detects that particular class of virus.

        8.3 McAfee VirusScan.

        This is considered below, since it is a fully fledged commercial
        package. However, unlike the other commercial packages listed,
        a 30-day evaluation version is available from their Web site:

                http://www.mcafee.com/

        8.4 Other freeware/shareware packages

        For other freeware/shareware Mac packages, try
        Info-Mac mirrors like:

                ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

        The University of Texas holds some older documentation on
        Mac viruses.

                http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

        Gatekeeper was not a scanner, but a generic tool. It is no
        longer supported by its author, but is still available on
        some sites. It is probably not safe to use or rely on with modern
        systems, and I believe the author recommends that people
        don't attempt to use it, though I've been unable to
        contact him to get confirmation.

        In January 1997 Padgett Peterson, author of the PC utility
        DiskSecure, released the first version of his MacroList macro
        detection tool, which has been tested by the author on
        Macs (System 7.5 on SE/30, IIci and PowerMac) as well as
        Windows PCs, using considerably more macro viruses than
        Microsoft seem to have heard of..... The MacroList
        template is accessed by a button in the standard toolbar.
        This is not a virus scanner, but allows disabling of
        automacros, listing of any macros found in the current
        document etc. Version 1.10 was due for release by the time of
        writing (February 1997), and an adaptation for Office97
        is in progress. Watch the Web page for further details.

        [v1.1 and the Office 97 "late beta" were available
        as at 18th March 1997.]

              http://www.freivald.org/~padgett/

        (under Anti-Virus Hobby) - NB change of URL.

        MacroList is freeware, but please be sure to read the
        TRIALS link.

        8.5 Commercial packages

        Commercial packages include SAM (Symantec Antivirus for Macintosh),
        Virex for Macintosh, McAfee VirusScan and Dr. Solomon's AntiVirus
        ToolKit for Macintosh.

        McAfee have a virus scanner for the Mac based on
        Disinfectant: version 2 of VirusScan, however, includes
        detection of Trojans, macro viruses etc. It also includes
        an installation wizard that I found a little inflexible,
        but could save effort. It provides background scanning,
        monitoring, scans compressed files, has a scheduling
        option, and can be administered remotely. Version 2.3 of
        the data definitions includes a free Mac virus
        encyclopaedia. (See section 5.10.)

        Version 2.1 (2.0.9 and later) includes scanning of files
        compressed with StuffIt. NB, scanning compressed archives is off by
        default. More information in the Readme file.

++      Version 2.1 is not Mac OS 8 compatible, as reported at
        MacInTouch. Version 3.0, due out this fall, will be.

        A fully-functional 30-day evaluation copy can be
        downloaded from McAfee's Web site.

        SAM and Virex offer checksumming/integrity checking (detecting
        possible infection by unknown viruses, by monitoring changes in
        infectable files - the correct checksums or fingerprints for
        individual files are kept in a database file). Both applications
        check files compressed with utilities such as StuffIt.

        SAM is particularly oriented towards behaviour blocking: the
        Intercept tool can be configured to raise an alert at the
        slightest whiff of a 'suspicious' operation. Unfortunately, this
        can be counterproductive in real life, since an over-stringent
        alert policy is apt to result in the facility being turned off
        altogether. However, configuration is very flexible.
        Version 4.5 includes the SAM Administrator package for
        distribution and customization of installations,
        including password locking.

        Virex offers very fast scanning, is easy to update, and
        includes checksumming for the detection of unknown viruses.
        It's also possible to buy an administration package. The
        basic package includes a control panel for scanning on
        file or diskette access which can be locked independently
        of the administration package. Installation and interface
        are easy and efficient. The May 1997 Virex Virus
        Definitions Updater is claimed to improve drastically on 
        Virex's handling of macro viruses.

        To sign up for Virex tech support and news mailing lists, see:
++        http://www.datawatch.com/home/virex/mlist.html

++      It has been reported that both SAM and Virex had
        development difficulties this year due to the large number
        of new macro virus definitions. Virex Memory Expander 1.0
        has corrected this problem for users of Virex 5.6 and later.
        This tiny patch can be downloaded from Datawatch.
    
            http://www.datawatch.com/home/virex/updatenow.html
            
        Virex application (but not control panel) memory can be
        manually increased in 5.5.x, the earliest version that
        supports current Virex updates. (Datawatch recommends users
        upgrade to the current release, 5.7.x.) Version 5.5.x is the
        only commercial Macintosh anti-virus package that will
        still run current virus definitions with System 6.0.5.
        Though the 5.5.x control panel may no longer load, on-demand
        functionality may be useful to some people.
        
++      Symantec also released a patch. Designed for SAM Intercept
        4.0.8 to 4.5.x, this corrects "segment loading errors."

           <URL:ftp://ftp.symantec.com/public/english_us_canada/
                  products/symantec_antivirus_macintosh/
                  ver4.5/updates/samintup.sea.hqx>

        Dr. Solomon's for Macintosh has the unusual capacity for
        detecting (not cleaning) PC boot-sector viruses on DOS
        floppies, which could be very useful in a mixed
        environment. It doesn't detect compressed files (oddly,
        since this is one of the strengths of the DOS/Windows
        version). Nor does it include checksumming. The manual is
        a bit sloppy, especially the virus descriptions (unlike
        the versions for other platforms, there is no on-line
        Virus Encyclopaedia): for instance, there's no indication
        that Frankie doesn't affect real Macs, only emulators.
        Terminology is a bit idiosyncratic, too: the frequent
        references to 'link' viruses are rather non-standard. The
        MacGuard control panel scans on file access, launch of
        INITs etc.

        Dr. Solomon's, McAfee, Virex and SAM all address Trojans,
        and macro viruses, and can do scheduled scanning.

        Sophos, who supply the Sweep scanner for PCs etc., do not have
        a stand-alone Macintosh scanner, but do have a Macintosh client
        version of their InterCheck technology. This runs as an extension
        and communicates with the InterCheck server when an application
        is run on the client machine.


        8.6 Contact Details

        Datawatch Corporation (for Virex)

                234 Ballardvale Street
                Wilmington MA 01887
                +1 508 988 9700
                fax: +1 508 988 0105
                http://www.datawatch.com/
                ftp://ftp.datawatch.com/pub/virex/

        McAfee (for VirusScan).

                McAfee Associates
                2710 Walsh Ave
                Santa Clara, CA  95051
                95054-3107  USA
                Voice (408) 988-3832
                FAX   (408) 970-9727
                BBS   (408) 988-4004
                CompuServe ID: 76702,1714 or GO MCAFEE
                mcafee@netcom.com
                ftp://ftp.mcafee.com/pub/antivirus/
                http://www.mcafee.com/

        Dr. Solomon's Software Ltd.
             (for Dr. Solomon's AntiVirus ToolKit)

                Alton House
                Gatehouse Way
                Aylesbury
                Buckinghamshire HP19 3XU
                United Kingdom
                UK Support: support@uk.drsolomon.com
                US Support: support@us.drsolomon.com
                UK Tel: +44 (0)1296 318700
                USA Tel: +1 617-273-7400
                CompuServe: GO DRSOLOMON
                Web: http://www.drsolomon.com
                FTP: ftp://ftp.drsolomon.com

       Symantec Corporation (for SAM)

                10201 Torre Avenue
                Cupertino CA 95014
                +1 408 725 2762
                Fax: +1 408 253 4992
                US Support:  541-465-8420
                AOL:  SYMANTEC
                European Support:  31-71-353-111
                Australian Support:  61-2-879-6577
                http://www.symantec.com/
                ftp://ftp.symantec.com

        Sophos plc

                The Pentagon
                Abingdon
                Oxon
                England OX14 3YP
                http://www.sophos.com/

9.0  Welcome Datacomp
     ----------------

From time to time there are reports from Mac users that the
message 'Welcome Datacomp' appears in their documents without
having been typed. This is the result of using a Trojanised
3rd-party Mac-compatible keyboard with this 'joke' hard-coded
into the keyboard ROM. It's not a virus - it cannot infect
anything. The only cure is to replace the keyboard.

10.0 Hoaxes and myths
     ----------------

Some of these are PC-specific, rather than Mac-specific, while
some have no basis in reality on any system. [I look forward to
hearing about the first Turing machine infector....] They are
included here (a) because Mac support staff are accustomed to
being asked about them (b) because anything that -might- work
on a real PC -might- also work with DOS emulation, in principle.

        10.1 Good Times virus

            There is *no* Good Times virus that trashes your hard
            disk and launches your CPU into an nth-complexity binary
            loop when you read mail with "Good Times" in the
            Subject: field.

            You can get a copy of the latest version of Les Jones' FAQ
            on the Good Times Hoax on the World Wide Web:

                http://members.aol.com/macfaq/goodtimes.html 
                http://www.public.usit.net/lesjones/goodtimes.html

            There's a Mini-FAQ available as:

                http://www.public.usit.net/lesjones/gtminifaq.html 
                http://users.aol.com/macfaq/gtminifaq.html 


        10.2 Modems and Hardware viruses
            There is no modem virus that spreads via an undocumented
            subcarrier - whatever that means.... There is no virus
            that causes damage to hardware.

        10.3 Email viruses
            Any file virus can be transmitted as an E-mail attachment.
            However, the virus code has to be executed before it
            actually infects. Sensibly configured mailers and browsers
            don't allow this: check yours. In particular, check that
            your Web browser doesn't automatically pass Word documents
            to Word 6 to open, since this may result in embedded macros
            being launched.

        10.4 JPEG/GIF viruses
            There is no known way in which a virus could sensibly be
            spread by a graphics file such as a JPEG or .GIF file,
            which does not contain executable code. Macro viruses work
            because the files to which they are attached are not 'pure'
            data files. 

++      10.5 Hoaxes Help
            If you should receive a virus warning, look at these sites
            before forwarding it along. A statement like, "Please
            forward to everyone!" is one mark of a hoax.

            Computer Virus Myths home page
                http://www.kumite.com/myths/

            CIAC
                http://ciac.llnl.gov/ciac/CIACHoaxes.html

            Data Fellows
                http://www.datafellows.com/news/hoax.htm

11.0 Glossary
     --------

* Change Detectors/Checksummers/Integrity Checkers - programs that
  keep a database of the characteristics of all executable files on
  a system and check for changes which might signify an attack by
  an unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
  the risk of being fooled by a virus that targets that particular
  checksummer.
* Dropper - a program that installs a virus or Trojan, often
  covertly.
* Generic - catch-all name for antivirus software that doesn't
  know about individual viruses, but attempts to detect viruses
  by detecting virus-like code, behaviour, or changes in files
  containing executable code.
* Heuristic scanners - scanners that inspect executable files for
  code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
  they are running for behaviour which might denote a virus.
* Scanner (conventional scanner, command-line scanner, on-demand
  scanner) - a program that looks for known viruses by checking for
  recognisable patterns ('scan strings', 'search strings',
  'signatures') or using a more flexible algorithmic approach for
  detection of polymorphic viruses, which can't be found by a
  search for a simple scan string. Polymorphic viruses are not
  usually associated with the Macintosh platform, but there is a
  bimorphic Word Macro virus.
* Trojan (Trojan Horse) - a program intended to perform some covert
  and usually malicious act that the victim did not expect or want.
  It differs from a destructive virus in that it doesn't reproduce
  (though this distinction is by no means universally accepted).
* Virus - a program (a block of executable code) that attaches
  itself to, overwrites or otherwise replaces another program in
  order to reproduce itself without the knowledge of the computer
  user. Most viruses are comparatively harmless, and may be present
  for years with no noticeable effect: some, however, may cause
  random damage to data files (sometimes insidiously, over a long
  period) or attempt to destroy files and disks. Others cause
  unintended damage. Even benign viruses (apparently non-destructive
  viruses) cause significant damage by occupying disk space and/or
  main memory, by using up CPU processing time, and by the time and
  expense wasted in detecting and removing them.
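
An added example, not part of the original FAQ and not code from any
product it names, of the change detection described in section 8.5 and
in the glossary entries above: a fingerprint database keyed with
HMAC-SHA256, so the database cannot be quietly rewritten to match an
altered file. The key, file names and directory layout are constructed
for the illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


def fingerprint(path, key):
    """Keyed fingerprint (HMAC-SHA256) of one file's contents."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            mac.update(chunk)
    return mac.hexdigest()


def build_baseline(root, key):
    """Map every file under root (relative path, '/' separators) to its fingerprint."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = fingerprint(full, key)
    return entries


def _tag(entries, key):
    """MAC over the whole database, computed on a canonical serialisation."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(entries, key):
    """Serialise the database together with a MAC over all entries."""
    return json.dumps({"entries": entries, "tag": _tag(entries, key)})


def unseal(blob, key):
    """Return the stored entries, refusing a database that was edited."""
    doc = json.loads(blob)
    if not hmac.compare_digest(_tag(doc["entries"], key), doc["tag"]):
        raise ValueError("baseline database fails its integrity check")
    return doc["entries"]


def compare(root, baseline, key):
    """Report files changed, added or removed since the baseline was taken."""
    current = build_baseline(root, key)
    return {
        "changed": sorted(p for p in baseline
                          if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed scenario: baseline a small tree, alter it, then check it."""
    key = b"constructed-demo-key"  # assumption: stored away from the scanned volume
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "apps"))
        for name, data in (("editor", b"program A"), ("viewer", b"program B")):
            with open(os.path.join(root, "apps", name), "wb") as fh:
                fh.write(data)
        sealed = seal(build_baseline(root, key), key)

        # Later: one file grows by appended bytes, one vanishes, one appears.
        with open(os.path.join(root, "apps", "editor"), "ab") as fh:
            fh.write(b" plus bytes that were not there before")
        os.remove(os.path.join(root, "apps", "viewer"))
        with open(os.path.join(root, "apps", "newtool"), "wb") as fh:
            fh.write(b"program C")
        report = compare(root, unseal(sealed, key), key)

    # A database entry rewritten without the key no longer matches the tag.
    doc = json.loads(sealed)
    doc["entries"]["apps/editor"] = "0" * 64
    try:
        unseal(json.dumps(doc), key)
        database_edit_detected = False
    except ValueError:
        database_edit_detected = True
    return report, database_edit_detected


if __name__ == "__main__":
    print(demo())
```

A changed fingerprint only says that a file differs from the baseline;
legitimate updates produce the same report and have to be re-baselined
deliberately.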

12.0 General Reference Section
     -------------------------

        12.1 Mac newsgroups and FAQs

            comp.sys.mac.apps
            comp.sys.mac.comm
            comp.sys.mac.misc
            comp.sys.mac.system

            comp.virus
            alt.comp.virus

            The focus of these two groups tends to be IBM-compatible,
            but Mac issues are certainly aired. Alt.comp.virus is
            unmoderated, and the quality of the advice and opinions
            aired there is very variable - there are many reputable and
            expert posters, and many mischievous and misleading
            contributions. Caveat lector.... 

            FAQs for c.s.m.misc and c.s.m.system
                http://www.macfaq.com/miscfaq.html
                http://www.macfaq.com/systemfaq.html

            Word for Macintosh FAQ
                ftp://mirrors.aol.com/pub/info-mac/info/sft/word-mac-faq-04.hqx


        12.2  References

            Sensei Consulting Macintosh WAIS Archives
                http://wais.sensei.com.au/searchform.html

           "Inside the Apple Macintosh" - Peter Norton & Jim Heid
            (Brady) (The 2nd Edition is pre-PowerMac, and I haven't
            seen a later one, but there's some surprisingly useful
            stuff in there). 

           "Inside Macintosh" (Addison Wesley).
            Essential reading for Mac programmers. (Umpteen volumes of
            fairly low-level info. Expensive (in the UK, at any rate),
            and whenever you get near some useful info, it refers you
            to one of the volumes you haven't got. However, the series
            has been re-vamped since I acquired my copies, and this may
            be less than just.) It's possible to download them in
            Acrobat and in some cases other formats from:
                http://devworld.apple.com/
            where you can also order hardcopy and CD versions.
            Lots of other useful files etc.

            MacFixIt "Troubleshooting for the Macintosh"
                http://www.macfixit.com

            "Sad Macs, Bombs and other Disasters" (2nd Edition). 
            Ted Landau (Addison Wesley) [3rd edition now out in US]

            MacInTouch home page (info and services)
                http://www.macintouch.com

            MacWEEK magazine
                http://www.macweek.com/
            Macworld magazine
                http://www.macworld.com/
            MacUser magazine
                http://www.macuser.com/
            TidBITS
                http://www.tidbits.com/
@@              Have done many good articles on Mac/macro virus issues.

13.0     Mac troubleshooting
         -------------------

Since the initial release of this document, a number of people
have E-mailed me asking for help with a possibly virus-related
problem. While I'll always help if I can, I should point out
(1) I'm an experienced Mac user and an IT support professional,
but I don't claim to be a Mac expert (2) pressure of work and
other commitments and a huge E-mail turnover mean that I can't
promise a quick response. Whether you mail direct or post to a
relevant newsgroup, it's helpful if you can supply a few details,
such as:

* Which model of Macintosh you're using. It may be useful to
  know how much RAM it has, the size of the hard disk, and any
  peripherals you're using.
* Which version of MacOS you're using.
* Which applications you're using, and which version. If you're
  using Word, it may be critical to know whether you're
  using version 6 or later, or an earlier version.
* Which, if any, antivirus packages you use, and what version
  number. If you're using Disinfectant, for instance, are you
  using version 3.6?
* List any error messages or alerts that have appeared.
* List any recent changes in configuration, additional hardware
  etc.
* List any diagnostic/repair packages you've tried, and the
  results.
* List any other steps you've taken towards determining the cause
  of the problem and/or trying to fix it, e.g. rebuilding the
  desktop, booting without extensions, zapping PRAM etc.

Here are a few steps that it might be appropriate to try if virus
scanning with an up-to-date scanner finds nothing. This section will
be improved when and if I have time.

Rebuilding the desktop is by no means a cure-all, but rarely does
any harm. It may be worth disabling extensions when you do this,
especially if the operation doesn't seem to be completed
successfully.

To disable extensions, restart the machine with the shift key
held down until you see an Extensions Off message. If you're
rebuilding the desktop, release the shift key and hold down
Command (the key with the Apple outline icon) & Option (alt)
until requested to confirm that you want to rebuild.

Disabling extensions is also a good starting point for tracking
down an extensions conflict. If booting without extensions
appears to bypass the problem, try removing extensions with
Extensions Manager (System 7.5) - remove one at a time, and
replace it before removing the next one and booting with that one
removed. Remember that if removing one stops the problem, it's
still worth putting it back and trying all the others to see if
you can find one it's conflicting with. Extensions Manager also
lets you disable control panels. If you don't have Extensions
Manager, try Now Utilities or Conflict Catcher.

Parameter RAM (PRAM) contains system information, notably the
settings for a number of system control panels. 'Zapping' PRAM
returns possibly corrupt PRAM data to default values. A likely
symptom of corrupted PRAM is a problem with date and time (but this
could also be a symptom of a corrupted system file). With System 7,
hold down Command-Option-P-R at bootup until the Mac beeps and
restarts. You may have to restore changes to some control panels
before your system works properly. If the reset values aren't
retained, the battery may need replacing.


--
End of Mac virus FAQ
