Mac Virus ALERT! Do not open email topic "Class Synopsis"

[editor]

I received this file from a friend by accident, no blame, it could happen to any one of us. The title of the email is "Class Synopsis" or "I send this file asking for your advice." Its a "mean spirited" well written little program. The actual attachment is a .PIF file. After having a look at its source code I found out that P.I.F. means "Puter Is Fu****" After spending all yesterday ridding my network of the virus, an almost impossible task once loosed on your Mac; without a lot of Mac knowledge, programming knowledge, specialized software tools and a lot of time. Norton Anti Virus, nor any of the main stream virus tools recognizes it as a virus. The program is designed to destroy any boot device used as a stag•ing area (A temporary platform or system of platforms used for support) to attack it from. It tells the current OS that all HD's are full Zero K available on all disks, so no place to install tools to help you out, boot from a CD it attacks all HD drivers. With each fresh boot up, it spreads until you have no place to stage a counter attack from... even a floppy is infected upon booting from one. I have to admire the bastard who wrote it, everything I could think of, he had already thought of, except one thing. Disconnect all HD's, boot from CD-ROM (a Locked Volume, with Norton system works on it.). Turn Norton Anti Virus on, set to full protection, although Norton does not recognize the virus. It allows you to stop "Virus like activity." Re-attach HD's one at a time, re-boot (NORTON WARNING=STOP ALL VIRUS LIKE ACTIVITY=RESPOND YES) after each HD is attached, install a new driver on each HD as soon as it mounts, with Apple. Drive Setup and run Norton disc doctor on the disc. The virus seems to attack HD drivers as step one, step two attacks B-Tree directory info, step three is Master directory Block/Driver attack wave two.

In short, make a bootable CD on another computer, with Norton system works installed on the CD's system you create, set CD to auto-launch Norton from the CD, set to FULL VIRUS protection. Disconnect all discs from the infected cpu. Boot from the CD you made once with no HD's attached, then attach HD#1 reboot from the CD you made, instantly install an apple HD driver as soon as the volume mounts or does not mount but is recognized; and run Norton disc doctor. Do this for each disc one at a time. The virus untreated will eventually wipe out all your MDB's and crash your HD's.... OF COURSE, IF YOU RECEIVE A "PIF" ATTACHMENT or THIS EMAIL VIRUS MSG., DO NOT OPEN THE ATTCHMENT. ERASE RIGHT AWAY.

------------------FWD:
PLEASE NOTE: A virus was sent to me, randomly. It's sending it out, randomly... Some people were in my address book, others were not. The Subject seems to be changing -- the one I've sent is "Class Synopsis" . Regardless of Subject, DO NOT open the file attachment if you get a message from me that reads:

"Hi. How are you? I send you this file in order to have your advice."--------------------------------

[PBerolz]

Thanks, E, for yet another informative & important post.

[Darrell Diaz]

Hey E! I received that email/virus last week from a record company. They called and warned me after I'd already tried to open it using Word & from inside of Virtual PC (since it said it was an Office doc) Anyway, norton didn't recognize it as a virus but I trashed it, and so far seem to have suffered no ill effects. Still wondering if it's lingering around waiting to cause future damage. Also, no one in my address book seems to have gotten it from me, so maybe it's gone.

[editor]

<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:<HR>Originally posted by Darrell Diaz:
Hey E! I received that email/virus last week from a record company. They called and warned me after I'd already tried to open it using Word & from inside of Virtual PC (since it said it was an Office doc) Anyway, norton didn't recognize it as a virus but I trashed it, and so far seem to have suffered no ill effects. Still wondering if it's lingering around waiting to cause future damage. Also, no one in my address book seems to have gotten it from me, so maybe it's gone.<HR></BLOCKQUOTE>

I took the exact steps you did Word/VPC. Yes the virus is possibly still on your system. Do search by .pif use command F, then hit command M while sherlock is open. Check? file is invisible, enter .pif as a serach string, then search. I found that the virus had made an out going file, dozens of them for each email program I had. Each outgoing file was set to be sent on Oct 17. I erased all the invisible files and suddenly my HD's reflected the correct amount of space available, I freed up about 20 gigs doing this. Also empty the trash cache, after taking a look at what is inside it. This is a nasty virus. Do a final search for invisible files, enter no txt. string, just search with invisible checked and look at what you see. So far everything seems ok, after getting rid of the invisible virus files.

Regards

e

[jeffro]

<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:<HR>Originally posted by editor:
I received this file from a friend by accident, no blame, it could happen to any one of us. The title of the email is "Class Synopsis" or "I send this file asking for your advice."<HR></BLOCKQUOTE>

Doesn't look like a Mac virus, but check out one of the following for more info:
http://vil.mcafee.com/dispVirus.asp?virus_k=99141&
http://vil.nai.com/vil/virusSummary.asp?virus_k=99141
http://www.symantec.com/avcenter/[email protected]

[shaggy]

Bookmark this site...my fleabitten brethren.

Computer Emergency Response Team {CERT}

[shaggy]

Sounds like the dreaded malformed macro...

FX both .pc and macintosh platforms-

MS Excel & Powerpoint 97,98,2000,2001,2002

The fix is from Microsoft. http://www.microsoft.com/technet/tre...n/MS01-050.asp

[lamp]

I read somewhere that if you create a new contact in your address book and name It **!0000 with no e-mail address and put it at the top of your contact list,it will stop out going viruses.I did it. Don't know if it works.

[Park Seward]

<BLOCKQUOTE><font size="1" face="Verdana, Arial">quote:<HR>Originally posted by lamp:
I read somewhere that if you create a new contact in your address book and name It **!0000 with no e-mail address and put it at the top of your contact list,it will stop out going viruses.I did it. Don't know if it works.<HR></BLOCKQUOTE>

It won't

[shaggy]

(we got the Snowite(sp) virus {Sircan Worm} this summer....Spit out 2,000 copies of itself in one hour- from inbox addresses) But that's .pc only.

Norton only catches it after LiveUpdate FWIW

Now if anyone can figure out how to run a binary executable on a macintosh...I can apply the 'fix'

Those Microsoft wizards did it again.