This article originally appeared in TidBITS on 1992-02-24 at 12:00 p.m.

MBDF Virus

by Adam C. Engst

Just after I wrote last week that the Mac world hasn't seen a virus in some time, one has to pop up. The latest and slimiest entry into the virus hall of infamy (I know some people who are in a kneecap-breaking mood over this one) is called MBDF after the resource that it uses to infect System files and applications. MBDF resources are normally present in some files, so do not be alarmed if you see them while poking around with ResEdit.

The MBDF virus was discovered in Wales. Early detection was made possible by the foresight of Claris programmers who included integrity checking code in their applications, something which other application programmers would do well to add. As a suggestion, perhaps someone (at Claris perhaps?) could release some integrity checking code into the public domain so that it would be easy for all programmers to add such capabilities to their applications.
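As an added illustration (not code from Claris or from the original article), here is a minimal sketch of the kind of self-integrity check described above. It assumes a file's resources can be listed as (type, ID, data) tuples and compared against a manifest recorded at build time; all resource IDs and contents below are constructed, and the tampered copy is a generic example, not a model of what the MBDF virus actually changes.

```python
import hashlib

def manifest(resources):
    """Map (type, id) -> SHA-256 hex digest of each resource's data."""
    return {(rtype, rid): hashlib.sha256(data).hexdigest()
            for rtype, rid, data in resources}

def check_integrity(baseline, resources):
    """Compare current resources with the build-time baseline manifest.

    Returns a sorted list of (status, type, id) findings; an empty list
    means the file still matches its baseline.
    """
    current = manifest(resources)
    findings = []
    for key in current.keys() - baseline.keys():
        findings.append(("added", *key))        # resource not shipped by the developer
    for key in baseline.keys() - current.keys():
        findings.append(("removed", *key))      # shipped resource is missing
    for key in baseline.keys() & current.keys():
        if baseline[key] != current[key]:
            findings.append(("modified", *key))  # same slot, different bytes
    return sorted(findings)

# Constructed sample: a clean application that legitimately ships an MBDF resource.
CLEAN = [
    ("CODE", 0, b"jump table"),
    ("CODE", 1, b"main segment"),
    ("MBDF", 128, b"custom menu bar definition"),
    ("MENU", 128, b"File menu"),
]
BASELINE = manifest(CLEAN)  # recorded once, when the application is built

# Constructed tampered copy: one resource added, one altered.
TAMPERED = [
    ("CODE", 0, b"jump table"),
    ("CODE", 1, b"main segment with extra bytes"),
    ("MBDF", 128, b"custom menu bar definition"),
    ("MBDF", 129, b"unexpected resource"),
    ("MENU", 128, b"File menu"),
]

if __name__ == "__main__":
    for label, res in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, check_integrity(BASELINE, res) or "OK")
```

Scanning for the MBDF type name alone would have flagged the legitimate MBDF 128 resource in the clean copy; comparing against a baseline reports only what differs from what the developer shipped.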

Several popular Internet archive sites contained some infected games for a short period of time, so a number of people around the world were affected. The games were named "10 Tile Puzzle" and "Obnoxious Tetris." In addition to these two games, a third game named "Tetricycle" or "tetris-rotating" was a Trojan horse which installed the virus. If you have any of these programs sitting around, do everyone a favor and delete them. It's all too easy to release these viruses again.

I don't think that MBDF was as widespread as some of the earlier viruses, such as nVIR, but there is a possibility that your Mac has been infected by a completely different program so it is worth checking your Mac with the latest virus checking software. We recommend Disinfectant 2.6 because it is free and easy to use, but new versions of Virus Detective (5.0.1), Gatekeeper (1.2.4), or any of the updated commercial programs should also do the trick.

Disinfectant identifies both infected files and the Trojan horse as being infected by the MBDF virus and can repair any infected files, which removes the virus and returns the file to its original clean state. Repairing the Trojan horse renders it ineffective and inoperable. Shucks.

The MBDF virus is not malicious, but it can cause damage in certain instances. In particular, the virus takes quite a long time to infect the System file when it first attacks a system. The delay is so long that people often think that their Mac is hung, so they do a restart. Restarting the Mac while the virus is in the process of writing the System file very often results in a damaged System file which cannot be repaired. The only solution in this situation is to reinstall a new System file from scratch. There have also been reports of directory damage which may or may not be related to the restart process.

Special thanks to John Norstad, as usual, for his excellent and timely response to the new virus, and to the folks at Claris for providing the defensive code that helped find this virus early on before it had a chance to spread its evil tentacles even further. Ooo, there's not much like a virus for evoking some good imagery.

Now that you've read the technical details, here's the human interest side. We just heard that two arrests have been made at Cornell University in Ithaca, New York. The virus had been traced to Cornell fairly quickly, and an internal investigation led to the arrests of two sophomores, David Blumenthal and Mark Pilgrim. The two suspects have been charged with second degree computer tampering and are spending the night in Tompkins County jail. Further charges are pending based on the distribution of the files to and to its mirror sites around the world, specifically Japan. The legal system will decide whether or not these two are guilty of the charges and what the punishment will be, but if I were them, I'd be watching my kneecaps.

Information from:
John Norstad
Chris Johnson
Jeff Shulman
Mark H. Anbinder
and many others around the world who helped nail
this virus to the wall.