Garfield Strikes Back
The Macintosh virus count increased by one last Monday when a new virus called either MDEF or Garfield was found at Cornell University. Contrary to an article in MacWEEK, the virus was found by Gordon Suggs of Cornell Information Technologies and Adam Engst of TidBITS. Tom Young, also of CIT, did an excellent job clarifying and distributing information about Garfield to the virus protection authors and the world at large.
The virus is fairly simple and is partially stopped by CE Software’s Vaccine. Chris Johnson’s Gatekeeper stops it completely. The virus was discovered when a number of Macs attached to public laser printers failed to drop any menus. Vaccine had been reporting attempts to add an MDEF resource, but those attempts had been denied. Garfield’s first step is to renumber the MDEF 0 resource in the System to MDEF 5378. Vaccine does not stop the renumbering, and when the System cannot find MDEF 0, menus no longer drop. The second step is for Garfield to copy itself into the System as MDEF 0, at which point it can copy itself to applications unnoticed since the menus still work (apparently it calls the original MDEF resource when necessary). Added evidence of the virus’ simplicity is that it cannot infect later models of the Mac (after the SE) since the MDEF resource is in ROM in those machines.
John Norstad’s Disinfectant and the commercial programs SAM and Virex were updated within days to find and eradicate the Garfield virus. The latest version of Disinfectant is 1.8 and Virex is at 2.7. Symantec Corp. is publishing the methods of finding MDEF with SAM. If you have Jeff Shulman’s Virus Detective 4.0 or later, you can add this search string to look for MDEF:
Resource MDEF & ID=0 & WData 4546#58EA9AB#C3F#B6048; To find Garfield MDEF
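The renumbering described above leaves a trace in the System file's resource map that can be checked directly. The following Python code is an added example, not taken from the article or from any of the tools it names: it parses a classic Mac OS resource fork and reports whether MDEF 5378 is present, with or without an MDEF 0 beside it. The function names, the state labels and the sample forks produced by `build_fork` are constructed for illustration.

```python
import struct

def list_resources(fork: bytes):
    """Return [(type, id), ...] from a classic Mac OS resource fork."""
    if len(fork) < 16:
        raise ValueError("too short for a resource fork header")
    data_off, map_off, data_len, map_len = struct.unpack_from(">4I", fork, 0)
    if map_len < 30 or map_off + map_len > len(fork):
        raise ValueError("truncated or malformed resource map")
    try:
        # Offset of the type list is stored 24 bytes into the map.
        type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
        n_types = (struct.unpack_from(">H", fork, type_list)[0] + 1) & 0xFFFF
        found = []
        for t in range(n_types):
            rtype, last, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
            for r in range(last + 1):  # counts are stored minus one
                (rid,) = struct.unpack_from(">h", fork, type_list + ref_off + 12 * r)
                found.append((rtype.decode("mac_roman"), rid))
    except struct.error as exc:
        raise ValueError("resource map points outside the fork") from exc
    return found

def mdef_state(fork: bytes) -> str:
    """Classify a System file fork by the MDEF IDs the article describes."""
    ids = {rid for rtype, rid in list_resources(fork) if rtype == "MDEF"}
    if 5378 in ids:
        # MDEF 0 back in place means the second step also completed.
        return "replaced" if 0 in ids else "renumbered"
    return "no-indicator"  # a missing MDEF 0 alone is normal where MDEF is in ROM

def build_fork(resources):
    """Constructed sample input: a minimal fork of zero-length resources."""
    types = {}
    for rtype, rid in resources:
        types.setdefault(rtype, []).append(rid)
    data = struct.pack(">I", 0) * len(resources)
    type_list, refs, n = struct.pack(">H", (len(types) - 1) & 0xFFFF), b"", 0
    for rtype, ids in types.items():
        ref_off = 2 + 8 * len(types) + len(refs)
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"), len(ids) - 1, ref_off)
        for rid in ids:
            refs += struct.pack(">hhI4x", rid, -1, 4 * n)  # no name, attrs 0
            n += 1
    body = type_list + refs
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + len(body)) + body
    return struct.pack(">4I", 16, 16 + len(data), len(data), len(rmap)) + data + rmap
```

A "renumbered" result corresponds to the state in which menus stop dropping; "replaced" only says that both IDs exist, so the MDEF 0 contents still need to be checked with one of the scanners named above.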
Adam C. Engst — TidBITS Editor
Gordon Suggs — [email protected]
Tom Young — [email protected]
MacWEEK — 22-May-90, Vol. 4 #20, pg. 10