We have detected what I believe to be a new Macintosh virus. This virus can be referred to as the MDEF or Garfield virus, for reasons that will become clear below. I'm passing along all that I have verified about the virus. Some local folks are working on further analysis, and I will be sending samples of this virus to some of the national anti-virus experts.

This virus replaces the System file's native MDEF resource with a new resource, named Garfield. MDEF is a resource that is part of the Mac's menu generation system. The original MDEF resource is apparently retained but given an ID of 5378; the substitute resource has the normal ID of zero. This new "Garfield" MDEF resource will propagate to application files, and an infected application file can spread the virus to a fresh System file. The viral MDEF resource will also attach itself to the Finder.

After some period of time or after some set of actions, the viral MDEF resource will delete itself from the System, resulting in the loss of all menus generated by the System. We have not yet tracked down the details of the conditions under which this happens.

The Vaccine program will successfully block an infection. When an application is launched, Vaccine will display a message asking if you wish to grant permission to add an MDEF resource. If you see this message, you have the new virus.

If you use the Virus Detective DA, you can add the following two search strings to check for the new virus:

    Resource MDEF & Name "Garfield"
    Resource MDEF & ID = 5378

Using these two search strings, you should be able to scan your disks for an infection.

Disinfectant WILL NOT find this virus when it scans a disk. This is a new virus that this anti-virus program doesn't know about.

At present, there is no software that will automatically remove this virus. The simplest solution is to replace all files that check positive for an infection, and then use Virus Detective to rescan for any signs of the virus.
More sophisticated remedies will certainly be developed in the near future. It may be possible to repair an infection by (1) deleting the "Garfield" resource from the System and changing the ID of the MDEF resource that remains from 5378 to zero; (2) simply deleting the "Garfield" resource from all other files in which it is found. There is no guarantee this will work, and it should only be attempted by the technically venturesome.

Tom Young
Cornell Information Technologies
Workstation Systems Services

||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

The first time through this virus adds itself as MDEF ID=0, Name="Garfield", Size=314, renumbering the old MDEF ID=0 to ID=5378. It infects applications and the System file. Does not appear to do anything harmful except propagate and *assume* the first MDEF message is mSizeMsg. It will fail on pre-Mac Plus machines since it uses Get1Resource.

The VirusDetective 4.x search string to find this virus is:

    Resource MDEF & ID=0 & WData 4546#58EA9AB#C3F#B6048 ; For finding Garfield MDEF

Jeff Shulman
VirusDetective author

Subj: Garfield Virus    90-05-17 12:19:50 EDT
From: LeslieM

A new virus has recently been discovered. It is called Garfield (or MDEF by some). It only attempts to propagate itself. It can cause some unexpected behavior however, especially with menus (see below).

If you happen to run across Garfield with SAM 2.0, you can expect to see the following.

1) If you are running in advanced level, or custom level with change/add code resource checked on, SAM will alert you to Garfield's attempt to change/add MDEF resources within applications and the System file when Garfield is trying to spread itself. Denying these attempts with SAM keeps the infection from spreading. However, Garfield can modify the system file's menu definition procedure ID. Though the infection doesn't spread, the result may be odd menu behavior on some Macintoshes.
The symptom to look for is menus that don't pop-down when clicked on. The simplest solution is to replace the system file with a new copy.

2) SAM Virus Clinic will also alert you to a checksum change to any infected files if you have turned on checksumming in the Virus Clinic scans.

3) You can configure SAM (both Virus Clinic and Intercept) to find Garfield during scans and application launches with the new virus definition feature with these fields.

    Virus Name: Garfield
    Resource Type: MDEF
    Resource ID: 0
    Resource Size: 314
    Search String: 2F3C434F44454367A9A0 (hexadecimal)
    String Offset: 42

You can then add this definition to both Virus Clinic and SAM Intercept.

Leslie Miley
Utilities Group
Symantec Corp.
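
The resource checks posted in the messages above (an MDEF named "Garfield", an MDEF with ID 5378, and the SAM definition), applied to a raw resource fork. This is an added example, not code from any of the posters or their tools. It assumes the SAM string offset is decimal and counted from the first byte of the resource data; the function names and the sample forks are constructed for illustration.

```python
import struct

SAM_STRING = bytes.fromhex("2F3C434F44454367A9A0")  # search string from the SAM definition
SAM_OFFSET = 42  # assumption: decimal, counted from byte 0 of the resource data

def iter_resources(fork):
    """Yield (type, id, name, data) for every resource in a raw resource fork."""
    data_off, map_off = struct.unpack_from(">II", fork, 0)
    type_off, name_off = struct.unpack_from(">HH", fork, map_off + 24)
    tl = map_off + type_off                        # start of the type list
    ntypes = (struct.unpack_from(">H", fork, tl)[0] + 1) & 0xFFFF  # stored as count-1
    for t in range(ntypes):
        rtype, last, ref_off = struct.unpack_from(">4sHH", fork, tl + 2 + 8 * t)
        for r in range(last + 1):
            rid, nm, attr_off = struct.unpack_from(">hHI", fork, tl + ref_off + 12 * r)
            p = map_off + name_off + nm            # Pascal string; nm 0xFFFF means unnamed
            name = b"" if nm == 0xFFFF else fork[p + 1:p + 1 + fork[p]]
            d = data_off + (attr_off & 0xFFFFFF)   # low 3 bytes are the data offset
            size = struct.unpack_from(">I", fork, d)[0]
            yield rtype, rid, name, fork[d + 4:d + 4 + size]

def garfield_indicators(fork):
    """Return which of the three posted signatures match MDEF resources in the fork."""
    hits = set()
    for rtype, rid, name, body in iter_resources(fork):
        if rtype == b"MDEF":
            sam = rid == 0 and len(body) == 314 and body[SAM_OFFSET:SAM_OFFSET + 10] == SAM_STRING
            checks = {"name": name == b"Garfield", "displaced-id": rid == 5378,
                      "sam-definition": sam}
            hits.update(k for k, v in checks.items() if v)
    return sorted(hits)

def build_mdef_fork(entries):
    """Constructed sample input: a minimal fork holding only MDEF resources."""
    data = refs = names = b""
    for rid, name, body in entries:
        nm = len(names) if name else 0xFFFF
        names += bytes([len(name)]) + name if name else b""
        refs += struct.pack(">hHI4x", rid, nm, len(data))
        data += struct.pack(">I", len(body)) + body
    types = struct.pack(">H4sHH", 0, b"MDEF", len(entries) - 1, 10)
    hdr = struct.pack(">4I", 16, 16 + len(data), len(data), 28 + len(types + refs + names))
    rmap = hdr + bytes(8) + struct.pack(">HH", 28, 28 + len(types + refs))
    return hdr + data + rmap + types + refs + names

# Constructed resources: zero padding around the posted search string, no virus code.
FAKE_VIRAL = bytes(42) + SAM_STRING + bytes(314 - 52)
INFECTED = build_mdef_fork([(0, b"Garfield", FAKE_VIRAL), (5378, b"", bytes(64))])
CLEAN = build_mdef_fork([(0, b"", bytes(64))])
```

Reporting the three indicators separately shows which of the posted signatures still matches if, for example, the viral resource has been renamed.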