Anti-virus

NotAGolf · 16 Feb 2008 at 16:12

Hi guys, I think my gf may have a virus on her mac. I know it's doubtful but I want to double check. I've had a quick search through this forum section and the only mention I can find is ClamXav, is this the best going? It's only to going to be a one-off scan just to check she doesn't intend on keeping it running the whole time.

Thanks for any advice.

*edit* - needs to be free as well if possible!

mortals · 16 Feb 2008 at 16:17

I've not tried it yet, but found a UK mirror for ClamXAV

http://www.mirrorservice.org/sites/www.clamxav.com/ClamXav_1.1.0_TigerLeopard_e92.dmg

iSam · 16 Feb 2008 at 16:34

Clam is good. Why do you think that there is a virus?

mortals · 16 Feb 2008 at 16:35

I just put it on (just out of interest really) and tried selecting the drive, but it said you cannot scan the whole drive. After looking on the site tho you can.

7a. How can I scan my entire hard drive?

When you click "Choose what to scan...", select your hard drive but don't click "OK" yet. What you have to do is hold down the command key (the one with the Apple symbol) and then select everything you see in there. Then click "OK" and continue as normal.

NotAGolf · 16 Feb 2008 at 16:44

Isotope said:
Clam is good. Why do you think that there is a virus?

Well I did some work on her mac the other day on microsoft word, saved it onto my usb stick, plugged it back into my PC (using windows XP) and nod32 said there was an virus in the word document I just made. It wasn't just my computer that throws up the virus notification, it's happened before on other PC's with different anti-virus software. I've tried formatting the stick, and scanning it but thats clean to.

iSam · 16 Feb 2008 at 17:07

mpledge52 said:
Well I did some work on her mac the other day on microsoft word, saved it onto my usb stick, plugged it back into my PC (using windows XP) and nod32 said there was an virus in the word document I just made. It wasn't just my computer that throws up the virus notification, it's happened before on other PC's with different anti-virus software. I've tried formatting the stick, and scanning it but thats clean to.

Right see where you are coming from. Well get Clam installed and scan the hard drive. That should nail it. This is the first time I have seen a virus showing up on a Mac.

NotAGolf · 16 Feb 2008 at 17:11

Yea I have not heard anything like this either. I have a feeling, and I'm kind of hoping, that its down to MS word.

WotDa · 16 Feb 2008 at 17:19

mpledge52 said:
And I'm kind of hoping, that its down to MS word.

Sounds to me like the Mac is acting as a nest for the virus, which is then spreading via files transferred to other machines.

For this reason, and this reason alone, I recommend using AV on a Mac in a corporate environment, especially if you're using it at home and at work.

theheyes · 16 Feb 2008 at 19:23

Just to clarify...

You created the Word Doc on the Mac or did you just work on it? If you just worked on it, where did the original file come from?

What version of MS Word for Mac are you using - 2004 or 2008?

NotAGolf · 16 Feb 2008 at 20:26

theheyes said:
Just to clarify...

You created the Word Doc on the Mac or did you just work on it? If you just worked on it, where did the original file come from?

I think the first couple of times it happened I created the document on the mac, but this latest issue happened when working on an existing document -one that I created on windows.

theheyes said:
What version of MS Word for Mac are you using - 2004 or 2008?

2004.

I'm running the virus check now but it's not finished yet! I'll update when its finished.

NotAGolf · 17 Feb 2008 at 08:37

The virus check has finally completed. Below is a copy of the findings:

/Users/spa/.Trash/Final Report.doc: W97M.Walker FOUND
/Users/spa/.Trash/Final Report1.doc: W97M.Walker FOUND
/Users/spa/Desktop/S.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/general uni/union work app form.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/cms/brief.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/cms/cms assignment 1: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/dissertation/BA_brief_2007_8.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/dissertation/dissertation proposal 2.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/dissertation/Key Stage 1 Pictograms.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/dissertation/Rcher.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/fraiser project/Civilisation / Chapter1.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/general/small timetable.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/information wall/info wall layouts/9am-1.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/self directed study/brief.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/self directed study/sds olympic info.doc: W97M.Walker FOUND
/Users/spa/Desktop/work/part 3/series design /waves - the oceanides.doc: W97M.Walker FOUND
/Users/spa/Documents/Microsoft User Data/Normal: W97M.Walker FOUND
/Users/spa/Documents/Speed Download 4/intcodec-v6.541.exe: Trojan.Downloader.Zlob-1208 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 213732
Engine version: 0.92
Scanned directories: 91669
Scanned files: 331193
Infected files: 18
Data scanned: 48772.03 MB
Time: 25927.857 sec (432 m 7 s)

ClamXav v1.1.0 - ClamAV 0.92/5837/Sat Feb 16 17:14:09 2008 - ClamXav

Couple of things I've noticed. All of them bar one are word documents, and this walker virus is something to do with macros. 90% of the word documents above were not created on the mac, they were either mine from my PC (I've scanned my PC btw -its clean), or from lecturers/other students she doesn't know whether the documents would be created in windows or a OSX.

The other virus is a trojan downloader but it's a .exe - I take it thats not a problem because mac's cant execute .exe's, or am I mistaken? (I know sod all about macs and OSX!)

One final question. It says that it has found these 18 files, but it hasn't said that it has cleaned/deleted them. Has it actually done anything or do you have to manually delete them?

Thanks very much.

iSam · 17 Feb 2008 at 10:34

Ouch, sounds like your Mac was harbouring PC viruses that wont affect the Mac but could infect any computer you transferred files to.

It should move the files into quarantine, where they can do no damage. They aren't actually deleted.

NotAGolf · 17 Feb 2008 at 12:12

Well I've just looked up the files, they are still on the mac, they havent been moved anywhere. I havn't opened them or anything though. Is there any way I can "clean" them because some of them are quite important so I dont really want to delete them.

Thanks.

barnettgs · 17 Feb 2008 at 13:14

http://www.f-secure.com/v-descs/sattelit.shtml

W97M/Walker.L is an encrypted class infector that infects the global template when an infected document is opened. After the global template has been infected, the virus infects all documents that are opened or closed.

It is actually an old virus which it works on Win 95 + 98 only. Does that rings any bells?

NotAGolf · 17 Feb 2008 at 13:54

barnettgs said:
http://www.f-secure.com/v-descs/sattelit.shtml

It is actually an old virus which it works on Win 95 + 98 only. Does that rings any bells?

Yea I had a look at that, I thought I was either reading it wrongly, or reading about a different type of virus. I know that she and I havn't touched windows 95/98 for a good 7 or 8 years now lol. But yes that does seem to be roughly what is happening - I dont think EVERY file that is opened/created is being infected though.

The only thing I'm worried about now is that if she starts working on new work, all this new work will be corrupted by this stuff. How can I clean the system completely?

Thanks again.

barnettgs · 17 Feb 2008 at 14:05

mpledge52 said:
Yea I had a look at that, I thought I was either reading it wrongly, or reading about a different type of virus. I know that she and I havn't touched windows 95/98 for a good 7 or 8 years now lol. But yes that does seem to be roughly what is happening - I dont think EVERY file that is opened/created is being infected though.

The only thing I'm worried about now is that if she starts working on new work, all this new work will be corrupted by this stuff. How can I clean the system completely?

Thanks again.

Ok, it is window virus and I am not sure if it can be spread to other documents in Mac.

The link I posted, says something about the global template in MS Word, I'm not sure what it is. I am under the impression is that if you open the template you use with other documents, then you still have virus there.

To find out, try creating a new document, random typing it, save it as and close it and then scan this file to see if it has a virus or not.

NotAGolf · 17 Feb 2008 at 14:18

Thanks barnettgs. I've just spotted that one of those files listed as a virus in the list above (/Users/spa/Documents/Microsoft User Data/Normal: W97M.Walker FOUND) is actually a template file. I've since deleted that file so I'm hoping that might the troublesome one. I'll try what you mentioned soon but I'm going to back up all important work before I do anything else.

Thanks again.

theheyes · 17 Feb 2008 at 20:30

I find it very strange that an old virus would be able to infect the template system on the Macintosh side of things. Like barnettgs said: Are you 100% sure that if you create a new file in Office 2004 it is infected?

NotAGolf · 18 Feb 2008 at 09:05

theheyes said:
I find it very strange that an old virus would be able to infect the template system on the Macintosh side of things. Like barnettgs said: Are you 100% sure that if you create a new file in Office 2004 it is infected?

Definately, although in the majority of cases it seems to be existing documents that have been edited are the ones infected.

I have deleted the dodgy looking template file, and since then I have made a new word document, saved it onto my stick and checked it with my AV and its clean so I may be onto something! I ran the virus check again last night and all it found were the infected documents. If I open these infected documents is the virus likely to spread or should it be ok because of got rid of the dodgy template file?

Thanks again.

iSam · 18 Feb 2008 at 12:53

mpledge52 said:
Definately, although in the majority of cases it seems to be existing documents that have been edited are the ones infected.

I have deleted the dodgy looking template file, and since then I have made a new word document, saved it onto my stick and checked it with my AV and its clean so I may be onto something! I ran the virus check again last night and all it found were the infected documents. If I open these infected documents is the virus likely to spread or should it be ok because of got rid of the dodgy template file?

Thanks again.

Sounds like the template was the problem. I would have thought you should be ok to open the documents. Save it again in a new place and delete the old infected file.