3   Founded By:    3 :  Network Information Access   : 3   Founded By:    3
 3 Guardian Of Time 3D:            15APR90            :D3 Guardian Of Time 3
 3   Judge Dredd    3 :          Judge Dredd          : 3   Judge Dredd    3
          3           HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<           3
          3                 IMMMMMMMMMMMMMMMMMMM;                 3

$_The ZUC Virus

The ZUC virus was first discovered in Italy in March, 1990. It is named
after the discoverer, Don Zucchini.

ZUC only infects applications. It does not infect system files or data
files. Applications do not have to be run to become infected.

ZUC was timed to activate on March 2, 1990. Before that date it only
spread from application to application. After that date, approximately
90 seconds after an infected application is run, the cursor begins to
behave unusually whenever the mouse button is held down. The cursor
moves diagonally across the screen, changing direction and bouncing
like a billiard ball whenever it reaches any of the four sides of the
screen. The cursor stops moving when the mouse button is released.

The behavior of the ZUC virus is similar to that of a desk accessory
named Bouncy. The virus and the desk accessory are different, and
they should not be confused. The desk accessory does not spread, and
it is not a virus. ZUC does spread, and it is a virus.

ZUC has two noticeable side effects. On some Macintoshes it causes the
desktop pattern to change. It also often causes long delays and an
unusually large amount of disk activity when infected applications are

ZUC can spread over a network from individual Macintoshes to servers
and from servers to individual Macintoshes.

Except for the unusual cursor behavior, ZUC does not attempt to do any

$_Disinfectant 1.7

Disinfectant 1.7 is a new release of our free Macintosh virus
detection and repair utility.

Version 1.7 recognizes the new ZUC virus. Thanks to Don Zucchini and
Francesco Giagnorio for discovering and reporting this new virus.

Vaccine is not effective against ZUC. GateKeeper 1.1.1, however, is
effective against ZUC.

ZUC does not change the last modification date when it infects a file,
so you cannot use the last modification dates in the Disinfectant
report to trace the source of a ZUC infection.

$_Other Changes in Version 1.7

Some people have used ResEdit to add a copy of the standard system WDEF
0 resource to Desktop files in an attempt to inoculate their disks
against the WDEF virus, even though we do not recommend this practice.
Version 1.6 incorrectly reported that such Desktop files were infected
by an unknown strain of WDEF. This problem has been fixed in version

Some of the nVIR clones have offensive names. These names appeared in
plain text in various resources in Disinfectant version 1.6, and caused
concern for some people who discovered them using ResEdit or a file
editor. Version 1.7 encodes the resources so that the names do not
appear in plain text.

Version 1.6 contained an error which could cause crashes, hangs,
unexpected error messages, or other unusual behavior in some
circumstances. The error is corrected in version 1.7.

$_How to Get a Copy of Version 1.7

Disinfectant 1.7 is available now via anonymous FTP from site
acns.nwu.edu [].  It will also be available soon on
sumex-aim, rascal, comp.binaries.mac, CompuServe, Genie, Delphi, BIX,
MacNet, America Online, Calvacom, AppleLink, and other popular sources
for free and shareware software.

Macinstosh users who do not have access to bulletin boards,
networks, user groups, or online services may obtain a copy of
Disinfectant by sending a self-addressed stamped envelope and an
800K floppy disk to the author at the address below.

John Norstad
Academic Computing and Network Services
Northwestern University
2129 Sheridan Road
Evanston, IL 60208

Bitnet: jln@nuacc
Internet: jln@acns.nwu.edu
CompuServe: 76666,573
AppleLink: A0173


SAM Intercept can also prevent infection by the ZUC virus (at least
version 2.0 with "standard" or higher protection turned on).  The
information below was provided by the author of SAM to the Virus-L
list and comp.virus.
- - - - - -
For SAM 2.0 users:

A new virus has recently been discovered (now named ZUC). If you
happen to run across the ZUC with SAM 2.0, you can expect to see the

1) If you are running in standard, advanced, or custom levels, SAM
will alert you to ZUC's attempt to change CODE resources within
applications when ZUC is trying to spread itself. Denying this attempt
with SAM keeps the infection from spreading.

2) If you have previously inoculated your applications with Virus
Clinic 2.0, then if ZUC has infected any files since inoculation (if,
for instance, you had SAM Intercept turned off or set to basic level),
then SAM will alert you to an inoculation discrepancy when you try to
launch the infected file.

3) SAM Virus Clinic will also alert you to a checksum change to any
infected files if you have turned on checksumming in the Virus Clinic

4) You can configure SAM (both Virus Clinic and Intercept) to find ZUC
during scans and application launches with the new virus definition
feature. Using the Add Virus Definition option in Virus Clinic, create
a new one with these fields:

     Virus Name:   ZUC
  Resource Type:   CODE
    Resource ID:   1
  Resource Size:   Any
  Search String:   4E56FF74A03641FA04D25290    (hexadecimal)
  String Offset:   Any

You can then add this definition to both Virus Clinic and SAM

One other note: SAM 2.0 also repairs files infected with multiple

Paul Cozza
SAM Author