PAGEMAKR: PageMaker for Desktop Publishers
About This Site

Maintained by Peter C.S. Adams and Gordon Woolf.

Viruses and the Desktop Publisher

by Peter C.S. Adams <adamsp@cs.umb.edu>

Virus News

Virus Encyclopedias & Anti-Virus Software

Real Threats
  • CIAC Advisories
  • IBM anti-virus Research Center
  • FedCIRC
  • Virus Bulletin
  • Joe Wells Virus Encyclopedia
  • Joe Wells Wild List

Hoaxes
  • Hoaxes & Myths
  • Urban Legends
  • Urban Legends Reference Pages
  • Hoax Kill

Mac Info & Software
  • Mac Virus FAQ
  • Virex
  • Sophos Antivirus
  • Norton Antivirus
  • Tech Tool Pro

Windows Info & Software
  • AVG Pro (free edition available)
  • Sophos Antivirus
  • DataFellows (F-Prot)
  • Trend Micro
  • Symantec
  • Network Associates (McAfee)
  • Antiviral Toolkit Pro
  • Project VGrep
  • Quarterdeck
  • Stiller Research
  • Cheyenne
  • NOD32 Antivirus

(Yes, it's "viruses." In Latin, "virus" was a mass word like "air"; there was no plural. It is only in modern usage that "virus" has come to mean a thing, something capable syntactically of taking a plural form. Hence Latin rules do not apply; English ones do, making the correct plural "viruses." For more information on the "correct" plural of "virus," see what the authors of Perl and the folks at Dictionary.com have to say on the matter.)


Viruses are of particular interest to the desktop publisher because we frequently exchange disks with clients, open other people's Word files to edit them, and receive unsolicited files via email — all examples of "at risk" behavior. Everyone should practice "safe computing" and Windows users especially should make certain their anti-virus software is kept up to date. A list of vendors and informational sites can be found in the sidebar on the right.

That said, viruses pose no specific threat to PageMaker users. There is no PageMaker virus, and for the most part PageMaker users are at low risk. There are, however, four major areas of concern:

  • Import problems: Word files infected with macro viruses can prevent PageMaker from importing them, or cause other strange problems. Example: you open a client's file to save it as RTF and then import it into PageMaker. Later, you find the word "Wazzu" scattered throughout the publication.

  • Loss of data: any virus represents a possible risk to your data, whether it actively does damage or simply causes crashes.

  • Nuisance factor: If you are receiving viruses via email, they can tie up your internet connection, and if you are spreading them, your ISP may cancel your account without warning.

  • Loss of business: there are few better ways to lose a customer's confidence than to inadvertently mass mail them the latest email virus or send them a disc infected with a virus.

Therefore, you should be wary and heed some commonsense advice.

Viruses and the Mac

In general, viruses are not a major problem on the Mac, with the following exceptions:

  • Virus hoaxes and Melissa-style macros, while not destructive, are still time wasters.

  • Word macro viruses can replicate and run in Word 6, Word98, and Word 2001 for the Mac, just as they can in their Windows counterparts. In most cases, the virus' payload is broken or non-destructive; however, this is not true of viruses like "Wazzu" which alter the Word document itself. These are just as destructive on the Mac as they are under Windows.

  • The "Autostart" worm of 1998-99 is still occasionally found on machines running old anti-virus software, although it can no longer spread in newer versions of the Mac OS. See below for more information on Autostart.

  • There are occasionally new viruses and outbreaks of oldies like MDEF.

  • Trojan Horses, while not as common as they are in Windows, are just as dangerous.

This is not to say that virus problems will not recur in the Mac world. The "Simpsons" worm was moderately clever, but far too slow and easy to detect and remove to be considered a real threat. However, Mac users should still be cautious. Practice "safe computing" and be as aware as PC users of Word macro viruses and email worms.

This is especially true for Mac OS X users. First, there are no on-access virus scanners for Mac OS X, only on-demand scanners. Second, as a relatively new operating system, Mac OS X is relatively untested. Mac OS 9 and the FreeBSD base of Mac OS X are considered highly secure, but, as the Software Update Security Vulnerability showed, it takes time to shake down an OS in the real world.

Viruses and Windows PCs

Viruses have been a huge and destructive problem for Wintel PCs since the "Brain" virus appeared in the early '80s. These viruses fall into five main categories, described in the sections that follow.

Because few people boot computers from floppy disks today, you will rarely see a boot sector virus. The others, however, are a different matter. Word macro viruses are cross platform and can access nearly any function on the PC, including formatting the disk. The same is true of email and other worms. Therefore, PC users should be especially wary and pay close attention to virus warnings from reputable sources and keep their anti-virus software up to date.

Boot Sector Viruses

These are thankfully quite rare today.

  • floppy disks
  • Form

Word Macro Viruses

Until "Melissa," these were the most common virus threats.

Email “Worms”

These are not technically viruses because they do not infect other files, but rather spread by making copies of themselves, making them "worms." (But who cares?)

In virtually every case, the virus writer attempts to trick you into manually activating the attached file.

  • Naked Wife
  • Sircam -- real file name
  • Yahoo.com

Trojan Horses

Like the famous horse filled with enemy soldiers for which they were named, this type of threat is neither a virus nor a worm, but a real threat nonetheless.

Miscellaneous Security Issues

  • Quicken/ActiveX
  • web scripting host
  • code red-nimda
  • firewall

--------------------------------

Well, you can go to

One point well-made concerns anti-virus software particularly:

Am I saying that anti-virus software is useless? For most people, yes. If you follow the guidelines in this issue, and you handle only attachments that contain photos or sound/music files, anti-virus software is a waste of money and can make your computer slower and less reliable.

If you deal with word processor files or spreadsheets, if you (or your kids) download software then using an anti-virus program may be a good idea. But be aware that it can only protect you from the viruses it KNOWS about. I've heard from LOTS of people who faithfully kept their anti-virus software updated, but they still got the ILOVEYOU virus (or one of the many variants) because of careless email handling.

For those who are sitting at Macs saying, "It can't happen here," I'd just like to remind you that every script kiddie on the planet has a copy of Red Hat or Mandrake, and isn't that pretty much what OS X is based on? Linux? I expect it's just a matter of time (months, not years).

this would not be enough now if you use unpatched Outlook, OE and IE - as 90% of users probably do. The Klez.h worm - just spotted in the wild - can start its attack when you simply *read* the infected message, thanks to the IFRAME vulnerability in the Internet Explorer security system. I just got a warning from Kaspersky Labs:

This special feature practically discounts the human factor and many times over raises the effectiveness of Klez.h to infect and to spread


Mac "Virus" Autostart 9805

There is a significant new piece of malicious code ("malware") for the Macintosh for the first time in several years, commonly called the "Hong Kong virus," since it originated there. This is not technically a virus, however, but a worm, so its official designation is "Autostart 9805 worm."

Note: the worm can ONLY spread on Power Macs running QuickTime 2.0 or greater. Damage ranges from slowdowns due to excessive disk and network activity to irretrievable data loss from the worm overwriting files with garbage.

Dr. Solomon's was the first anti-virus vendor to introduce protection against this worm, but other vendors have caught up. Check with your anti-virus vendor for details. If you choose, you can find and remove this worm manually. Instructions follow, after a technical overview.

Technical Information

The Autostart 9805 worm was discovered earlier this month in Hong Kong. It spreads rapidly and has already been reported in Vancouver, B.C. It can spread to and from any mountable Macintosh volume, including floppy disks and Zip disks, except audio CDs. CD-ROMs can carry the infection, but cannot be infected, since they are read-only. An infected Mac can infect a file server (assuming the Mac is logged in with appropriate access); however, mounting the file server cannot then infect another Mac.

It spreads through the "autorun" feature introduced in QuickTime 2.0 which allows CDs (and, apparently, ANY mountable volume) to run a program automatically. Beginning in QuickTime 2.5, this feature can be turned off, so it is recommended that if you are running QuickTime 2.0, upgrade to 2.5 (or 3.0) and turn OFF the "Enable CD-ROM Autoplay" option in the QuickTime Settings control panel. (It is safe to leave the "Enable Audio CD Autoplay" feature on, since audio CDs cannot be infected.) However, this will not protect you if you boot from an infected volume, since the payload is carried in the System Folder of the infected Mac.

When a volume is mounted and CD-ROM Autoplay is enabled, the Macintosh will attempt to run an invisible file named "DB," located in the root directory of the volume. Upon launch, DB checks to see whether the Mac is already infected. If not, it copies itself to the Extensions folder, renames itself "Desktop Print Spooler," and restarts the computer. From then on, the "Desktop Print Spooler" background application is automatically launched at startup. About every thirty minutes, it examines any mounted volumes. If any are not already infected, it attempts to infect them by copying itself to the root directory and turning on the disk's "CD-ROM Autoplay" feature.

Autostart 9805 can be identified by some or all of the following symptoms:

  1. The system unexpectedly restarts after mounting a diskette or other volume. (This will only happen when the initial infection occurs.)
  2. The "DB" application name flashes briefly in the menu bar when a disk is mounted. This is the Finder launching the application "DB."
  3. Extensive, unexplained disk activity occurs every 30 minutes. If server volumes are mounted, there will also be unusual network activity as indicated by flashing arrows in the upper left-hand corner of the menu bar.
  4. An invisible application file named "DB" exists on the root of disk volumes, or the invisible "Desktop Print Spooler" file appears in the Extensions folder. Any file or disk utility, such as ResEdit or Norton Disk Doctor, that shows invisible files in its file selection dialogs can be used to check for the files. ("Desktop Print Spooler" should not be confused with the legitimate, visible "Desktop Printer Spooler" file, which is part of the Mac OS.)
  5. A process named "Desktop Print Spooler" exists when using Process Watcher or Macsbug. (This should not be confused with the legitimate process named "Desktop Printer Spooler," which is part of the Mac OS.)
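
The file-name indicators in symptom 4 can be checked with a script when a suspect volume is mounted on a system that exposes it as an ordinary directory tree. The Python below is an added example, not code from the original page; it assumes a plain POSIX path view of the volume, so it cannot read the Finder type ("APPL") and treats a match as something to confirm with ResEdit or a disk utility rather than as proof of infection. The sample volume it builds is constructed test data, and the function names are my own.

```python
"""Scan a directory tree for the file names the Autostart 9805 worm leaves behind.

Added example (not from the original page).  It reproduces symptom 4 as code:
an application named "DB" at the volume root and a "Desktop Print Spooler" in
the Extensions folder.  On the Mac those files are invisible and have Finder
type "APPL"; this script assumes a POSIX view of the volume and cannot read
the Finder type, so a hit is an indicator to confirm, not proof of infection.
"""
import os
import tempfile

WORM_ROOT_FILE = "DB"
WORM_EXTENSION = "Desktop Print Spooler"      # the worm's disguised copy
LEGIT_EXTENSION = "Desktop Printer Spooler"   # genuine Mac OS file; must not be flagged
EXTENSIONS_DIR = os.path.join("System Folder", "Extensions")


def scan_volume(root):
    """Return a list of (indicator, path) tuples for files matching the worm's names."""
    findings = []
    db_path = os.path.join(root, WORM_ROOT_FILE)
    if os.path.isfile(db_path):
        findings.append(("autostart-db-file", db_path))
    ext_dir = os.path.join(root, EXTENSIONS_DIR)
    if os.path.isdir(ext_dir):
        for name in os.listdir(ext_dir):
            # exact match only: "Desktop Printer Spooler" is the legitimate file
            if name == WORM_EXTENSION:
                findings.append(("autostart-extension", os.path.join(ext_dir, name)))
    return findings


def build_sample_volume(infected):
    """Create a temporary directory laid out like a Mac volume (constructed test data)."""
    root = tempfile.mkdtemp(prefix="macvol-")
    ext_dir = os.path.join(root, EXTENSIONS_DIR)
    os.makedirs(ext_dir)
    # the legitimate spooler is present on every volume, infected or not
    open(os.path.join(ext_dir, LEGIT_EXTENSION), "w").close()
    if infected:
        open(os.path.join(root, WORM_ROOT_FILE), "w").close()
        open(os.path.join(ext_dir, WORM_EXTENSION), "w").close()
    return root


def indicator_names(root):
    """Just the indicator labels found on a volume, sorted for easy comparison."""
    return sorted(kind for kind, _ in scan_volume(root))


if __name__ == "__main__":
    for label, flag in (("clean", False), ("infected", True)):
        volume = build_sample_volume(flag)
        print(label, scan_volume(volume))
```

Point scan_volume at the mount point of each volume you have used recently; a clean volume returns an empty list, and the legitimate "Desktop Printer Spooler" never matches because the comparison is exact.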

Manually removing Autostart

If you find an infection, immediately reboot the Mac with extensions off (hold down the Shift key at startup until you see the message "Extensions Off") or, better, from a locked floppy disk or CD-ROM without QuickTime installed. A Norton Utilities Emergency Disk would be ideal. Using a utility capable of changing file attributes, such as Norton Disk Doctor, find the invisible "DB" file in the root directory and the invisible "Desktop Print Spooler" file in the Extensions folder (not the legitimate "Desktop Printer Spooler," which is not invisible), make them visible, and change their types from "APPL" (application) to something else, like "JUNK." Once this is done, reboot again with extensions off and delete the files, which should now be visible. Repeat this process for each volume you have used recently which might be infected.

Reboot once again and the virus should be gone, but it would be wise to double-check!

For more information, see:


Mac OS Software Update Security Vulnerability

On July 8, 2002 several Mac sites reported that users of Apple's Mac OS X Software Update feature could be unwittingly downloading and updating their systems with code produced by hackers. The problem was that Apple's Software Update made an insecure connection to the Apple web site to download software. Users of this feature were advised to stop using it until a patch was available from Apple. Fortunately, Apple released a patch very shortly thereafter, and since then has been better about discussing Mac OS X security on its web site.

Following is the description and interim solution posted to the PAGEMAKR mailing list.

The Problem

Software Update periodically checks with the Apple web site for new updates, downloads them and installs them, which is a great convenience. However, the transaction is made via an unauthenticated HTTP stream. This is not generally a problem, but on a large network a hacker could use one of several techniques, such as "DNS spoofing" and "DNS cache poisoning," to misdirect the user's request to a rogue machine on the network rather than to Apple's site, tricking the user into installing a malicious program posing as an update from Apple. Once the user enters the administrative password, the update runs with full privileges and can do anything from erasing the hard disk to changing the administrative password. The problem exists in both Mac OS 9 and Mac OS X, but the Unix underpinnings of Mac OS X make the rogue code easier to produce.

Real World Risk

This is potentially a very serious problem, and rather embarrassing, as Apple recently submitted Mac OS X to the U.S. government's National Information Assurance for security testing pursuant to becoming an approved vendor for sensitive government agencies!

Fortunately, the exploit is not nearly as easy as the news sites have made it sound, and, in general, can only be done from within your local network. Add to this the fact that Software Update only runs periodically and requires user intervention and a password, and the timing would have to be perfect for the IP misdirection to work. While the potential risk is huge, the real world risk is very low for most users.

However, Apple clearly needs to add some sort of security, such as Kerberos, to this scheme to prevent even one Mac user from downloading a rogue update; so far, no such incident has been reported in the real world.

Recommendations

You can still use Software Update, but rather than letting it download updates and apply them for you, you should manually apply any updates and remove them from Software Update. Here's the procedure:

  1. Run Software Update and ask it for updates. Jot down the names of the ones that are available.
  2. Go to the Apple web site and manually download the updates you want.
  3. In Software Update, select the updates you downloaded and choose "Make Inactive" from the Update menu.
  4. Quit Software Update and apply your patches.

In addition, you can edit your local hosts table to add the Apple Software Update server. This should prevent your Mac from ever querying the DNS and therefore ever being fooled by a spoofed IP address. Here is the correct server information:

swscan.apple.com = 204.179.120.95

See the following Apple knowledgebase articles:

Since the exploit relies on the fact that Software Update must query a domain name server to resolve an IP address, this should work. However, it would cause Software Update to fail if Apple changed the IP address of the server.

To find out if you are being pointed to a rogue server, use an internet utility such as Network Utility (Mac OS X) or WhatRoute (Mac OS 9) to look up swscan.apple.com and verify that the IP address returned by the DNS server is the proper IP address (currently 204.179.120.95).


Adding the Software Update Server to your local Mac OS X Machine

From the Apple Knowledgebase article "How to add hosts to your local NetInfo Database"

  1. Open /Applications/Utilities/NetInfo Manager.
  2. To allow editing the NetInfo database, click the padlock in the lower left corner of the window.
  3. Enter your Admin password and click OK.
  4. In the second column of the browser view, select the node named "machines." You will see entries for -DHCP-, broadcasthost, and localhost in the third column.
  5. The quickest way to create a new entry is to duplicate an existing one. So select the "localhost" item in the third column.
  6. Choose Duplicate from the Edit menu. A confirmation alert appears.
  7. Click Duplicate. A new entry called "localhost copy" appears, and its properties are shown below the browser view.
  8. Double-click the value of the ip_address property and enter the IP address of the other computer.
  9. Double-click the value of the name property and enter the hostname you want for the other computer.
  10. Click the serves property and choose Delete from the Edit menu.
  11. Choose Save from the Domain menu. A confirmation alert appears.
  12. Click Update this copy.
  13. Repeat steps 6 through 12 for each additional host entry you wish to add.
  14. Choose Quit from the NetInfo Manager menu. You do not need to restart the computer.

Note: If you have a number of hosts that you wish to add, you can use the niload command to add them. The file needs to be a standard UNIX hosts file. For instance, if you have a hosts file named 'hosts.txt' you can enter the following command in Terminal to load the hosts into your local NetInfo database:

sudo niload hosts . < hosts.txt
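
Both the standard UNIX hosts file that niload reads and the lookup check from the Recommendations section (does swscan.apple.com resolve to 204.179.120.95?) can be exercised with a short script. The Python below is an added example, not from the original page, from Apple, or from the PAGEMAKR list; the hosts file it parses and the resolver answers it checks are constructed so that it runs offline, and the function names are my own. It assumes the page's address for swscan.apple.com, so, as the text notes, the pin breaks if Apple moves the server.

```python
"""Build and parse a standard UNIX hosts file, and check resolver answers
against a pinned address.  Added example; not code from the original page.

The pinned mapping is the page's own value for the Software Update server.
The sample hosts text and the resolver answers are constructed test data.
"""
import ipaddress

PINNED = {"swscan.apple.com": "204.179.120.95"}   # value given on the page


def hosts_line(ip, hostname, *aliases):
    """Format one hosts-file line: address, canonical name, optional aliases."""
    ipaddress.ip_address(ip)   # raises ValueError on a malformed address
    return " ".join([ip, hostname, *aliases])


def parse_hosts(text):
    """Parse hosts-file text into {hostname: ip}.

    Comments ("# ..."), blank lines, lines with no hostname and lines whose
    first field is not an IP address are skipped rather than loaded.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue          # an address with no name is useless
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue          # malformed address; do not load it
        for name in names:
            table[name.lower()] = ip
    return table


def check_resolution(hostname, answers, pinned=PINNED):
    """Compare the addresses a resolver returned for hostname with the pin.

    Returns "ok" when every answer is the pinned address, "mismatch" when any
    answer differs (the symptom of a spoofed lookup), "unpinned" when the host
    has no pinned address to compare against.
    """
    expected = pinned.get(hostname.lower())
    if expected is None:
        return "unpinned"
    return "ok" if set(answers) == {expected} else "mismatch"


# constructed sample hosts.txt, the format "niload hosts ." expects
SAMPLE_HOSTS = """\
# local overrides
127.0.0.1   localhost
204.179.120.95  swscan.apple.com   # Apple Software Update server
not-an-ip   bogus.example
"""

if __name__ == "__main__":
    print(hosts_line("204.179.120.95", "swscan.apple.com"))
    print(parse_hosts(SAMPLE_HOSTS))
    # both answer lists below are constructed; 192.0.2.17 stands in for a rogue host
    print(check_resolution("swscan.apple.com", ["204.179.120.95"]))
    print(check_resolution("swscan.apple.com", ["192.0.2.17"]))
```

For a live check of your own resolver, replace the constructed answer list with the third element of socket.gethostbyname_ex("swscan.apple.com"); a "mismatch" result is the signal the text describes as being pointed at a rogue server, and is worth checking against a second DNS server before trusting either.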


All rights reserved. Unless otherwise specified, all contents copyright © 1993–2008 Peter C.S. Adams
Last modified March 16, 2004
