7.1 Mac-specific system and file infectors (Viruses and the Mac)


This article is from the Viruses and the Mac FAQ, by David Harley D.Harley@icrf.icnet.uk with numerous contributions by others.

AIDS - infects application and system files. No intentional damage.
(nVIR B strain)

Aladin - close relative of Frankie

Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under
System 7.x, or System 6 under MultiFinder. Can damage applications
so that they can't be 100% repaired.

CDEF - infects desktop files. No intentional damage, and doesn't
spread under System 7.x.

CLAP: nVIR variant that spoofs Disinfectant to avoid detection
(Disinfectant 3.6 recognizes it).

Code 1: file infector. Renames the hard drive to "Trent Saburo".
Accidental system crashes possible.

Code 252: infects application and system files. Triggers when run
between June 6th and December 31st. Runs a gotcha message ("You
have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks...
[etc.]"), then self-deletes. Despite the message, no intentional
damage is done, though shutting down the Mac instead of clicking to
continue could cause damage. Can crash System 7 or damage files,
but doesn't spread beyond the System file. Doesn't spread under
System 6 with MultiFinder beyond System and MultiFinder. Can cause
various forms of accidental damage.

Code 9811: hides applications, replacing them with garbage files
named "something like 'FIDVCXWGJKJWLOI'." According to Ken Dunham
who reported this virus in November, "The most obvious symptom of
the virus is a desktop that looks like electronic worms and a
message that reads 'You have been hacked by the Pretorians.'"

Code 32767: once a month tries to delete documents. This virus is
not known to be in circulation.

Flag: unrelated to WDEF A and B, but was given the name WDEF-C in
some anti-virus software. Not intentionally damaging but when
spreading it overwrites any existing 'WDEF' resource of ID '0', an
action which might damage some files. This virus is not known to be
in circulation.

Frankie: only affects the Aladdin emulator on the Atari or Amiga.
Doesn't infect or trigger on real Macs or the Spectre emulator.
Infects application files and the Finder. Draws a bomb icon and
displays 'Frankie says: No more piracy!'

Fuck: infects application and System files. No intentional damage.
(nVIR B strain)

Init 17: infects System file and applications. Displays message
"From the depths of Cyberspace" the first time it triggers.
Accidental damage, especially on 68K machines.

Init 29 (Init 29 A, B): spreads rapidly. Infects system files,
applications, and document files (document files can't infect other
files, though). May display a message if a locked floppy is
accessed on an infected system: 'The disk "xxxxx" needs minor
repairs. Do you want to repair it?' No intentional damage, but can
cause several problems - multiple infections, memory errors, system
crashes, printing problems, MultiFinder problems, startup document

Init 1984: Infects system extensions (INITs). Works under Systems 6
and 7. Triggers on Friday 13th. Damages files by renaming them,
changing file TYPE and file CREATOR, creation and modification
dates, and sometimes by deleting them.

Init-9403 (SysX): Infects applications and Finder under systems 6
and 7. Attempts to overwrite whole startup volume and disk
information on all connected hard drives. Only found on Macs
running the Italian version of MacOS.

Init-M: Replicates under System 7 only. Infects INITs and
application files. Triggers on Friday 13th. Similar damage
mechanisms to INIT-1984. May rename a file or folder to "Virus
MindCrime". Rarely, may delete files.

MacMag (Aldus, Brandow, Drew, Peace): first distributed as a
HyperCard stack Trojan, but only infected System files. Triggered
(displayed a peace message and self-deleted) on March 2nd 1988, so
very rarely found.

MBDF (A,B): originated from the Tetracycle, Tetricycle or
"tetris-rotating" Trojan. The A strain was also distributed in
Obnoxious Tetris and Ten Tile Puzzle. Infect applications and
system files including System and Finder. Can cause accidental
damage to the System file and menu problems. A minor variant of
MBDF B appeared in summer 1997: Disinfectant and Virex have been
updated accordingly.

MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file
and application files (D doesn't infect System). No intentional
damage, but can cause crashes and damaged files.

MDEF-E and MDEF-F: described as simple and benign. They infect
applications and system files with an 'MDEF' resource ID '0', not
otherwise causing file damage. These viruses are not known to be in

nCAM: nVIR variant.

nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect
System and any opened applications. Extant versions don't cause
intentional damage. Payload is either beeping or (nVIR A) saying
"Don't panic" if MacInTalk is installed.

nVIR-f: nVIR variant.

prod: nVIR variant.

Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two
applications that were never generally released. Can cause
accidental damage, though - system crashes, problems printing or
with MacDraw and Excel. Infects applications, Finder, DA Handler.

SevenDust-A through G (MDEF 9806-A through D, also known as 666, E
was at first called "Graphics Accelerator"): a family of five
viruses which spread both through 'MDEF' resources and a System
extension created by that resource. The first four variants are not
known to be in circulation. Two of these viruses cause no other
damage. On the sixth day of the month, MDEF 9806-B may erase all
non-application files on the current volume. The SARC encyclopedia
calls MDEF 9806-C, "polymorphic and encrypted, no payload," and
MDEF 9806-D, "encrypting, polymorphic, symbiotic," and says the
symbiotic part, "alters a 'WIND' resource from the host
application." SevenDust E, not to be confused with the legitimate
ATI driver "Graphics Accelerator", began as a trojan horse released
to Info-Mac and deleted there on or about September 26, 1998. Takes
two forms, 'INIT' resource ID '33' in an extension named
"\001Graphics Accelerator" and an 'MDEF' resource ID '1' to '255'.
Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any
month, the virus will try to delete all non-application files on
the startup disk. John Dalgliesh describes "Graphics Accelerator"
on his Web page for AntiGax, a free anti-SevenDust E utility; any
errors here in translation are not his. SevenDust F uses a trojan
"ExtensionConflict", common extension names, and creator 'ACCE'. [SL]

T4 (A, B, C, D): infects applications, Finder, and tries to modify
System so that startup code is altered. Under System 6 and 7.0,
INITs and system extensions don't load. Under 7.0.1, the Mac may be
unbootable. Damage to infected files and altered System is not
repairable by Disinfectant. The virus masquerades as Disinfectant,
so as to spoof behaviour blockers such as Gatekeeper. Originally
included in versions 2.0/2.1 of the public domain game GoMoku.

T4-D spreads from application to application on launch by appending
itself to the 'CODE' resource. Deletes files other than the System
file from the System Folder, and documents, and is termed dangerous.
The D strain is not known to be in circulation [SL].

WDEF (A,B): infects desktop file only. Doesn't spread under System
7. No intentional damage, but causes beeping, crashes, font
corruption and other problems.

zero: nVIR variant.

Zuc (A, B, C): infects applications. When an infected application
is running and the mouse button is held down, the cursor moves
diagonally and uncontrollably across the screen. No other
intentional damage is done.