lotus



previous page: 7.5 Other Operating Systems, emulation on a Mac (Viruses and the Mac)
  
page up: Viruses and the Mac FAQ
  
next page: 7.7 Esperanto.4733 (Viruses and the Mac)

7.6 AutoStart 9805 Worms (Viruses and the Mac)




Description

This article is from the Viruses and the Mac FAQ, by David Harley D.Harley@icrf.icnet.uk with numerous contributions by others.

7.6 AutoStart 9805 Worms (Viruses and the Mac)

AutoStart 9805 is not a virus, but a worm: that is, it replicates
by copying itself, but doesn't attach itself parasitically to a
host program. The original took hold rapidly in Hong Kong and
Taiwan in April 1998, and has been reported on at least four
continents. In addition to the original worm, there are five
variants. Virus Bulletin, July, 1998, includes a comprehensive
analysis of AutoStart and some of its variants.

CIAC Bulletin I-067 is based on Eugene Spafford's information
release on the original AutoStart worm. Unfortunately,this is now a
little out-of-date, particularly as regards the update status of
the antivirus software it mentions. Nor does it mention any of the
subsequently discovered variants.
<http://www.ciac.org/>

Symptoms: Perhaps the most noticeable symptom of the worms is that
an infected system will _lock up and churn with unexplained disk
activity_ every 6, 10, or 30 minutes.[SL]

Affected platforms: any PowerMac. Macintoshes and clones driven by
Motorola 680x0 series CPUs can't run the replicative code. It works
under any version of Mac OS, if QuickTime 2.0 or later is installed
and CD-ROM AutoPlay is enabled in the "QuickTime Settings" Control
Panel.

Transmission media: HFS or HFS+ volumes (hard disks, diskettes,
most types of removable media, even disk images). Audio CDs can't
transmit the virus, and it isn't necessary to disable "Audio CD
AutoPlay".

Transmission method: infected media contain an invisible
application file named "DB" or "BD" or "DELDB" in the root
directory (type APPL, creator ????). This is an AutoStart file:
i.e. it will run automatically if CD-ROM autoplay is enabled. If
the host Mac isn't already infected, it copies itself to the
Extensions folder. The new copy is renamed "Desktop Print Spooler"
or "Desktop Printr Spooler", or "DELDesktop Print Spooler"
respectively (type appe, creator ????). Unlike the legitimate
Desktop Printer Spooler extension, the worm file has the invisible
attribute set, and isn't listed as a running process by the system
software, though it can be seen with Process Watcher or Macsbug.
After copying itself, it reboots the system and is now launched
every time the system restarts. At approximately 6, 10, or 30
minute intervals, it examines mounted volumes to see if they're
infected: if not, it writes itself to the root directory and sets
up AutoStart (however, AutoStart won't work on a server volume).

Damage: files with names ending "data", "cod" or "csa" are targeted
if the data fork is larger than 100 bytes. Files with names ending
"dat" are targeted if the whole file is c. 2Mb or larger. Targeted
files are attacked by overwriting the data fork (up to the 1st Mb)
with garbage.

Besides the original, there are five variants: AutoStart 9805-B,
which is less noticeable but can cause irreparable damage to files
of type 'JPEG', 'TIFF', and 'EPSF'; AutoStart 9805-C and AutoStart
9805-D which do not intentionally damage data; AutoStart 9805-E
which spreads like B and is most similar to the original; and
AutoStart 9805-F which is most similar to A and E.
Dr Solomon's, Sophos, and Symantec had descriptions on the Web:
<http://www.drsolomon.com/vircen/valerts/mac/>
<http://www.sophos.com/virusinfo/analyses/autostart9805.html>
<http://www.symantec.com/avcenter/data/autostart.9805.html>
Dead Mac Virus link cleaned.

Detection: updates to deal with the worms are available for Virex
(http://www.drsolomon.com/products/virex/), for NAV and SAM
(http://www.symantec.com/avcenter/download.html), and for Rival
(http://www.intego.com/).

The last versions of VirusScan for Mac and Disinfectant did not detect
AutoStart. [Reference to Dr Solomon's for Mac removed, as the product is
no longer supported.]

Prevention: uninfected systems can be protected by disabling the
AutoStart option in QuickTime settings (QuickTime 2.5 or later only
- earlier versions don't have a disable option). This should also
prevent infection by future malware exploiting the same loophole,
but will fail if a setup is booted from a volume with an infected
Extensions Folder [SL].

Removal: the easiest and safest method for most people will be to
use the updated version of their favoured anti-virus software, as
it becomes available.

The worms can be also be removed manually.
* Reboot with extensions disabled (hold down the shift key till an
alert box tells you that extensions are off).
* Use Find File to search all volumes for all instances of a file
called "DB" or "BD" or "DELDB" with the invisibility attribute set
(hold down Option key when clicking on "Name" pop-up menu to select
for visibility). Trash 'em.
* Use Find File to find and trash an invisible "Desktop Print
Spooler", "Desktop Printr Spooler", or "DELDesktop Print Spooler"
file (-not- Desktop Printer Spooler, which is a legitimate and
usually necessary system file).
* Empty the trash.
* Disable AutoStart in QuickTime Settings Control Panel.
* Restart.

 

Continue to:















TOP
previous page: 7.5 Other Operating Systems, emulation on a Mac (Viruses and the Mac)
  
page up: Viruses and the Mac FAQ
  
next page: 7.7 Esperanto.4733 (Viruses and the Mac)