previous page: 7.2 HyperCard infectors (Viruses and the Mac)
page up: Viruses and the Mac FAQ
next page: 7.4 Macro viruses, trojans, variants (Viruses and the Mac)

7.3 Mac Trojan Horses (Viruses and the Mac)


This article is from the Viruses and the Mac FAQ, by David Harley D.Harley@icrf.icnet.uk with numerous contributions by others.

7.3 Mac Trojan Horses (Viruses and the Mac)

These are often unsubtle and immediate in their effects: while
these effects may be devastating, Trojans are usually very
traceable to their point of entry. The few Mac-specific Trojans are
rarely seen, but of course the commercial scanners generally detect

ChinaTalk - system extension - supposed to be sound driver, but
actually deletes folders.

CPro - supposed to be an update to Compact Pro, but attempts to
format currently mounted disks.

+ ExtensionConflict - supposed to identify Extensions conflicts, but
installs one of the six SevenDust a.k.a. 666 viruses.

FontFinder - supposed to lists fonts used in a document, but
actually deletes folders.

MacMag - HyperCard stack (New Apple Products) that was the origin
of the MacMag virus. When run, infected the System file, which then
infected System files on floppies. Set to trigger and self-destruct
on March 2nd, 1988, so rarely found.

Mosaic - supposed to display graphics, but actually mangles
directory structures.

NVP - modifies the System file so that no vowels can be typed.
Originally found masquerading as 'New Look', which redesigns the

Steroid - Control Panel - claims to improve QuickDraw speed, but
actually mangles the directory structure.

Tetracycle - implicated in the original spread of MBDF

Virus Info - purported to contain virus information but actually
trashed disks. Not to be confused with Virus Reference.

Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which
disables PostScript printers and requires replacement of a chip on
the printer logic board to repair. A Mac virus guru says:

"The PostScript 'Trojan' was basically a PostScript job that
toggled the printer password to some random string a number of
times. Some Apple laser printers have a firmware counter that
allows the password to only be changed a set number of times
(because of PRAM behavior or licensing -- I don't remember which),
so eventually the password would get "stuck" at some random string
that the user would not know. I have not heard any reports of
anyone suffering from this in many years."

AppleScript Trojans - A demonstration destructive compiled
AppleScript was posted to the newsgroups alt.comp.virus,
comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh,
microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and
symantec.support.mac.sam.general on 16-Aug-97, apparently in
response to a call for help originally posted to alt.comp.virus on
14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch
published Xavier Bury's finding of a second AppleScript trojan
horse, which, like the call for help followup, mentioned Hotline
servers. It reportedly sends out private information while running
in the background. A note to users from Hotline Communications CEO
Adam Hinkley is posted at
AppleScripts should be downloaded only from known trusted sources.
It is nigh impossible for an average person to know what any given
compiled script will do.


Continue to:

previous page: 7.2 HyperCard infectors (Viruses and the Mac)
page up: Viruses and the Mac FAQ
next page: 7.4 Macro viruses, trojans, variants (Viruses and the Mac)