Southern Connections

Macintosh File Viruses

• AIDS - infects application and system files.
• Aladin - close relative of Frankie.
• Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under system 7.x, or System 6 under MultiFinder. Can damage applications so that they can't be 100% repaired.
• CDEF - infects desktop files. No intentional damage, and doesn't spread under system 7.x.
• CLAP: nVIR variant that spoofs Disinfectant to avoid detection (Disinfectant 3.6 recognizes it).
• Code 1: file infector. Renames the hard drive to "Trent Saburo". Accidental system crashes possible.
• Code 252: infects application and system files. Triggers when run between June 6th and December 31st. Runs a gotcha message ("You have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks... [etc.]"), then self-deletes. Despite the message, no intentional damage is done, though Norstad points out that shutting down the Mac instead of clicking to continue could cause damage. Can crash System 7 or damage files, but doesn't spread beyond the System file. Doesn't spread under System 6 with MultiFinder beyond System and MultiFinder. Can cause various forms of accidental damage.
• Code 9811: hides applications, replacing them with garbage files named "something like 'FIDVCXWGJKJWLOI'." According to Ken Dunham who reported this virus in November, "The most obvious symptom of the virus is a desktop that looks like electronic worms and a message that reads 'You have been hacked by the Pretorians.'"
• Code 32767: once a month tries to delete documents. This virus is not known to be in circulation.
• Flag: unrelated to WDEF A and B, but was given the name WDEF-C in some anti-virus software. Not intentionally damaging but when spreading it overwrites any existing 'WDEF' resource of ID '0', an action which might damage some files. This virus is not known to be in circulation.
• Frankie: only affects the Aladdin emulator on the Atari or Amiga. Doesn't infect or trigger on real Macs or the Spectre emulator. Infects application files and the Finder. Draws a bomb icon and displays 'Frankie says: No more piracy!"
• Fuck: infects application and System files. No intentional damage. (nVIR B strain).
• Init 17: infects System file and applications. Displays message "From the depths of Cyberspace" the first time it triggers. Accidental damage, especially on 68K machines.
• Init 29 (Init 29 A, B): Spreads rapidly. Infects system files, applications, and document files (document files can't infect other files, though). May display a message if a locked floppy is accessed on an infected system 'The disk "xxxxx" needs minor repairs. Do you want to repair it?'. No intentional damage, but can cause several problems - Multiple infections, memory errors, system crashes, printing problems, MultiFinder problems, startup document incompatibilities.
• Init 1984: Infects system extensions (INITs). Works under Systems 6 and 7. Triggers on Friday 13th. Damages files by renaming them, changing file TYPE and file CREATOR, creation and modification dates, and sometimes by deleting them.
• Init-9403 (SysX): Infects applications and Finder under systems 6 and 7. Attempts to overwrite whole startup volume and disk information on all connected hard drives. Only found on Macs running the Italian version of MacOS.
• Init-M: Replicates under System 7 only. Infects INITs and application files. Triggers on Friday 13th. Similar damage mechanisms to INIT-1984. May rename a file or folder to "Virus MindCrime". Rarely, may delete files.
• MacMag (Aldus, Brandow, Drew, Peace): first distributed as a HyperCard stack Trojan, but only infected System files. Triggered (displayed a peace message and self-deleted) on March 2nd 1988, so very rarely found.
• MBDF (A,B): originated from the Tetracycle, Tetricycle or "tetris-rotating" Trojan. The A strain was also distributed in Obnoxious Tetris and Ten Tile Puzzle. Infect applications and system files including System and Finder. Can cause accidental damage to the System file and menu problems. A minor variant of MBDF B appeared in summer 1997.
• MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file and application files (D doesn't infect System). No intentional damage, but can cause crashes and damaged files.
• MDEF-E and MDEF-F: described as simple and benign. They infect applications and system files with an 'MDEF' resource ID '0', not otherwise causing file damage. These viruses are not known to be in circulation.
• nCAM: nVIR variant
• nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect System and any opened applications. Extant versions don't cause intentional damage. Payload is either beeping or (nVIR A) saying "Don't panic" if MacInTalk is installed.
• nVIR-f: nVIR variant.
• prod: nVIR variant.
• Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two applications that were never generally released. Can cause accidental damage, though - system crashes, problems printing or with MacDraw and Excel. Infects applications, Finder, DA Handler.
• SevenDust-A through G (MDEF 9806-A through D, also known as 666, E was at first called "Graphics Accelerator"): a family of five viruses which spread both through 'MDEF' resources and a System extension created by that resource. The first four variants are not known to be in circulation. Two of these viruses cause no other damage. On the sixth day of the month, MDEF 9806-B may erase all non-application files on the current volume. The SARC encyclopedia calls MDEF 9806-C, "polymorphic and encrypted, no payload," and MDEF 9806-D, "encrypting, polymorphic, symbiotic," and says the symbiotic part, "alters a 'WIND' resource from the host application." SevenDust E, not to be confused with the legitimate ATI driver "Graphics Accelerator", began as a trojan horse released to Info-Mac and deleted there on or about September 26, 1998. Takes two forms, 'INIT' resource ID '33' in an extension named "\001Graphics Accelerator" and an 'MDEF' resource ID '1' to '255'. Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any month, the virus will try to delete all non-application files on the startup disk. John Dalgliesh describes "Graphics Accelerator" on his Web page for AntiGax, a free anti-SevenDust E utility; any errors here in translation are not his. SevenDust F uses a trojan "ExtensionConflict", common extensions names, and creator 'ACCE'.[SL]
• T4 (A, B, C, D): infects applications, Finder, and tries to modify System so that startup code is altered. Under System 6 and 7.0, INITs and system extensions don't load. Under 7.0.1, the Mac may be unbootable. Damage to infected files and altered System is not repairable by Disinfectant. The virus masquerades as Disinfectant, so as to spoof behaviour blockers such as Gatekeeper. Originally included in versions 2.0/2.1 of the public domain game GoMoku. T4-D spreads from application to application on launch by appending itself to the 'CODE' resource. Deletes files other than the System file from the System Folder, and documents, and is termed dangerous. The D strain is not known to be in circulation [SL].
• WDEF (A,B): infects desktop file only. Doesn't spread under System 7. No intentional damage, but causes beeping, crashes, font corruption and other problems.
• zero: nVIR variant.
• Zuc (A, B, C): infects applications. The cursor moves diagonally and uncontrollably across the screen when the mouse button is held down when an infected application is run. No other intentional damage is done.

Macintosh Trojan Horses

• ChinaTalk - system extension - supposed to be sound driver, but actually deletes folders.
• CPro - supposed to be an update to Compact Pro, but attempts to format currently mounted disks.
• ExtensionConflict - supposed to identify Extensions conflicts, but installs one of the six SevenDust a.k.a. 666 viruses.
• FontFinder - supposed to lists fonts used in a document, but actually deletes folders.
• MacMag - HyperCard stack (New Apple Products) that was the origin of the MacMag virus. When run, infected the System file, which then infected System files on floppies. Set to trigger and self-destruct on March 2nd, 1988, so rarely found.
• Mosaic - supposed to display graphics, but actually mangles directory structures.
• NVP - modifies the System file so that no vowels can be typed. Originally found masquerading as 'New Look', which redesigns the display.
• Steroid - Control Panel - claims to improve QuickDraw speed, but actually mangles the directory structure.
• Tetracycle - implicated in the original spread of MBDF.
• Virus Info - purported to contain virus information but actually trashed disks. Not to be confused with Virus Reference.
• Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which disables PostScript printers and requires replacement of a chip on the printer logic board to repair. A Mac virus guru says:
• "The PostScript 'Trojan' was basically a PostScript job that toggled the printer password to some random string a number of times. Some Apple laser printers have a firmware counter that allows the password to only be changed a set number of times (because of PRAM behavior or licensing -- I don't remember which), so eventually the password would get "stuck" at some random string that the user would not know. I have not heard any reports of anyone suffering from this in many years."
• AppleScript Trojans - A demonstration destructive compiled AppleScript was posted to the newsgroups alt.comp.virus, comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh, microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and symantec.support.mac.sam.general on 16-Aug-97, apparently in response to a call for help originally posted to alt.comp.virus on 14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch published Xavier Bury's finding of a second AppleScript trojan horse, which, like the call for help followup, mentioned Hotline servers. It reportedly sends out private information while running in the background. A note to users from Hotline Communications CEO Adam Hinkley was formerly posted at http://www.macvirus.com/news/press/970903a.html AppleScripts should be downloaded only from known trusted sources. It is nigh impossible for an average person to know what any given compiled script will do.

Macintosh Worms

• AutoStart 9805 is the best know and probably the most destructive. It is a worm because it replicates by copying itself. It does not attach itself parasitically to a host program. Ther are at lesat five variants. It can infect any PowerMac. It travels on any HFS or HFS+ volume, but not on audio CDs. It targets and wries over files whose names end in "data", "cod" or "csa." variants target image files.

Macintosh HyperCard Viruses

• Dukakis - infects the Home stack, then other stacks used subsequently. Displays the message "Dukakis for President", then deletes itself, so not often seen.
• HC 9507 - infects the Home stack, then other running stacks and randomly chosen stacks on the startup disk. On triggering, displays visual effects or hangs the system. Overwrites stack resources, so a repaired stack may not run properly.
• HC 9603 - infects the Home stack, then other running stacks. No intended effects, but may damage the Home stack.
• HC "Two Tunes" (referred to by some sources as "Three Tunes") - infects stack scripts. Visual/Audio effects: 'Hey, what are you doing?' message; plays the tune "Muss I denn"; plays the tune "Behind the Blue Mountains"; displays HyperCard toolbox and pattern menus; displays 'Don't panic!' fifteen minutes after activation. Even sources which describe this virus as "Three Tunes" seem to describe the symptoms consistently with the description here, but we will, for completeness, attempt to resolve any possible confusion when time allows. This virus has no known with the PC file infector sometimes known as Three Tunes.
• MerryXmas - appends to stack script. On execution, attempts to infect the Home stack, which then infects other stacks on access. There are several strains, most of which cause system crashes and other anomalies. At least one strain replaces the Home stack script and deletes stacks run subsequently. Variants include Merry2Xmas, Lopez, and the rather destructive Crudshot. [Ken Dunham discovered the merryXmas virus. His program merryxmasWatcher 2.0 was very popular and still can eradicate the most common two strains, merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest this family.]
• Antibody is a recent virus-hunting virus which propagates between stacks checking for and removing MerryXmas, and inserting an inoculation script.
• Independance (sic) Day - reported in July, 1997. It attempts to to be destructive, but fortunately is not well enough written to be more than a nuisance. More information at: http://www.hyperactivesw.com/Virus1.html#IDay.
• Blink - reported in August, 1998. Nondestructive but spreads; infected stacks blink once per second starting in January, 1999.
• WormCode, a nondestructive HyperCard infector, was reported in February 2000. More information at: http://www.hyperactivesw.com/Virus1.html.

Key Vulnerabilities

• Using Microsoft Internet Explorer can create several known security problems, whether it is used on Mac OS 8.x, Mac OS 9.x or any version of OS X. Patches for the known problems have been provided by Microsoft. Unfortunately, new and very serious problems that are easily exploited seem to appear regularly.
• Using the builtin Web server (exporting the Web folder) on either Mac OS 9.x or Mac OS X can open your local machine's hard drives to outsiders. This can be prevented. Some expertise and great care are required, however.