
Viruses and the Mac FAQ


Susan Lesch

Aug 7, 1998, 3:00:00 AM
Archive-name: computer-virus/macintosh-faq
Posting-Frequency: Fortnightly
Last-modified: Wed, 22 Jul 1998 22:41 PDT
URL: http://www.macvirus.com/reference/
http://www.webworlds.co.uk/dharley/
Copyright: Copyright 1996-1998 by David Harley and contributors
Maintainer: David Harley <D.Ha...@icrf.icnet.uk> and Susan Lesch <le...@macvirus.com>


Viruses and the Macintosh
=========================

Version 1.5g: 22nd July 1998
David Harley

[Significant changes from the previous version are flagged with +
symbols in the first two columns at the start of the relevant
line or section. Amendments of minor grammatical or syntactical
errors are not flagged unless they affect factual accuracy or
clarity.]

++
Sections tagged with [DH] or [SL] usually denote personal opinions
or other data which the originator doesn't feel the other maintainer
should be held responsible for. Untagged sections using the first
person are usually hangovers from when DH was sole maintainer of the
FAQ.

David Harley

Table of Contents
-----------------

1. Copyright Notice
2. Preface
3. Availability of this FAQ
4. Mission Statement
5. Where to get further information.
5.1 alt.comp.virus FAQ
5.2 VIRUS-L/comp.virus FAQ
5.3 Disinfectant on-disk manual
5.4 Virus Test Center, Hamburg
5.5 "Robert Slade's Guide to Computer Viruses"
5.6 Web Pages with Macintosh virus information
5.7 Virus Bulletin
5.8 Information on macro viruses
5.9 Kevin Harris's Virus Reference (HyperCard stack)
5.10 McAfee Mac Virus Encyclopaedia
5.11 Other resources
6. How many Mac viruses are there?
7. What viruses can affect Mac users?
++ 7.1 Mac-specific system and file infectors
7.2 HyperCard Infectors
7.3 Mac Trojans
7.4 Macro viruses, trojans, variants
7.5 Other, when emulation is run on a Mac
++ 7.6 AutoStart 9805 Worms
++ 7.7 Esperanto.4733
8. What's the best antivirus package for the Macintosh?
9. Welcome Datacomp
10. Hoaxes and myths
10.1 Good Times virus
10.2 Modems and Hardware viruses
10.3 E-mail viruses
10.4 JPEG/GIF viruses
10.5 Hoaxes Help
11. Glossary
12. General Reference Section.
12.1 Mac Newsgroups and FAQs
12.2 References
12.3 Other Relevant Publications
13. Holes to Plug
13.1 Mac Troubleshooting

1.0 Copyright Notice
--------------------

Copyright on this document remains with the author(s), and all
rights are reserved. However, it may be freely distributed
and quoted - accurately, and with due credit.

It may not be reproduced for profit or distributed in part or as
a whole with any product for which a charge is made, except with
the prior permission of the copyright holder(s). To obtain such
permission, please contact the maintainers of the FAQ.

Primary author of this document is David Harley, who at present
co-maintains it with contributor Susan Lesch. Comments and
additional material have been received with gratitude from Ronnie
Sutherland, Henri Delger, Mike Groh and Eugene Spafford. Thanks
to Bruce Burrell, Michael Wright, David Miller, Ladd Van Tol, Eric
Hildum, Jeremy Goldman, Kevin White, Bill Jackson, Robert Slade,
Robin Dover, and John Norstad for their comments and suggestions.

2.0 Preface
-----------

This document is intended to help individuals with computer
virus-related problems and queries, and clarify the issue
of computer viruses on Macintosh platforms. It should *not* be
regarded as being in any sense authoritative, and has no legal
standing. The authors accept no responsibility for errors or
omissions, or for any ill effects resulting from the use of any
information contained in this document.

Corrections and additional material are welcome, especially if
kept polite.... Contributions will, if incorporated, remain the
copyright of the contributor, and credited accordingly within
the FAQ.

David Harley <D.Ha...@icrf.icnet.uk>

3.0 Availability of this FAQ
----------------------------

The latest version of this document will be available from:

* http://www.macvirus.com/reference/
(the primary source)

* http://webworlds.co.uk/dharley/

It's also available from Henri Delger's Prodigy Anti-Virus Center
file library, as is the alt.comp.virus FAQ.

There are HTML versions at:
[J&A link removed. There are some very good links there, but
also some ethical conflicts which I prefer at present to
sidestep - DH]
http://www.cis.ohio-state.edu/hypertext/faq/usenet/computer-virus/macintosh-faq/faq.html
http://www.faqs.org/faqs/computer-virus/macintosh-faq/
http://emt.doit.wisc.edu/macvir/macvir.html


4.0 Mission Statement
---------------------

This document is a little different to the alt.comp.virus FAQ,
which David Harley also co-maintains (at time of writing). It is
concerned with one platform only, and though it deals with the
Macintosh platform at more length than the alt.comp.virus FAQ can
be expected to, it is a great deal shorter. Nor is there the same
degree of urgency about the Mac virus field, though the risk
element may be somewhat underestimated in general, at present.
This FAQ originated from a concern over the spread of macro
viruses, a theme that is taken up below. Since questions about
Macs and viruses tend to appear more often in the Mac groups than
alt.comp.virus or Virus-L, distribution of this FAQ is wider.

5.0 Where to get further information
------------------------------------

5.1 The alt.comp.virus FAQ (not much Mac-specific material)

This is posted to alt.comp.virus approximately
fortnightly. It includes a document that summarizes
and gives contact information for a number of other
virus-related FAQs.

The latest version is available from:

http://www.webworlds.co.uk/dharley/


5.2 The VIRUS-L FAQ

The Virus-L/comp.virus FAQ (also fairly low on
Mac-specific information) is regularly posted to the
comp.virus newsgroup (version 2.0 at time of writing).

The latest version may be found at:

ftp://ftp.infospace.com/pub/virus-l/comp.virus-FAQ.09-Oct-95
ftp://ftp.datafellows.com/pub/misc/anti-vir/vlfaq200.zip

This FAQ is very long and very thorough. The document is
subject to revision, so the file name may change.

5.3 Disinfectant on-disk documentation

The best single source of information on native Mac
viruses is the online help included in the freeware
package Disinfectant. However, development of
Disinfectant has been discontinued (May 1998).
Current contact details are given below, but it's
unlikely that they will continue to apply
indefinitely.

5.4 AntiVirus Catalog/CARObase (early work)

ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/catalog/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/carobase/
ftp://ftp.informatik.uni-hamburg.de/pub/virus/texts/viruses/

These links may be out-of-date: if they don't work, try
ftp://agn-www.informatik.uni-hamburg.de

5.5 "Robert Slade's Guide to Computer Viruses" [Springer]

The disk included with the 2nd Edition of this excellent
general resource includes most of the information
available at the University of Hamburg (see 5.4). The
book also contains a reasonable quantity of Mac-friendly
information. The disk includes a copy of Disinfectant 3.6,
which is now out-of-date -- 3.7.1 is the latest and final
release.

http://www.amazon.com/exec/obidos/ISBN=0387946632/

Very few books primarily about computer viruses deal at
any length with Mac viruses (I can't think of one, at
present). Some general books on the Mac touch on the subject,
but none I can think of add anything useful. Some of the
"Totally Witless User's Guide to......." books dealing with
security in general include information on PC -and- Mac
viruses. Unfortunately, the quality of virus-related
information in such publications is generally low.

5.6 Web Sites

Many major vendors have a virus information database online
on their Web sites. Symantec (www.symantec.com),
Network Associates (www.nai.com) and Dr. Solomon's
(www.drsolomon.com) include Macintosh virus information.

Precise URLs tend to come and go, but you might like to try
the following:

Dr Solomon's "Mac Viral Zoo"
Macintosh Virus Encyclopedia
http://www.drsolomon.com/products/virex/zoo/maczoopg.html

Symantec Antivirus Research Center
Virus Encyclopedia
http://www.symantec.com/avcenter/vinfodb.html

Network Associates, formerly McAfee Associates:
Virus Information Library
http://www.nai.com/vinfo/
http://www.nai.com/vinfo/f_13707.asp


5.7 Virus Bulletin

The expensive (but, for the professional, essential)
periodical Virus Bulletin includes Mac-specific
information from time to time. However, if you have no
interest in PC issues, you probably won't consider it
worth the expense.

Virus Bulletin Ltd
21 The Quadrant
Abingdon
Oxfordshire
OX14 3YS

44 (0) 1234 555139
Compuserve 100070,1340
www.virusbtn.com
viru...@vax.ox.ac.uk

The proceedings of the 1997 Virus Bulletin conference
contained a paper by David Harley which significantly
expands on many of the issues addressed in this FAQ.
Contact Virus Bulletin for further information on the
annual conference and on obtaining the proceedings. The
paper can also be found (by permission of Virus
Bulletin) at the author's website:

http://webworlds.co.uk/dharley/

5.8 Macro virus information resources

University of Hamburg Virus Test Center Macro Virus List
The definitive listing. All known macro viruses, some only
found in research labs, some in the wild. Doesn't include
information on individual viruses apart from name and
platform.

ftp://agn-www.informatik.uni-hamburg.de/pub/texts/macro/
http://agn-www.informatik.uni-hamburg.de/vtc/eng.htm

Other Sources:

http://www.drsolomon.com/
http://www.datafellows.com/vir-info/
http://www.symantec.com/avcenter/
http://www.nai.com/
http://www.avpve.com/
http://www.sophos.com/ (under Virus Information)

[The following absolute URLs may change: such is the
way of Web administrators..... If you get an error
message, try the first part of the URL, e.g.
http://www.nai.com/
and drill down from there.]

Dr Solomon's Software Ltd.
http://www.drsolomon.com/vircen/enc/

Central Command
http://www.avpve.com/viruses/macro/

Network Associates
http://www.nai.com/vinfo/f_3057.asp

Data Fellows
http://www.datafellows.com/macro/word.htm

Richard Martin put together an FAQ on the subject of
Word viruses. It's well out-of-date in many respects,
though.

ftp.gate.net/pub/users/ris1/word.faq

5.9 Kevin Harris's Virus Reference

(Describes WM/Concept.A.) Last updated 31-Aug-95. HyperCard stack;
requires HyperCard 2.1 or later.

ftp://mirrors.aol.com/pub/info-mac/vir/virus-reference-216-hc.hqx

5.10 McAfee Mac Virus Encyclopaedia

ftp://ftp.nai.com/pub/antivirus/mac/vencyc.hqx

The data definitions for McAfee VirusScan 2.0 included a free
Macintosh virus encyclopaedia in both SimpleText and HTML formats.
The information on Mac-specific viruses is pretty much the same
as that included in the original Disinfectant documentation.
Covers the viruses detected and repaired by VirusScan 2.0.9,
including about 120 macro viruses. Current as of about March '97.

5.11 Additional Resources

There are excellent pages on HyperCard viruses at HyperActive
Software. There is information on HyperCard infectors, a link to
Bill Swagerty's free Vaccine utility for detecting and cleaning
them, a note on false positives reported by commercial software,
inoculation, and a free HyperCard virus detection service.

http://www.hyperactivesw.com/Virus1.html


The CIAC virus database includes entries for PC, Macintosh,
and a number of other platforms. The Macintosh section
also includes a number of joke programs and one or two
apparent hoaxes.

http://ciac.llnl.gov/ciac/CIACVirusDatabase.html


Last we checked [03-Sep-97], these sites probably need updating,
though some older files do have historical value.

Info-Mac mirrors have Macintosh information, but include
some outdated virus information and software at this
writing; still, always worth a visit.

<URL:ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/>
<URL:http://hyperarchive.lcs.mit.edu/HyperArchive/Abstracts/vir/HyperArchive.html>

Also of interest, again sometimes outdated:
http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html
http://www.unt.edu/virus/macgeneral.html

A list of Mac viruses is available at:
http://webworlds.co.uk/dharley/macvir.html
++ At present, this mirrors information in this FAQ, and updating
it is considered a low priority.

6.0 How many Mac viruses are there?
-----------------------------------

There are around 35 Mac-specific viruses and related threats.

Mac users with Word 6 or versions of Excel supporting Visual
Basic for Applications, however, are vulnerable to infection by
macro viruses which are specific to these applications. Indeed,
these viruses can, potentially, infect other files on any
hardware platform supporting these versions of these
applications. I don't know of a macro virus with a Mac-specific
payload that actually works at present, but such a payload is
entirely possible.

Word Mac version 5.1 and below do not support WordBasic, and are
not, therefore, vulnerable to direct infection. Not only do these
versions not understand embedded macros, but they can't read
the Word 6 file format unaided. There is, however, at least one
freeware utility which allows Word 5.x users to read Word 6 files.
This will not support execution of Word 6 (or WinWord 2) macros
in Word 5.x, so I would not expect either an infection routine or
a payload routine to be able to execute within this application.

However, Word 5.x users may contribute indirectly to the spread of
infected files across platforms and systems, since it is perfectly
possible for a user whose own system is uninfectable to act as a
conduit for the transmission of infected documents, whether or not
s/he reads it personally.

Files infected with a PC-specific file virus (this excludes macro
viruses) can only execute on a Macintosh running DOS or DOS/Windows
emulation, if then. They can, of course, spread across platforms
simply by copying infected files from one system to another.

DOS diskettes infected with a boot sector virus can be read on a
Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without
(normally) risk to the Mac. However, leaving such an infected disk
in the drive while booting an emulator such as SoftPC can mean that
the virus attempts to infect the logical PC drive with unpredictable
results.

I am aware of at least one instance of a Mac diskette which, when read
on a PC running a utility for reading Mac-formatted disks after
being infected with a boot-sector infector, became unreadable as
a consequence of the boot track infection.

Some Mac viruses may damage files on Sun systems running MAE or
AUFS.

7.0 What viruses can affect Macintosh users?
--------------------------------------------

++
Not all variants are listed here. It was originally intended to
reference all the major variants at least by name eventually, but
since the information is of academic interest at best to most
users (and available elsewhere anyway), it's no longer considered
a priority. The main problem affecting Mac users nowadays is the
spread of macro viruses, and I can't possibly find time to
catalogue them individually, so they are only considered generally.
Native Mac viruses are rather rarely seen nowadays, and most
people don't need to know about them in detail -- in fact, what
they need most is to know that their favoured antivirus software
will deal with them. Note that neither of the co-maintainers are
primarily in the business of hands-on virus analysis, and cannot
accept responsibility for descriptive errors based on third-party
information. [DH]

The following varieties are listed below:
7.1 Mac-specific system and file infectors
7.2 HyperCard Infectors
7.3 Mac Trojans
7.4 Macro viruses, trojans, variants
7.5 Other OS viruses and malware when emulation is run on a Mac
7.6 AutoStart 9805 Worms
++ 7.7 Esperanto 4733

7.1 Mac-specific viruses, excluding HyperCard infectors

AIDS - infects application and system files. No
intentional damage. (nVIR B strain)

Aladin - close relative of Frankie

Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't
spread under system 7.x, or System 6 under MultiFinder.
Can damage applications so that they can't be 100%
repaired.

CDEF - infects desktop files. No intentional damage, and
doesn't spread under system 7.x.

CLAP: nVIR variant that spoofs Disinfectant to avoid
detection (Disinfectant 3.6 recognizes it).

Code 1 - file infector. Renames the hard drive to "Trent
Saburo". Accidental system crashes possible.

Code 252 - infects application and system files. Triggers
when run between June 6th and December 31st. Runs a
gotcha message ("You have a virus. Ha Ha Ha Ha Ha Ha Ha
Now erasing all disks... [etc.]"), then self-deletes.
Despite the message, no intentional damage is done,
though shutting down the Mac instead of clicking to
continue could cause damage. Can crash System 7 or damage
files, but doesn't spread beyond the System file. Doesn't
spread under System 6 with MultiFinder beyond System and
MultiFinder. Can cause various forms of accidental
damage.

Frankie - only affects the Aladdin emulator on the Atari
or Amiga. Doesn't infect or trigger on real Macs or the
Spectre emulator. Infects application files and the
Finder. Draws a bomb icon and displays 'Frankie says: No
more piracy!"

Fuck: infects application and System files. No
intentional damage. (nVIR B strain)

Init 17: infects System file and applications. Displays
message "From the depths of Cyberspace" the first time it
triggers. Accidental damage, especially on 68K machines.

Init 29 (Init 29 A, B): Spreads rapidly. Infects system
files, applications, and document files (document files
can't infect other files, though). May display a message
if a locked floppy is accessed on an infected system 'The
disk "xxxxx" needs minor repairs. Do you want to repair
it?'. No intentional damage, but can cause several
problems - Multiple infections, memory errors, system
crashes, printing problems, MultiFinder problems, startup
document incompatibilities.

Init 1984: Infects system extensions (INITs). Works under
Systems 6 and 7. Triggers on Friday 13th. Damages files
by renaming them, changing file TYPE and file CREATOR,
creation and modification dates, and sometimes by
deleting them.

Init-9403 (SysX): Infects applications and Finder under
systems 6 and 7. Attempts to overwrite whole startup
volume and disk information on all connected hard drives.
Only found on Macs running the Italian version of MacOS.

Init-M: Replicates under System 7 only. Infects INITs and
application files. Triggers on Friday 13th. Similar
damage mechanisms to INIT-1984. May rename a file or
folder to "Virus MindCrime". Rarely, may delete files.

MacMag (Aldus, Brandow, Drew, Peace) - first distributed
as a HyperCard stack Trojan, but only infected System
files. Triggered (displayed a peace message and
self-deleted) on March 2nd 1988, so very rarely found.

MBDF (A,B): originated from the Tetracycle, Tetricycle or
"tetris-rotating" Trojan. The A strain was also
distributed in Obnoxious Tetris and Ten Tile Puzzle.
Infect applications and system files including System and
Finder. Can cause accidental damage to the System file
and menu problems. A minor variant of MBDF B appeared in
summer 1997: Disinfectant and Virex have been updated
accordingly.

MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect
System file and application files (D doesn't infect
System). No intentional damage, but can cause crashes and
damaged files.

nCAM: nVIR variant

nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu):
infect System and any opened applications. Extant
versions don't cause intentional damage. Payload is
either beeping or (nVIR A) saying "Don't panic" if
MacInTalk is installed.

nVIR-f: nVIR variant.

prod: nVIR variant

Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack
two applications that were never generally released. Can
cause accidental damage, though - system crashes,
problems printing or with MacDraw and Excel. Infects
applications, Finder, DA Handler.

T4 (A, B, C): infects applications, Finder, and tries to
modify System so that startup code is altered. Under
System 6 and 7.0, INITs and system extensions don't load.
Under 7.0.1, the Mac may be unbootable. Damage to
infected files and altered System is not repairable by
Disinfectant. The virus masquerades as Disinfectant, so
as to spoof behaviour blockers such as Gatekeeper.
Originally included in versions 2.0/2.1 of the public
domain game GoMoku.

WDEF (A,B): infects desktop file only. Doesn't spread
under System 7. No intentional damage, but causes
beeping, crashes, font corruption and other problems.

zero: nVIR variant.

Zuc (A, B, C): infects applications. The cursor moves
diagonally and uncontrollably across the screen when the
mouse button is held down when an infected application is
run. No other intentional damage is done.

++ NAV (Norton AntiVirus), SAM, and Virex from Dr Solomon's as of July-98
list as detected the viruses we listed as "unverified" in an earlier
FAQ. They are not known to be in circulation. The following descriptions
are sketchy and borrowed -- any errors here are mine [SL].

CODE 32767: once a month tries to delete documents.

T4-D: deletes files other than the System file from the System Folder,
and documents, and is termed dangerous.

Flag: unrelated to WDEF A and B, but was given the name WDEF-C in
some anti-virus software. Not intentionally damaging but when
spreading it overwrites any existing 'WDEF' resource of ID '0', an
action which might damage some files.

MDEF-E and MDEF-F: described as simple and benign. They infect
applications and system files, not otherwise causing file damage
intentionally.

SevenDust-A through D, also known as MDEF 9806-A through D, also
known as 666: a family of four viruses which spread both through
'MDEF' resources and a System extension created by those resources.
Three of these viruses cause no other damage. On the sixth day of the
month, one may erase all non-application files on the current volume.

7.2 HyperCard infectors

These are a somewhat esoteric breed, but a couple have been
seen since Disinfectant was last upgraded in 1995, and most
of the commercial scanners detect them.

Dukakis - infects the Home stack, then other stacks used
subsequently. Displays the message "Dukakis for
President", then deletes itself, so not often seen.

HC 9507 - infects the Home stack, then other running
stacks and randomly chosen stacks on the startup disk.
On triggering, displays visual effects or hangs the
system. Overwrites stack resources, so a repaired stack
may not run properly.

HC 9603 - infects the Home stack, then other running
stacks. No intended effects, but may damage the Home
stack.

HC "Two Tunes" (referred to by some sources as "Three Tunes")
- infects stack scripts. Visual/Audio effects: 'Hey, what are
you doing?' message; plays the tune "Muss I denn"; plays the tune
"Behind the Blue Mountains"; displays HyperCard toolbox and
pattern menus; displays 'Don't panic!' fifteen minutes after
activation. Even sources which describe this virus as "Three
Tunes" seem to describe the symptoms consistently with the
description here, but we will, for completeness, attempt to
resolve any possible confusion when time allows. This virus has
no known connection with the PC file infector sometimes known as
Three Tunes.

MerryXmas - appends to stack script. On execution,
attempts to infect the Home stack, which then infects
other stacks on access. There are several strains,
most of which cause system crashes and other anomalies.
At least one strain replaces the Home stack script and
deletes stacks run subsequently. Variants include
Merry2Xmas, Lopez, and the rather destructive Crudshot.
[Ken Dunham discovered the merryXmas virus. His program
merryxmasWatcher 2.0 was very popular and still can
eradicate the most common two strains, merryXmas and
merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest
this family.]

Antibody is a recent virus-hunting virus which propagates between
stacks checking for and removing MerryXmas, and inserting an
inoculation script.

Independance (sic) Day was reported in July, 1997. It attempts
to be destructive, but fortunately is not well enough written to
be more than a nuisance. More information at:

http://www.hyperactivesw.com/Virus1.html#IDay

7.3 Trojans (Trojan Horses)

These are often unsubtle and immediate in their effects:
while these effects may be devastating, Trojans are
usually very traceable to their point of entry. The few
Mac-specific Trojans are rarely seen, but of course the
commercial scanners generally detect them.

ChinaTalk - system extension - supposed to be sound
driver, but actually deletes folders.

CPro - supposed to be an update to Compact Pro, but
attempts to format currently mounted disks.

FontFinder - supposed to list fonts used in a document,
but actually deletes folders.

MacMag - HyperCard stack (New Apple Products) that was
the origin of the MacMag virus. When run, infected the
System file, which then infected System files on
floppies. Set to trigger and self-destruct on March 2nd,
1988, so rarely found.

Mosaic - supposed to display graphics, but actually
mangles directory structures.

NVP - modifies the System file so that no vowels can be
typed. Originally found masquerading as 'New Look', which
redesigns the display.

Steroid - Control Panel - claims to improve QuickDraw
speed, but actually mangles the directory structure.

Tetracycle - implicated in the original spread of MBDF

Virus Info - purported to contain virus information but
actually trashed disks. Not to be confused with Virus
Reference.

Virus Reference 2.1.6 mentions an 'Unnamed PostScript
hack' which disables PostScript printers and requires
replacement of a chip on the printer logic board to
repair. A Mac virus guru says:

"The PostScript 'Trojan' was basically a PostScript job
that toggled the printer password to some random string
a number of times. Some Apple laser printers have a
firmware counter that allows the password to only be
changed a set number of times (because of PRAM behavior
or licensing -- I don't remember which), so eventually
the password would get "stuck" at some random string that
the user would not know. I have not heard any reports
of anyone suffering from this in many years."

AppleScript Trojans - A demonstration destructive compiled
AppleScript was posted to the newsgroups alt.comp.virus,
comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh,
microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and
symantec.support.mac.sam.general on 16-Aug-97, apparently
in response to a call for help originally posted to
alt.comp.virus on 14-Aug-97 and followup on 15-Aug-97.
On 03-Sep-97, MacInTouch published Xavier Bury's finding of a
second AppleScript trojan horse, which, like the call for help
followup, mentioned Hotline servers. It reportedly sends
out private information while running in the background.
A note to users from Hotline Communications CEO Adam Hinkley
is posted at <http://www.macvirus.com/news/press/970903a.html>.

AppleScripts should be downloaded only from known trusted
sources. It is nigh impossible for an average person to know
what any given compiled script will do.

7.4 Macro viruses/Trojans

At the time of the longstanding second-to-last upgrade of
Disinfectant (version 3.6 in early 1995), there were no known
macro viruses in the wild, apart from HyperCard infectors. In
any case, Disinfectant was always intended to deal with system
viruses, not trojans or macro/script viruses. However, many
users are unaware of these distinctions and still assume
that Disinfectant is a complete solution, even after its
effective demise (in fact, there were people still relying
on Gatekeeper long after its author disowned it....).

++ Unfortunately, the number of known macro viruses is at the time
of writing [23-June-1998] well in excess of 2500, though the
number in the wild is far fewer.

Most macro viruses (if they have a warhead at all) target Intel
platforms and assume FAT-based directory structures, so they
usually have no discernible effect on Macs when they trigger.
Viruses that manipulate text strings within a document may
work just as well on a Macintosh as on a PC.

In any case, the main costs of virus control are not recovery
from virus payloads, but the costs of establishing detection
and protection (or of not establishing them). The costs of
not establishing these measures can be considerable,
irrespective of damage caused on infected machines,
especially in corporate environments. Secondary distribution
of infected documents may result in:

* civil action - for instance, inadvertent
distribution of an infected document to external
organisations may be in breach of contractual obligations

* legal action in terms of breach of data-protection
legislation such as the UK Data Protection Act or the
European Data Protection directive. The eighth principle
of the Data Protection Act, for instance, requires that
security measures are taken to protect against
unauthorised access to, and alteration, disclosure and
destruction of personal data, or its accidental loss.

* damage to reputation - no legitimate organisation wants
to be seen as being riddled with viruses.

Since Word 6.x for Macintosh supports WordBasic macros, it
is as vulnerable as Word 6.x and 7.x on Intel platforms to
being infected by macro viruses, and therefore to generating
other infected documents (or, strictly speaking, templates).
Working Excel viruses are now beginning to appear also, and
any future Macintosh application that supports Visual Basic
for Applications will also be vulnerable. Note also the
possibility of virus-infected files embedded as objects in
files associated with other applications: this possibility
exists on any platform that supports OLE.

Macro viruses are therefore highly transmissible via
Macintoshes, even if they don't have a destructive effect on
Motorola platforms, if there is an equivalent application
available on the Macintosh. For instance, although Word for
Windows versions before version 6 support WordBasic, Word
versions for the Mac up to and including version 5.1 do not.
[Thus Word 5.1 users can not be directly infected, but may,
like anyone, pass on infected documents to vulnerable systems.]

Unless running DOS/Windows emulation, the Green Stripe macro
virus is not normally a danger on Macs, since there is no
AmiPro/WordPro for Macintosh. [This paragraph may well be
removed in the near future, since (1) Green Stripe is old
news and not exactly common (2) I'd rather drop this than
list (for consistency) a number of other viruses, trojans,
intendeds, jokes and generators which will only ever run on
a Mac which is pretending to be a PC.....]

Network Associates, Symantec, and Dr. Solomon's all make
known-virus scanners that detect a range of macro viruses.
Microsoft make available a free 'protection tool' whose
effectiveness is often overestimated. (See below.)

For further information on specific macro viruses, try one of
the information resources given earlier.

7.5 Other Operating Systems (DOS/Windows in Emulation)

Any Mac running any sort of DOS or Windows emulation such as
Virtual PC, SoftPC, SoftWindows, RealPC, or a DOS compatibility
card is a potential target for any PC virus, including Boot Sector
Infectors/Multipartites; (effects will vary). It is highly
recommended that anyone with such a system should run a reputable,
up-to-date PC antivirus program under emulation, as well as a good
Mac antivirus program. [Dr. Solomon's for the Mac detects PC boot
sector infectors as well as Mac viruses, but doesn't detect PC file
viruses (apart from macro viruses), and so is not sufficient
protection for a Mac with DOS emulation.]
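Both the diskette discussion in section 6 and the emulation advice
above turn on the same point: a DOS-formatted diskette that a Mac reads
harmlessly through PC Exchange or DOS Mounter becomes a bootable device
the moment an emulator is started with it in the drive. The Python
below is an added example, not code from this FAQ or from any product it
names. It decodes the BIOS Parameter Block (BPB) of a 512-byte DOS boot
sector and lists values that do not describe a plausible floppy, so an
image can be triaged before an emulator is allowed to boot from it. The
sample sectors, the field names and the acceptance thresholds are this
example's own assumptions.

```python
import struct

# Layout of the DOS BIOS Parameter Block at offset 11 of the boot sector:
# little-endian fields in the order DOS 3.x laid them down.
BPB = struct.Struct("<HBHBHHBHHH")
BPB_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "reserved_sectors",
              "fat_count", "root_entries", "total_sectors", "media_descriptor",
              "sectors_per_fat", "sectors_per_track", "heads")
# Media descriptor bytes DOS uses for floppies and fixed disks.
KNOWN_MEDIA = {0xF0, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF}


def make_floppy_boot_sector():
    """Constructed sample: a boot sector for a standard 1.44 MB diskette.
    Synthetic test data, not an image of any real disk."""
    sector = bytearray(512)
    sector[0:3] = b"\xEB\x3C\x90"      # short jump over the BPB, then NOP
    sector[3:11] = b"MSDOS5.0"         # OEM name
    BPB.pack_into(sector, 11,
                  512,    # bytes per sector
                  1,      # sectors per cluster
                  1,      # reserved sectors (the boot sector itself)
                  2,      # number of FATs
                  224,    # root directory entries
                  2880,   # total sectors: 80 tracks * 2 heads * 18 sectors
                  0xF0,   # media descriptor for a 3.5" 1.44 MB floppy
                  9,      # sectors per FAT
                  18,     # sectors per track
                  2)      # heads
    sector[510:512] = b"\x55\xAA"      # boot signature
    return bytes(sector)


def make_damaged_sector():
    """Constructed sample: the same diskette with its BPB and signature
    zeroed, standing in for an overwritten or non-DOS first sector."""
    sector = bytearray(make_floppy_boot_sector())
    sector[11:11 + BPB.size] = bytes(BPB.size)
    sector[510:512] = b"\x00\x00"
    return bytes(sector)


def parse_boot_sector(sector):
    """Decode the jump, OEM name, BPB fields and signature of one sector."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte boot sector")
    info = dict(zip(BPB_FIELDS, BPB.unpack_from(sector, 11)))
    info["jump"] = bytes(sector[0:3])
    info["oem_name"] = sector[3:11].decode("ascii", "replace")
    info["signature_ok"] = bytes(sector[510:512]) == b"\x55\xAA"
    return info


def sanity_check(info):
    """Return a list of findings; an empty list means the sector describes
    a plausible DOS floppy. The thresholds are this example's assumptions."""
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte 0x%02X is not a jump opcode" % info["jump"][0])
    if info["bytes_per_sector"] != 512:
        findings.append("unusual bytes per sector: %d" % info["bytes_per_sector"])
    if info["media_descriptor"] not in KNOWN_MEDIA:
        findings.append("unknown media descriptor 0x%02X" % info["media_descriptor"])
    if info["fat_count"] not in (1, 2):
        findings.append("implausible FAT count: %d" % info["fat_count"])
    track = info["sectors_per_track"] * info["heads"]
    if track == 0 or info["total_sectors"] % track:
        findings.append("total sectors do not fill whole tracks")
    if info["bytes_per_sector"]:
        root_sectors = (info["root_entries"] * 32) // info["bytes_per_sector"]
        system_area = (info["reserved_sectors"]
                       + info["fat_count"] * info["sectors_per_fat"]
                       + root_sectors)
        if system_area >= info["total_sectors"]:
            findings.append("reserved/FAT/root area leaves no data sectors")
    return findings


if __name__ == "__main__":
    for name, sector in (("good floppy", make_floppy_boot_sector()),
                         ("damaged sector", make_damaged_sector())):
        info = parse_boot_sector(sector)
        print(name, info["oem_name"], info["total_sectors"],
              sanity_check(info) or ["looks like a DOS floppy"])
```

A sector that fails these checks is not evidence of infection, and an
infector that leaves the BPB intact will pass them, so the advice above
to run an up-to-date PC scanner under emulation stands. What the check
does catch is an image that is not a DOS floppy at all, or whose first
sector has been overwritten, before it is handed to an emulator.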

Recommendations for defending PC systems or PC emulation
on Macs are slightly out-of-scope for this FAQ. In fact,
I don't know of any formal testing for PC antivirus software
in the context of PC emulation on Macs. I've done some
informal testing (referred to in another paper), but am not
prepared to make vendor-specific recommendations on the
basis of such testing. F-Prot, AVP, and Dr Solomon's are
particularly well-regarded PC antivirus packages, of which
some components on some platforms are available as freeware
or for evaluation, but their efficacy in the context of PC
emulation is not well tested or documented.

To find a commercial or shareware package relevant to PCs,
check through the independent comparative reviews sites:
University of Hamburg Virus Test Center
http://agn-www.informatik.uni-hamburg.de/vtc/naveng.htm
University of Tampere Virus Research Unit
http://www.uta.fi/laitokset/virus/
Secure Computing
http://www.westcoast.com/
Virus Bulletin
http://www.virusbtn.com/
Robert Michael Slade's lists may also be helpful.
http://www.freenet.victoria.bc.ca/techrev/quickref.html
http://www.freenet.victoria.bc.ca/techrev/rms.html

7.6 AutoStart 9805 Worms

AutoStart 9805 is not a virus, but a worm: that is, it
replicates by copying itself, but doesn't attach itself
parasitically to a host program. The original took hold
rapidly in Hong Kong and Taiwan in April 1998, and has been
reported on at least four continents. In addition to the
original worm, there are five variants. Virus Bulletin,
July, 1998, includes a comprehensive analysis of AutoStart
and some of its variants.

++ CIAC Bulletin I-067 is based on Eugene Spafford's information
release on the original AutoStart worm. Unfortunately, this is
now a little out-of-date, particularly as regards the update
status of the antivirus software it mentions. Nor does it
mention any of the subsequently discovered variants.
<http://www.ciac.org/>

++ Symptoms: Perhaps the most noticeable symptom of the worms
is that an infected system will _lock up and churn with
unexplained disk activity_ every 6, 10, or 30 minutes.[SL]

Affected platforms: any PowerMac. Macintoshes and clones
driven by Motorola 680x0 series CPUs can't run the
replicative code. It works under any version of Mac OS, if
QuickTime 2.0 or later is installed and CD-ROM AutoPlay is
enabled in the "QuickTime Settings" Control Panel.

Transmission media: HFS or HFS+ volumes (hard disks,
diskettes, most types of removable media, even disk images).
Audio CDs can't transmit the worm, and it isn't necessary
to disable "Audio CD AutoPlay".

Transmission method: infected media contain an invisible
application file named "DB" or "BD" or "DELDB" in the root
directory (type APPL, creator ????). This is an AutoStart file:
i.e. it will run automatically if CD-ROM autoplay is enabled. If
the host Mac isn't already infected, it copies itself to the
Extensions folder. The new copy is renamed "Desktop Print
Spooler" or "Desktop Printr Spooler", or "DELDesktop Print
Spooler" respectively (type appe, creator ????). Unlike the
legitimate Desktop Printer Spooler extension, the worm file has
the invisible attribute set, and isn't listed as a running
process by the system software, though it can be seen with
Process Watcher or Macsbug. After copying itself, it reboots
the system and is now launched every time the system restarts.
At approximately 6, 10, or 30 minute intervals, it examines
mounted volumes to see if they're infected: if not, it
writes itself to the root directory and sets up AutoStart
(however, AutoStart won't work on a server volume).

Damage: files with names ending "data", "cod" or "csa" are
targeted if the data fork is larger than 100 bytes. Files
with names ending "dat" are targeted if the whole file is c.
2Mb or larger. Targeted files are attacked by overwriting
the data fork (up to the 1st Mb) with garbage.

++ Besides the original, there are five variants: AutoStart 9805-B,
which is less noticeable but can cause irreparable damage to files
of type 'JPEG', 'TIFF', and 'EPSF'; AutoStart 9805-C and AutoStart
9805-D which do not intentionally damage data; AutoStart 9805-E
which spreads like B and is most similar to the original; and
AutoStart 9805-F which is most similar to A and E.
Dr Solomon's, Sophos, and Symantec had descriptions on the Web:
http://www.drsolomon.com/vircen/valerts/mac/
http://www.sophos.com/virusinfo/analyses/autostart9805.html
http://www.symantec.com/avcenter/data/autostart.9805.html
and Mac Virus had short descriptions.
http://www.macvirus.com/reference/autostart.html [SL]

++ Detection: updates to deal with the worms are available for Virex
(http://www.drsolomon.com/products/virex/ -- contact Dr Solomon's
for F variant help, or we are told to expect it in the next Virex
update), for NAV, and for SAM
(http://www.symantec.com/avcenter/download.html). [SL]
Version 7.84 of Dr. Solomon's for Mac deals only with the original
worm, not the variants and there is no interim extra driver. The
current version of Dr. Solomon's is 7.85 at time of writing: how many
variants it detects is unknown at time of writing, and we still have
no relevant information on VirusScan for Mac [DH - 8th July 1998].
Development on Disinfectant was discontinued, and the final version
3.7.1 does not detect the worms.

Prevention: uninfected systems can be protected by disabling
the AutoStart option in QuickTime settings (QuickTime 2.5 or
later only - earlier versions don't have a disable option).
This should also prevent infection by future malware
exploiting the same loophole, but will fail if a setup is booted
++ from a volume with an infected Extensions Folder [SL].

Removal: the easiest and safest method for most people will
be to use the updated version of their favoured anti-virus
software, as it becomes available.

The worms can also be removed manually.
* Reboot with extensions disabled (hold down the shift key
till an alert box tells you that extensions are off).
* Use Find File to search all volumes for all instances of a
file called "DB" or "BD" or "DELDB" with the invisibility
attribute set (hold down Option key when clicking on "Name"
pop-up menu to select for visibility). Trash 'em.
* Use Find File to find and trash an invisible "Desktop
Print Spooler", "Desktop Printr Spooler", or "DELDesktop
Print Spooler" file (-not- Desktop Printer Spooler, which is
a legitimate and usually necessary system file).
* Empty the trash.
* Disable AutoStart in QuickTime Settings Control Panel.
* Restart.
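The indicators described above (an invisible AutoStart application named DB, BD or DELDB at a volume root; an invisible 'appe' copy in the Extensions folder named "Desktop Print Spooler", "Desktop Printr Spooler" or "DELDesktop Print Spooler"; and the Damage rules for files ending "data", "cod", "csa" and "dat") can be turned into a check that runs over a volume's catalogue. The following is an added example, not code from this FAQ or from any of the vendors mentioned in it: it models catalogue entries as constructed records (HFS path, type and creator codes, Finder invisible flag, fork sizes) rather than reading a real HFS catalogue, and the sample volume contents are made up for illustration.

```python
"""Check a (constructed) Mac volume catalogue for AutoStart 9805 indicators.

Added example, not part of the FAQ. Classic Mac OS file attributes (type,
creator, Finder 'invisible' flag, fork lengths) are modelled as fields on
FileRecord; a real tool would read them from the HFS catalogue. The rules
encode the FAQ's description of the worm and of its damage routine.
"""
from dataclasses import dataclass

ROOT_WORM_NAMES = {"DB", "BD", "DELDB"}
EXTENSION_WORM_NAMES = {
    "Desktop Print Spooler",
    "Desktop Printr Spooler",
    "DELDesktop Print Spooler",
}
LEGIT_SPOOLER = "Desktop Printer Spooler"   # genuine system extension, never flag it
MB = 1024 * 1024


@dataclass
class FileRecord:
    path: str              # colon-separated HFS path, e.g. "Macintosh HD:DB"
    file_type: str         # four-character type code
    creator: str           # four-character creator code (not used by the check)
    invisible: bool        # Finder 'invisible' attribute
    data_fork: int         # data fork length in bytes
    resource_fork: int = 0


def split_hfs(path):
    """'Volume:Folder:Sub:Name' -> ('Volume', ['Folder', 'Sub'], 'Name')."""
    parts = path.split(":")
    return parts[0], parts[1:-1], parts[-1]


def classify_worm_file(rec):
    """Return a reason string if the record matches a worm indicator, else None.
    Name and type code must both match; the invisible flag is reported."""
    volume, folders, name = split_hfs(rec.path)
    flag = "invisible" if rec.invisible else "visible"
    if name == LEGIT_SPOOLER:
        return None
    if not folders and name in ROOT_WORM_NAMES and rec.file_type == "APPL":
        return "%s AutoStart application at root of volume %s" % (flag, volume)
    if (folders and folders[-1] == "Extensions"
            and name in EXTENSION_WORM_NAMES and rec.file_type == "appe"):
        return "%s worm copy in Extensions folder of %s" % (flag, volume)
    return None


def is_damage_target(rec):
    """FAQ rule for the original worm: names ending data/cod/csa with a data
    fork over 100 bytes; names ending dat when the whole file is about 2 MB
    or more. Case-insensitive matching is an assumption."""
    name = split_hfs(rec.path)[2].lower()
    if name.endswith(("data", "cod", "csa")):
        return rec.data_fork > 100
    if name.endswith("dat"):
        return rec.data_fork + rec.resource_fork >= 2 * MB
    return False


def scan_catalogue(records):
    """Return (worm hits, at-risk files). At-risk entries carry the number of
    data-fork bytes the worm would overwrite (it stops after the first MB)."""
    hits, at_risk = [], []
    for rec in records:
        reason = classify_worm_file(rec)
        if reason:
            hits.append((rec.path, reason))
        if is_damage_target(rec):
            at_risk.append((rec.path, min(rec.data_fork, MB)))
    return hits, at_risk


# Constructed sample catalogue: an infected internal disk, an infected Zip
# cartridge, a harmless name collision, and some candidate victims.
SAMPLE_CATALOGUE = [
    FileRecord("Macintosh HD:DB", "APPL", "????", True, 3_600),
    FileRecord("Macintosh HD:System Folder:Extensions:Desktop Print Spooler",
               "appe", "????", True, 3_600),
    FileRecord("Macintosh HD:System Folder:Extensions:Desktop Printer Spooler",
               "appe", "????", False, 12_000),          # genuine; creator is a placeholder
    FileRecord("Zip 100:BD", "APPL", "????", True, 3_600),
    FileRecord("Backup:DB", "TEXT", "ttxt", False, 10),  # text file that shares the name
    FileRecord("Macintosh HD:Documents:scan.data", "????", "????", False, 50_000),
    FileRecord("Macintosh HD:Documents:tiny.data", "TEXT", "ttxt", False, 80),
    FileRecord("Macintosh HD:Games:level.dat", "????", "????", False, 3 * MB),
    FileRecord("Macintosh HD:Games:small.dat", "????", "????", False, 500_000),
]

if __name__ == "__main__":
    worm_hits, targets = scan_catalogue(SAMPLE_CATALOGUE)
    for path, reason in worm_hits:
        print("WORM   %s: %s" % (path, reason))
    for path, nbytes in targets:
        print("TARGET %s: %d data-fork bytes would be overwritten" % (path, nbytes))
```

The check tells the worm's "Desktop Print Spooler" from the legitimate "Desktop Printer Spooler" by exact name, and requires the type code to match as well as the name, so an ordinary text file that happens to be called DB is not reported. On a real volume the same walk would have to include invisible files, which is exactly what the Option-click in Find File described above is for.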

++7.7 Esperanto 4733

This probably doesn't belong here. It's a PC file infector which
works with a number of PC executable file formats. When it was
first seen, it was reported to be a multiplatform virus capable of
executing under some circumstances on Macintoshes. Subsequent reports
indicate that this belief results from misinformation on the part of
the author. However, at least two reputable PC anti-virus vendors
still list it as capable of activating on a Macintosh, and we will
attempt to get authoritative confirmation either way in due course.
It may be significant, though, that no Mac scanner appears to try
to detect it.

8.0 What's the best anti-virus package for the Macintosh?
-----------------------------------------------------

As ever, we can't give a definitive answer to this. The best
choice depends on subjective criteria and individual needs.
Nonetheless, here are some thoughts on the main contenders.

8.1 Microsoft's Protection Tools

Microsoft's Macro Virus Protection Tools originally detected
Concept (Nuclear and DMV were also mentioned in the documentation,
but were not identified specifically by the tools). Principally,
they merely warned users that the document they were about to open
contained macros and offered the choice of opening the file without
macros, opening it with macros, or cancelling the File Open.
Later implementations built into the application are better on
identifying a few specific viruses and on integration into
Word itself, but should not be relied on for 100% effective
detection, blocking and disinfection of macro viruses. More
information from Microsoft may be available at the address below.

http://www.microsoft.com/office/antivirus/
MSN: GO MACROVIRUSTOOL
AOL: the Word forum
CompuServe: the Word forum
Microsoft Product Support Services
206-462-9673 (WinWord)
206-635-7200 (Word Mac)
email: word...@microsoft.com
(There is no Excel add-in for Macs.)

NB The Protection Tool traps some File Open operations, but
not all. There are a number of ways of opening a document
which bypass it, some of which are rather commonly used
(e.g. double-clicking or using the Recent Documents list).

The Protection Tool can be used to scan for Concept-infected files,
but there are a number of possible problems with it.

* Earlier versions could only handle a limited size of directory
tree, and ran very slowly if a large number of files required
scanning. Speed is certainly still a problem: I can't say about
the overflow problem.
* Files created in Word for Windows won't be scanned until they've
been opened in Word 6 for Mac (this is a system issue, not a
bug in the code). However, Microsoft suggest that you open the
file in Word for the Macintosh and save it before scanning.
This will do the job, but will also infect your system, if the
file is infected. If it's infected with a virus -other- than
Concept, this could create problems if the Protection Tool is
bypassed on a subsequent file open.
* Infected files embedded in OLE2 files or e-mail files will not
be detected.
* The Microsoft tools are not useful on non-English Windows systems
(which may be run under Virtual PC or Real PC). SCANPROT cannot
handle non-English documents, and will hang during the scanning
process if it encounters a document created with a non-English
version of Word. Microsoft's Excel add-in for the Laroux macro
virus causes multiple file open buttons to appear in non-English
versions of Excel, and so it has worse effects than the macro virus
itself. Again this applies to Windows emulation; however, most
virus protection and detection products are only tested in an
English language environment, and may cause problems on non-English
systems. [Thanks to Eric Hildum for this information.]

Windows 95 users should be aware that SCANPROT is not recommended
for use with MS Word 7.0a for Windows with internal detection
enabled, as these two tools will cancel each other out.

Office 98 moves the goalposts again. This issue will probably
be addressed again here in more depth. In brief, Office 98
does a better job of implementing a primarily generic approach
[i.e. "If it contains macros, it's suspicious: sort it out
yourself...."], but whether this is enough is a question
demanding more space and time than I have to spare right now
[DH].

Microsoft's home page has recommended using an ICSA-certified antivirus
utility and sidesteps any hint of responsibility for any macro virus
or SCANPROT related problems.

Two caveats: (1) not everyone is happy with the current implementation
of ICSA (NCSA) certification, and (2) ICSA certification is not at
present Mac-aware.

8.2 Disinfectant

[On May 6th 1998, John Norstad, author of this widely-used
freeware package announced that it was to be retired. 3.7.1
is the latest and last version, and it won't be updated to
detect AutoStart 9805 or any subsequent Macintosh malware.
The main reason for this is that he doesn't have the
resources to extend its capabilities to detect macro viruses,
which have become by far the most significant virus problem
for most Macintosh users.

This is probably a wise decision, given the number of people
who still overestimate the effectiveness of the package in
the face of the macro virus threat. However, the entire
Macintosh community owes John Norstad a debt of gratitude for
making it freely available for so long, an act of altruism
which has probably contributed very significantly to the
comparative rarity of native Macintosh viruses.]

Disinfectant was an excellent anti-virus package with
exemplary documentation, and didn't cost a penny: however,
it didn't detect all the forms of malware that a commercial
package usually does, including HyperCard infectors, most
Trojans, jokes or macro viruses. Unlike some commercial
packages, it didn't scan compressed files, either:
compressed files had to be expanded before scanning.
Self-extracting archives were probably best scanned before
unpacking, then again when unpacked.

Disinfectant has been available up to now from the following
sources, but this may not continue to be the case:

ftp://ftp.acns.nwu.edu/pub/disinfectant/
CompuServe
GEnie
America Online
Calvacom
Delphi
BIX
Info-Mac mirrors in the ../vir/ directory

The Disinfectant README was updated to README-IMPORTANT on 6 May 1998,
with the message, "because of the widespread and dangerous Microsoft
macro virus problem," "...All Disinfectant users should switch..." to
another program.
ftp://ftp.nwu.edu/pub/disinfectant/README-IMPORTANT
There is an updated copy of the retirement announcement on the Web:
http://charlotte.acns.nwu.edu/jln/d-retire.ssi


8.3 Fully-functioning Demo Software

A 30-day evaluation version of VirusScan is available from
Network Associates:
http://www.nai.com/download/eval/eval.asp

++ Disinfector 1.0 is described by its author as shareware.
However, it's strictly speaking a limited-runtime demo
-- it stops functioning after 20 trial runs on one
system. It's described as a beta release, but the author
expects users to register it at a charge of $30 [subsequently
reduced to $15]: in return, they get a version which can be used
an unlimited number of times. It only detects a handful of Mac
system viruses which the author claims commercial vendors do not
detect, and which have not been reported in the wild.
In the early days of virus/antivirus technology, a number of
utilities were made available which addressed only one or a
few viruses, and a proliferation of free AutoStart worm
detectors continues that honourable tradition. However,
charging for this particular utility puts it into the same arena
as the commercial scanners which detect a far wider range of
threats and for which full support is available, an area in
which it cannot at present compete.

Disinfector was briefly available at info-mac, but has since
been removed.

There have also been a number of proposals since John
Norstad announced the retirement of Disinfectant,
suggesting that if the code was made public, it would be
possible to maintain and further develop Disinfectant,
possibly still as a freeware product. This is misguided,
for a number of reasons.

* It misses one of the main points of Norstad's
announcement, which is to acknowledge the dangers of
continuing to develop a scanner which detects only one
class of virus, when so many people have laboured so
long under the misapprehension that it was a complete
solution.
* Disinfectant -has- been developed further. VirusScan is
based on Disinfectant technology (under licence), and
NAI are in a much better position to develop it as
commercial-grade software than a group of well-meaning
individuals without the specialised skills and
resources of a mainstream anti-virus development team.
Indeed, it may be that the terms of that agreement would
prevent Norstad from making the code public even if he
wanted to (I doubt that he does....).
* Making the code public, even to a limited circle, would
increase the chances of its falling into irresponsible
hands. In fact, the online documentation has long
stated that the code for the detection engine is not
available, though some of the interface code was. (I'm
paraphrasing from memory: I may well check out exactly
what it says for the next update of the FAQ.)
* To think that a committee of well-intentioned amateurs
(or a single ambitious amateur) can develop Disinfectant
to the same high standard that it achieved through its
lifetime demonstrates a profound underestimation of the
difficulties of maintaining (let alone creating) a
first-class known-virus scanner. [DH]


8.4 Other freeware/shareware packages

For other freeware/shareware Mac packages, try
Info-Mac mirrors like:

ftp://ftp.ucs.ubc.ca/pub/mac/info-mac/vir/

The University of Texas holds some older documentation on
Mac viruses.

http://wwwhost.ots.utexas.edu/mac/pub-mac-virus.html

Gatekeeper was not a scanner, but a generic tool. It is no
longer supported by its author, but is still available on
some sites. It is probably not safe to use or rely on with modern
systems, and I believe the author recommends that people
don't attempt to use it, though I've been unable to
contact him to get confirmation.

In January 1997 Padgett Peterson, author of the PC utility
DiskSecure, released the first version of his MacroList macro
detection tool, which has been tested by the author on
Macs (System 7.5 on SE/30, IIci and PowerMac) as well as
Windows PCs, using considerably more macro viruses than
Microsoft seem to have heard of..... The MacroList
template is accessed by a button in the standard toolbar.
This is not a virus scanner, but allows disabling of
automacros, listing of any macros found in the current
document etc. Version 1.10 was due for release by the time of
writing (February 1997), and an adaptation for Office97
is in progress. Watch the Web page for further details.

[v1.1 and the Office 97 "late beta" were available
as at 18th March 1997.]

http://www.freivald.org/~padgett/

(under Anti-Virus Hobby) - NB change of URL.

MacroList is freeware, but please be sure to read the
TRIALS link.

The following free programs may remove AutoStart 9805 and its
B, C, D, and E variants and may be useful in the absence of a
commercial application. There are a few reported instances of
failures by some of these programs to identify or remove the
++ AutoStart worms, and it is likely that D might be mis-identified
as C, and E may be mis-identified as the original worm. [SL]
WormScanner 1.0.1 by James W. Walker
http://members.aol.com/jwwalker/pages/worm.html
Innoculator 1.0.1 by MacOffice
http://www.macoffice.com/innoculator.htm
WormFood 1.2.2 by Doug Baer
http://hyperarchive.lcs.mit.edu/cgi-bin/NewSearch?key=WormFood
Eradicator 1.0.3 with update, by Uptown Solutions Ltd.
http://www.uptown.com/ or try HKMUG at http://www.hkmug.org.hk/


As stated above, one-shot solutions to a very small subset of
a particular class of threat have a long and honourable history,
and are very welcome when a new threat catches the antivirus
developers on the hop (it can take some time to incorporate
detection of new threats into the product update cycle). NB The
maintainers do not have the time or resources to do full
detection testing of these products or any other. [DH]

8.5 Commercial packages

Commercial packages include NAVM (Norton AntiVirus for Macintosh)
[NAVM supersedes SAM (Symantec Antivirus for Macintosh)],
Virex for Macintosh, McAfee (Network Associates) VirusScan, Rival,
and Dr. Solomon's Anti-Virus Toolkit for Macintosh.

Norton AntiVirus for Macintosh (NAVM) launched May 18, 1998.
New features include LiveUpdate virus definition updates over the
Internet, enhanced macro virus protection, automatic file repair,
a bootable CD-ROM for emergencies, faster scanning for PPC, and a
universal SafeZone.

VirusScan version 3.0 features a new user interface, enhanced
macro virus scanning, text-to-speech, improved performance, and
system administrator support for email notification, customized
distribution, and Novell NetWare. VirusScan 3.0 is Mac OS 8 and
System 7 compatible. A fully-functional 30-day evaluation copy can
be downloaded from the Network Associates-McAfee Web site. At the
time of writing, current virus definitions were available for the
2.1.8 and 3.0 scanning engines.
VirusScan direct purchase and download:
http://www.mcafeemall.com/mall/mcafee/vsmacxfact.html

NAVM, SAM, and Virex offer checksumming/integrity checking
(detecting possible infection by unknown viruses, by monitoring
changes in infectable files) - the correct checksums or
fingerprints for individual files are kept in a database file.
All three applications check files compressed with StuffIt.

NAVM, formerly SAM, is particularly oriented towards behaviour
blocking: the Intercept tool can be configured to raise an alert
at the slightest whiff of a 'suspicious' operation. Unfortunately,
this can be counterproductive in real life, since an over-stringent
alert policy is apt to result in the facility being turned off
altogether. However, configuration is very flexible.

[SAM Intercept 4.5.x requires a 4.5.3 update to resolve
a compatibility issue with Microsoft Office 98, and Segment
Loader errors when Intercept loads.
http://service.symantec.com/sam/
++ http://service1.symantec.com/SUPPORT/num.nsf/docid/19978714255
SAM application Minimum and Preferred memory allocations must
be increased from their shipping defaults to 5000K or greater.
The (May 1998) SAM definitions files included a Read Me
with instructions. More information may be available from
Symantec SAM support on the Web.]

++ Symantec issued a Norton AntiVirus 5.0.1 patch, resolving the
Mac OS 8.1 disk corruption problem for HFS volumes.
http://www.symantec.com/nav/nmac501.html

Virex offers very fast scanning, is easy to update, and
includes checksumming for the detection of unknown viruses.
It's also possible to buy an administration package. The
basic package includes a control panel for scanning on
file or diskette access which can be locked independently
of the administration package. Installation and interface
are easy and efficient. Virex 5.8 scans ZIP archives, has
a contextual menu plug-in module, and interface enhancements.

Dr Solomon's Software acquired Virex and netOctopus from
Datawatch Corporation on 10-Oct-97. http://www.drsolomon.com/
Updates and other services are now provided by Dr Solomon's.
Virex and Virex Administrator have these new home pages:
http://www.drsolomon.com/products/virex/index.cfm
http://www.drsolomon.com/products/vadmin/index.cfm

Dr. Solomon's for Macintosh has the unusual capacity for
detecting (not cleaning) PC boot-sector viruses on DOS
floppies, which could be very useful in a mixed
environment. Also unusually, it now detects the EICAR
test 'virus', though this program (which basically
simulates a simple overwriting virus) can't execute under
Mac OS (except where a PC emulator is in use). For more
information on the EICAR test virus, visit
http://www.eicar.com/
FindVirus for Mac doesn't detect viruses in compressed
files (oddly, since this is one of the strengths of the
DOS/Windows version). Nor does the product include
checksumming. The manual is a bit sloppy, especially the
virus descriptions: for instance, there's no indication
that Frankie doesn't affect real Macs, only emulators.
Terminology is a bit idiosyncratic, too: the frequent
references to 'link' viruses are rather non-standard. The
MacGuard control panel scans on file access, launch of
INITs etc. [NB: my copy of the manual is now rather
elderly, and the criticisms above may not apply with the
current edition. - DH]

Dr. Solomon's for Macintosh and Virex, now also under the
wing of Dr. Solomon's Software, are in the process of
converging towards a single product incorporating the
technology from both original products. At present, the
likelihood is that Dr. Solomon's Toolkit for Macintosh
will eventually be discontinued in favour of a hybridized
version of Virex, but the imminent purchase of Dr.
Solomon's by Network Associates may affect this scenario
in the long term.

Dr. Solomon's, VirusScan, Virex and SAM all address a
full range of threats, including Trojans and macro
viruses, and can do scheduled scanning as well as
on-access (memory-resident) scanning.

MacInTouch mentioned that Rival 3.0 is available from Intego.
http://www.intego.com/
There is an attractive French language evaluation control panel,
"miniRival," (limited demo) untested as yet at time of writing.
An English language version of Rival may soon be released.

Sophos, who supply the Sweep scanner for PCs etc., do not have
a stand-alone Macintosh scanner, but do have a Macintosh client
version of their InterCheck technology. This runs as an extension
and communicates with the InterCheck server when an application
is run on the client machine.


8.6 Contact Details

Network Associates, McAfee (for VirusScan).

Network Associates Corporate Headquarters
2805 Bowers Avenue
Santa Clara, CA 95051
United States
Customer Care:
Voice +1 408 988 3832
Fax +1 408 970 9727
Fax-back automated response system
+1 408 988 3034
BBS +1 408 988 4004
America Online keyword: MCAFEE
CompuServe: GO MCAFEE
sup...@nai.com
ftp://ftp.nai.com/pub/antivirus/mac/
http://www.nai.com/

Dr. Solomon's Software Ltd.
(for Dr. Solomon's AntiVirus ToolKit and Virex)

Alton House
Gatehouse Way
Aylesbury
Buckinghamshire HP19 3XU
United Kingdom
UK Support: sup...@uk.drsolomon.com
US Support: sup...@us.drsolomon.com
UK Tel: +44 (0)1296 318700
USA Tel: +1 781-273-7400, 1-888-DRSOLOMON
CompuServe: GO DRSOLOMON
Web: http://www.drsolomon.com
FTP: ftp://ftp.drsolomon.com

Symantec Corporation (for NAVM and SAM)

10201 Torre Avenue
Cupertino CA 95014
United States
+1 408 725 2762
Fax: +1 408 253 4992
US Support: 541-465-8420
AOL: SYMANTEC
European Support: 31-71-353-111
Australian Support: 61-2-879-6577
http://www.symantec.com/
ftp://ftp.symantec.com/

Intego (for Rival)

10, rue Say
75009 Paris
France
+33 1 49 95 07 80
Fax: +33 1 49 95 07 83
Email: ri...@intego.com
http://www.intego.com/

Sophos plc (for SWEEP)

The Pentagon
Abingdon
Oxon
England OX14 3YP
http://www.sophos.com/


9.0 Welcome Datacomp
----------------

From time to time there are reports from Mac users that the
message 'Welcome Datacomp' appears in their documents without
having been typed. This is the result of using a Trojanised
3rd-party Mac-compatible keyboard with this 'joke' hard-coded
into the keyboard ROM. It's not a virus - it cannot infect
anything. The only cure is to replace the keyboard (be polite but
firm with the dealer if you were sold this as a new keyboard!).

10.0 Hoaxes and myths
----------------

Some of these are PC-specific, rather than Mac-specific, while
some have no basis in reality on any system. [I look forward to
hearing about the first Turing machine infector....] They are
included here (a) because Mac support staff are accustomed to
being asked about them (b) because anything that -might- work
on a real PC -might- also work with DOS emulation, in principle.

10.1 Good Times virus

There is *no* Good Times virus that trashes your hard
disk and launches your CPU into an nth-complexity binary
loop when you read mail with "Good Times" in the
Subject: field.

You can get a copy of the latest version of Les Jones' FAQ
on the Good Times Hoax on the World Wide Web:
http://www.public.usit.net/lesjones/goodtimes.html

There's a Mini-FAQ available as:
http://www.public.usit.net/lesjones/gtminifaq.html


10.2 Modems and Hardware viruses
There is no modem virus that spreads via an undocumented
subcarrier - whatever that means.... There is no virus
that causes damage to hardware.

10.3 Email viruses
Any file virus can be transmitted as an E-mail attachment.
However, the virus code has to be executed before it
actually infects. Sensibly configured mailers and browsers
don't allow this: check yours. In particular, check that
your Web browser doesn't automatically pass Word documents
to Word 6 to open, since this may result in embedded macros
being launched.

10.4 JPEG/GIF viruses
There is no known way in which a virus could sensibly be
spread by a graphics file such as a JPEG or .GIF file,
which does not contain executable code. Macro viruses work
because the files to which they are attached are not 'pure'
data files.

10.5 Hoaxes Help

If you should receive a virus warning, look at these sites
before forwarding it along. In fact, it's probably never
justified to pass on a virus alert indiscriminately, and
reputable antivirus companies don't do this. The information
that such and such a virus exists is not, in itself, useful
to the average computer user, even if it does exist. A
statement like, "Please forward to everyone!" is one mark of
a hoax.

Computer Virus Myths home page
http://www.kumite.com/myths/

CIAC
http://ciac.llnl.gov/ciac/CIACHoaxes.html

Data Fellows
http://www.datafellows.com/news/hoax.htm

Corporates who haven't sorted out their hoax management
strategy might get some mileage out of my mini-paper on
"Dealing with Internet Hoaxes", though it's getting a
bit long in the tooth. It is, however, one of the few
papers on the subject which deals with it from an
administrator's/manager's point of view as well as from
an everyday user/victim's. [DH]

http://webworlds.co.uk/dharley/


11.0 Glossary
--------

* Change Detectors/Checksummers/Integrity Checkers - programs that
keep a database of the characteristics of all executable files on
a system and check for changes which might signify an attack by
an unknown virus.
* Cryptographic Checksummers use an encryption algorithm to lessen
the risk of being fooled by a virus that targets that particular
checksummer.
* Dropper - a program that installs a virus or Trojan, often
covertly.
* Generic - catch-all name for antivirus software that doesn't
know about individual viruses, but attempts to detect viruses
by detecting virus-like code, behaviour, or changes in files
containing executable code.
* Heuristic scanners - scanners that inspect executable files for
code using operations that might denote an unknown virus.
* Monitor/Behaviour Blocker - a TSR that monitors programs while
they are running for behaviour which might denote a virus.
* Scanner (conventional scanner, command-line scanner, on-demand
scanner) - a program that looks for known viruses by checking for
recognisable patterns ('scan strings', 'search strings',
'signatures') or using a more flexible algorithmic approach for
detection of polymorphic viruses, which can't be found by a
search for a simple scan string. Polymorphic viruses are not
usually associated with the Macintosh platform, but there are
Word macro viruses which exhibit mutation.
* Trojan (Trojan Horse) - a program intended to perform some covert
and usually malicious act that the victim did not expect or want.
It differs from a destructive virus in that it doesn't reproduce,
(though this distinction is by no means universally accepted).
* Virus - a program (a block of executable code) that attaches
itself to, overwrites or otherwise replaces another program in
order to reproduce itself without the knowledge of the computer
user. Most viruses are comparatively harmless, and may be present
for years with no noticeable effect: some, however, may cause
random damage to data files (sometimes insidiously, over a long
period) or attempt to destroy files and disks. Others cause
unintended damage. Even benign viruses (apparently non-destructive
viruses) cause significant damage by occupying disk space and/or
main memory, by using up CPU processing time, by introducing
the risk of incompatibilities and conflicts, and by the time and
expense wasted in detecting and removing them.
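The Change Detector and Cryptographic Checksummer entries above describe the mechanism but not what "fooled by a virus that targets that particular checksummer" looks like in practice. The following is an added example, not code from this FAQ or from any product it mentions; the file names, contents and key are constructed. It runs the same simulated infection against a database of plain CRC-32 checksums and against one of keyed HMAC-SHA256 digests: a virus that knows the algorithm can rewrite the plain database entry after infecting, but cannot compute the keyed value without the key.

```python
"""Change detection with plain vs. keyed fingerprints.

Added example, not from the FAQ. 'Files' are an in-memory dict of
constructed byte strings standing in for the executables a checksummer
would watch. A plain checksum can be recomputed by anything that can read
the algorithm, so a virus written against this checksummer can update the
database after infecting. A keyed digest can only be recomputed with the
key, so the same attack leaves a mismatch.
"""
import hashlib
import hmac
import zlib

# Constructed demo key. It must live somewhere the virus cannot read.
CHECKSUM_KEY = b"constructed-demo-key-keep-off-the-watched-volume"

# Constructed sample "executables": name -> contents
SAMPLE_FILES = {
    "System Folder:Finder": b"\x60\x00\x01\x00" + b"FINDER-CODE" * 40,
    "System Folder:System": b"\x4e\x56\x00\x00" + b"SYSTEM-CODE" * 40,
    "Applications:SimpleText": b"\x4e\x75" + b"SIMPLETEXT" * 20,
}


def plain_fingerprint(data):
    """Unkeyed checksum: anyone with the data can recompute it."""
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)


def keyed_fingerprint(data, key=CHECKSUM_KEY):
    """Keyed digest: recomputing it requires the key as well as the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_database(files, fingerprint):
    """Baseline: size and fingerprint of every watched file."""
    return {name: (len(data), fingerprint(data)) for name, data in files.items()}


def verify(files, database, fingerprint):
    """Return names whose size or fingerprint no longer matches, and names
    missing from the database (a new executable is suspicious too)."""
    changed = []
    for name, data in files.items():
        if database.get(name) != (len(data), fingerprint(data)):
            changed.append(name)
    return changed


def infect(files, name, payload=b"\x60\x00\x00\x40VIRUS-STUB"):
    """Simulate a prepending file infector; returns a new files dict."""
    infected = dict(files)
    infected[name] = payload + files[name]
    return infected


def fool_checksummer(database, files, name):
    """Simulate a virus that targets this checksummer: it rewrites the stored
    entry with the values it is able to compute (size and plain CRC)."""
    forged = dict(database)
    forged[name] = (len(files[name]), plain_fingerprint(files[name]))
    return forged


def run_scenario(target="System Folder:Finder"):
    plain_db = build_database(SAMPLE_FILES, plain_fingerprint)
    keyed_db = build_database(SAMPLE_FILES, keyed_fingerprint)
    infected = infect(SAMPLE_FILES, target)
    # A virus that ignores the checksummer is caught either way.
    naive_plain = verify(infected, plain_db, plain_fingerprint)
    naive_keyed = verify(infected, keyed_db, keyed_fingerprint)
    # A virus that knows the checksummer forges the database entry. Without
    # the key it can only store a CRC, which the keyed check rejects.
    forged_plain = fool_checksummer(plain_db, infected, target)
    forged_keyed = fool_checksummer(keyed_db, infected, target)
    return {
        "naive_plain": naive_plain,
        "naive_keyed": naive_keyed,
        "targeted_plain": verify(infected, forged_plain, plain_fingerprint),
        "targeted_keyed": verify(infected, forged_keyed, keyed_fingerprint),
    }


if __name__ == "__main__":
    for scenario, flagged in run_scenario().items():
        print("%-15s flagged: %s" % (scenario, flagged or "nothing"))
```

The keyed checker only helps if the key is kept where the virus cannot read it (for a 1998 Macintosh, a locked floppy rather than the System Folder); a key stored next to the database gives the attacker everything needed to forge entries. Note also that verify reports files that are missing from the database, so a virus that deletes the entry instead of forging it is still flagged.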

12.0 General Reference Section
-------------------------

12.1 Mac newsgroups and FAQs

comp.sys.mac.apps
comp.sys.mac.comm
comp.sys.mac.misc
comp.sys.mac.system

comp.virus
alt.comp.virus

The focus of these two groups tends to be IBM-compatible,
but Mac issues are certainly aired. Alt.comp.virus is
unmoderated, and the quality of the advice and opinions
aired there is very variable - there are many reputable and
expert posters, and many mischievous and misleading
contributions. Caveat lector....

12.2 References

Sensei Consulting Macintosh WAIS Archives
http://wais.sensei.com.au/searchform.html

"Inside the Apple Macintosh" - Peter Norton & Jim Heid
(Brady) (The 2nd Edition is pre-PowerMac, and I haven't
seen a later one, but there's some surprisingly useful
stuff in there).

"Inside Macintosh" (Addison Wesley).
Essential reading for Mac programmers. (Umpteen volumes of
fairly low-level info. Expensive (in the UK, at any rate),
and whenever you get near some useful info, it refers you
to one of the volumes you haven't got. However, the series
has been re-vamped since I acquired my copies, and this may
be less than just. It's possible to download them in
Acrobat and in some cases other formats from:
http://devworld.apple.com/
where you can also order hardcopy and CD versions.
Lots of other useful files etc.

"Power Macintosh Emergency Handbook" (Apple Computer)
ftp://ftp.info.apple.com/Apple.Support.Area/Manuals/PMac_Emergency_Handbook.pdf

MacFixIt "Troubleshooting for the Macintosh"
http://www.macfixit.com/

"Sad Macs, Bombs and other Disasters"
Ted Landau (Addison Wesley)
http://www.macfixit.com/sadmacs3promo.html

MacInTouch home page (info and services)
http://www.macintouch.com/

MacWEEK.com
http://www.macweek.com/
++ Have run three MacInTouch columns about the AutoStart worms.
Macworld magazine
http://www.macworld.com/
TidBITS
http://www.tidbits.com/
Have done many good articles on Mac/macro virus issues.

13.0 Mac troubleshooting
------------------------

Since the initial release of this document, a number of people
have E-mailed me asking for help with a possibly virus-related
problem. While I'll always help if I can, I should point out that
(1) I'm an experienced Mac user and an IT support professional,
but I don't claim to be a Mac expert, and (2) pressure of work,
other commitments and a huge E-mail turnover mean that I can't
promise a quick or in-depth response [DH]. Whether you mail direct or
post to a relevant newsgroup, it's helpful if you can supply a
few details, such as:

* Which model of Macintosh you're using. It may be useful to
know how much RAM it has, the size of the hard disk, and any
peripherals you're using.
* Which version of MacOS you're using.
* Which applications you're using, and which version. If you're
using Word, it may be critical to know whether you're
using version 6 or later, or an earlier version.
* Which, if any, antivirus packages you use, and what version
number. If you're using Disinfectant, for instance, are you
using version 3.7.1?
* List any error messages or alerts that have appeared.
* List any recent changes in configuration, additional hardware
etc.
* List any diagnostic/repair packages you've tried, and the
results.
* List any other steps you've taken towards determining the cause
of the problem and/or trying to fix it, e.g. rebuilding the
desktop, booting without extensions, zapping PRAM etc.

Here are a few steps that it might be appropriate to try if virus
scanning with an up-to-date scanner finds nothing. This section will
be improved when and if I have time.

Rebuilding the desktop is by no means a cure-all, but rarely does
any harm. It may be worth disabling extensions when you do this,
especially if the operation doesn't seem to be completed
successfully.

To disable extensions, restart the machine with the Shift key
held down until you see an "Extensions Off" message. If you're
rebuilding the desktop, release the Shift key and hold down
Command (the key with the Apple outline icon) and Option (alt)
until you are asked to confirm that you want to rebuild.

Disabling extensions is also a good starting point for tracking
down an extensions conflict. If booting without extensions
appears to bypass the problem, use Extensions Manager (System
7.5) to disable extensions one at a time: disable one, reboot
with it off, then re-enable it before disabling the next one.
Remember that if disabling one extension stops the problem, it's
still worth putting it back and trying all the others in turn, to
see whether you can find a second extension it's conflicting
with. Extensions Manager also lets you disable control panels. If
you don't have Extensions Manager, try Now Utilities or Conflict
Catcher.
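The two passes above (disable one at a time to find a suspect, then keep the suspect loaded and disable the others to find its partner) are a search over the set of loaded extensions, with each reboot acting as a yes/no test. The following Python model is an added example, not part of the FAQ or of any Apple or Casady & Greene software: a real Mac is replaced by a `problem(enabled)` oracle that stands for one reboot with exactly that set of extensions loaded, the extension names are made up, and the conflict between "Foo" and "Bar" is constructed for the example. It runs the FAQ's manual procedure and, alongside it, the halving strategy that conflict-isolation utilities such as Conflict Catcher automate, and counts the reboots each one costs.

```python
"""Model of extension-conflict isolation (added example, not from the FAQ).

`problem(enabled)` plays the part of one reboot with the given set of
extensions loaded and returns True if the fault appears. Extension names
and the Foo/Bar conflict below are constructed for the example.
"""

SAMPLE_EXTENSIONS = ["AppleShare", "Foo", "QuickTime", "Bar",
                     "ColorSync", "Speech", "FileSharing", "Sound"]


def make_machine(conflict_pairs=(), solo_culprits=()):
    """Return (problem, reboots): the reboot oracle and a one-element list
    that counts how many reboots a search has cost so far."""
    pairs = [frozenset(p) for p in conflict_pairs]
    culprits = frozenset(solo_culprits)
    reboots = [0]

    def problem(enabled):
        reboots[0] += 1
        loaded = frozenset(enabled)
        # Fault if any solo culprit is loaded, or a whole conflicting pair is.
        return bool(loaded & culprits) or any(p <= loaded for p in pairs)

    return problem, reboots


def isolate_one_at_a_time(extensions, problem):
    """The FAQ's first pass: disable one extension, reboot, put it back,
    move on. Returns the first extension whose removal clears the fault."""
    for ext in extensions:
        if not problem(set(extensions) - {ext}):
            return ext
    return None


def find_partner(extensions, suspect, problem):
    """The FAQ's second pass: with the suspect loaded again, disable each
    of the others in turn. Returns None if the suspect faults on its own."""
    if problem({suspect}):
        return None
    for other in extensions:
        if other != suspect and not problem(set(extensions) - {other}):
            return other
    return None


def bisect_culprits(extensions, problem, keep=frozenset()):
    """Halving strategy: return the minimal set (one or two extensions)
    that reproduces the fault when loaded together with `keep`.
    Caller must already have seen problem(set(extensions) | keep) == True."""
    exts = list(extensions)
    if len(exts) == 1:
        return exts
    half_a, half_b = exts[:len(exts) // 2], exts[len(exts) // 2:]
    if problem(set(half_a) | keep):
        return bisect_culprits(half_a, problem, keep)
    if problem(set(half_b) | keep):
        return bisect_culprits(half_b, problem, keep)
    # Neither half faults alone, so the conflict spans both halves:
    # pin one half while searching the other, then pin what was found.
    from_a = bisect_culprits(half_a, problem, keep | frozenset(half_b))
    from_b = bisect_culprits(half_b, problem, keep | frozenset(from_a))
    return from_a + from_b


def diagnose(extensions, conflict_pairs=(), solo_culprits=()):
    """Run both strategies against identical simulated machines and report
    what each found and how many reboots it needed."""
    problem, reboots = make_machine(conflict_pairs, solo_culprits)
    if not problem(set(extensions)):
        return {"reproducible": False}
    suspect = isolate_one_at_a_time(extensions, problem)
    partner = find_partner(extensions, suspect, problem) if suspect else None
    manual = sorted(x for x in (suspect, partner) if x)
    manual_reboots = reboots[0]

    problem, reboots = make_machine(conflict_pairs, solo_culprits)
    problem(set(extensions))  # confirm the fault with everything loaded
    halving = sorted(bisect_culprits(extensions, problem))
    return {"reproducible": True,
            "manual": manual, "manual_reboots": manual_reboots,
            "halving": halving, "halving_reboots": reboots[0]}


if __name__ == "__main__":
    print(diagnose(SAMPLE_EXTENSIONS, conflict_pairs=[("Foo", "Bar")]))
```

With a small extension set the halving strategy is not necessarily cheaper than the manual pass, since a two-way conflict forces it to pin one half while searching the other; its advantage grows with the number of extensions, which is exactly the situation in which doing it by hand becomes tedious. Both strategies assume the fault reproduces reliably on every reboot; an intermittent problem defeats any such search.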

Parameter RAM (PRAM) contains system information, notably the
settings for a number of system control panels. 'Zapping' PRAM
returns possibly corrupt PRAM data to default values. A likely
symptom of corrupted PRAM is a problem with the date and time
(though this could also be a symptom of a corrupted System file).
With System 7, hold down Command-Option-P-R at bootup until the
Mac beeps and restarts. You may have to restore your changes to
some control panels before your system works properly. If the
reset values aren't retained, the battery may need replacing.


--
End "Viruses and the Macintosh" version 1.5g by David Harley