-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
AutoStart 9805 Macintosh Worm Virus
July 6, 1998 16:00 GMT Number I-067
______________________________________________________________________________
PROBLEM: CIAC has become aware of several instances world-wide where the
Autostart 9805 worm virus is spreading itself among PowerPC
systems running MacOS or later versions. Autostart 9805
spreads itself through mounted HFS or HFS+ volumes, overwrites
some data files and produces denial-of-service symptoms
(excessive disk and network activity).
PLATFORM: Macintosh PowerPC running MacOS or later.
DAMAGE: Adds invisible files to all disk partitions, causes excessive
network traffic, causes excessive disk access activity,
overwrites some data files.
SOLUTION: Purchase or upgrade to the most current anti-virus software or
follow the instructions in the Removal and Recovery section.
______________________________________________________________________________
VULNERABILITY The Autostart 9805 worm virus has infected hosts in numerous
ASSESSMENT: locations throughout the world.
______________________________________________________________________________
The Macintosh world has been largely free of new Mac-specific viruses
and their kin over the past few years. The last real virus to emerge
was in April of 1994, when the INIT-29-B virus appeared. In 1995, we
saw the Hypercard HC-9507 virus appear, and the first Microsoft Word
macro virus. Thereafter, except for residual infections of old
viruses, the only worrisome Macintosh-specific malware for almost 3
years has been macro viruses of Microsoft software. (Contrast this
with as many as ten thousand new viruses for that other PC platform in
the same time period.)
Our respite has ended for the time-being.
New Macintosh Worm Discovered (Autostart 9805)
4 May 1998
Virus: Autostart 9805
Damage: Adds invisible files to every disk partition and periodically
causes extensive disk activity (and network activity if
network disks are mounted). Will overwrite some data files
with random data.
Spread: PowerPC systems running the MacOS or later
and with mounted HFS or HFS+ volumes. Initial infection
usually requires QuickTime 2.0 or above installed.
====
Autostart-9805 is technically a worm program. It does not change any
existing program or file to spread itself. Instead, it copies itself
to other disk partitions so that it becomes active on other systems.
The first reported appearances of this software were in Hong Kong, and
it has spread very rapidly among the desktop publishing (DTP)
community there.
The worm can be transmitted via almost any HFS or HFS+ disk volume,
including floppy disks, most removable cartridge drives, MO disks,
CD-WORM disks, hard disks and even disk images. The code requires a
PowerPC-based system running MacOS -- a 68K-based system will fail to
run the code. The worm will also spread across networks to any
mounted network file partition.
Infected disks contain an invisible application file named "DB" (type
'APPL', creator '????', with the "invisible" attribute set) in the
root directory, with autostart set. When the infected disk is mounted
on a PowerPC MacOS system running QuickTime 2.0 or later, the "DB"
application is launched automatically if the AutoStart feature is
enabled in QuickTime. It then copies itself to the Extensions folder
of the active System. It changes the name of the copy to "Desktop
Print Spooler" and the type to 'appe' (do NOT confuse this file with
the visible and legitimate "Desktop Printer Spooler" extension); the
worm file is also invisible, and when running is not shown in the
applications menu. It then restarts the computer system.
The worm, in the form of the invisible application in the extension
folder, is automatically launched whenever the computer system starts
up. About every thirty minutes, it examines the mounted volumes. If
any are not already infected, it attempts to infect them by copying
itself to the root directory (renamed back to "DB" and type 'APPL')
and setting up the AutoStart field in the boot block. Most writable
volumes are successfully infected. The notable exception is server
volumes, which do not have the necessary boot block fields for
AutoStart. The worm file is copied to writable server volumes, but it
does not get launched when the volume is mounted.
Note that once the extension version of the worm is in place, turning
off QuickTime makes no difference -- the virus will continue to load
and spread as a result of being activated at system boot time.
Damage
After checking the mounted volumes for infection, the worm begins
searching for certain files on each disk. Files ending with "data",
"cod", and "csa" (case insensitive) are targeted if the data fork is
larger than 100 bytes. Files ending with "dat" are targeted if they are
larger than about 2 Mbytes (resource + data forks). When a targeted file
is found, it is damaged by overwriting the data fork (up to approximately
the first 1 Mbyte) with garbage. The first byte is always set to zero,
and this serves as a flag to bypass the file on subsequent passes.
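The selection rules and the "first byte zero" skip flag described above are enough to triage a suspect or restored volume for files the worm would have hit. The script below is an added example, not part of the CIAC bulletin or of any vendor's tool. It assumes a POSIX directory tree; the resource fork, where one exists, is assumed to be readable at `path/..namedfork/rsrc` (as on macOS) and counts as empty elsewhere. It builds its own small sample tree (constructed data) so it runs offline.

```python
"""Triage files that AutoStart 9805 would have selected for overwriting.

Added example, not from the CIAC bulletin. It encodes the selection rules
quoted in the bulletin (name suffix + size) and the worm's "first byte zero"
done-flag, and reports candidates for restore-from-backup.
"""
import os
import tempfile
from typing import Dict

# Files ending in these suffixes are targeted when the data fork exceeds 100 bytes.
SMALL_TARGET_SUFFIXES = ("data", "cod", "csa")
SMALL_TARGET_MIN = 100
# Files ending in "dat" are targeted when data + resource forks exceed about 2 MB.
DAT_SUFFIX = "dat"
DAT_MIN = 2 * 1024 * 1024


def is_targeted(name: str, data_fork: int, resource_fork: int = 0) -> bool:
    """Apply the bulletin's selection rules; the suffix test is case-insensitive."""
    lname = name.lower()
    if lname.endswith(SMALL_TARGET_SUFFIXES):
        return data_fork > SMALL_TARGET_MIN
    if lname.endswith(DAT_SUFFIX):
        return data_fork + resource_fork > DAT_MIN
    return False


def resource_fork_size(path: str) -> int:
    """Assumption: on macOS the resource fork is readable at path/..namedfork/rsrc.
    On other systems (or when absent) the fork counts as empty."""
    try:
        return os.path.getsize(os.path.join(path, "..namedfork", "rsrc"))
    except OSError:
        return 0


def first_byte_is_zero(path: str) -> bool:
    """The worm zeroes byte 0 of each file it overwrote and uses that as its skip flag."""
    with open(path, "rb") as fh:
        return fh.read(1) == b"\x00"


def triage_tree(root: str) -> Dict[str, str]:
    """Map each targeted file (path relative to root) to 'marked' or 'intact'.

    'marked': the done-flag is present; treat the data fork as overwritten
              (up to ~1 MB of garbage) and restore it from backup.
    'intact': the file matched the selection rules but byte 0 is non-zero.
    """
    verdicts: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                data_fork = os.path.getsize(path)
            except OSError:
                continue
            if not is_targeted(fname, data_fork, resource_fork_size(path)):
                continue
            rel = os.path.relpath(path, root)
            verdicts[rel] = "marked" if first_byte_is_zero(path) else "intact"
    return verdicts


def build_sample_tree() -> str:
    """Constructed sample data: a temp dir with one hit, one survivor, two non-targets."""
    root = tempfile.mkdtemp(prefix="autostart-triage-")
    samples = {
        "Layout.COD": b"\x00" + b"\xa5" * 300,   # targeted, first byte zero -> 'marked'
        "notes.csa": b"A" * 300,                 # targeted, untouched      -> 'intact'
        "tiny.data": b"\x00" * 50,               # data fork <= 100 bytes   -> not targeted
        "readme.txt": b"\x00" * 500,             # wrong suffix             -> not targeted
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for rel, verdict in sorted(triage_tree(root).items()):
        print(f"{verdict:7s} {rel}")
```

Two caveats when reading the output. A leading zero byte is common in legitimate binary formats, so "marked" is a prompt to compare the file against a backup, not proof of damage. An "intact" file is still on the worm's list and will be hit on a later 30-minute pass if the resident copy has not been removed.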
Symptoms
The worm has numerous symptoms that make it reasonably easy to
identify:
1) The system unexpectedly restarts after mounting a diskette or other
volume. This will only happen when the initial infection occurs.
2) The "DB" application name flashes briefly in the menu bar when a disk
is mounted.
3) The presence of an invisible application file named "DB" on the root
of disk volumes, or the invisible "Desktop Print Spooler" file in the
extensions folder. Any file or disk utility program (such as ResEdit)
that shows invisible files in its file selection dialogs can be used to
check for the files. Be sure not to confuse the legitimate "Desktop
Printer Spooler" file with the worm.
4) A process named "Desktop Print Spooler" is found (use Process Watcher
or MacsBug).
5) Extensive, unexplained disk activity every 30 minutes.
Prevention
The risk of infection can be effectively eliminated by manually disabling
the AutoStart option in the QuickTime Settings Control Panel. This will
not help if the system is already infected. It will also not prevent
an infected Mac from creating the invisible "DB" files on any
partitions you share with them on a network.
Versions of QuickTime prior to 2.5 do not seem to have a way to
disable autoplay. You should disable QuickTime or upgrade to a
recent version if you have an old release.
Note: recent versions of QuickTime also have an "Enable Audio CD
AutoPlay" option. This option can be left on. Disabling the AutoStart
feature has no effect on the normal operation of QuickTime, so it can
be safely turned off.
Removal & Recovery
Most of the major anti-virus developers have prepared updates to their
software. The remaining vendors will undoubtedly have updates soon.
Users are *strongly* encouraged to run current, up-to-date anti-virus
software, and to regularly incorporate vendor-supplied updates.
In the absence of such software, you can remove the virus using the
following steps. However, you will need to restore damaged data files
from backups (you *do* make regular backups, don't you?).
1) Reboot your system with extensions off. (Reboot while pressing the
shift key.)
2) Start the Apple "Find File" utility. Use it to search all volumes
for files whose name is exactly "DB" and which are invisible. (To
select for visibility, hold down the option key when clicking on the
"Name" pop-up menu; use "more choices" to select both search
criteria.) Drag found files from the Find window to the trash.
3) Search again, for the "Desktop Print Spooler" file. Delete it
also. (Be sure to NOT delete the legitimate "Desktop Printer
Spooler"!!).
4) Empty the trash.
5) Open the "QuickTime Settings" control panel and disable autostart
unless there is some significant reason you need it.
6) Restart.
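The file check in symptom 3 and the two Find File searches in removal steps 2 and 3 can be scripted. The following is an added example, not code from the CIAC bulletin or from any anti-virus vendor. It assumes that Finder type, creator and flags are exposed through the com.apple.FinderInfo extended attribute (as on macOS today) and that an Extensions folder is any directory named "Extensions"; it only reports hits and leaves deletion to the manual steps above.

```python
"""Look for the AutoStart 9805 worm's on-disk indicators on mounted volumes.

Added example, not from the CIAC bulletin or any anti-virus vendor. It checks
the two artifacts the bulletin names: an invisible application "DB" (type
'APPL') at a volume root, and an invisible background application
"Desktop Print Spooler" (type 'appe') in an Extensions folder.
Assumption: Finder type/creator/flags are read from the com.apple.FinderInfo
extended attribute.
"""
import os
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FINDER_INFO_XATTR = "com.apple.FinderInfo"
K_IS_INVISIBLE = 0x4000          # kIsInvisible bit of the Finder flags word


@dataclass
class FinderInfo:
    file_type: bytes             # OSType, e.g. b"APPL"
    creator: bytes               # OSType, e.g. b"????"
    flags: int                   # fdFlags

    @property
    def invisible(self) -> bool:
        return bool(self.flags & K_IS_INVISIBLE)


def parse_finder_info(raw: bytes) -> FinderInfo:
    """Decode the leading FInfo fields: OSType type, OSType creator, UInt16 flags (big-endian)."""
    if len(raw) < 10:
        raise ValueError("FinderInfo record too short")
    file_type, creator, flags = struct.unpack(">4s4sH", raw[:10])
    return FinderInfo(file_type, creator, flags)


def match_indicator(name: str, at_volume_root: bool, in_extensions: bool,
                    info: FinderInfo) -> Optional[str]:
    """Return a reason if the entry matches one of the bulletin's indicators, else None.

    Exact-name comparison is deliberate: the legitimate extension is
    "Desktop Printer Spooler" and must not be flagged.
    """
    if name == "DB" and at_volume_root and info.invisible and info.file_type == b"APPL":
        creator_note = "" if info.creator == b"????" else f", creator {info.creator!r}"
        return "invisible 'DB' application at volume root" + creator_note
    if (name == "Desktop Print Spooler" and in_extensions and info.invisible
            and info.file_type == b"appe"):
        return "invisible 'Desktop Print Spooler' background app in Extensions"
    return None


def read_finder_info(path: str) -> Optional[FinderInfo]:
    """Read the FinderInfo xattr where the platform supports os.getxattr (macOS, Linux)."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return parse_finder_info(os.getxattr(path, FINDER_INFO_XATTR))
    except (OSError, ValueError):
        return None


def scan_volume(root: str) -> List[Tuple[str, str]]:
    """Walk one volume without following symlinks; return (path, reason) hits."""
    root = os.path.abspath(root)
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        at_root = os.path.abspath(dirpath) == root
        in_ext = os.path.basename(dirpath) == "Extensions"   # assumption: System Folder/Extensions
        for fname in files:
            path = os.path.join(dirpath, fname)
            info = read_finder_info(path)
            if info is None:
                continue
            reason = match_indicator(fname, at_root, in_ext, info)
            if reason:
                hits.append((path, reason))
    return hits


if __name__ == "__main__":
    import sys
    volumes = sys.argv[1:]
    if not volumes and os.path.isdir("/Volumes"):
        volumes = [os.path.join("/Volumes", v) for v in os.listdir("/Volumes")]
    for vol in volumes:
        for path, reason in scan_volume(vol):
            print(f"{path}: {reason}")
```

Run it with extensions off, as in step 1, and pass each mounted volume (including network shares, where the bulletin notes the "DB" copy is written but not launched). A volume whose filesystem carries no FinderInfo attribute produces no hits, which means "nothing to examine", not "clean". The AutoStart field in the boot block is not inspected here; disabling AutoStart in the QuickTime Settings control panel remains the preventive step.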
Commercial Updates
Tool: Disinfectant
Status: Freeware (courtesy of John Norstad and Northwestern Univ.)
Revision to be released: undecided
When available: undecided -- to be determined
Where to find: usual archives. Online at
Comments: Disinfectant does not scan for macro viruses, so it is
wise to obtain and use a commercial anti-virus tool. An
update may not be produced -- an announcement one way or the
other will be made soon.
Tool: Dr. Solomon's Anti-virus Toolkit
Status: Commercial
When available: unknown
Where to find: via the AVTK WWW page:
Tool: Network Associates VirusScan for the Mac
Status: Commercial
When available: unknown
Tool: SAM (Symantec Anti-virus for the Mac)
Status: Commercial
When available: soon
Where to find: via
Comments: Symantec is working on a solution and will be providing
one as soon as possible.
Tool: Virex
Status: Commercial
Version: 05_02_98 and later
When available: immediately
Where to find: via
Comments: All Virex Protection Service subscribers will
automatically receive updates.
Other info
One comprehensive and useful WWW page of anti-virus information can be
found at . A list of WWW-based anti-virus
resources may be found at
.
====
If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis. Such reports make early, informed
warnings like this one possible for the rest of the Mac community. If
you are otherwise unsure of who to contact, you may send e-mail to
as an initial point of contact.
Also, be aware that writing and releasing computer viruses or worms is
more than a rude and damaging act of vandalism -- it is also a
violation of many state and Federal laws in the US, and illegal in
several other countries. If you have information concerning the
author of this or any other damaging software, please contact your
anti-virus software vendor or your national law enforcement agency.
Several Mac virus authors have been apprehended thanks to the efforts
of the Mac user community, and some have received criminal convictions
for their actions. This is yet one more way to help protect your
computers.
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Gene Spafford for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
I-057: FreeBSD NFS Kernel Code Error
I-058: SunOS rpc.nisd Vulnerability
I-059: SUN ftpd Vulnerability
I-060: SGI IRIX OSF/DCE Denial of Service Vulnerability
I-061: SGI IRIX mediad(1M) Vulnerability
I-062: SGI IRIX BIND DNS named(1M) Vulnerability
I-063: RSI BSDI rlogind Vulnerability
I-064: SGI IRIX mail(1), rmail(1M), sendmail(1M) Vulnerabilities
I-065: SunOS ufsrestore Buffer Overflow Vulnerability
I-066: Vulnerability in Some Implementations of PKCS#1
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNaD+c7nzJzdsy3QZAQFptQP+PW3T/LoN6TEfLiO5cAoXf7tXtIE9r9qy
OzR7iezXNlRcwcfCeHGpszmgpc7yBNwXh+Cl0tbgA3Bripa8zYpCD8XAWevGs53U
zc51LOvQjybyyrQfkG3JR7osWx3FT11Eq2+M5Zqrsp43/GTjVKR5H3nFxMF/Cd0L
UduT7U/3v7M=
=1N2c
-----END PGP SIGNATURE-----