Classic Mac OS Viruses

Yes, there were viruses for the Classic Mac operating system. Not a lot, mind you, especially in comparison to the vastly more popular Microsoft Windows platform, but they did exist.

This page lists Macintosh viruses by their date of origin.

1987

  • nVIR A, B (AIDS, F**k, Hpat, Jude, kOOL, MEV#, nCam, nFlu, prod), Dec. 1987: Infects System 4.1 and higher as well as any open applications. It is not designed to cause damage, just to be a nuisance. It is spread by movng an infected program to another Mac by disk or network. After infection, nVIR does a countdown upon reboot. After 1000 restarts, it will beep during 1 of 8 System launches, and infected programs will boot 1 of 4 times they are run. If MacInTalk is installed, the infected computer may occasionally say “Don’t Panic”. Wikipedia states: “The source code to the original nVIR has been made widely available, and so numerous variants have arisen. Each variant causes somewhat different symptoms, such as: application crashes, printing errors on laser printers, slow system response time, or unpredictable system crashes.” Extant versions don’t cause intentional damage. Payload is either beeping or (nVIR A) saying “Don’t panic” if MacInTalk is installed, a reference to Douglas Adams’ Hitchhiker’s Guide to the Galaxy.

Variants

  • CLAP, designed to avoid detection by Disinfectant (Disinfectant 3.6 recognizes it)
  • nCAM
  • nVIR C, July 1991
  • nVIR-f
  • prod
  • zero

Further Reading

1988

  • MacMag (Aldus, Brandow, Drew, Peace), Feb. 1988: First distributed as a HyperCard stack on Compuserve and GEnie, this virus only infected System files and could spread from one bootable disk to another until 1988.03.02. It posted the message “RICHARD BRANDOW, publisher of MacMag, and its entire staff would like to take this opportunity to convey their UNIVERSAL MESSAGE OF PEACE to all Macintosh users around the world.” and then deleted itself on 1988.03.03
  • Scores (Eric, Vult, NASA, San Jose Flu) spring 1988: Infects System 6 and 7; damages System 6.0.4 and later. Creates an invisible file names Scores that runs at startup. It attaches itself to the Scrapbook File and Note Pad File, creating them if they don’t exist. aimed to attack two applications that were never generally released. It also infects the System file and every application run on an infected Mac. It can cause accidental damage – system crashes and problems printing or with MacDraw and Excel. Infects applications, Finder, DA Handler.
  • SevenDust (SevenD, MDEF 9806, MDEF 666, MDEF E, Graphics Accelerator), June 1998: A family of viruses which spread both through ‘MDEF’ resources and a System extension created by that resource. Some of these viruses cause no other damage, but MDEF 9806-B may erase all non-application files on the current volume on the sixth day of the month. The SARC encyclopedia calls MDEF 9806-C, “polymorphic and encrypted, no payload,” and MDEF 9806-D, “encrypting, polymorphic, symbiotic,” and says the symbiotic part, “alters a ‘WIND’ resource from the host application.” SevenDust E, not to be confused with the legitimate ATI driver “Graphics Accelerator”, began as a Trojan  released to Info-Mac and deleted in September 1998. Takes two forms, ‘INIT’ resource ID ’33’ in an extension named “\001Graphics Accelerator” and an ‘MDEF’ resource ID ‘1’ to ‘255’. Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any month, the virus will try to delete all non-application files on the startup disk. John Dalgliesh describes “Graphics Accelerator” on his Web page for AntiGax, a free anti-SevenDust E utility; any errors here in translation are not his. SevenDust F uses a trojan “ExtensionConflict”, common extensions names, and creator ‘ACCE’.[SL]
  • Init 29 (Init 29 A, B), June 1988: Spreads rapidly. Infects system files, applications (even those that are not running), and document files (document files can’t infect other files, though). May display a message if a locked floppy is accessed on an infected system ‘The disk “xxxxx” needs minor repairs. Do you want to repair it?’. No intentional damage, but can cause several problems – Multiple infections, memory errors, system crashes, printing problems, MultiFinder problems, startup document incompatibilities.
  • Code 9811 desktop (screen shot by Tommy Sandstrom)Code 9811, Aug. 1998: Infects open applications. Temporarily makes them invisible while creating an infected replacement program, then renames original apps with strange names like DPEVLZREEYO and BMQTKECNLI. It also attempts to find and delete antivirus software. The most obvious symptom of the virus is a screen that looks like trails left by 3 little yellow dots crawling around the screen – and red trails when they are in three rectangles that eventually become a red pi. Finally, the virus pops up amessage that reads “π You have been hacked by the Praetorians π”, a reference to the 1995 Sandra Bullock movie, The Net.

1989

  • Anti (Anti-A, Anti-Ange, Anti-B, Anti Variant), Feb. 1989: Only infects 400K and 800K floppies. Can cause damage under System 6.0.x when MultiFinder is not being used. Can only infect a single file with MultiFinder or System 7.x. Can be spread through email attachments. Can damage applications so that they can’t be repaired.
  • WDEF (WDEF A, WDEF B), Dec. 1989: Infects the Desktop file used by the Finder. Does not infect anything else. Not intended to cause harm. Spread through sharing disks, as every Mac disk includes a Desktop file. It is not necessary to run a program to spread this virus; simply mounting the disk is enough for it to infect the Desktop file of every disk mounted on the Mac. WDEF will cause the Mac IIci and Mac Portable to crash and can cause severe degradation of AppleTalk networks as it attempts to infect their Desktop files. Many reports of system crashes when saving if MultiFinder is active. Can damage disks and will make Macs with 8 MB of RAM crash.

1990

  • Zuc (A, B, C), Mar. 1990: Infects applications, doesn’t show itself for two weeks. The cursor moves diagonally and uncontrollably across the screen when the mouse button is held down when an infected application is run. No other intentional damage is done.
  • MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D), May 1990: This virus infects the MDEF resource of the System file and applications. It can crash the Mac 128K and 512K, although these models cannot spread it. It can also remove system menus. It is spread through system files and applications. Version D does not infect the System file and can damage program files beyond repair.

1991

  • none!

1992

  • MBDF (MBDF A, MBDF B, Tetricycle), Feb. 1992: Infects system files and applications and discovered because Claris programs include integrity checking code and report when they’ve been modified. Discovered infecting three games on many popular Internet sites: 10 Tile Puzzle, Obnoxious Tetris, and Tetricycle (or tetris-rotating). Not malicious, but it can cause accidental damage to the System file if the computer is restarted while it is infecting the System file (as it takes a long time to do this and the Mac appears to hang up duirng the process, this isn’t uncommon). It can also cause problems when choosing commands from menus, particularly in System 7.0.1. A minor variant of MBDF B appeared in summer 1997.
  • Init 1984, March 1992: Malicious. Infects system extensions (INITs). Works under Systems 6 and 7. Triggers on Friday 13th. Damages files by renaming them, changing file TYPE and file CREATOR, creation and modification dates (to 1904.01.01), and by deleting up to 2% of them. Init-M is similar, but only infect System 7.x and may rename a file or folder as “Virus MindCrime”.
  • T4 (A, B, C, D), June 1992: Infects applications, Finder, and tries to modify System so that startup code is altered. Under System 6 and 7.0, INITs and system extensions don’t load. Under 7.0.1, the Mac may be unbootable. Damage to infected files and altered System is not repairable by Disinfectant. The virus masquerades as Disinfectant, so as to spoof behaviour blockers such as Gatekeeper. Originally included in versions 2.0/2.1 of the public domain game GoMoku.

1993

  • Init 17, April 1993: Infects System file and applications and may cause irreparable damage to program files. Displays the message “From the depths of Cyberspace” the first time you restart an infected machine after 1993.10.31 6:06:06 PM. Can make Mac Plus, SE, and Classic crash.

1994

  • Init-9403 (SysX), March 1994: Infects applications and Finder under System 6 and 7. Attempts to overwrite whole startup volume and disk information on all connected hard drives. Only spreads on Macs running the Italian version of the Mac OS.
  • Init 29-B, April 1994

1995

  • First Microsoft Word macro virus

1998

  • Autostart Worm (Autostart 9805, Hong Kong Virus), May 1998. Only infects PowerPC Macs and spreads itself to every writable partition mounted on the infected computer. This includes mounted drives on a computer network. The infection vector is the CD-ROM AutoPlay feature in the QuickTime control panel, so preventing infection is as easy as disabling CD-ROM AutoPlay in that control panel.
  • Code 1: file infector. Renames the hard drive to “Trent Saburo”. Accidental system crashes possible.
  • Code 252: infects application and system files. Triggers when run between June 6th and December 31st. Runs a gotcha message (“You have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks… [etc.]”), then self-deletes. Despite the message, no intentional damage is done, though shutting down the Mac instead of clicking to continue could cause damage. Can crash System 7 or damage files, but doesn’t spread beyond the System file. Doesn’t spread under System 6 with MultiFinder beyond System and MultiFinder. Can cause various forms of accidental damage.
  • Code 32767: once a month tries to delete documents. This virus is not known to be in circulation.
  • Flag: unrelated to WDEF A and B, but was given the name WDEF-C in some anti-virus software. Not intentionally damaging but when spreading it overwrites any existing ‘WDEF’ resource of ID ‘0’, an action which might damage some files. This virus is not known to be in circulation.

HyperCard Infectors

  • Dukakis – infects the Home stack, then other stacks used subsequently. Displays the message “Dukakis for President”, then deletes itself, so not often seen.
  • HC 9507 – infects the Home stack, then other running stacks and randomly chosen stacks on the startup disk. On triggering, displays visual effects or hangs the system. Overwrites stack resources, so a repaired stack may not run properly.
  • HC 9603 – infects the Home stack, then other running stacks. No intended effects, but may damage the Home stack.
  • HC “Two Tunes” (referred to by some sources as “Three Tunes”) – infects stack scripts. Visual/Audio effects: ‘Hey, what are you doing?’ message; plays the tune “Muss I denn”; plays the tune “Behind the Blue Mountains”; displays HyperCard toolbox and pattern menus; displays ‘Don’t panic!’ fifteen minutes after activation. Even sources which describe this virus as “Three Tunes” seem to describe the symptoms consistently with the description here, but we will, for completeness, attempt to resolve any possible confusion when time allows. This virus has no known with the PC file infector sometimes known as Three Tunes.
  • MerryXmas – appends to stack script. On execution, attempts to infect the Home stack, which then infects other stacks on access. There are several strains, most of which cause system crashes and other anomalies. At least one strain replaces the Home stack script and deletes stacks run subsequently. Variants include Merry2Xmas, Lopez, and the rather destructive Crudshot. [Ken Dunham discovered the merryXmas virus. His program merryxmasWatcher 2.0 was very popular and still can eradicate the most common two strains, merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest this family.]
  • Antibody is a recent virus-hunting virus which propagates between stacks checking for and removing MerryXmas, and inserting an inoculation script.
  • Independance (sic) Day – reported in July, 1997. It attempts to to be destructive, but fortunately is not well enough written to be more than a nuisance. More information at: <http://www.hyperactivesw.com/Virus1.html#IDay>
  • Blink – reported in August, 1998. Nondestructive but spreads; infected stacks blink once per second starting in January, 1999.

Trojans

  • ChinaTalk – system extension – supposed to be sound driver, but actually deletes folders.
  • CPro – supposed to be an update to Compact Pro, but attempts to format currently mounted disks.
  • + ExtensionConflict – supposed to identify Extensions conflicts, but installs one of the six SevenDust a.k.a. 666 viruses.
  • FontFinder – supposed to lists fonts used in a document, but actually deletes folders.
  • MacMag – HyperCard stack (New Apple Products) that was the origin of the MacMag virus. When run, infected the System file, which then infected System files on floppies. Set to trigger and self-destruct on March 2nd, 1988, so rarely found.
  • Mosaic – supposed to display graphics, but actually mangles directory structures.
  • NVP – modifies the System file so that no vowels can be typed. Originally found masquerading as ‘New Look’, which redesigns the display.
  • Steroid – Control Panel – claims to improve QuickDraw speed, but actually mangles the directory structure.
  • Tetracycle – implicated in the original spread of MBDF
  • Virus Info – purported to contain virus information but actually trashed disks. Not to be confused with Virus Reference.
  • Virus Reference 2.1.6 mentions an ‘Unnamed PostScript hack’ which disables PostScript printers and requires replacement of a chip on the printer logic board to repair. A Mac virus guru says:
  • “The PostScript ‘Trojan’ was basically a PostScript job that toggled the printer password to some random string a number of times. Some Apple laser printers have a firmware counter that allows the password to only be changed a set number of times (because of PRAM behavior or licensing – I don’t remember which), so eventually the password would get “stuck” at some random string that the user would not know. I have not heard any reports of anyone suffering from this in many years.”
  • AppleScript Trojans – A demonstration destructive compiled AppleScript was posted to the newsgroups alt.comp.virus, comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh, microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and symantec.support.mac.sam.general on 16-Aug-97, apparently in response to a call for help originally posted to alt.comp.virus on 14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch published Xavier Bury’s finding of a second AppleScript trojan horse, which, like the call for help followup, mentioned Hotline servers. It reportedly sends out private information while running in the background. A note to users from Hotline Communications CEO Adam Hinkley is posted at <http://www.macvirus.com/news/press/970903a.html>. AppleScripts should be downloaded only from known trusted sources. It is nigh impossible for an average person to know what any given compiled script will do.

Virus Resources

This page only covers malware for the Classic Mac OS. For information on viruses for Mac OS X, see Mac OS X Viruses and Antiviruses.

Keywords: #classicmacviruses #classicmacmalware

Short link: http://goo.gl/sSB1Bf

searchlink: classicmacmalware