Reprinted from TidBITS
#428/04-May-98.
"Autostart" Worm Breaks Mac Malware Silence
Mark H. Anbinder
Nearly three years after the last Macintosh-specific virus appeared
on the scene, a new piece of Macintosh malware (code designed with
malicious intent) has appeared. The worm, which is designed to
overwrite data files, has spread rapidly in the desktop publishing
community in Hong Kong, where it was first spotted. (Unlike a virus,
which must attach itself to other software in order to function, a worm
executes by itself.)
The worm, which anti-virus analysts have dubbed
Autostart-9805, takes advantage of a feature in QuickTime 2.0
and later that enables CD-ROMs to start a program immediately upon
insertion. In QuickTime 2.5 and later, the QuickTime Settings control
panel lets the user disable this feature.
Inner Workings
Analysts say the worm can be transmitted via almost any HFS or HFS+
disk volume, including floppy disks, most removable cartridge drives,
magneto-optical disks, recordable CD disks, hard disks, and even
mountable DiskCopy or ShrinkWrap disk image files. The worm only
operates on a PowerPC system running the Mac OS, and will only
initially infect a computer that's running QuickTime 2.0 or later with
the CD-ROM AutoPlay feature enabled.
Infected disks contain an invisible application file named DB of
type APPL and creator ???? in the root directory, and the AutoPlay
attribute is set in the disk's boot blocks. When the infected disk is
mounted, the DB application launches and copies itself to the
Extensions folder of the active System Folder. The copy, also an
invisible file, is named Desktop Print Spooler and its type is appe
(don't confuse this file with the visible and legitimate Desktop
Printer Spooler extension). The worm then restarts the computer, and
reloads into memory via the invisible Desktop Print Spooler, which runs
as a faceless background application and doesn't appear in the
Application menu.
About every thirty minutes, the worm examines all mounted volumes,
and attempts to infect any that aren't infected by copying itself back
to the root directory as DB with AutoPlay enabled. It then searches
mounted volumes for files whose names end with "data", "cod", or "csa"
and whose data forks are larger than 100 bytes, or files ending with
"dat" that are larger than about 2 MB. When it finds such a file, the
worm overwrites approximately the first 1 MB of the data fork with
garbage.
Are You Infected?
So far, anti-virus experts don't believe AutoStart-9805 has spread
much beyond the desktop publishing community in Hong Kong, so it should
be possible to keep it from spreading much farther. Check with your
anti-virus utility publisher for the latest updates, keeping in mind
that outdated virus definition files are useless! Visible symptoms you
can check for include:
- The system unexpectedly restarts after mounting a volume, which is
when the initial infection occurs.
- The application name DB flashes briefly in the menu bar when the
application launches.
- A disk volume contains an invisible application file named DB in
the root directory, or the invisible Desktop Print Spooler file in the
Extensions folder. Use ResEdit, Norton Disk Editor, the Mac OS Find
File utility (press Option while clicking on the Name menu to reveal a
Visibility item), or a similar tool to search for invisible files.
- A process named Desktop Print Spooler is visible when using tools
like Process Watcher or MacsBug.
- Extensive, unexplained disk activity every 30 minutes.
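The indicators above, together with the payload's file-selection rule from the Inner Workings section, encoded as a small checklist script. This is an added example for this reprint, not code from TidBITS, Apple or any anti-virus vendor. It runs against a constructed catalog listing (one record per file, of the kind a disk-cataloging tool or a forensic parser of an HFS image would export) rather than against a live Mac OS volume, since the Finder attributes it needs are not something a script can read off a classic disk directly. The record fields, the sample entries and the case-insensitive suffix comparison are assumptions; the file names, locations, type and creator codes, size thresholds and the 1 MB overwrite come from the article.

```python
"""AutoStart-9805 indicator and damage-scope checks over a catalog listing.

Added example for this reprint (not TidBITS', Apple's or any vendor's code).
Entry fields, the sample catalog and the case-insensitive suffix test are
assumptions; everything about the worm is taken from the article text.
"""
from dataclasses import dataclass
from typing import List, Tuple

ONE_MB = 1024 * 1024


@dataclass(frozen=True)
class Entry:
    path: str        # HFS-style path: "Volume:Folder:File" (colon separated)
    invisible: bool  # Finder "invisible" flag
    ftype: str       # four-character file type, e.g. "APPL" or "appe"
    creator: str     # four-character creator code, e.g. "????"
    data_fork: int   # length of the data fork in bytes


def split_hfs(path: str) -> Tuple[List[str], str]:
    """Split "Volume:A:B:name" into (["Volume", "A", "B"], "name")."""
    parts = path.split(":")
    return parts[:-1], parts[-1]


# Attributes the article reports for the worm's two files; the creator of the
# Extensions copy is not given, so it is not checked.
EXPECTED_ATTRS = {
    "DB": ("APPL", "????"),
    "Desktop Print Spooler": ("appe", None),
}


def worm_artifacts(entries: List[Entry]) -> List[str]:
    """One line per worm artifact: an invisible "DB" at a volume root, or an
    invisible "Desktop Print Spooler" inside an Extensions folder. The visible,
    legitimate "Desktop Printer Spooler" never matches (different name)."""
    hits = []
    for e in entries:
        parents, name = split_hfs(e.path)
        if name == "DB" and len(parents) == 1:          # parents == [volume]
            what = "infected volume marker"
        elif name == "Desktop Print Spooler" and parents and parents[-1] == "Extensions":
            what = "resident worm copy"
        else:
            continue
        if not e.invisible:
            continue  # both worm files are invisible; a visible one is something else
        ftype, creator = EXPECTED_ATTRS[name]
        note = ""
        if e.ftype != ftype or (creator is not None and e.creator != creator):
            note = " (type/creator differ from the reported values; inspect by hand)"
        hits.append(f"{what}: {e.path}{note}")
    return hits


def worm_target(name: str, data_fork: int) -> bool:
    """Would the payload overwrite this file? Names ending in "data", "cod" or
    "csa" with a data fork over 100 bytes, or names ending in "dat" with a data
    fork over about 2 MB. The suffix test is case-insensitive (assumption)."""
    n = name.lower()
    if n.endswith(("data", "cod", "csa")):
        return data_fork > 100
    if n.endswith("dat"):
        return data_fork > 2 * ONE_MB
    return False


def damage_scope(entries: List[Entry]) -> List[Tuple[str, int]]:
    """(path, bytes destroyed) for every file the payload would hit: roughly
    the first 1 MB of the data fork, or the whole fork if it is shorter."""
    return [(e.path, min(e.data_fork, ONE_MB))
            for e in entries if worm_target(split_hfs(e.path)[1], e.data_fork)]


# Constructed sample catalog (not a real listing): two volumes, both worm files,
# the legitimate spooler, and data files on either side of the size thresholds.
SAMPLE_CATALOG = [
    Entry("Macintosh HD:DB", True, "APPL", "????", 4096),
    Entry("Macintosh HD:System Folder:Extensions:Desktop Print Spooler", True, "appe", "????", 4096),
    Entry("Macintosh HD:System Folder:Extensions:Desktop Printer Spooler", False, "appe", "prnt", 61440),
    Entry("Macintosh HD:Jobs:catalog.data", False, "TEXT", "R*ch", 300000),
    Entry("Macintosh HD:Jobs:tiny.cod", False, "BINA", "????", 64),
    Entry("Macintosh HD:Jobs:small.dat", False, "BINA", "????", 500000),
    Entry("Macintosh HD:Jobs:big.dat", False, "BINA", "????", 3 * ONE_MB),
    Entry("Zip 100:Layout:README", False, "TEXT", "ttxt", 2000),
]

if __name__ == "__main__":
    for line in worm_artifacts(SAMPLE_CATALOG):
        print(line)
    for path, lost in damage_scope(SAMPLE_CATALOG):
        print(f"at risk: {path} ({lost} bytes would be overwritten)")
```

On a real case, export the listing from whatever cataloging tool or image parser you use and map its columns onto Entry. Because the resident copy re-infects every mounted volume on its half-hour sweep, the population worth scanning is every disk, cartridge and image the machine has mounted since the symptoms began, not just the startup disk.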
Prevention
The risk of a new infection can be effectively eliminated by
disabling the CD-ROM AutoPlay feature in the QuickTime Settings control
panel in QuickTime 2.5 or later, though this will not help if the
system is already infected. Nor will it stop an already infected Mac
from writing the invisible DB file onto volumes that other systems
share over the network, so a shared volume can still carry the worm
even when the Mac sharing it has AutoPlay disabled. Versions of
QuickTime prior to 2.5 lack the means to disable the AutoPlay feature,
so Apple's QuickTime group recommends upgrading to QuickTime 2.5 if you
have an older release. Disabling Audio CD AutoPlay is unnecessary, as
ordinary audio CDs cannot carry this worm.
- <ftp://ftp.info.apple.com/Apple_Support_Area/Apple_SW_Updates/US/Macintosh/System/QuickTime/Older_QuickTime/>
Utilities
Dr. Solomon's Anti-virus Toolkit and Virex have been updated to
handle this worm, and Symantec expects to release an update for SAM.
John Norstad's freeware Disinfectant cannot detect this problem,
so he recommends using an up-to-date commercial utility that does. He
plans to make an announcement soon as to whether Disinfectant will be
updated to handle Autostart-9805.
- <http://www.drsolomon.com/products/avtk/ps_mac.html>
- <http://www.drsolomon.com/products/virex/>
- <http://www.symantec.com/sam/>
- <ftp://ftp.nwu.edu/pub/disinfectant/>
Apple's QuickTime evangelist Charles Wiltgen expressed the company's
delight that "the commercial utility vendors have responded to this as
quickly as they have." Wiltgen encourages QuickTime users to disable
the CD-ROM AutoPlay feature unless they have a specific need for it,
and to obtain and use a current anti-virus utility.
Other Resources
For information about TidBITS: how to subscribe,
where to find back issues, and more, email info@tidbits.com. TidBITS ISSN
1090-7017.
This article copyright © 1998 TidBITS Electronic Publishing.
All rights reserved. Reprinted by permission.