The Autostart Worm

Reprinted from TidBITS #428/04-May-98.

"Autostart" Worm Breaks Mac Malware Silence

Mark H. Anbinder

Nearly three years after the last Macintosh-specific virus appeared on the scene, a new piece of Macintosh malware (code designed with malicious intent) has appeared. The worm, which is designed to overwrite data files, has spread rapidly in the desktop publishing community in Hong Kong, where it was first spotted. (Unlike a virus, which must attach itself to other software in order to function, a worm executes by itself.)

The worm, which anti-virus analysts have dubbed Autostart-9805, takes advantage of a feature in QuickTime 2.0 and later that enables CD-ROMs to start a program immediately upon insertion. In QuickTime 2.5 and later, the QuickTime Settings control panel lets the user disable this feature.

Inner Workings

Analysts say the worm can be transmitted via almost any HFS or HFS+ disk volume, including floppy disks, most removable cartridge drives, magneto-optical disks, recordable CD disks, hard disks, and even mountable DiskCopy or ShrinkWrap disk image files. The worm only operates on a PowerPC system running the Mac OS, and will only initially infect a computer that's running QuickTime 2.0 or later with the CD-ROM AutoPlay feature enabled.

Infected disks contain an invisible application file named DB of type AAPL and creator ???? in the root directory, and the AutoPlay attribute is set in the disk's boot blocks. When the infected disk is mounted, the DB application launches and copies itself to the Extensions folder of the active System Folder. The copy, also an invisible file, is named Desktop Print Spooler and its type is appe (don't confuse this file with the visible and legitimate Desktop Printer Spooler extension). The worm then restarts the computer, and reloads into memory via the invisible Desktop Print Spooler, which runs as a faceless background application and doesn't appear in the Application menu.

About every thirty minutes, the worm examines all mounted volumes, and attempts to infect any that aren't infected by copying itself back to the root directory as DB with AutoPlay enabled. It then searches mounted volumes for files whose names end with "data", "cod", or "csa" and whose data forks are larger than 100 bytes, or files ending with "dat" that are larger than about 2 MB. When it finds such a file, the worm overwrites approximately the first 1 MB of the data fork with garbage.

Are You Infected?

So far, anti-virus experts don't believe AutoStart-9805 has spread much beyond the desktop publishing community in Hong Kong, so it should be possible to keep it from spreading much farther. Check with your anti-virus utility publisher for the latest updates, keeping in mind that outdated virus definition files are useless! Visible symptoms you can check for include:

• The system unexpectedly restarts after mounting a volume, which is when the initial infection occurs.
• The application name DB flashes briefly in the menu bar when the application launches.
• A disk volume contains an invisible application file named DB in the root directory, or the invisible Desktop Print Spooler file in the Extensions folder. Use ResEdit, Norton Disk Editor, the Mac OS Find File utility (press Option while clicking on the Name menu to reveal a Visibility item), or a similar tool to search for invisible files.
• A process named Desktop Print Spooler is visible when using tools like Process Watcher or MacsBug.
• Extensive, unexplained disk activity every 30 minutes.

Prevention

The risk of a new infection can be effectively eliminated by disabling the CD-ROM AutoPlay feature in the QuickTime Settings control panel in QuickTime 2.5 or later, though this will not help if the system is already infected. It also will not prevent an infected Mac from creating the invisible DB files on a system whose volumes are shared on a network. Versions of QuickTime prior to 2.5 lack the means to disable the AutoPlay feature, so Apple's QuickTime group recommends upgrading to QuickTime 2.5 if you have an older release. Disabling Audio CD AutoPlay is unnecessary, as ordinary audio CDs cannot carry this worm.

<ftp://ftp.info.apple.com/Apple_Support_Area/Apple_SW_Updates/US/Macintosh/System/QuickTime/Older_QuickTime/>

Utilities

Dr. Solomon's Anti-virus Toolkit and Virex have been updated to handle this worm, and Symantec expects to release an update for SAM. John Norstad's freeware Disinfectant cannot detect this problem, so he recommends using an up-to-date commercial utility that does. He plans to make an announcement soon as to whether Disinfectant will be updated to handle Autostart-9805.

<http://www.drsolomon.com/products/avtk/ps_mac.html>

<http://www.drsolomon.com/products/virex/>

<http://www.symantec.com/sam/>

<ftp://ftp.nwu.edu/pub/disinfectant/>

Apple's QuickTime evangelist Charles Wiltgen expressed the company's delight that "the commercial utility vendors have responded to this as quickly as they have." Wiltgen encourages QuickTime users to disable the CD-ROM AutoPlay feature unless they have a specific need for it, and to obtain and use a current anti-virus utility.

Other Resources

• WormScanner 2.3 available
• Information from Dr. Solomon on MacFixIt.

For information about TidBITS: how to subscribe, where to find back issues, and more, email info@tidbits.com. TidBITS ISSN 1090-7017.

This article copyright © 1998 TidBITS Electronic Publishing. All rights reserved. Reprinted by permission.