bmug@garnet.berkeley.edu (BMUG) (03/19/89)
WARNING: We have discovered the existence of a "Trojan Horse" in a bogus upgrade to Anti-Toxin, a virus-detecting INIT from Mainstay. The INIT, labelled as version 2.0 in the Get Info box, attempts to format your disk and rename it "Scored!".

A couple of variations of this INIT have been reported. The one we have seen has a size of 2,276 bytes, created Fri, Jan 13, 1989, 3:05PM, and modified Mon, Mar 6, 1989, 12:03AM.

A quick inspection of the disassembled code of the INIT indicates that it does nothing until the clock time on your Mac is after Mar 13, 1989, 5:20PM. The perpetrator obviously wanted the Trojan Horse to lie dormant for a few days, giving it a chance to spread to more users.

Although I believe Anti-Toxin is a commercial product, this bogus version has apparently been uploaded to several bulletin boards. Watch out!

   /\       BMUG                    ARPA:   bmug@garnet.berkeley.EDU
  A__A      1442A Walnut St., #62   BITNET: bmug@ucbgarnet
  |()|      Berkeley, CA 94709
  | |       (415) 549-2684
  | |
twakeman@hpcea.CE.HP.COM (Teriann Wakeman) (03/23/89)
Yes, AntiToxin is a commercial virus decontamination & protection application marketed by Mainstay, (818) 991-6540. AntiToxin comes in two parts:

1. An INIT that mounts first & stops an affected application from loading, &
2. An application that searches anything from individual files to hard disks, locating known viruses and removing them from the application.

It works on all Macs, + or newer, and is network compatible. Version 1.0 protects against & decontaminates applications with: Scores, nVIRA, nVIRB, Hpat and INIT29. Mainstay promises rapid response upgrades for any newly discovered viral strains. Because of this, people owning AntiToxin will be extremely vulnerable to this upgrade trojan horse.

TeriAnn
anderson@Apple.COM (Clark Anderson) (06/06/90)
Posted on AppleLink today. Thought you all might be interested...

--clark

FROM: DESKTOP SERVICES

Steroid Trojan Horse
--------------------

There is a Trojan Horse called "Steroid". It is an INIT that claims to speed up QuickDraw on Macintosh computers with 9" screens. The INIT contains code that checks for the date being greater than June 6, 1990. If it is, it will ERASE all mounted drives.

I have performed some tests on a Macintosh SE. Having Comm Toolbox installed seemed to interfere with the INIT and keep the erase from happening. The SE simply crashed. I then installed the INIT on a floppy disk and booted the SE. The floppy and hard disk were promptly erased. NOTE: I had set the date to 7/7/90.

So far, we know that the code does the following:

OPERATIONS AT RESTART:
----------------------
DATE & TIME CHECK (Loop)
SYSENVIRONS CHECK
GETS VOLUME INFORMATION (probably checking for HFS)
GETS SOME ADDRESSES (Toolbox traps)
DOES SOME HFS DISPATCH OPERATIONS
VOLUME IS REINITIALIZED to "Untitled"

INFORMATION:
------------
TYPE: INIT
CREATOR: qdac
CODE SIZE: 1080
DATA SIZE: 267
ID: 148
Name: QuickDraw Accelorator
File Name: "  Steroid" (First 2 characters are ASCII 1)

WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the deleted files. We have tried this and it seems to work.

If you read this today, before June 6, 1990, REMOVE the Steroid INIT from all disks IMMEDIATELY.

--
-----------------------------------------------------------
Clark Anderson            InterNet:  anderson@apple.com
CPU Engineering           AppleLink: C.ANDERSON
Apple Computer, Inc       BellNet:   408-974-4593
"I speak only for myself, much to my employer's relief..."
-------------------------------------------------------------
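A defender-side check, added here as an example and not taken from either post, that walks Get Info style file attributes and flags the two bogus INITs this thread describes by the indicators the posts report: the fake Anti-Toxin (an INIT labelled 2.0, 2,276 bytes) and Steroid (creator qdac, file name beginning with two ASCII 1 characters). The MacFile records, the placeholder creator "xxxx" and the sample sizes other than 2,276 are constructed.

```python
from dataclasses import dataclass

@dataclass
class MacFile:
    """Get Info style attributes of one file (constructed sample records, not real files)."""
    name: str
    file_type: str
    creator: str
    size: int
    version: str = ""

# Indicator values are the ones reported in the posts above.
BOGUS_ANTITOXIN_SIZE = 2276
STEROID_CREATOR = "qdac"
STEROID_NAME = "\x01\x01Steroid"   # first two characters are ASCII 1

def check_file(f: MacFile) -> list:
    """Return the reasons a file matches one of the reported Trojan INITs (empty if clean)."""
    reasons = []
    if f.file_type != "INIT":
        return reasons            # both Trojans are INITs; everything else is skipped
    if f.version == "2.0" and f.size == BOGUS_ANTITOXIN_SIZE:
        reasons.append("bogus Anti-Toxin 2.0 (INIT, 2,276 bytes)")
    if f.creator == STEROID_CREATOR:
        reasons.append("Steroid creator 'qdac'")
    # Leading control characters are invisible in a listing, so match the prefix, not the look.
    if f.name == STEROID_NAME or f.name.startswith("\x01"):
        reasons.append("Steroid file name with leading ASCII 1 characters")
    return reasons

def scan(files) -> dict:
    """Map each suspicious file name (control characters escaped via repr) to its reasons."""
    hits = {}
    for f in files:
        reasons = check_file(f)
        if reasons:
            hits[repr(f.name)] = reasons
    return hits

SAMPLE = [                                                   # constructed records
    MacFile("Anti-Toxin INIT", "INIT", "xxxx", 2276, "2.0"),  # matches the bogus upgrade
    MacFile("\x01\x01Steroid", "INIT", "qdac", 1500),         # matches Steroid twice
    MacFile("Anti-Toxin INIT", "INIT", "xxxx", 1900, "1.0"),  # genuine 1.0, clean
    MacFile("Scored!", "APPL", "xxxx", 2276),                 # right size, but not an INIT
]

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```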
kazim@Apple.COM (Alex Kazim) (06/06/90)
In article <41653@apple.Apple.COM> anderson@Apple.COM (Clark Anderson) writes:
>I have performed some tests on a Macintosh SE. Having Comm Toolbox installed
>seemed to interfere with the INIT and keep the erase from happening. The SE

Ah, yes, the double-secret-anti-virus-about-box. Yet another reason to use the CommToolbox. :-)

========================================================================
Alex Kazim, Apple Computer
Did I state an opinion...
========================================================================