[comp.sys.mac] trojan horse warning

bmug@garnet.berkeley.edu (BMUG) (03/19/89)

WARNING:  We have discovered the existence of a "Trojan Horse" in a
bogus upgrade to Anti-Toxin, a virus-detecting INIT from Mainstay.
The INIT, labelled as version 2.0 in the Get Info box, attempts to
format your disk and rename it "Scored!".

A couple of variations of this INIT have been reported. The one we have
seen has a size of 2,276 bytes, created Fri, Jan 13, 1989, 3:05PM, and
modified Mon, Mar 6, 1989, 12:03AM. A quick inspection of the disassembled
code of the INIT indicates that it does nothing until the clock time
on your mac is after Mar 13, 1989, 5:20PM. The perpetrator obviously
wanted the Trojan Horse to lie dormant for a few days, giving it a
chance to spread to more users.

Although I believe Anti-Toxin is a commercial product, this bogus
version has apparently been uploaded to several bulletin boards.
Watch out!
                                                             /\
BMUG                      ARPA: bmug@garnet.berkeley.EDU    A__A
1442A Walnut St., #62     BITNET: bmug@ucbgarnet            |()|
Berkeley, CA  94709                                         |  |
(415) 549-2684                                              |  |

twakeman@hpcea.CE.HP.COM (Teriann Wakeman) (03/23/89)

Yes, AntiToxin is a commercial Virus decontamination & protection application
marketed by Mainstay (818)991-6540.

AntiToxin comes in two parts.

1. An INIT that mounts first & stops an affected application from loading, &

2. An application that searches anything from individual files to hard disks
locating known viruses and removing them from the application.
It works on all Macs, + or newer, and is network compatible.

Version 1.0 protects against & decontaminates applications with: Scores, nVIRA,
nVIRB, Hpat and INIT29.

Mainstay promises rapid response upgrades for any newly discovered viral
strains.
 
Because of this, people owning AntiToxin will be extremely vulnerable to
this upgrade trojan horse.

TeriAnn

anderson@Apple.COM (Clark Anderson) (06/06/90)

Posted on AppleLink today. Thought you all might
be interested...
                                --clark
FROM: DESKTOP SERVICES
Steroid Trojan Horse
--------------------
There is a Trojan Horse called "Steroid".  It is an INIT that claims to speed
up QuickDraw on Macintosh computers with 9" screens.  The INIT contains code
that checks for the date being greater than June 6, 1990.  If it is, it will
ERASE all mounted drives.
 
I have performed some tests on a Macintosh SE.  Having Comm Toolbox installed
seemed to interfere with the INIT and keep the erase from happening.  The SE
simply crashed.
 
I then installed the INIT on a floppy disk and booted the SE.  The floppy and
hard disk were promptly erased.  NOTE: I had set the date to 7/7/90.
 
So far, we know that the code does the following:
 
OPERATIONS AT RESTART:
----------------------
 DATE & TIME CHECK (Loop)
 SYSENVIRONS CHECK
 GETS VOLUME INFORMATION (probably checking for HFS)
 GETS SOME ADDRESSES (Toolbox traps)
 DOES SOME HFS DISPATCH OPERATIONS
 VOLUME IS REINITIALIZED to "Untitled"
 
INFORMATION:
------------
TYPE:      INIT
CREATOR:   qdac
CODE SIZE: 1080
DATA SIZE: 267
ID:        148
Name:      QuickDraw Accelorator
File Name: "  Steroid" (First 2 characters are ASCII 1)
 
WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the
deleted files.  We have tried this and it seems to work.  If you read this
today, before June 6 1990, REMOVE the Steroid INIT from all disks IMMEDIATELY.


-- 
-----------------------------------------------------------
Clark Anderson                  InterNet:  anderson@apple.com
CPU Engineering                 AppleLink: C.ANDERSON
Apple Computer, Inc             BellNet:   408-974-4593

"I speak only for myself, much to my employer's relief..."
-------------------------------------------------------------

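The two Trojans in this thread have the same shape: a disguised INIT carrying a date-triggered payload that erases volumes, identifiable from the catalog-level indicators the posts give (file name, type/creator codes, size, creation and modification times). What follows is an added example, not code from BMUG, Apple or Mainstay: a matcher that checks those indicators over constructed, Finder-style catalog records. The record layout, the sample entries and every creator code other than "qdac" are assumptions made for the example; it does not read real HFS volumes or resource forks. It also renders the leading ASCII 1 characters in the Steroid file name visibly, since a name padded with control characters sorts to the top of a Finder window and is otherwise easy to overlook in a listing.

```python
"""Indicator matcher for the bogus Anti-Toxin 2.0 INIT and the Steroid INIT.

Added example only; not code from BMUG, Apple or Mainstay. Works over
constructed catalog-style records (what a Get Info inspection gives you),
not over a real HFS volume. The CatalogEntry layout is an assumption.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class CatalogEntry:
    name: str          # file name as stored, control characters included
    file_type: str     # four-character type code, e.g. "INIT"
    creator: str       # four-character creator code, e.g. "qdac"
    size: int          # file size in bytes
    created: datetime
    modified: datetime


# Indicators taken from the posts above.
STEROID_TYPE = "INIT"
STEROID_CREATOR = "qdac"
STEROID_VISIBLE_NAME = "Steroid"            # stored as "\x01\x01Steroid"

BOGUS_ANTITOXIN_SIZE = 2276
BOGUS_ANTITOXIN_CREATED = datetime(1989, 1, 13, 15, 5)   # Fri Jan 13 1989, 3:05PM
BOGUS_ANTITOXIN_MODIFIED = datetime(1989, 3, 6, 0, 3)    # Mon Mar 6 1989, 12:03AM


def printable_name(name: str) -> str:
    """Show control characters as \\xNN so a padded name cannot hide in output."""
    return "".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in name)


def has_hidden_prefix(name: str) -> bool:
    """True when the name starts with a non-printable character (sorts first in Finder)."""
    return len(name) > 0 and not name[0].isprintable()


def strip_hidden_prefix(name: str) -> str:
    """Drop leading non-printable characters so variants with other padding still match."""
    i = 0
    while i < len(name) and not name[i].isprintable():
        i += 1
    return name[i:]


def to_minute(dt: datetime) -> datetime:
    """The post gives timestamps to the minute, so compare at that precision."""
    return dt.replace(second=0, microsecond=0)


def matches_steroid(e: CatalogEntry) -> bool:
    return (e.file_type == STEROID_TYPE
            and e.creator == STEROID_CREATOR
            and strip_hidden_prefix(e.name) == STEROID_VISIBLE_NAME)


def matches_bogus_antitoxin(e: CatalogEntry) -> bool:
    # Size alone is weak (BMUG reports variations), so require a timestamp too.
    return (e.size == BOGUS_ANTITOXIN_SIZE
            and (to_minute(e.created) == BOGUS_ANTITOXIN_CREATED
                 or to_minute(e.modified) == BOGUS_ANTITOXIN_MODIFIED))


def scan(entries):
    """Return (printable name, reason) pairs for every indicator that fires."""
    hits = []
    for e in entries:
        shown = printable_name(e.name)
        if matches_steroid(e):
            hits.append((shown, "Steroid Trojan INIT (type INIT, creator qdac)"))
        if matches_bogus_antitoxin(e):
            hits.append((shown, "bogus Anti-Toxin 2.0 INIT (size and timestamp match)"))
        if has_hidden_prefix(e.name):
            hits.append((shown, "name begins with control characters"))
    return hits


# Constructed sample catalog; sizes, dates and non-qdac creators are made up.
SAMPLE = [
    CatalogEntry("\x01\x01Steroid", "INIT", "qdac", 1347,
                 datetime(1990, 5, 30, 10, 0), datetime(1990, 5, 30, 10, 0)),
    CatalogEntry("Anti-Toxin", "INIT", "AnTx", 2276,
                 datetime(1989, 1, 13, 15, 5, 41), datetime(1989, 3, 6, 0, 3, 12)),
    CatalogEntry("Anti-Toxin", "INIT", "AnTx", 4100,          # benign copy
                 datetime(1989, 1, 5, 9, 0), datetime(1989, 1, 5, 9, 0)),
    CatalogEntry("\x01Init Manager", "INIT", "IMgr", 800,     # padded but unrelated
                 datetime(1989, 8, 1, 12, 0), datetime(1989, 8, 1, 12, 0)),
]

if __name__ == "__main__":
    for name, reason in scan(SAMPLE):
        print("%-22s %s" % (name, reason))
```

Usage note: a size-and-timestamp match is a reason to pull the INIT and verify the upgrade with Mainstay, not an all-clear when it fails, since BMUG reports more than one variation; the control-character check is a heuristic and will also flag legitimate files that use the same sorting trick.
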
kazim@Apple.COM (Alex Kazim) (06/06/90)

In article <41653@apple.Apple.COM> anderson@Apple.COM (Clark Anderson) writes:
>I have performed some tests on a Macintosh SE.  Having Comm Toolbox installed
>seemed to interfere with the INIT and keep the erase from happening.  The SE

Ah, yes, the double-secret-anti-virus-about-box.  Yet another reason
to use the CommToolbox. :-)

========================================================================
Alex Kazim, Apple Computer
Did I state an opinion...
========================================================================