tga@eleazar.dartmouth.edu (Greg Ames) (02/04/90)
Not having seen anything on the net about the viruses embedded into the
applications Mosiac and FontFinder, I decided to post this message I
received through email. If this is a re-post, well, sorry for wasting
the bandwidth, but this is a fairly important topic and I didn't want
anybody to miss it.
----------------------------------------------------------------------------
From icm Fri Feb 2 19:26:42 1990
Received: by eleazar.dartmouth.edu (5.61D1/4.1)
id AA29070; Fri, 2 Feb 90 19:26:40 -0500
From: icm (Ioannis C. Mangos)
Message-Id: <9002030026.AA29070@eleazar.dartmouth.edu>
Subject: NEW VIRUS!!!! (fwd)
To: tga (Greg Ames)
Date: Fri, 2 Feb 90 19:26:39 EDT
Status: OR
Forwarded message:
>From Christopher.A.Lasell@mac.dartmouth.edu Fri Feb 2 18:51:13 1990
Message-Id: <1044610@mac.Dartmouth.EDU>
Date: 02 Feb 90 18:47:56
From: Christopher.A.Lasell@mac.dartmouth.edu
To: Virus.Info@mac.dartmouth.edu,
consultants@dartvax.dartmouth.edu (Kiewit Consultants),
crc-staff@mac.dartmouth.edu, stu-asst@dartvax.dartmouth.edu
Subject: NEW VIRUS!!!!
--- Forwarded Message from rickc@eleazar.dartmouth.edu (Frederick L. Crabbe)
---
We have detected a new (to us) Macintosh trojan at the University of
Alberta. Two different strains have been identified. Both are
dangerous.
The first strain is imbedded in a program called 'Mosaic', type=APPL and
Creator=????. When launched, it immediately destroys the directories
of all available physically unlocked hard and floppy disks, including
the one it resides on. The attacked disks are renamed 'Gotcha!'.
Unmounted but available SCSI hard disks are mounted and destroyed by the
trojan. The files of hard disks are usually recoverable with one of
the available commercial file utility programs, but often the data file
names are lost. Files on floppy diskettes usually lose their Type and
Creator codes as well, making recovery a non-trivial procedure.
The second strain was detected in a Public Domain program called
'FontFinder', Type=APPL and Creator=BNBW. It has a trigger date of 10
Feb 90. Before that date, the application simply displays a list of
the fonts and point sizes in the System file.
On or after the trigger date, the trojan is invoked and disks are
attacked as for the first strain. The trojan can be triggered by
setting forward the Mac system clock.
Because the second strain has a latency period during which it is non-
destructive, it is much more likely to be widespread. Both trojans
were originally downloaded from a local Macintosh BBS here in Edmonton.
The second version was part of a StuffIt! archive named 'FontFinder.sit'
that also contained documentation and the source code for the FontFinder
application. This source code does NOT contain the source code for the
trojan.
A quick-and-dirty search string for VirusDetective (v/3.0.1 or later)
has been developed that appears to detect the trojan engine in both
strains. It is:
Resource CODE & ID = 1 & Data 44656174685472616B
Note that this will detect the currently known versions, but may or may
not detect mutated versions of this trojan.
There is some evidence that these trojans are related based on
preliminary investigation of the code. It has been speculated that the
second is an 'improved' version of the first (more sophisticated), or
that the two versions were developed by two individual perpetrators
working with the same trojan engine. There easily could be more
versions either circulating or being developed.
This appears to be the first deliberately destructive malicious code
that targets on the Macintosh. There is some suspicion that one or
both have been developed locally. There is also the possibility that
one or both were uploaded from a BBS in the Seattle, Washington area.
Our investigation is far from complete, but is continuing.
Please warn your Mac users to make proper back-ups on a regular basis,
be suspicious of all software not received from a trusted source until
tested, and generally, to practice 'safe computing'.
Any additional information on these two trojans or similar malicious
code would be appreciated. As and when our investigation turns up more
details, they will be posted...
Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA T6G 2H1
Phone: 403/492-2462
FAX: 403/492-7219
EMAIL: usergold@ualtamts.bitnet
----------------------------------------------------------------------------
Sounds like fun, huh?
Greg
--
Greg Ames, '90 | tga@eleazar.Dartmouth.EDU
HB 1362 | ...!{harvard,linus,inhp4,etc}!dartvax!eleazar!tga
Dartmouth College |
Hanover NH, 03755 | { This space available for rent! }
tim@hoptoad.uucp (Tim Maroney) (02/04/90)
Thanks for the information! One nit -- this is not any kind of virus. It's a trojan horse. A virus piggybacks on existing legitimate files to propagate itself as they are propagated and executed. A trojan horse is an inherently illegitimate file which is specifically designed for destructive purposes; it does not piggyback at all, but masquerades as a legitimate file in order to get an unsuspecting user to run it. It's possible to combine a virus and a trojan horse (is there a name for this yet?) -- this would be a non-viral program that existed for the purpose of infecting a system with a virus which would then spread by piggybacking -- but they are not basically the same thing, and these particular trojan horses do not appear to be viral. -- Tim Maroney, Mac Software Consultant, sun!hoptoad!tim, tim@toad.com "The Diabolonian position is new to the London playgoer of today, but not to lovers of serious literature. From Prometheus to the Wagnerian Siegfried, some enemy of the gods, unterrified champion of those oppressed by them, has always towered among the heroes of the loftiest poetry." - Shaw, "On Diabolonian Ethics"
werner@cs.utexas.edu (Werner Uhrig) (02/04/90)
In article <10038@hoptoad.uucp> tim@hoptoad.UUCP (Tim Maroney) writes: >It's possible to combine a virus and a trojan horse (is there a name >for this yet?) call it Pandorra's Box : like a Trojan Horse, it's filled with unknown stuff - and you'll be sorry you opened it !!! and if you don't open it yourself, who says that it won't come open while you are not looking (as Trojan Horses are generally expected to do)? After all, noone ever lived to tell what Pandorra's Box *REALLY* contained (or did I forget that little detail? - well, no matter...)