[comp.virus] Steroid Trojan -- WARNING!

tcora@PICA.ARMY.MIL (Tom Coradeschi) (06/06/90)

This was posted today to Info-Mac.

tom c

                           = Every Day is Earth Day =
          ARPA: tcora@pica.army.mil     BITNET: Tcora@DACTH01.BITNET
                UUCP: ...!{uunet,rutgers}!pica.army.mil!tcora

----- Forwarded message # 1:

Date: Tue, 5 Jun 90 15:07:26 -0700
From: William Lipa <wlipa@hqpyr1.oracle.com>
Subject: Steroid Trojan -- WARNING!

Steroid Trojan Horse

There is a Trojan Horse called "Steroid".  It is an INIT that claims to speed
up QuickDraw on Macintosh computers with 9" screens.  The INIT contains code
that checks for the date being greater than June 6, 1990.  If it is, it will
ERASE all mounted drives.

I have performed some tests on a Macintosh SE.  Having Comm Toolbox installed
seemed to interfere with the INIT and keep the erase from happening.  The SE
simply crashed.

I then installed the INIT on a floppy disk and booted the SE.  The floppy and
hard disk were promptly erased.  NOTE: I had set the date to 7/7/90.

So far, we know that the code does the following:

OPERATIONS AT RESTART:

 DATE & TIME CHECK (Loop)
 SYSENVIRONS CHECK
 GETS VOLUME INFORMATION (probably checking for HFS)
 GETS SOME ADDRESSES (Toolbox traps)
 DOES SOME HFS DISPATCH OPERATIONS
 VOLUME IS REINITIALIZED to "Untitled"

INFORMATION:
------------
TYPE:      INIT
CREATOR:   qdac
CODE SIZE: 1080
DATA SIZE: 267
ID:        148
Name:      QuickDraw Accelorator
File Name: "  Steroid" (First 2 characters are ASCII 1)

WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the
deleted files.  We have tried this and it seems to work.  If you read this
today, before June 6 1990, REMOVE the Steroid INIT from all disks IMMEDIATELY.

POSTED BY:

Thomas Scott
Desktop Services
AppleLink: MICRO.SUPT

Thanks to Larry Nedry, Lee Neuse, & Gary Giusti for information

----- End of forwarded messages
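
The identifying details listed under INFORMATION (type INIT, creator qdac, a file name beginning with two ASCII 1 characters) can be checked mechanically. The following is an added example, not part of the original post: it assumes the files to be screened are MacBinary-encoded copies (the post does not say how the INIT was distributed) and reads the name, type and creator from the 128-byte MacBinary header. The function names and the sample headers are constructed for illustration.

```python
import struct

# Indicators taken from the INFORMATION block of the post.
IOC_TYPE = b"INIT"
IOC_CREATOR = b"qdac"
IOC_NAME = b"\x01\x01Steroid"  # assumed reading: two ASCII 1 bytes, then "Steroid"


def parse_macbinary_header(block):
    """Return (name, type, creator) from a 128-byte MacBinary header, or None."""
    # MacBinary requires bytes 0, 74 and 82 to be zero.
    if len(block) < 128 or block[0] or block[74] or block[82]:
        return None
    name_len = block[1]
    if not 1 <= name_len <= 63:
        return None
    name = block[2:2 + name_len]
    ftype, creator = struct.unpack_from(">4s4s", block, 65)
    return name, ftype, creator


def match_steroid(block):
    """List which of the post's indicators a MacBinary header matches."""
    parsed = parse_macbinary_header(block)
    if parsed is None:
        return []
    name, ftype, creator = parsed
    hits = []
    if ftype == IOC_TYPE and creator == IOC_CREATOR:
        hits.append("type/creator INIT/qdac")
    if name == IOC_NAME:
        hits.append("file name")
    elif name[0] < 0x20:
        # A renamed copy may still start with a non-printing character.
        hits.append("file name starts with control character")
    return hits


def make_header(name, ftype, creator):
    """Build a constructed MacBinary header for testing (not a real sample)."""
    hdr = bytearray(128)
    hdr[1] = len(name)
    hdr[2:2 + len(name)] = name
    hdr[65:69] = ftype
    hdr[69:73] = creator
    return bytes(hdr)


if __name__ == "__main__":
    for label, hdr in [("match", make_header(IOC_NAME, b"INIT", b"qdac")),
                       ("benign", make_header(b"Clock", b"INIT", b"clok"))]:
        print(label, match_steroid(hdr))
```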