D1660@GARP.MIT.EDU (03/01/90)
A new Trojan horse on the Macintosh has been discovered. This one poses as a program designed to give out Virus information. The copy I saw was called 'Virus Info'. It starts by displaying a terse warning about being more careful about what you run on your Macintosh. Then it does the following damage.

It first attempts to delete the Finder on the current system disk. If the delete succeeds, the Trojan continues by attempting to zero the first 50 sectors of the system disk (thus destroying the volume info, bitmap, directory, etc.). If the Finder delete fails (this will fail if you are running MultiFinder), the Trojan puts up an error alert and exits. SO, the Trojan seems to do NO damage if you are using MultiFinder (I don't guarantee this, but it never seemed to damage anything when I was using MultiFinder).

I did not do a complete examination of the program, so it's possible the Trojan is also doing something else which I didn't notice. I also did not check to see whether the Trojan attempted to damage volumes other than the current system volume.

For SAM users: If you are using SAM in advanced mode, then you will be alerted to this Trojan's attempts to overwrite the volume info and directories. Denying these attempts prevents damage to the volume and directory info. (Note: If you have a very small system disk, such as a floppy, then it is possible that the desktop file or some other file might be damaged by this Trojan.)

Paul Cozza