USERGOLD@UALTAMTS.BITNET (Peter Johnston) (02/02/90)
We have detected a new (to us) Macintosh trojan at the University of Alberta. Two different strains have been identified. Both are dangerous.

The first strain is embedded in a program called 'Mosaic', type=APPL and Creator=????. When launched, it immediately destroys the directories of all available physically unlocked hard and floppy disks, including the one it resides on. The attacked disks are renamed 'Gotcha!'. Unmounted but available SCSI hard disks are mounted and destroyed by the trojan. The files of hard disks are usually recoverable with one of the available commercial file utility programs, but often the data file names are lost. Files on floppy diskettes usually lose their Type and Creator codes as well, making recovery a non-trivial procedure.

The second strain was detected in a Public Domain program called 'FontFinder', Type=APPL and Creator=BNBW. It has a trigger date of 10 Feb 90. Before that date, the application simply displays a list of the fonts and point sizes in the System file. On or after the trigger date, the trojan is invoked and disks are attacked as for the first strain. The trojan can be triggered by setting forward the Mac system clock. Because the second strain has a latency period during which it is non-destructive, it is much more likely to be widespread.

Both trojans were originally downloaded from a local Macintosh BBS here in Edmonton. The second version was part of a StuffIt! archive named 'FontFinder.sit' that also contained documentation and the source code for the FontFinder application. This source code does NOT contain the source code for the trojan.

A quick-and-dirty search string for VirusDetective (v/3.0.1 or later) has been developed that appears to detect the trojan engine in both strains. It is:

    Resource CODE & ID = 1 & Data 44656174685472616B

Note that this will detect the currently known versions, but may or may not detect mutated versions of this trojan.
There is some evidence that these trojans are related based on preliminary investigation of the code. It has been speculated that the second is an 'improved' version of the first (more sophisticated), or that the two versions were developed by two individual perpetrators working with the same trojan engine. There easily could be more versions either circulating or being developed. This appears to be the first deliberately destructive malicious code that targets the Macintosh. There is some suspicion that one or both have been developed locally. There is also the possibility that one or both were uploaded from a BBS in the Seattle, Washington area. Our investigation is far from complete, but is continuing.

Please warn your Mac users to make proper back-ups on a regular basis, be suspicious of all software not received from a trusted source until tested, and generally, to practice 'safe computing'. Any additional information on these two trojans or similar malicious code would be appreciated. As and when our investigation turns up more details, they will be posted...

Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA T6G 2H1
Phone: 403/492-2462 FAX: 403/492-7219
EMAIL: usergold@ualtamts.bitnet
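A detection check for the VirusDetective pattern quoted in the post, added here as an example and not part of the original thread: it walks a classic Macintosh resource fork (header, map, type list and reference list, per the Resource Manager layout) and reports whether a CODE resource with ID 1 contains the bytes 44656174685472616B. The two sample forks are constructed by the example itself; nothing here comes from the actual 'Mosaic' or 'FontFinder' binaries.

```python
import struct

# Signature from the VirusDetective string above: CODE ID 1 containing "DeathTrak".
TROJAN_SIGNATURE = bytes.fromhex("44656174685472616B")

def iter_resources(fork: bytes):
    """Yield (type, id, data) for each resource in a classic Mac resource fork."""
    data_off, map_off, _data_len, _map_len = struct.unpack(">IIII", fork[:16])
    # Map: 16 reserved + 4 handle + 2 fileref + 2 attrs, then type/name list offsets.
    type_list_off = struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    type_list = map_off + type_list_off
    num_types = struct.unpack(">h", fork[type_list:type_list + 2])[0] + 1
    for i in range(num_types):
        entry = type_list + 2 + i * 8
        rtype, count_m1, ref_off = struct.unpack(">4shH", fork[entry:entry + 8])
        for j in range(count_m1 + 1):
            ref = type_list + ref_off + j * 12  # 12-byte reference list entries
            rid, _name_off, attrs_off = struct.unpack(">hhI", fork[ref:ref + 8])
            start = data_off + (attrs_off & 0x00FFFFFF)  # low 3 bytes = data offset
            length = struct.unpack(">I", fork[start:start + 4])[0]
            yield rtype.decode("mac_roman"), rid, fork[start + 4:start + 4 + length]

def matches_signature(fork: bytes) -> bool:
    """True if the fork matches 'Resource CODE & ID = 1 & Data 44656174685472616B'."""
    return any(rtype == "CODE" and rid == 1 and TROJAN_SIGNATURE in data
               for rtype, rid, data in iter_resources(fork))

def build_fork(resources):
    """Assemble a minimal resource fork from [(type, id, data)] (test scaffolding)."""
    blob, types = b"", {}
    for rtype, rid, data in resources:
        types.setdefault(rtype, []).append((rid, len(blob)))
        blob += struct.pack(">I", len(data)) + data
    type_list, refs = struct.pack(">h", len(types) - 1), b""
    type_list_len = 2 + 8 * len(types)
    for rtype, entries in types.items():
        type_list += struct.pack(">4shH", rtype.encode("mac_roman"),
                                 len(entries) - 1, type_list_len + len(refs))
        for rid, off in entries:
            refs += struct.pack(">hhI", rid, -1, off) + b"\0" * 4  # no name, no handle
    rmap = b"\0" * 24 + struct.pack(">HH", 28, 28 + len(type_list) + len(refs))
    rmap += type_list + refs
    header = struct.pack(">IIII", 256, 256 + len(blob), len(blob), len(rmap))
    return header + b"\0" * 240 + blob + rmap

# Constructed samples: one CODE 1 resource carrying the signature, one clean fork.
SUSPECT = build_fork([("CODE", 0, b"\0" * 8), ("CODE", 1, b"\x60\x00" + TROJAN_SIGNATURE)])
CLEAN = build_fork([("CODE", 1, b"\x4e\x75" * 4), ("STR ", 128, b"\x05hello")])
```

On a real Mac file the bytes to scan are the resource fork, not the data fork, so the check must be run against that fork as extracted from the original disk or archive.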
2wsa067@GC.BITNET (02/07/90)
One real quick question about this new Mac virus. Do any other programs detect it (i.e. Virus Rx, Interferon, etc.)? And what versions, if any, are you using to detect it?

Thanks,
Ed Vasko