USERGOLD@UALTAMTS.BITNET (Peter Johnston) (02/02/90)
We have detected a new (to us) Macintosh trojan at the University of
Alberta. Two different strains have been identified. Both are
dangerous.
The first strain is imbedded in a program called 'Mosaic', type=APPL and
Creator=????. When launched, it immediately destroys the directories
of all available physically unlocked hard and floppy disks, including
the one it resides on. The attacked disks are renamed 'Gotcha!'.
Unmounted but available SCSI hard disks are mounted and destroyed by the
trojan. The files of hard disks are usually recoverable with one of
the available commercial file utility programs, but often the data file
names are lost. Files on floppy diskettes usually lose their Type and
Creator codes as well, making recovery a non-trivial procedure.
The second strain was detected in a Public Domain program called
'FontFinder', Type=APPL and Creator=BNBW. It has a trigger date of 10
Feb 90. Before that date, the application simply displays a list of
the fonts and point sizes in the System file.
On or after the trigger date, the trojan is invoked and disks are
attacked as for the first strain. The trojan can be triggered by
setting forward the Mac system clock.
Because the second strain has a latency period during which it is non-
destructive, it is much more likely to be widespread. Both trojans
were originally downloaded from a local Macintosh BBS here in Edmonton.
The second version was part of a StuffIt! archive named 'FontFinder.sit'
that also contained documentation and the source code for the FontFinder
application. This source code does NOT contain the source code for the
trojan.
A quick-and-dirty search string for VirusDetective (v/3.0.1 or later)
has been developed that appears to detect the trojan engine in both
strains. It is:
Resource CODE & ID = 1 & Data 44656174685472616B
Note that this will detect the currently known versions, but may or may
not detect mutated versions of this trojan.
There is some evidence that these trojans are related based on
preliminary investigation of the code. It has been speculated that the
second is an 'improved' version of the first (more sophisticated), or
that the two versions were developed by two individual perpetrators
working with the same trojan engine. There easily could be more
versions either circulating or being developed.
This appears to be the first deliberately destructive malicious code
that targets on the Macintosh. There is some suspicion that one or
both have been developed locally. There is also the possibility that
one or both were uploaded from a BBS in the Seattle, Washington area.
Our investigation is far from complete, but is continuing.
Please warn your Mac users to make proper back-ups on a regular basis,
be suspicious of all software not received from a trusted source until
tested, and generally, to practice 'safe computing'.
Any additional information on these two trojans or similar malicious
code would be appreciated. As and when our investigation turns up more
details, they will be posted...
Peter Johnston, P. Eng.
Senior Analyst, University Computing Systems,
352 - GenSvcBldg, The University of Alberta
Edmonton, Alberta CANADA T6G 2H1
Phone: 403/492-2462
FAX: 403/492-7219
EMAIL: usergold@ualtamts.bitnet2wsa067@GC.BITNET (02/07/90)
One real quick question about this new Mac virus. Do any other programs detect it (i.e.Virus Rx, Interferon, etc.)? And what versions if any are you using to detect it? Thanks, Ed Vasko