[comp.sys.mac.hardware] trojan horse warning

anderson@Apple.COM (Clark Anderson) (06/06/90)

Posted on AppleLink today. Thought you all might
be interested...
                                --clark
FROM: DESKTOP SERVICES
Steroid Trojan Horse
--------------------
There is a Trojan Horse called "Steroid".  It is an INIT that claims to speed
up QuickDraw on Macintosh computers with 9" screens.  The INIT contains code
that checks for the date being greater than June 6, 1990.  If it is, it will
ERASE all mounted drives.
 
I have performed some tests on a Macintosh SE.  Having Comm Toolbox installed
seemed to interfere with the INIT and keep the erase from happening.  The SE
simply crashed.
 
I then installed the INIT on a floppy disk and booted the SE.  The floppy and
hard disk were promptly erased.  NOTE: I had set the date to 7/7/90.
 
So far, we know that the code does the following:
 
OPERATIONS AT RESTART:
----------------------
 DATE & TIME CHECK (Loop)
 SYSENVIRONS CHECK
 GETS VOLUME INFORMATION (probably checking for HFS)
 GETS SOME ADDRESSES (Toolbox traps)
 DOES SOME HFS DISPATCH OPERATIONS
 VOLUME IS REINITIALIZED to "Untitled"
 
INFORMATION:
------------
TYPE:      INIT
CREATOR:   qdac
CODE SIZE: 1080
DATA SIZE: 267
ID:        148
Name:      QuickDraw Accelorator
File Name: "  Steroid" (First 2 characters are ASCII 1)
 
WHAT TO DO:
-----------
If your disk becomes erased, you can use SUM II Disk Clinic to recover the
deleted files.  We have tried this and it seems to work.  If you read this
today, before June 6 1990, REMOVE the Steroid INIT from all disks IMMEDIATELY.


-- 
-----------------------------------------------------------
Clark Anderson                  InterNet:  anderson@apple.com
CPU Engineering                 AppleLink: C.ANDERSON
Apple Computer, Inc             BellNet:   408-974-4593

"I speak only for myself, much to my employer's relief..."
-------------------------------------------------------------
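
An added example, not part of the original posts: a check of file-catalog entries against the identifying details listed in the advisory above. It assumes TYPE and CREATOR are the file's Finder codes and that ID and Name describe its INIT resource; the entry layout, the function names and the sample catalog are constructed for illustration.

```python
# Indicators copied from the advisory; everything else here is constructed.
IOC = {"type": b"INIT", "creator": b"qdac", "res_id": 148,
       "res_name": b"QuickDraw Accelorator",   # spelled as in the advisory
       "file_name": b"\x01\x01Steroid"}        # two leading ASCII 1 bytes

def visible_name(name: bytes) -> bytes:
    """Drop leading control bytes (< 0x20) so padded names compare equal."""
    i = 0
    while i < len(name) and name[i] < 0x20:
        i += 1
    return name[i:]

def indicators(entry: dict) -> list:
    """List which advisory indicators one catalog entry matches."""
    hits = []
    if (entry["type"], entry["creator"]) == (IOC["type"], IOC["creator"]):
        hits.append("type/creator")
    if entry["name"] == IOC["file_name"]:
        hits.append("file name")
    elif visible_name(entry["name"]).lower() == visible_name(IOC["file_name"]).lower():
        hits.append("file name (variant)")
    for res_id, res_name in entry.get("init_resources", []):
        if res_id == IOC["res_id"] and res_name == IOC["res_name"]:
            hits.append("INIT resource")
    return hits

def scan(catalog: list) -> dict:
    """Map file name -> (verdict, hits) for every entry with at least one hit."""
    report = {}
    for entry in catalog:
        hits = indicators(entry)
        if hits:
            # Type/creator plus any second indicator is treated as a match.
            verdict = "remove" if "type/creator" in hits and len(hits) > 1 else "review"
            report[entry["name"]] = (verdict, hits)
    return report

# Constructed catalog entries (not real disk data).
SAMPLE = [
    {"name": b"\x01\x01Steroid", "type": b"INIT", "creator": b"qdac",
     "init_resources": [(148, b"QuickDraw Accelorator")]},
    {"name": b"Speedup", "type": b"INIT", "creator": b"qdac",
     "init_resources": [(148, b"QuickDraw Accelorator")]},      # renamed copy
    {"name": b"Steroid", "type": b"TEXT", "creator": b"ttxt"},  # unrelated document
    {"name": b"Clock", "type": b"INIT", "creator": b"clok",
     "init_resources": [(128, b"")]},
]

if __name__ == "__main__":
    for name, (verdict, hits) in scan(SAMPLE).items():
        print(verdict, repr(name), hits)
```

Matching on type, creator and resource details rather than the file name alone still flags a copy that has been renamed.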

gillies@m.cs.uiuc.edu (06/06/90)

If my company marketed an anti-virus program and a disk recovery
program, and sales were slumping, what would I do?

Maybe I'd start writing viruses to drum up sales.  It's within the
realm of unethical logic.  I wonder if anyone out there is really
doing this.....


Don Gillies, Dept. of Computer Science, University of Illinois
1304 W. Springfield, Urbana, Ill 61801      
ARPA: gillies@cs.uiuc.edu   UUCP: {uunet,harvard}!uiucdcs!gillies