
Info about a Mac trojan


There is a Trojan Horse called "Steroid". It is an INIT that claims to speed up QuickDraw on Macintosh SE, Plus and earlier machines. The INIT contains code that checks for the date being greater than July 1, 1990. If it is, it will ERASE all mounted drives.
Having the Comm Toolbox installed seems to interfere with the INIT and keep the erasure from happening. The SE then simply crashes.
Installing the INIT on a floppy disk and booting it on an SE with the system date set after July 1, 1990 causes the floppy and hard disk to be immediately erased.

At this time it is known that the code does the following:

OPERATIONS AT RESTART:
----------------------
DATE & TIME CHECK (Loop)
SYSENVIRONS CHECK
GETS VOLUME INFORMATION (probably checking for HFS)
GETS SOME ADDRESSES (Toolbox traps)
DOES SOME HFS DISPATCH OPERATIONS
VOLUME IS REINITIALIZED to "Untitled"

INFORMATION:
------------
TYPE: INIT
CREATOR: qdac
CODE SIZE: 1080
DATA SIZE: 267
ID: 148
Name: QuickDraw Accelerator
File Name: " Steroid" (First 2 characters are ASCII 1)

The 2 invisible characters are there to make it load before SAM (or
other INITs).
If you have renamed the file so that it runs after SAM (in general, NO unknown INITs should ever be allowed to run before SAM), then in advanced or custom modes you will get SAM alerts saying "There is an attempt to bypass the file system" when this Trojan attacks your volumes. Denying these attempts prevents the Trojan from doing any damage.
You can enter the following virus definition in Virus Clinic to allow both SAM Intercept and Virus Clinic to detect this Trojan during scans.

Virus Name: Steroid Trojan
Resource Type: INIT
Resource ID: 148
Resource Size: 1080
Search String: ADE9 343C 000A 4EFA FFF2 4A78 (hexadecimal)
String Offset: 96

If you have entered this definition and have renamed the Trojan to run after SAM, then SAM Intercept will also notify you when this INIT is run at startup time.
If your disk becomes erased, you can use SUM II Disk Clinic to recover the deleted files.
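The definition above is a fixed byte pattern at a fixed offset inside a resource of a known type, ID and size, and the earlier paragraph describes a second tell: the file name padded with ASCII 1 characters so it sorts ahead of SAM in the INIT load order. The following scanner is an added example, not part of the advisory and not SAM's or Virus Clinic's code; it checks both conditions over resources supplied as plain (type, ID, bytes) tuples rather than a real Macintosh resource fork, assumes the string offset is measured from the start of the resource data, and builds its own constructed INIT body so it runs offline.

```python
"""Toy signature scanner modelled on the Steroid definition in the advisory.

Added example, not code from the original text. Resources are plain tuples,
not a parsed resource fork, and the sample INIT body is constructed here.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Definition:
    name: str
    res_type: str      # four-character resource type, e.g. "INIT"
    res_id: int
    res_size: int      # expected length of the resource data in bytes
    search: bytes      # byte pattern expected at `offset`
    offset: int        # assumed: offset from the start of the resource data


# The values given in the advisory; the hex search string becomes 12 bytes.
STEROID = Definition(
    name="Steroid Trojan",
    res_type="INIT",
    res_id=148,
    res_size=1080,
    search=bytes.fromhex("ADE9343C000A4EFAFFF24A78"),
    offset=96,
)


def matches_definition(defn, res_type, res_id, data):
    """Return True only when every field of the definition matches.

    The size check runs before the slice so a truncated resource (shorter
    than offset + len(search)) is rejected rather than matching a partial
    slice or raising.
    """
    if res_type != defn.res_type or res_id != defn.res_id:
        return False
    if len(data) != defn.res_size:
        return False
    end = defn.offset + len(defn.search)
    if end > len(data):
        return False
    return data[defn.offset:end] == defn.search


def suspicious_init_name(file_name):
    """Flag INIT file names that begin with a control character.

    The advisory says the trojan's name starts with two ASCII 1 bytes so it
    loads before SAM; any leading byte below 0x20 is treated as that trick.
    """
    return bool(file_name) and ord(file_name[0]) < 0x20


def scan(resources, file_name, defn=STEROID):
    """Scan (type, id, data) tuples plus the file name; return findings."""
    findings = []
    if suspicious_init_name(file_name):
        findings.append("load-order trick: file name starts with control character")
    for res_type, res_id, data in resources:
        if matches_definition(defn, res_type, res_id, data):
            findings.append(
                f"{defn.name}: {res_type} {res_id} matches signature at offset {defn.offset}"
            )
    return findings


def constructed_sample():
    """Constructed INIT body of the advisory's size with the pattern at offset 96."""
    body = bytearray(STEROID.res_size)
    body[STEROID.offset:STEROID.offset + len(STEROID.search)] = STEROID.search
    return bytes(body)


if __name__ == "__main__":
    sample = constructed_sample()
    print(scan([("INIT", 148, sample)], "\x01\x01Steroid"))
    print(scan([("INIT", 148, sample[:500])], "Steroid"))  # truncated body: no match
```

Requiring the exact resource size alongside the pattern is what makes the definition narrow: the same 68k bytes in a resource of another length are not reported, which mirrors how the advisory's size field limits false positives.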

NOTE:
This information comes from a number of sources and has been edited by Geoff Hartley for CVIA for clarification.
X-=-=-=-=-=-=-=-=-=-=-=-=-=-=---=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X