A new worm that infects Power Macintosh computers has been discovered. As far as I know, this worm has been called AutoStart 9805, Hong Kong, and Desktop Print Spooler. From what I've seen, it can be removed with ResEdit, Resorcerer, and the like. I threw together this little program to test our systems and mounted volumes here at the school district. If an infection is discovered, the program will remove the infection, but it DOES NOT determine which files, if any, were trashed by the worm (see below).
Since WormFood 1.0 was released, at least two mutations of this worm have appeared. For this reason, I have decided to stop creating the protection files, as they would only create a false sense of security. My recommendation is to turn off the "CD-ROM AutoPlay" option in the QuickTime Settings control panel to prevent reinfection; the worm depends on that option to launch.
NOTE: As of version 1.2, WormFood no longer creates protection files.
Symptoms
When a machine becomes infected, it may appear to lock up for a little while, then continue normal operation. If you experience this phenomenon, your system may be infected by this worm. Upon initial infection, your machine may reboot right after an infected volume (floppy, hard disk, CD-ROM, etc.) is mounted.
What the worm does
Currently, this worm only infects machines that meet (or met) the following criteria at the time of infection:
* Power Macintosh systems
* MacOS 7 and higher
* QuickTime 2.5 or above installed
* QuickTime's CD-ROM AutoPlay option enabled (this is the default).
How the worm attacks
The worm is a "faceless background application" that takes advantage of the AutoPlay feature in QuickTime 2.5 and higher to install itself. Despite the option's name, AutoPlay is not limited to CD-ROMs: whenever any disk (floppy, MO, etc.) is mounted, QuickTime (with "CD-ROM AutoPlay" turned on) will run the worm, thus infecting the system and all other mounted volumes.
In addition to replicating itself, all current mutations of the worm have been reported to overwrite parts of certain files with garbage data. These files are not infected (they carry no worm code), but they cannot be repaired and must be restored from a backup. The reported targets are files:
1) whose names end in "data", "cod", or "csa", regardless of size
2) whose names end in "dat", if the whole file is larger than about 2 Mbytes
The original worm's running copy lives in the "Desktop Print Spooler" file in the Extensions folder of your active System Folder. The copy that AutoPlay launches lives in an invisible file called "DB" at the root of every infected volume. The mutations use different names for both files, so do not rely on these two names alone.
WormFood usage
To achieve the best results, reboot your machine with extensions OFF (hold down the SHIFT key at startup until the Finder loads and you can see the desktop with your hard disk and trash can). This keeps the worm from loading into RAM.
Locate the WormFood application and double click on this application to launch the program and perform a check of the machine.
WormFood will report its progress and what it finds in the log window. If you examine the log file, you may see lines of the form:
Making sure <FileName> is visible
This is a normal part of WormFood's operation. It looks for any file that could be one of the worm files and makes sure that file is visible so you know that it is there. If any of those files matches currently known worm files, you will see
POTENTIALLY DANGEROUS, ADDING TO LIST --> <FilePath>
and the file will be added to the deletion list. If there are any files on the deletion list at the end of the scan, WormFood will alert you and present a list of possible worm files. Pick a file from the list and click "OK" to delete that file; repeat for each file you want removed. When you are finished, click "Cancel". WormFood will then finish and ask whether you want to Quit or View the Log file. If you choose to view the log file, quit WormFood afterwards by choosing "Quit" from the "File" menu or pressing Command-Q.
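The two checks this README describes, the search for known worm files that feeds the deletion list (WormFood usage, above) and the file-name rules for the worm's overwrite targets (What the worm does), as an added example written for this page in Python rather than WormFood's own MacPerl. It is not the project's code. The sample volume it lays out is constructed from harmless placeholder bytes, the worm file names it knows are only the two this page gives (the mutations' names are not on the page, so it will miss them), and it matches on how a name ends rather than on a dot extension because classic Mac OS names carried no extension convention:

```python
"""Offline triage for the AutoStart 9805 pattern described in this README (added example)."""
import os
import tempfile
from pathlib import Path

# Known worm locations from this README only; mutations use other names.
WORM_ROOT_FILES = {"db"}                          # invisible "DB" at the volume root
WORM_EXTENSION_FILES = {"desktop print spooler"}  # in <System Folder>/Extensions

# Overwrite targets: name endings (not dot extensions) as the README states them.
DAMAGE_SUFFIXES = ("data", "cod", "csa")   # any size
LARGE_DAT_SUFFIX = "dat"                   # only above the threshold
LARGE_DAT_THRESHOLD = 2 * 1024 * 1024      # "about 2 Mbytes"


def is_worm_candidate(volume_root, path):
    """True if `path` sits where one of the known worm files lives."""
    name = path.name.lower()
    if path.parent == volume_root and name in WORM_ROOT_FILES:
        return True
    return path.parent.name.lower() == "extensions" and name in WORM_EXTENSION_FILES


def is_damage_target(path, size):
    """True if the worm would have overwritten part of a file with this name and size."""
    name = Path(path).name.lower()
    if name.endswith(DAMAGE_SUFFIXES):
        return True
    return name.endswith(LARGE_DAT_SUFFIX) and size > LARGE_DAT_THRESHOLD


def scan_volume(volume_root):
    """Walk a volume; return (deletion_list, verify_list) as sorted POSIX-style relative paths."""
    volume_root = Path(volume_root).resolve()
    deletion, verify = [], []
    for dirpath, _dirs, filenames in os.walk(volume_root):
        for fn in filenames:
            p = Path(dirpath) / fn
            try:
                size = p.stat().st_size
            except OSError:
                continue  # unreadable entry: report nothing rather than guess
            rel = p.relative_to(volume_root).as_posix()
            if is_worm_candidate(volume_root, p):
                deletion.append(rel)          # goes on the deletion list
            elif is_damage_target(p, size):
                verify.append(rel)            # cannot be repaired; compare with backup
    return sorted(deletion), sorted(verify)


def remove_confirmed(volume_root, deletion_list, confirm):
    """Delete a listed file only when confirm(rel) returns True; return what was removed."""
    removed = []
    for rel in deletion_list:
        if confirm(rel):
            (Path(volume_root) / rel).unlink()
            removed.append(rel)
    return removed


def build_sample_volume(root):
    """Lay out a constructed demo volume (placeholder bytes, no worm code) under `root`."""
    root = Path(root)
    files = {
        "DB": b"x" * 16,                                     # worm seed at the root
        "System Folder/Extensions/Desktop Print Spooler": b"x" * 16,
        "Documents/report.data": b"r" * 100,                 # overwrite target
        "Documents/notes.txt": b"n" * 100,                   # not a target
        "Games/level.dat": b"d" * 100,                       # small "dat": not a target
        "Games/big.dat": b"\0" * (LARGE_DAT_THRESHOLD + 1),  # large "dat": target
        "Other/DB": b"x" * 16,                               # "DB" not at the root: not flagged
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


def demo():
    """Build the sample volume in a temp dir and scan it; returns (deletion_list, verify_list)."""
    return scan_volume(build_sample_volume(tempfile.mkdtemp(prefix="wormfood-")))


def demo_remove():
    """Scan, delete only the root "DB" seed (as a user picking one list entry), rescan."""
    root = build_sample_volume(tempfile.mkdtemp(prefix="wormfood-"))
    deletion, _verify = scan_volume(root)
    remove_confirmed(root, deletion, confirm=lambda rel: rel == "DB")
    return scan_volume(root)[0]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_volume(tempfile.mkdtemp())
    deletion, verify = scan_volume(target)
    for rel in deletion:
        print("POTENTIALLY DANGEROUS, ADDING TO LIST -->", rel)
    for rel in verify:
        print("possible overwrite target, compare with backup -->", rel)
    if not deletion:
        print("all clear: no known worm files found")
```

Run it with a mounted volume (or a copied tree) as the first argument; with no argument it scans the constructed sample. Nothing is deleted unless `remove_confirmed` is called with a confirmation callback, mirroring the pick-and-"OK" step above, and the verify list is deliberately separate because the scanner can tell only that a name matches the worm's targets, not whether the contents were overwritten.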
Dealing with removable volumes
Since the worm infects your system whenever a disk is inserted, and restarts the computer right after infecting it, it is rather difficult to remove it from all removable disks at once. If you believe a removable disk to be infected, restart with extensions off and insert the disks one by one, running WormFood with each disk in the drive to check and clean it.
Version History
05/28/98 - v1.2.2
* updated documentation to accurately describe new scan functionality
* updated code to display the 'all clear' dialog and enter into the log
* minor bugs squashed
05/22/98 - v1.2.1
* fixed a bug in the file list routine
* re-added SetVisible XCMD to make all possible worm files visible
* corrected misinformation regarding AutoStart 9805 worm in documentation
* abstracted the search to handle potential mutations without a new release
* removed option to create protection files
* now presents user with a list of potentially dangerous files with option to delete
05/19/98 - v1.1
* added LocatePath XFCN to locate Extensions folder (international compatibility)
* added SetVisible XCMD to make protection files invisible and reduce clutter
* added checks for AUTOSTART 9805 B mutation
* added protection for AUTOSTART 9805 B mutation (now creates invisible "BD" files)
05/13/98 - v1.0
* initial release
Copyrights
This software is provided as freeware to the community as a service. You may distribute it freely as long as this documentation is included and no modifications are made.
WormFood was written by Doug Baer in MacPerl 5.2.0r4 (17April98). MacPerl itself is by Matthias Neeracher.
Standard Disclaimer
This software is provided as freeware. Neither Doug Baer nor Catalina Foothills School District warrants any of its functionality nor bears any liabilities whatsoever of its use. You are totally responsible for using this software.