A nasty worm that infects Power Macintosh computers has been discovered. This worm has been called AutoStart 9805, Hong Kong, and Desktop Print Spooler. It can be removed with ResEdit, Resorcerer, or by making it visible and manually trashing it. I threw together this little program to test our systems and mounted volumes here at the school district. If an infection is discovered, the program will remove the infection, but it DOES NOT determine which files, if any, were trashed by the worm (see below).
Once you have scanned and cleaned your machine, I recommend that you turn off the "CD-ROM AutoPlay" option in the QuickTime Settings control panel to prevent reinfection.
Symptoms
When a machine becomes infected, it may appear to lock up for a little while, then continue normal operation. If you experience this phenomenon, your system may be infected by this worm. Upon initial infection, your machine may reboot right after an infected volume (floppy, hard disk, CD-ROM, Zip Disk, etc.) is mounted.
What the worm does
Currently, this worm only infects machines that meet (or met) the following criteria at the time of infection:
* Power Macintosh systems
* MacOS 7 and higher
* QuickTime 2.0 or above installed
* QuickTime's CD-ROM AutoPlay option enabled (this is the default).
How the worm attacks
The worm is a "faceless background application" that takes advantage of the AutoPlay feature in QuickTime 2.0 and higher to install itself. Whenever a volume is mounted, QuickTime (with AutoPlay turned on) will run the worm, thus infecting the system and all other mounted volumes.
In addition to replicating itself, all current mutations of the worm have been reported to overwrite parts of certain files with garbage data. While these files are not infected, they cannot be repaired and must be restored from a backup. Reported behavior includes:
* overwriting parts of files with garbage data:
  1) files whose names end in "data", "cod", or "csa"
  2) files whose names end in "dat", if the entire file is larger than about 2 Mbytes
The original worm's replicator lives in the "Desktop Print Spooler" file in the Extensions folder of your active System Folder. However, this is not always the case with the mutations. The original worm lives in an invisible file called "DB" on the root of all infected volumes. Again, this file has a different name for different mutations.
WormFood usage
To achieve the best results, reboot your machine with extensions OFF (hold down the SHIFT key at startup until the Finder loads and you can see the desktop with your hard disk and trash can). This keeps the worm from loading into RAM.
Locate the WormFood application and double click on this application to launch the program and perform a check of the machine.
WormFood will report its progress and what it finds in the log window. If you examine the log file, you may see lines of the form:
Making sure <FileName> is not invisible
This is a normal part of WormFood's operation. It looks for any file that could be one of the worm files and makes sure that file is visible so you know that it is there. If a KNOWN strain of the AutoStart worm is found, it will be automatically deleted and WormFood will enter into the log file:
•REMOVED KNOWN WORM --> <FilePath>
If any other files match the profile of currently known worm files, you will see
POTENTIALLY DANGEROUS, ADDING TO LIST --> <FilePath>
And the file will be added to the potential worm list. If there are any files on this list at the end of the scan, WormFood will alert you and ask you if you want to see a list of possible worm files. NOTE: Just because a file appears on the list DOES NOT mean that it is infected. You may pick a file from the list and click "OK" to delete that file. When you are finished, click "Cancel" and WormFood will finish. You will then be asked if you want to Quit or View the Log file. If you choose to view the log file, you must choose "Quit" from the "File" menu or press Command-Q to quit WormFood.
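As an added illustration (not WormFood's own MacPerl code), the scan below applies the profile this document gives for the original strain: the "DB" file on the volume root and "Desktop Print Spooler" in the Extensions folder, plus the name and size patterns of files the worm is reported to damage, and it emits log lines in the style shown above. The sample volume is constructed from placeholder files; the path "System Folder/Extensions", the Finder's invisible flag, and mutation names are assumptions or not modeled.

```python
import os
import tempfile
from pathlib import Path
# Names the page gives for the original strain; mutations use other names (not modeled here).
KNOWN_ROOT_FILES = {"DB"}                          # invisible file on the volume root
KNOWN_EXTENSION_FILES = {"Desktop Print Spooler"}  # in the active System Folder's Extensions
# Name endings of files the worm is reported to overwrite with garbage data.
DAMAGE_SUFFIXES = ("data", "cod", "csa")
DAT_SIZE_THRESHOLD = 2 * 1024 * 1024  # "dat" files larger than about 2 MB

def scan_volume(root):
    """Return (known_worm_files, possibly_damaged_files) as paths relative to root."""
    root = Path(root)
    known, damaged = [], []
    ext_dir = root / "System Folder" / "Extensions"  # assumed location of the active System Folder
    for folder, names in ((root, KNOWN_ROOT_FILES), (ext_dir, KNOWN_EXTENSION_FILES)):
        for name in names:
            if (folder / name).is_file():
                known.append((folder / name).relative_to(root).as_posix())
    for dirpath, _, filenames in os.walk(root):  # damaged files cannot be repaired, only restored
        for name in filenames:
            path = Path(dirpath) / name
            big_dat = name.lower().endswith("dat") and path.stat().st_size > DAT_SIZE_THRESHOLD
            if name.lower().endswith(DAMAGE_SUFFIXES) or big_dat:
                damaged.append(path.relative_to(root).as_posix())
    return sorted(known), sorted(damaged)

def clean_volume(root, delete=False):
    """Build WormFood-style log lines; delete known worm files only when delete=True."""
    known, damaged = scan_volume(root)
    log = []
    for rel in known:
        if delete:
            (Path(root) / rel).unlink()
        log.append(("REMOVED KNOWN WORM --> " if delete else "KNOWN WORM FOUND --> ") + rel)
    for rel in damaged:
        log.append("POSSIBLY DAMAGED, RESTORE FROM BACKUP --> " + rel)
    return log

def build_sample_volume():
    """Constructed sample volume: placeholder files only, no real worm content."""
    vol = Path(tempfile.mkdtemp(prefix="wormfood_"))
    for sub in ("System Folder/Extensions", "Documents"):
        (vol / sub).mkdir(parents=True)
    (vol / "DB").write_bytes(b"")
    (vol / "System Folder" / "Extensions" / "Desktop Print Spooler").write_bytes(b"")
    (vol / "Documents" / "report.data").write_bytes(b"x" * 10)      # ends in "data"
    (vol / "Documents" / "small.dat").write_bytes(b"x" * 10)        # "dat" but under 2 MB
    (vol / "Documents" / "big.dat").write_bytes(b"x" * (DAT_SIZE_THRESHOLD + 1))
    return str(vol)
```

Run `clean_volume(build_sample_volume(), delete=True)` to see the log lines; the damaged-file lines are informational only, since those files can only be restored from backup.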
Dealing with removable volumes
Since the worm infects your system whenever a disk is inserted and restarts the computer right after infecting it, it is rather difficult to remove it from all removable disks at once. If you believe a removable disk to be infected, restart with extensions off and insert the disks one by one, running WormFood with each disk in the drive to check and clean it.
Version History
07/06/98 - v 1.3
* fixed a bug that appeared when trying to open HUGE files
* automatically deletes known worms, then asks if user wants to list POSSIBLE worm files
* changed my addresses (physical AND email)
* Made sure WormFood handles the new AutoStart-D and AutoStart-E variants
05/28/98 - v 1.2.2
* updated documentation to accurately describe new scan functionality
* updated code to display the 'all clear' dialog and enter into the log
* minor bugs squashed
05/22/98 - v 1.2.1
* fixed a bug in the file list routine
* re-added SetVisible XCMD to make all possible worm files visible
* corrected misinformation regarding AutoStart 9805 worm in documentation
* abstracted the search to handle potential mutations without a new release
* removed option to create protection files
* now presents user with a list of potentially dangerous files with option to delete
05/19/98 - v 1.1
* added LocatePath XFCN to locate Extensions folder (international compatibility)
* added SetVisible XCMD to make protection files invisible and reduce clutter
* added checks for AUTOSTART 9805 B mutation
* added protection for AUTOSTART 9805 B mutation
05/13/98 - v1.0
* initial release
Copyrights
This software is provided as freeware to the community as a service. You may distribute it freely as long as this documentation is included and no modifications are made.
WormFood was written in MacPerl 5.2.0r4 (17April98), Matthias Neeracher's Macintosh port of Perl.
Standard Disclaimer
This software is provided as freeware. Doug Baer does not warrant any of its functionality nor does he bear any liabilities whatsoever of its use. You are totally responsible for using this software.