Section 1 of 3 - Prev - Next All sections - 1 - 2 - 3
Archive-name: computer-virus/macintosh-faq
Posting-Frequency: Fortnightly
Last-modified: Fri, 1 Jan 2000 19:14 GMT
URL: http://www.sherpasoft.org.uk/MacSupporters/macvir.faq
Copyright: Copyright 1996-2000 by David Harley and contributors
Maintainer: David Harley
Viruses and the Macintosh
=========================
by David Harley
Version 1.6b: 7th January 2000
Significant changes from the previous version are flagged with +
symbols in the first two columns at the start of the relevant line
or section. Amendments of minor grammatical or syntactical errors
are not flagged unless they affect factual accuracy or clarity.
Sections tagged with [DH] or [SL] are hangovers from the time when
maintenance of the FAQ was shared between David Harley and Susan Lesch,
and usually denote personal opinions the originator didn't feel the other
maintainer should be held responsible for. Untagged sections using
the first person are usually attributable to David Harley.
This version of the FAQ primarily reflects my involvement in setting
up an information resource at ICSA. This will affect the availability
of the FAQ. The next version will require extensive URL checking,
and will probably introduce major formatting changes.
David Harley
Table of Contents
=================
1.0 Copyright Notice
2.0 Preface
3.0 Availability of this FAQ
4.0 Mission Statement
5.0 Where to get further information
5.1 Computer Virus FAQs
5.2 EICAR
5.3 "Robert Slade's Guide to Computer Viruses"
5.4 Web sites
5.5 Virus Bulletin
5.6 Macro virus information resources
5.7 Other resources
6.0 How many viruses affect the Macintosh?
7.0 What viruses can affect Mac users?
7.1 Mac-specific system and file infectors
7.2 HyperCard Infectors
7.3 Mac Trojan Horses
7.4 Macro viruses, trojans, variants
7.5 Other Operating Systems, emulation on a Mac
7.6 AutoStart 9805 Worms
7.7 Esperanto.4733
8.0 What's the best antivirus package for the Macintosh?
8.1 Microsoft's Protection Tools
8.2 Disinfectant Retired
8.3 Demo Software
8.4 Other freeware/shareware packages
8.5 Commercial Packages
8.6 Contact Details
9.0 Welcome Datacomp
10.0 Hoaxes and myths
10.1 Good Times virus
10.2 Modems and Hardware viruses
10.3 Email viruses
10.4 JPEG/GIF viruses
10.5 Hoaxes Help
11.0 Glossary
12.0 General Reference Section
12.1 Mac Newsgroups
12.2 References and Publications
13.0 Mac Troubleshooting
1.0 Copyright Notice
=====================
Copyright on this document remains with the author(s), and all
rights are reserved. However, it may be freely distributed and
quoted - accurately, and with due credit.
It may not be reproduced for profit or distributed in part or as a
whole with any product for which a charge is made, except with the
prior permission of the copyright holder(s). To obtain such
permission, please contact the maintainer of the FAQ.
Primary author and maintainer of this document is David Harley,
Comments and additional material have been received with gratitude
from Ronnie Sutherland, Henri Delger, Mike Groh and Eugene Spafford.
Thanks to Bruce Burrell, Michael Wright, Peter Gersmann, David Miller,
Ladd Van Tol, Eric Hildum, Jeremy Goldman, Kevin White, Bill
Jackson, Robert Slade, Robin Dover, and John Norstad for their
comments and suggestions. Special thanks to Susan Lesch for her
contributions, editing, and maintenance chores as co-maintainer.
2.0 Preface
============
This document is intended to help individuals with computer
virus-related problems and queries, and clarify the issue
of computer viruses on Macintosh platforms. It should *not* be
regarded as being in any sense authoritative, and has no legal
standing. The authors accept no responsibility for errors or
omissions, or for any ill effects resulting from the use of any
information contained in this document.
Corrections and additional material are welcome, especially if
kept polite.... Contributions will, if incorporated, remain the
copyright of the contributor, and credited accordingly within
the FAQ.
David Harley
3.0 Availability of this FAQ
=============================
++The reference site for this FAQ is now www.icsa.net. However, my own
site at will be the
first place new versions will be posted.
It's also available from Henri Delger's Prodigy Anti-Virus Center
file library, as is the alt.comp.virus FAQ. It will probably be available
shortly from
There are HTML versions at:
I have no control over the content of these sites, and can't guarantee
that they're up-to-date.
4.0 Mission Statement
======================
This document is a little different to the alt.comp.virus FAQ,
which David Harley also co-maintains (at time of writing). It is
concerned with one platform only, and though it deals with the
Macintosh platform at more length than the alt.comp.virus FAQ can
be expected to, it is a great deal shorter. Nor is there the same
degree of urgency about the Mac virus field, though the risk
element may be somewhat underestimated in general, at present. This
FAQ originated from a concern over the spread of macro viruses, a
theme that is taken up below. Since questions about Macs and
viruses tend to appear more often in the Mac groups than
alt.comp.virus or Virus-L, distribution of this FAQ is wider.
5.0 Where to get further information
=====================================
5.1 Computer Virus FAQs
------------------------
Computer Virus FAQ for New Users
A mainly non-Mac virus FAQ posted to news.newusers.questions,
alt.newbie, alt.newbies, alt.answers, and news.answers.
alt.comp.virus FAQ
This is posted to alt.comp.virus approximately fortnightly. It
includes a document that summarizes and gives contact information
for a number of other virus-related FAQs; (not much Mac-specific
material). The latest version is available from:
but the reference version will
eventually be the one at www.eicar.dk (page currently under construction).
VIRUS-L/comp.virus FAQ
The Virus-L/comp.virus FAQ (also fairly low on Mac-specific
information) is regularly posted to the comp.virus newsgroup
(version 2.0 at time of writing). This FAQ is very long and very
thorough. The document is subject to revision, so the file name may
change. The latest version may be found at:
5.2 EICAR
----------
++Dr Solomon's Anti-Virus Toolkit, Virex, and NAV (Norton AntiVirus
for Macintosh) now support the EICAR test. This article by
Paul Ducklin of Sophos explains the EICAR test file:
. [SL]
5.3 "Robert Slade's Guide to Computer Viruses"
-----------------------------------------------
The disk included with the 2nd Edition of this excellent general
resource includes most of the information available at the
University of Hamburg (see 5.5). The book also contains a
reasonable quantity of Mac-friendly information. The disk includes
a copy of Disinfectant 3.6, which is now out-of-date -- 3.7.1 is
the latest and final release. For more information about this book:
[Springer]
++Very few books primarily about computer viruses deal at any length
with Mac viruses (I can't think of one, at present). Some general
books on the Mac touch on the subject, but none I can think of add
anything useful. Some of the "Totally Witless User's Guide
to......." books dealing with security in general include
information on PC -and- Mac viruses. Unfortunately, the quality of
virus-related information in such publications is generally low, and
there are few or no books on computer viruses in general which are
both recent -and- accurate.
5.4 Web sites
--------------
Many major vendors have a virus information database online on
their Web sites. Symantec (www.symantec.com), Network Associates
(www.nai.com), Sophos (www.sophos.com) and Dr. Solomon's
(www.drsolomon.com) include Macintosh virus information.
Precise URLs tend to come and go, but you might like to try the
following:
Symantec Antivirus Research Center
Virus Encyclopedia based on Project VGrep: huge, and now has a
search engine. Probably the most complete [SL]. But not always the
most accurate [DH]. ;-)
Network Associates, formerly McAfee Associates:
Virus Information Library
Macintosh Viruses
Sophos Plc
About.com "Macintosh Virus Desriptions"
Part of work in progress by Ken Dunham
+ (new domain name)
Mac Virus
++[Site closed 5th September 1999]
Dr Solomon's "Mac Viral Zoo"
Starting to go out of date
++Keep watching
5.5 Virus Bulletin
-------------------
The expensive (but, for the professional, essential) periodical
Virus Bulletin includes Mac-specific information from time to time.
However, if you have no interest in PC issues, you probably won't
consider it worth the expense.
Virus Bulletin Ltd
The Pentagon
Abingdon
OX14 3YP
England
+44 1235 555139
The proceedings of the 1997 Virus Bulletin conference contained a
paper by David Harley which significantly expands on many of the
issues addressed in this FAQ. Contact Virus Bulletin for further
information on the annual conference and on obtaining the
proceedings. The paper can also be found (by permission of Virus
Bulletin) at the author's website
and at
5.6 Macro virus information resources
--------------------------------------
++University of Hamburg Virus Test Center Macro Virus List is the
definitive listing. All known macro viruses, some only found in
research labs, some in the wild. Doesn't include information on
individual viruses apart from name and platform, and somewhat
irregularly maintained.
Other Sources:
(under Virus Information)
[The following absolute URLs may change: such is the way of Web
administrators..... If you get an error message, try the first part
of the URL, e.g. and drill down from there.]
Dr Solomon's Software Ltd.
Central Command
Network Associates
Data Fellows
++Richard Martin put together an FAQ on the subject of Word viruses.
It's well out-of-date, though, and was always inaccurate in some
respects.
++N.B.This URL may be out of date. There is a copy of what I believe
to be the last released version at SherpaSoft:
5.7 Other resources
--------------------
There are excellent pages on HyperCard viruses at HyperActive
Software. There is information on HyperCard infectors, a link to
Bill Swagerty's free Vaccine utility for detecting and cleaning
them, a note on false positives reported by commercial software,
inoculation, and a free HyperCard virus detection service.
The CIAC virus database includes entries for PC, Macintosh, and a
number of other platforms. The Macintosh section also includes a
number of joke programs and one or two apparent hoaxes.
Virus Test Center, Hamburg: AntiVirus Catalog/CARObase early work
These links may be out-of-date: if they don't work, try
Last we checked [03-Sep-97], these sites probably need updating,
though some older files do have historical value. Info-Mac mirrors
have Macintosh information, but includes some outdated virus
information and software at this writing; still, always worth a
visit.
Also of interest, again sometimes outdated:
Kevin Harris's Virus Reference was last updated 31-Aug-95. This
HyperCard stack requires HyperCard 2.1 or later.
6.0 How many viruses affect the Macintosh?
===========================================
There are around 40 Mac-specific viruses and related threats.
++Mac users with Word 6 or versions of Word/Excel supporting Visual Basic
for Applications, however, are vulnerable to infection by macro
viruses which are specific to these applications. Indeed, these
viruses can, potentially, infect other files on any hardware
platform supporting these versions of these applications. I don't
know of a macro virus with a Mac-specific payload that actually
works at present, but such a payload is entirely possible.
++Office 98 applications are in principle vulnerable to most of the
threats to which Office 97 applications are vulnerable. I'll return
to this subject when and if time allows. [DH]
Word Mac version 5.1 and below do not support WordBasic, and are
not, therefore, vulnerable to direct infection. Not only do these
versions not only understand embedded macros, but they can't read
the Word 6 file format unaided. There is, however, at least one
freeware utility which allows Word 5.x users to read Word 6 files.
This will not support execution of Word 6 (or WinWord 2) macros in
Word 5.x, so I would not expect either an infection routine or a
payload routine to be able to execute within this application.
However, Word 5.x users may contribute indirectly to the spread of
infected files across platforms and systems, since it is perfectly
possible for a user whose own system is uninfectable to act as a
conduit for the transmission of infected documents, whether or not
s/he reads it personally.
Files infected with a PC-specific file virus (this excludes macro
viruses) can only execute on a Macintosh running DOS or DOS/Windows
emulation, if then. They can, of course, spread across platforms
simply by copying infected files from one system to another.
DOS diskettes infected with a boot sector virus can be read on a
Mac with Apple File Exchange, PC Exchange, DOS Mounter etc. without
(normally) risk to the Mac. However, leaving such an infected disk
in the drive while booting an emulator such as SoftPC can mean that
the virus attempts to infect the logical PC drive with
unpredictable results.
I am aware of at least one instance of a Mac diskette which, when
read on a PC running a utility for reading Mac-formatted disks
after being infected with a boot-sector infector, became unreadable
as a consequence of the boot track infection.
Some Mac viruses may damage files on Sun systems running MAE or
AUFS.
7.0 What viruses can affect Mac users?
=======================================
Not all variants are listed here. It was originally intended to
reference all the major variants at least by name eventually, but
since the information is of academic interest at best to most users
(and available elsewhere anyway), it's no longer considered a
priority. The main problem affecting Mac users nowadays is the
spread of macro viruses, and I can't possibly find time to
catalogue them individually, so they are only considered generally.
Native Mac viruses are rather rarely seen nowadays, and most people
don't need to know about them in detail -- in fact, what they need
most is to know that their favoured antivirus software will deal
with them. Note that I'm not primarily in the business of hands-on
virus analysis, and cannot accept responsibility for descriptive errors
based on third-party information. [DH]
The following varieties are listed below:
7.1 Mac-specific system and file infectors
7.2 HyperCard Infectors
7.3 Mac Trojans
7.4 Macro viruses, trojans, variants
7.5 Other Operating Systems, emulation on a Mac
7.6 AutoStart 9805 Worms
7.7 Esperanto 4733
7.1 Mac-specific system and file infectors
-------------------------------------------
AIDS - infects application and system files. No intentional damage.
(nVIR B strain)
Aladin - close relative of Frankie
Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) - can't spread under
system 7.x, or System 6 under MultiFinder. Can damage applications
so that they can't be 100% repaired.
CDEF - infects desktop files. No intentional damage, and doesn't
spread under system 7.x.
CLAP: nVIR variant that spoofs Disinfectant to avoid detection
(Disinfectant 3.6 recognizes it).
Code 1: file infector. Renames the hard drive to "Trent Saburo".
Accidental system crashes possible.
Code 252: infects application and system files. Triggers when run
between June 6th and December 31st. Runs a gotcha message ("You
have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks...
[etc.]"), then self-deletes. Despite the message, no intentional
damage is done, though shutting down the Mac instead of clicking to
continue could cause damage. Can crash System 7 or damage files,
but doesn't spread beyond the System file. Doesn't spread under
System 6 with MultiFinder beyond System and MultiFinder. Can cause
various forms of accidental damage.
Code 9811: hides applications, replacing them with garbage files
named "something like 'FIDVCXWGJKJWLOI'." According to Ken Dunham
who reported this virus in November, "The most obvious symptom of
the virus is a desktop that looks like electronic worms and a
message that reads 'You have been hacked by the Pretorians.'"
Code 32767: once a month tries to delete documents. This virus is
not known to be in circulation.
Flag: unrelated to WDEF A and B, but was given the name WDEF-C in
some anti-virus software. Not intentionally damaging but when
spreading it overwrites any existing 'WDEF' resource of ID '0', an
action which might damage some files. This virus is not known to be
in circulation.
Frankie: only affects the Aladdin emulator on the Atari or Amiga.
Doesn't infect or trigger on real Macs or the Spectre emulator.
Infects application files and the Finder. Draws a bomb icon and
displays 'Frankie says: No more piracy!"
Fuck: infects application and System files. No intentional damage.
(nVIR B strain)
Init 17: infects System file and applications. Displays message
"From the depths of Cyberspace" the first time it triggers.
Accidental damage, especially on 68K machines.
Init 29 (Init 29 A, B): Spreads rapidly. Infects system files,
applications, and document files (document files can't infect other
files, though). May display a message if a locked floppy is
accessed on an infected system 'The disk "xxxxx" needs minor
repairs. Do you want to repair it?'. No intentional damage, but can
cause several problems - Multiple infections, memory errors, system
crashes, printing problems, MultiFinder problems, startup document
incompatibilities.
Init 1984: Infects system extensions (INITs). Works under Systems 6
and 7. Triggers on Friday 13th. Damages files by renaming them,
changing file TYPE and file CREATOR, creation and modification
dates, and sometimes by deleting them.
Init-9403 (SysX): Infects applications and Finder under systems 6
and 7. Attempts to overwrite whole startup volume and disk
information on all connected hard drives. Only found on Macs
running the Italian version of MacOS.
Init-M: Replicates under System 7 only. Infects INITs and
application files. Triggers on Friday 13th. Similar damage
mechanisms to INIT-1984. May rename a file or folder to "Virus
MindCrime". Rarely, may delete files.
MacMag (Aldus, Brandow, Drew, Peace): first distributed as a
HyperCard stack Trojan, but only infected System files. Triggered
(displayed a peace message and self-deleted on March 2nd 1988, so
very rarely found.
MBDF (A,B): originated from the Tetracycle, Tetricycle or
"tetris-rotating" Trojan. The A strain was also distributed in
Obnoxious Tetris and Ten Tile Puzzle. Infect applications and
system files including System and Finder. Can cause accidental
damage to the System file and menu problems. A minor variant of
MBDF B appeared in summer 1997: Disinfectant and Virex have been
updated accordingly.
MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file
and application files (D doesn't infect System). No intentional
damage, but can cause crashes and damaged files.
MDEF-E and MDEF-F: described as simple and benign. They infect
applications and system files with an 'MDEF' resource ID '0', not
otherwise causing file damage. These viruses are not known to be in
circulation.
nCAM: nVIR variant
nVIR (nVIR A, B, C - AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect
System and any opened applications. Extant versions don't cause
intentional damage. Payload is either beeping or (nVIR A) saying
"Don't panic" if MacInTalk is installed.
nVIR-f: nVIR variant.
prod: nVIR variant
Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two
applications that were never generally released. Can cause
accidental damage, though - system crashes, problems printing or
with MacDraw and Excel. Infects applications, Finder, DA Handler.
SevenDust-A through G (MDEF 9806-A through D, also known as 666, E
was at first called "Graphics Accelerator"): a family of five
viruses which spread both through 'MDEF' resources and a System
extension created by that resource. The first four variants are not
known to be in circulation. Two of these viruses cause no other
damage. On the sixth day of the month, MDEF 9806-B may erase all
non-application files on the current volume. The SARC encyclopedia
calls MDEF 9806-C, "polymorphic and encrypted, no payload," and
MDEF 9806-D, "encrypting, polymorphic, symbiotic," and says the
symbiotic part, "alters a 'WIND' resource from the host
application." SevenDust E, not to be confused with the legitimate
ATI driver "Graphics Accelerator", began as a trojan horse released
to Info-Mac and deleted there on or about September 26, 1998. Takes
two forms, 'INIT' resource ID '33' in an extension named
"\001Graphics Accelerator" and an 'MDEF' resource ID '1' to '255'.
Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any
month, the virus will try to delete all non-application files on
the startup disk. John Dalgliesh describes "Graphics Accelerator"
on his Web page for AntiGax, a free anti-SevenDust E utility; any
errors here in translation are not his. SevenDust F uses a trojan
"ExtensionConflict", common extensions names, and creator 'ACCE'.[SL]
T4 (A, B, C, D): infects applications, Finder, and tries to modify
System so that startup code is altered. Under System 6 and 7.0,
INITs and system extensions don't load. Under 7.0.1, the Mac may be
unbootable. Damage to infected files and altered System is not
repairable by Disinfectant. The virus masquerades as Disinfectant,
so as to spoof behaviour blockers such as Gatekeeper. Originally
included in versions 2.0/2.1 of the public domain game GoMoku.
T4-D spreads from application to application on launch by appending
itself to the 'CODE' resource. Deletes files other than the System
file from the System Folder, and documents, and is termed dangerous.
The D strain is not known to be in circulation [SL].
WDEF (A,B): infects desktop file only. Doesn't spread under System
7. No intentional damage, but causes beeping, crashes, font
corruption and other problems.
zero: nVIR variant.
Zuc (A, B, C): infects applications. The cursor moves diagonally
and uncontrollably across the screen when the mouse button is held
down when an infected application is run. No other intentional
damage is done.
7.2 HyperCard infectors
------------------------
These are a somewhat esoteric breed, but a couple have been seen
since Disinfectant was last upgraded in 1995, and most of the
commercial scanners detect them.
Dukakis - infects the Home stack, then other stacks used
subsequently. Displays the message "Dukakis for President", then
deletes itself, so not often seen.
HC 9507 - infects the Home stack, then other running stacks and
randomly chosen stacks on the startup disk. On triggering, displays
visual effects or hangs the system. Overwrites stack resources, so
a repaired stack may not run properly.
HC 9603 - infects the Home stack, then other running stacks. No
intended effects, but may damage the Home stack.
HC "Two Tunes" (referred to by some sources as "Three Tunes") -
infects stack scripts. Visual/Audio effects: 'Hey, what are you
doing?' message; plays the tune "Muss I denn"; plays the tune
"Behind the Blue Mountains"; displays HyperCard toolbox and pattern
menus; displays 'Don't panic!' fifteen minutes after activation.
Even sources which describe this virus as "Three Tunes" seem to
describe the symptoms consistently with the description here, but
we will, for completeness, attempt to resolve any possible
confusion when time allows. This virus has no known with the PC
file infector sometimes known as Three Tunes.
MerryXmas - appends to stack script. On execution, attempts to
infect the Home stack, which then infects other stacks on access.
There are several strains, most of which cause system crashes and
other anomalies. At least one strain replaces the Home stack script
and deletes stacks run subsequently. Variants include Merry2Xmas,
Lopez, and the rather destructive Crudshot. [Ken Dunham discovered
the merryXmas virus. His program merryxmasWatcher 2.0 was very
popular and still can eradicate the most common two strains,
merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the
rest this family.]
Antibody is a recent virus-hunting virus which propagates between
stacks checking for and removing MerryXmas, and inserting an
inoculation script.
Independance (sic) Day - reported in July, 1997. It attempts to
to be destructive, but fortunately is not well enough written to be
more than a nuisance. More information at:
Blink - reported in August, 1998. Nondestructive but spreads;
infected stacks blink once per second starting in January, 1999.
7.3 Mac Trojan Horses
----------------------
These are often unsubtle and immediate in their effects: while
these effects may be devastating, Trojans are usually very
traceable to their point of entry. The few Mac-specific Trojans are
rarely seen, but of course the commercial scanners generally detect
them.
ChinaTalk - system extension - supposed to be sound driver, but
actually deletes folders.
CPro - supposed to be an update to Compact Pro, but attempts to
format currently mounted disks.
+ ExtensionConflict - supposed to identify Extensions conflicts, but
installs one of the six SevenDust a.k.a. 666 viruses.
FontFinder - supposed to lists fonts used in a document, but
actually deletes folders.
MacMag - HyperCard stack (New Apple Products) that was the origin
of the MacMag virus. When run, infected the System file, which then
infected System files on floppies. Set to trigger and self-destruct
on March 2nd, 1988, so rarely found.
Mosaic - supposed to display graphics, but actually mangles
directory structures.
NVP - modifies the System file so that no vowels can be typed.
Originally found masquerading as 'New Look', which redesigns the
display.
Steroid - Control Panel - claims to improve QuickDraw speed, but
actually mangles the directory structure.
Tetracycle - implicated in the original spread of MBDF
Virus Info - purported to contain virus information but actually
trashed disks. Not to be confused with Virus Reference.
Virus Reference 2.1.6 mentions an 'Unnamed PostScript hack' which
disables PostScript printers and requires replacement of a chip on
the printer logic board to repair. A Mac virus guru says:
"The PostScript 'Trojan' was basically a PostScript job that
toggled the printer password to some random string a number of
times. Some Apple laser printers have a firmware counter that
allows the password to only be changed a set number of times
(because of PRAM behavior or licensing -- I don't remember which),
so eventually the password would get "stuck" at some random string
that the user would not know. I have not heard any reports of
anyone suffering from this in many years."
AppleScript Trojans - A demonstration destructive compiled
Section 1 of 3 - Prev - Next All sections - 1 - 2 - 3
