AUSCERT External Security Bulletin Redistribution
                    ESB-98.108 -- CIAC Bulletin I-067
                   AutoStart 9805 Macintosh Worm Virus
                               9 July 1998


The U.S. Department of Energy Computer Incident Advisory Capability has
released the following advisory concerning the spread of the Autostart
9805 worm virus among PowerPC systems running MacOS or later versions.
Autostart 9805 spreads itself through HFS or HFS+ volumes.  The virus
overwrites some data files and produces denial of service charactertics.

The following security bulletin is provided as a service to AusCERT's
members.  As AusCERT did not write this document, AusCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for CIAC is included in the Security Bulletin below.
If you have any questions or need further information, please contact them

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_   /
                          \___  __|__  /     \___

                             INFORMATION BULLETIN

                      AutoStart 9805 Macintosh Worm Virus

July 6, 1998 16:00 GMT                                            Number I-067
PROBLEM:       CIAC has become aware of several instances world-wide where a
               Autostart 9805 worm virus is spreading itself among PowerPC
               systems running MacOS or later versions. The virus Autostart
               9805 spreads itself through HFS or HFS+ volumes. Autostart 9805
               overwrites some data files and produces denial of service
PLATFORM:      Machintosh PowerPC running MacOS or later.
DAMAGE:        Adds invisible files to all disk partitions, causes excessive
               network traffic, causes excessive disk access activity,
               overwrites some data files.
SOLUTION:      Purchase or upgrade to the most current anti-virus software or
               follow the instructions in the Removal and Recovery section.
VULNERABILITY  The Autostart 9805 worm virus has infected hosts in numerous
ASSESSMENT:    locations throughout the world.

The Macintosh world has been largely free of new Mac-specific viruses
and their kin over the past few years.  The last real virus to emerge
was in April of 1994, when the INIT-29-B virus appeared.  In 1995, we
saw the Hypercard HC-9507 virus appear, and the first Microsoft Word
macro virus.  Thereafter, except for residual infections of old
viruses, the only worrisome Macintosh-specific malware for almost 3
years have been macro viruses of Microsoft software.  (Contrast this
with as many as ten thousand new viruses for that other PC platform in
the same time period.)

Our respite has ended for the time-being.

              New Macintosh Worm Discovered (Autostart 9805)
                             4 May 1998

Virus: Autostart 9805
Damage: Adds invisible files to every disk partition and periodically
        causes extensive disk activity (and network activity if
        network disks are mounted).  Will overwrite some data files
        with random data.
Spread: PowerPC systems running the MacOS or later
        and with mounted HFS or HFS+ volumes.  Initial infection
        usually requires QuickTime 2.0 or above installed.

Autostart-9805 is technically a worm program.  It does not change any
existing program or file to spread itself.  Instead, it copies itself
to other disk partitions so that it becomes active on other systems.

The first reported appearances of this software were in Hong Kong, and
it has spread very rapidly among the desktop publishing (DTP)
community there.

The worm can be transmitted via almost any HFS or HFS+ disk volume,
including floppy disks, most removable cartridges drives, MO disks,
CD-WORM disks, hard disks and even disk images.  The code requires a
PowerPC-based system running MacOS -- a 68K-based system will fail to
run the code.  The worm will also spread across networks to any
mounted network file partition.

Infected disks contain an invisible application file named "DB" (type
'APPL', creator '????', with the "invisible" attribute set) in the
root directory, with autostart set. When the infected disk is mounted
on a PowerPC MacOS system running QuickTime 2.0 or later, the "DB"
application is launched automatically if the AutoStart feature is
enabled in QuickTime.  It then copies itself to the Extensions folder
of the active System. It changes the name of the copy to "Desktop
Print Spooler" and the type to 'appe' (do NOT confuse this file with
the visible and legitimate "Desktop Printer Spooler" extension); the
worm file is also invisible, and when running is not shown in the
applications menu.  It then restarts the computer system.

The worm, in the form of the invisible application in the extension
folder, is automatically launched whenever the computer system starts
up. About every thirty minutes, it examines the mounted volumes. If
any are not already infected, it attempts to infect them by copying
itself to the root directory (renamed back to "DB" and type 'APPL')
and setting up the AutoStart field in the boot block. Most writable
volumes are successfully infected. The notable exception is server
volumes, which do not have the necessary boot block fields for
AutoStart. The worm file is copied to writable server volumes, but it
does not get launched when the volume is mounted.

Note that once the extension version of the worm is in place, turning
off QuickTime makes no difference -- the virus will continue to load
and spread as a result of being activated at system boot time.


After checking the mounted volumes for infection, the worm begins
searching for certain files on each disk. Files ending with "data",
"cod", and "csa" (case insensitive) are targeted if the data fork is
larger than 100 bytes. Files ending with "dat" are targeted if they are
larger than about 2 Mbytes (resource + data forks). When a targeted file
is found, it is damaged by overwriting the data fork (up to approximately
the first 1 Mbyte) with garbage. The first byte is always set to zero,
and this serves as a flag to bypass the file on subsequent passes.


The worm has numerous symptoms that make it reasonably easy to

1) The system unexpectedly restarts after mounting a diskette or other
volume. This will only happen when the initial infection occurs.

2) The "DB" application name flashes briefly in the menu bar when a disk
is mounted.

3) The presence of an invisible application file named "DB" on the root
of disk volumes, or the invisible "Desktop Print Spooler" file in the
extensions folder. Any file or disk utility program (such as ResEdit)
that shows invisible files in its file selection dialogs can be used to
check for the files. Be sure not to confuse the legitimate "Desktop
Printer Spooler" file with the worm.

4) A process named "Desktop Print Spooler" is found (use Process Watcher
or Macsbug).

5) Extensive, unexplained disk activity every 30 minutes.


The risk of infection can be effectively eliminated by manually disabling
the AutoStart option in the QuickTime Settings Control Panel. This will
not help if the system is already infected.  It will also not prevent
an infected Mac from creating the invisible "DB" files on any
partitions you share with them on a network.

Versions of QuickTime prior to 2.5 do not seem to have a way to
disable autoplay.   You should disable QuickTime or upgrade to a
recent version if you have an old release.

Note: recent versions of QuickTime also have an "Enable Audio CD
AutoPlay" option.  This option can be left on.  Note that disabling
the autostart feature does not have any affect on the normal operation
of QuickTime, and can be safely turned off.

Removal & Recovery

Most of the major anti-virus developers have prepared updates to their
software.  The remaining vendors will undoubtedly have updates soon.
Users are *strongly* encouraged to run current, up-to-date anti-virus
software, and to regularly incorporate vendor-supplied updates.

In the absence of such software, you can remove the virus using the
following steps.  However, you will need to restore damaged data files
from backups (you *do* make regular backups, don't you?).

1) Reboot your system with extensions off.  (Reboot while pressing the
shift key.)

2) Start the Apple "Find File" utility.  Use it to search all volumes
for files whose name is exactly "DB" and which are invisible.  (To
select for visibility, hold down the option key when clicking on the
"Name" pop-up menu; use "more choices" to select both search
criteria.)  Drag found files from the Find window to the trash.

3) Search again, for the "Desktop Print Spooler" file.  Delete it
also.  (Be sure to NOT delete the legitimate "Desktop Printer

4) Empty the trash.

5) Open the "QuickTime Settings" control panel and disable autostart
unless there is some significant reason you need it.

6) Restart.

Commercial Updates

  Tool: Disinfectant
  Status: Freeware (courtesy of John Norstad and Northwestern Univ.)
  Revision to be released: undecided
  When available: undecided -- to be determined
  Where to find: usual archives. Online at
  Comments:  Disinfectant does not scan for macro viruses, so it is
        wise to obtain and use a commercial anti-virus tool.  An
        update may not be produced -- an announcement one way or the
        other will be made soon.

  Tool: Dr. Solomon's Anti-virus Toolkit
  Status: Commercial
  When available: unknown
  Where to find: via the AVTK WWW page:

  Tool: Network Associates VirusScan for the Mac
  Status: Commercial
  When available: unknown

  Tool: SAM (Symmantic Anti-virus for the Mac)
  Status: Commercial
  When available: soon
  Where to find: via <http://www.symantec.com/sam/>
  Comments: Symantec is working on a solution and will be providing
        one as soon as possible.

  Tool: Virex
  Status: Commerical
  Version: 05_02_98 and later
  When available: immediately
  Where to find: via <http://www.drsolomon.com/products/virex/>
  Comments:  All Virex Protection Service subscribers will
        automatically receive updates.

Other info

One comprehensive and useful WWW page of anti-virus information can be
found at <http://www.macvirus.com>.  A list of WWW-based anti-virus
resources may be found at

If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis.  Such reports make early, informed
warnings like this one possible for the rest of the Mac community.  If
you are otherwise unsure of who to contact, you may send e-mail to
<spaf@cs.purdue.edu> as an initial point of contact.

Also, be aware that writing and releasing computer viruses or worms is
more than a rude and damaging act of vandalism -- it is also a
violation of many state and Federal laws in the US, and illegal in
several other countries.  If you have information concerning the
author of this or any other damaging software, please contact your
anti-virus software vendor or your national law enforcement agency.
Several Mac virus authors have been apprehended thanks to the efforts
of the Mac user community, and some have received criminal convictions
for their actions.  This is yet one more way to help protect your

CIAC wishes to acknowledge the contributions of Gene Spafford for the
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to       ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-057: FreeBSD NFS Kernel Code Error
I-058: SunOS rpc.nisd Vulnerability
I-059: SUN ftpd Vulnerability
I-060: SGI IRIX OSF/DCE Denial of Service Vulnerability
I-061: SGI IRIX  mediad(1M) Vulnerability
I-062: SGI IRIX BIND DNS named(1M) Vulnerability
I-063: RSI BSDI rlogind Vulnerability
I-064: SGI IRIX  mail(1), rmail(1M), sendmail(1M) Vulnerabilities
I-065:  SunOS ufsrestore Buller Overflow Vulnerability
I-066: Vulnerability in Some Implementations of PKCS#1

Version: 4.0 Business Edition


- --------------------------END INCLUDED TEXT--------------------

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key