Mac Virus

As I’m no longer regularly working in the security industry, this page is no longer being maintained. It’s left up here for historical reasons only.

David Harley, 15th April 2020

[Page created August 19, 2012]

This information is extracted with very minor edits from version 2.x of the ‘Viruses and the Macintosh’ FAQ which I haven’t updated in many years (eleven, to be precise), and preceded my work on OS X malware.

Not all variants are listed here. It was originally intended to reference all the major variants at least by name eventually, but since the information is of academic interest at best to most users (and available elsewhere anyway), it’s no longer considered a priority. All this malware is probably effectively extinct at the time of this revision (August 2012).

Mac-specific system and file infectors

• AIDS – infects application and system files. No intentional damage. (nVIR B strain)
• Aladin – close relative of Frankie (see below)
• Anti (Anti-A/Anti-Ange, Anti-B, Anti Variant) – can’t spread under system 7.x, or System 6 under MultiFinder. Can damage applications so that they can’t be 100% repaired.
• CDEF – infects desktop files. No intentional damage, and doesn’t spread under system 7.x.
• CLAP: nVIR variant that spoofs Disinfectant to avoid detection (Disinfectant 3.6 recognizes it).
• Code 1: file infector. Renames the hard drive to “Trent Saburo”. Accidental system crashes possible.
• Code 252: infects application and system files. Triggers when run between June 6th and December 31st. Runs a gotcha message (“You have a virus. Ha Ha Ha Ha Ha Ha Ha Now erasing all disks… [etc.]”), then self-deletes. Despite the message, no intentional damage is done, though Norstad points out that shutting down the Mac instead of clicking to continue could cause damage. Can crash System 7 or damage files, but doesn’t spread beyond the System file. Doesn’t spread under System 6 with MultiFinder beyond System and MultiFinder. Can cause various forms of accidental damage.
• Code 9811: hides applications, replacing them with garbage files named “something like ‘FIDVCXWGJKJWLOI’.” According to Ken Dunham who reported this virus in November, “The most obvious symptom of the virus is a desktop that looks like electronic worms and a message that reads ‘You have been hacked by the Pretorians.'”
• Code 32767: once a month tries to delete documents. This virus is not known to be in circulation.
• Flag: unrelated to WDEF A and B, but was given the name WDEF-C in some anti-virus software. Not intentionally damaging but when spreading it overwrites any existing ‘WDEF’ resource of ID ‘0’, an action which might damage some files. This virus is not known to be in circulation.
• Frankie: only affects the Aladdin emulator on the Atari or Amiga. Doesn’t infect or trigger on real Macs or the Spectre emulator. Infects application files and the Finder. Draws a bomb icon and displays ‘Frankie says: No more piracy!”
• F*ck: (I’m not usually coy about using four-letter words when appropriate, but I notice that sometimes WordPress notices these things…) infects application and System files. No intentional damage. (nVIR B strain)
• Init 17: infects System file and applications. Displays message “From the depths of Cyberspace” the first time it triggers. Accidental damage, especially on 68K machines.
• Init 29 (Init 29 A, B): Spreads rapidly. Infects system files, applications, and document files (document files can’t infect other files, though). May display a message if a locked floppy is accessed on an infected system ‘The disk “xxxxx” needs minor repairs. Do you want to repair it?’ No intentional damage, but can cause several problems – Multiple infections, memory errors, system crashes, printing problems, MultiFinder problems, startup document incompatibilities.
• Init 1984: Infects system extensions (INITs). Works under Systems 6 and 7. Triggers on Friday 13th. Damages files by renaming them, changing file TYPE and file CREATOR, creation and modification dates, and sometimes by deleting them.
• Init-9403 (SysX): Infects applications and Finder under systems 6 and 7. Attempts to overwrite whole startup volume and disk information on all connected hard drives. Only found on Macs running the Italian version of MacOS.
• Init-M: Replicates under System 7 only. Infects INITs and application files. Triggers on Friday 13th. Similar damage mechanisms to INIT-1984. May rename a file or folder to “Virus MindCrime”. Rarely, may delete files.
• MacMag (Aldus, Brandow, Drew, Peace): first distributed as a HyperCard stack Trojan, but only infected System files. Triggered (displayed a peace message and self-deleted) on March 2nd 1988, so very rarely found.
• MBDF (A,B): originated from the Tetracycle, Tetricycle or “tetris-rotating” Trojan. The A strain was also distributed in Obnoxious Tetris and Ten Tile Puzzle. Infect applications and system files including System and Finder. Can cause accidental damage to the System file and menu problems. A minor variant of MBDF B appeared in summer 1997.
• MDEF (MDEF A/Garfield, MDEF B/Top Cat, C, D): infect System file and application files (D doesn’t infect System). No intentional damage, but can cause crashes and damaged files.
• MDEF-E and MDEF-F: described as simple and benign. They infect applications and system files with an ‘MDEF’ resource ID ‘0’, not otherwise causing file damage. These viruses are not known to be in circulation.
• nCAM: nVIR variant
• nVIR (nVIR A, B, C – AIDS, Fuck, Hpat, Jude, MEV#, nFlu): infect System and any opened applications. Extant versions don’t cause intentional damage. Payload is either beeping or (nVIR A) saying “Don’t panic” if MacInTalk is installed.
• nVIR-f: nVIR variant.
• prod: nVIR variant
• Scores (Eric, Vult, NASA, San Jose Flu): aimed to attack two applications that were never generally released. Can cause accidental damage, though – system crashes, problems printing or with MacDraw and Excel. Infects applications, Finder, DA Handler.
• SevenDust-A through G (MDEF 9806-A through D, also known as 666, E was at first called “Graphics Accelerator”): a family of five viruses which spread both through ‘MDEF’ resources and a System extension created by that resource. The first four variants are not known to be in circulation. Two of these viruses cause no other damage. On the sixth day of the month, MDEF 9806-B may erase all non-application files on the current volume. The SARC encyclopedia calls MDEF 9806-C, “polymorphic and encrypted, no payload,” and MDEF 9806-D, “encrypting, polymorphic, symbiotic,” and says the symbiotic part, “alters a ‘WIND’ resource from the host application.” SevenDust E, not to be confused with the legitimate ATI driver “Graphics Accelerator”, began as a trojan horse released to Info-Mac and deleted there on or about September 26, 1998. Takes two forms, ‘INIT’ resource ID ’33’ in an extension named “01Graphics Accelerator” and an ‘MDEF’ resource ID ‘1’ to ‘255’. Between 6:00 a.m. and 7:00 a.m. on the sixth and twelfth day of any month, the virus will try to delete all non-application files on the startup disk. John Dalgliesh describes “Graphics Accelerator” on his Web page for AntiGax, a free anti-SevenDust E utility; any errors here in translation are not his. SevenDust F uses a trojan “ExtensionConflict”, common extensions names, and creator ‘ACCE’.[SL]
• T4 (A, B, C, D): infects applications, Finder, and tries to modify System so that startup code is altered. Under System 6 and 7.0, INITs and system extensions don’t load. Under 7.0.1, the Mac may be unbootable. Damage to infected files and altered System is not repairable by Disinfectant. The virus masquerades as Disinfectant, so as to spoof behaviour blockers such as Gatekeeper. Originally included in versions 2.0/2.1 of the public domain game GoMoku. T4-D spreads from application to application on launch by appending itself to the ‘CODE’ resource. Deletes files other than the System file from the System Folder, and documents, and is termed dangerous. The D strain is not known to be in circulation [SL].
• WDEF (A,B): infects desktop file only. Doesn’t spread under System 7. No intentional damage, but causes beeping, crashes, font corruption and other problems.
• zero: nVIR variant.
• Zuc (A, B, C): infects applications. The cursor moves diagonally and uncontrollably across the screen when the mouse button is held down when an infected application is run. No other intentional damage is done.

HyperCard infectors

• Dukakis – infects the Home stack, then other stacks used subsequently. Displays the message “Dukakis for President”, then deletes itself, so not often seen.
• HC 9507 – infects the Home stack, then other running stacks and randomly chosen stacks on the startup disk. On triggering, displays visual effects or hangs the system. Overwrites stack resources, so a repaired stack may not run properly.
• HC 9603 – infects the Home stack, then other running stacks. No intended effects, but may damage the Home stack.
• HC “Two Tunes” (referred to by some sources as “Three Tunes”) – infects stack scripts. Visual/Audio effects: ‘Hey, what are you doing?’ message; plays the tune “Muss I denn”; plays the tune “Behind the Blue Mountains”; displays HyperCard toolbox and pattern menus; displays ‘Don’t panic!’ fifteen minutes after activation. Even sources which describe this virus as “Three Tunes” seem to describe the symptoms consistently with the description here, but we will, for completeness, attempt to resolve any possible confusion when time allows. This virus has no known with the PC file infector sometimes known as Three Tunes.
• MerryXmas – appends to stack script. On execution, attempts to infect the Home stack, which then infects other stacks on access. There are several strains, most of which cause system crashes and other anomalies. At least one strain replaces the Home stack script and deletes stacks run subsequently. Variants include Merry2Xmas, Lopez, and the rather destructive Crudshot. [Ken Dunham discovered the merryXmas virus. His program merryxmasWatcher 2.0 was very popular and still can eradicate the most common two strains, merryXmas and merry2Xmas. merryxmasWatcher 2.0 is outdated for the rest this family.]
• Antibody is a recent virus-hunting virus which propagates between stacks checking for and removing MerryXmas, and inserting an inoculation script.
• Independance (sic) Day – reported in July, 1997. It attempts to to be destructive, but fortunately is not well enough written to be more than a nuisance. More information at: http://www.hyperactivesw.com/Virus1.html#IDay
• Blink – reported in August, 1998. Nondestructive but spreads; infected stacks blink once per second starting in January, 1999.
• WormCode, a nondestructive HyperCard infector, was reported in February 2000.  More information at: http://www.hyperactivesw.com/Virus1.html

A comprehensive list of HyperCard viruses can still be found at HyperActive Software’s Virus Compendium

Mac Trojan Horses

• ChinaTalk – system extension – supposed to be sound driver, but actually deletes folders.
• CPro – supposed to be an update to Compact Pro, but attempts to format currently mounted disks.
• ExtensionConflict – supposed to identify Extensions conflicts, but installs one of the six SevenDust a.k.a. 666 viruses.
• FontFinder – supposed to lists fonts used in a document, but actually deletes folders.
• MacMag – HyperCard stack (New Apple Products) that was the origin of the MacMag virus. When run, infected the System file, which then infected System files on floppies. Set to trigger and self-destruct on March 2nd, 1988, so rarely found.
• Mosaic – supposed to display graphics, but actually mangles directory structures.
• NVP – modifies the System file so that no vowels can be typed. Originally found masquerading as ‘New Look’, which redesigns the display.
• Steroid – Control Panel – claims to improve QuickDraw speed, but actually mangles the directory structure.
• Tetracycle – implicated in the original spread of MBDF
• Virus Info – purported to contain virus information but actually trashed disks. Not to be confused with Virus Reference.
• Virus Reference 2.1.6 mentions an ‘Unnamed PostScript hack’ which disables PostScript printers and requires replacement of a chip on the printer logic board to repair. A Mac virus guru says:
• “The PostScript ‘Trojan’ was basically a PostScript job that toggled the printer password to some random string a number of times. Some Apple laser printers have a firmware counter that allows the password to only be changed a set number of times (because of PRAM behavior or licensing — I don’t remember which), so eventually the password would get “stuck” at some random string that the user would not know. I have not heard any reports of anyone suffering from this in many years.”
• AppleScript Trojans – A demonstration destructive compiled AppleScript was posted to the newsgroups alt.comp.virus, comp.sys.mac.misc, comp.sys.mac.system, it.comp.macintosh, microsoft.public.word.mac, nl.comp.sys.mac, no.mac, and symantec.support.mac.sam.general on 16-Aug-97, apparently in response to a call for help originally posted to alt.comp.virus on 14-Aug-97 and followup on 15-Aug-97. On 03-Sep-97, MacInTouch published Xavier Bury’s finding of a second AppleScript trojan horse, which, like the call for help followup, mentioned Hotline servers. It reportedly sends out private information while running in the background. A note to users from Hotline Communications CEO Adam Hinkley was formerly posted at Mac Virus. AppleScripts should be downloaded only from known trusted sources. It is nigh impossible for an average person to know what any given compiled script will do.

Macro viruses, trojans, variants

The section on macro malware has been removed for the present, since it contains a great deal of version-specific information that isn’t useful in its present form. It may be reinstated at some point for the benefit of Mac users who may be using obsolete OS and Office app versions.  (Recent versions of Microsoft Office are not susceptible to antique macro malware.)

AutoStart 9805 Worms

AutoStart 9805 was arguably not a virus, but a worm: that is, it replicated by copying itself, but didn’t attach itself parasitically to a host program.

The original took hold rapidly in Hong Kong and Taiwan in April 1998, and was reported on at least four continents. In addition to the original worm, there are five variants. Virus Bulletin, July, 1998, includes a comprehensive analysis of AutoStart and some of its variants.

Symptoms: Perhaps the most noticeable symptom of the worms is that an infected system will lock up and churn with unexplained disk activity every 6, 10, or 30 minutes.

Affected platforms: any PowerMac. Macintoshes and clones driven by Motorola 680×0 series CPUs can’t run the replicative code. It probably worked under any version of Mac OS prior to OS X if QuickTime 2.0 or later is installed and CD-ROM AutoPlay is enabled in the “QuickTime Settings” Control Panel, but I don’t think I specifically tested that with the last versions of OS 9.

Transmission media: HFS or HFS+ volumes (hard disks, diskettes, most types of removable media, even disk images). Audio CDs can’t transmit the virus, and it isn’t necessary to disable “Audio CD AutoPlay”.

Transmission method: infected media contain an invisible application file named “DB” or “BD” or “DELDB” in the root directory (type APPL, creator ????). This is an AutoStart file: i.e. it will run automatically if CD-ROM autoplay is enabled. If the host Mac isn’t already infected, it copies itself to the Extensions folder. The new copy is renamed “Desktop Print Spooler” or “Desktop Printr Spooler”, or “DELDesktop Print Spooler” respectively (type appe, creator ????). Unlike the legitimate Desktop Printer Spooler extension, the worm file has the invisible attribute set, and isn’t listed as a running process by the system software, though it can be seen with Process Watcher or Macsbug.

After copying itself, it reboots the system and is now launched every time the system restarts. At approximately 6, 10, or 30 minute intervals, it examines mounted volumes to see if they’re infected: if not, it writes itself to the root directory and sets up AutoStart (however, AutoStart won’t work on a server volume).

Damage: files with names ending “data”, “cod” or “csa” are targeted if the data fork is larger than 100 bytes. Files with names ending “dat” are targeted if the whole file is c. 2Mb or larger. Targeted files are attacked by overwriting the data fork (up to the 1st Mb) with garbage.

Besides the original, there are usually considered to be five variants: AutoStart 9805-B, which is less noticeable but can cause irreparable damage to files of type ‘JPEG’, ‘TIFF’, and ‘EPSF’; AutoStart 9805-C and AutoStart 9805-D which do not intentionally damage data; AutoStart 9805-E which spreads like B and is most similar to the original; and AutoStart 9805-F which is most similar to A and E.

The last versions of VirusScan for Mac and Disinfectant did not detect AutoStart.

Prevention: uninfected systems can be protected by disabling the AutoStart option in QuickTime settings (QuickTime 2.5 or later only – earlier versions don’t have a disable option). This should also prevent infection by future malware exploiting the same loophole, but will fail if a setup is booted from a volume with an infected Extensions Folder [SL].

The worms could also be removed manually.

• Reboot with extensions disabled (hold down the shift key till an alert box tells you that extensions are off).
• Use Find File to search all volumes for all instances of a file called “DB” or “BD” or “DELDB” with the invisibility attribute set (hold down Option key when clicking on “Name” pop-up menu to select for visibility). Trash ’em.
• Use Find File to find and trash an invisible “Desktop Print Spooler”, “Desktop Printr Spooler”, or “DELDesktop Print Spooler” file (-not- Desktop Printer Spooler, which is a legitimate and usually necessary system file).
• Empty the trash.
• Disable AutoStart in QuickTime Settings Control Panel.
• Restart.

Esperanto.4733

This was a PC file infector that worked with a number of PC executable file formats. When it was first seen, it was reported to be a multiplatform virus capable of executing under some circumstances on Macintoshes. Subsequent reports indicate that this belief resulted from misleading comments on the part of the author (hat tip to Igor Muttik). However, some PC anti-virus vendors may still list it as capable of activating on a Macintosh: they did for a long time.

David Harley CITP FBCS CISSP
Mac Virus/Small Blue-Green World