Mac Virus/Trojan Horse Alert

"DB-Desktop Print Spooler" Virus Preliminary Study

Introduction
Recently in Hong Kong, a new and previously unknown Mac virus/Trojan horse spread through nearly all output centres, advertising agencies, publishing houses, printers, computer vendors and some other Macintosh users. Most of the users were not aware that they were infected and kept spreading the virus to others, because the infected Macs showed only periodic slowdowns in performance and errors when opening some common utilities such as FWB Hard Disk Toolkit. This was at first taken to be some kind of system-related problem and ignored by most users and technical people. At the same time, since more and more people had begun to use Mac OS 8.0 (more PowerMac G3s were being sold, and 8.0 is the minimum system they require) and 8.1 (a recent major update of this new OS, thought to be more stable than 8.0), some users blamed this exciting new OS for the problems. This went on for about 3 to 4 weeks until someone reported that mysterious files had been found on the hard disks of the problematic computers. The cause was then recognised as a virus or Trojan horse that infects only Apple Macintosh computers. As there was no way to detect the infection, panic soon spread through the entire Hong Kong Mac user community.


This document is NOT to be treated as a formal report of this incident. It is only a guideline to provide a clear understanding of how this virus infects a computer and, more importantly, to help cure all infected computers, so as to restore the good name of Macintosh computers and public trust in the new Mac OS.


Some Findings

At first, the virus was thought to be very powerful and not easily detected or erased. After consolidating the information from infected users and technical people, some preliminary conclusions can be drawn:

  1. The virus is generally NON-DESTRUCTIVE, i.e. it will not cause serious damage to most data and application files. In many reported cases, the virus modifies only the "DEVICE DATA" file in the FWB Hard Disk Toolkit folder (version 2.0.x and above), which makes HDT fail to load.

  2. The virus will infect ANY Power Mac running ANY Mac OS with QuickTime 2.5 or 3.0 installed and CD-ROM AutoPlay enabled.

  3. The virus will NOT infect:

    - NON-POWER MAC (68K) computers (Mac II series, LC series, Centris, Quadra, etc.)

    - Power Macs without QuickTime installed, with QuickTime disabled, or with QuickTime version 2.1 or below installed.

  4. The virus only decreases the productivity of the computers. It slows down performance periodically by searching all mounted volumes of a standalone Mac or of networked Macs for a particular target to infect. This annoys users and leaves technical people scratching their heads over unexplained support calls.

  5. The virus spreads very quietly and quickly in Hong Kong (and maybe elsewhere in the world). The designer of this virus is FAMILIAR WITH THE WORKFLOW OF THE DTP INDUSTRY. He/she chose to infect the STORAGE MEDIA and not application/data files!!! The course of infection is very simple but effective.

  6. Commonly used virus detectors such as Dr. Solomon's VIREX (5.8.1 with the April 98 update), Symantec Anti-Virus for Mac (SAM 4.5 with the latest definition update) and shareware such as Disinfectant 3.7.1 CANNOT detect the presence of this virus or cure it.


Course Of Infection

After testing the virus for two whole days on standalone and networked Macs/PowerMacs, the course of infection became clearer and is outlined as follows:

  1. The virus designer first seeded the virus onto a Macintosh-formatted floppy, MO or other removable medium, or even a network-mounted volume. The SEED is now known to be a file called "DB", which is a HIDDEN APPLICATION PROGRAM file with the AUTO-PLAY characteristic. It is located in the "root" of the mounted volume. (See diagram)


    The hidden application "DB" has proved to be Power Mac native, i.e. it will not run on 68K Macintoshes such as the Mac II series, LC series, Centris, Quadra, etc.

  2. When the seed medium is mounted on the desktop of a clean PowerMac with QuickTime 2.5 or 3.0 installed (either by the Mac OS 7.6.x/8.x installers or by the user) and AutoPlay active (the default setting), the program starts AUTOMATICALLY with the help of QuickTime's new AutoPlay feature. If the volume has not been infected before, the DB program routine suddenly quits all running applications (including fading out the music of an Audio CD being played) and RESTARTS the computer once.

  3. After the first restart, "DB" eventually transforms itself into another stage, a SYSTEM EXTENSION file called "Desktop Print Spooler", which is also HIDDEN, inside the "Extensions" folder of the startup System Folder. (See diagram below)

  4. The Desktop Print Spooler extension (DPS for short) is the CAUSE of the periodic slowdown in PowerMacs. Since the code of these two virus files has not been analysed in detail, a possible virus routine is suggested. About every half an hour, DPS searches ALL mounted volumes of its host PowerMac (floppy disk, hard disk, MO, ZIP, JAZ, or any network volumes mounted via AppleShare, etc.) for an EXTENSIONS FOLDER in which to propagate itself. This explains the periodic media-scratching sound and flashing lights from the hard disk/MO/ZIP, and the DOUBLE ARROWS in the UPPER LEFT-HAND CORNER of the FINDER when a network drive is mounted. The search time depends heavily on CPU speed, device access times and network traffic.


    TWO SUBROUTINES then follow:

    1. If there is NO EXTENSIONS folder in a System Folder on the other MOUNTED VOLUME(s), the virus changes back to the form of the application program file "DB". It remains dormant until the medium is ejected or put away from the desktop and mounted on another CPU. Then cycle (1.) above repeats.

    2. If an EXTENSIONS folder inside a System Folder is detected on another MOUNTED volume, DPS reproduces itself into ALL such Extensions folders. For example, if a mounted volume such as an external hard disk holds TWO COMPLETE SYSTEM FOLDERS, you will find TWO DPS extensions! It is difficult to search for hidden files using the Mac OS Find function; a shareware utility such as "File Buddy" will definitely help here. The active DPS (on the startup volume) waits a certain period of time (some say half an hour) and then searches all mounted volumes again. Therefore, the more Macs on a network are infected by this virus, the slower these Macs become. You may have noticed faster response during the freezes after disconnecting removable and network drives.


Procedures For Killing The Virus

After gaining a basic understanding of the course of infection, and since time is money, the proposed procedure FOR "killing" the virus is as follows:

  1. STOP THE PAIN:

    1.1 First and MOST IMPORTANT of all, turn OFF "Enable CD-ROM AutoPlay" in the AutoPlay section of the "QuickTime™ Settings" control panel and quit. This PREVENTS "DB" from auto-launching and releasing DPS! Your PowerMac is now free from the periodic freezes.

(Diagram for System with QuickTime 2.5, similar for QuickTime 3.0)

  2. ERASE THE VIRUS EXTENSION (DPS):

    2.1 RESTART the infected computer with EXTENSIONS OFF (by holding Shift during startup). This stops non-Apple extensions (such as DPS!) from loading.


    2.2 Use ResEdit or Norton Disk Editor (in Norton Utilities) to change the HIDDEN attribute of Desktop Print Spooler to VISIBLE (UNCHECK the "Invisible" check box).

    Remarks: Be careful! Do not modify any files other than those named "DB" and "Desktop Print Spooler".

    2.3 SAVE ALL CHANGES. You can now locate the Desktop Print Spooler file in the startup Extensions folder. Move the file to the TRASH and empty it.

  3. DELETE THE DB FILE:

    3.1 Locate all hidden "DB" files at the root of your mounted volume(s), other than the startup disk. Apply the same method as above (steps 2.1 to 2.3) to make the files visible and trash them.

    3.2 Finally, restart your computer. Sit back and relax. Your PowerMac is now free from this virus!
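As an added example (not part of the original report), the following Python performs the manual check that the Course Of Infection section and step 3.1 above describe: it scans an inventory of volume contents for the two indicators named in this report, a hidden application "DB" at a volume root and a hidden "Desktop Print Spooler" inside any Extensions folder. The inventory format (colon paths, four-character type code, Invisible flag) and every sample entry are constructed assumptions standing in for a listing exported by a utility such as File Buddy, since the Finder's Find skips invisible files.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Entry:
    path: str        # classic Mac OS colon path: "Volume:Folder:File"
    kind: str        # four-character file type, e.g. "APPL" for an application
    invisible: bool  # Finder "Invisible" attribute (the flag Find ignores)


# Constructed inventory; none of these records come from a real machine.
SAMPLE_INVENTORY: List[Entry] = [
    Entry("Macintosh HD:System Folder:Extensions:QuickTime", "INIT", False),
    Entry("Macintosh HD:System Folder:Extensions:Desktop Print Spooler", "INIT", True),
    Entry("Macintosh HD:Old System:Extensions:Desktop Print Spooler", "INIT", True),
    Entry("Macintosh HD:Utilities:DB", "APPL", False),  # not at the volume root
    Entry("Work MO:DB", "APPL", True),                  # seed form on removable media
    Entry("Work MO:Jobs:brochure.qxd", "XDOC", False),
    Entry("Server Share:DB", "TEXT", False),            # a document named DB is not the seed
]


def is_seed(e: Entry) -> bool:
    """Seed stage: an invisible APPLICATION named "DB" directly at a volume's root."""
    parts = e.path.split(":")
    return len(parts) == 2 and parts[1] == "DB" and e.kind == "APPL" and e.invisible


def is_spooler(e: Entry) -> bool:
    """Extension stage: an invisible "Desktop Print Spooler" inside an Extensions folder.
    The report gives only name, location and hidden attribute, so no type code is
    required, and the enclosing System Folder may carry any name."""
    parts = e.path.split(":")
    return (len(parts) >= 3 and parts[-1] == "Desktop Print Spooler"
            and parts[-2] == "Extensions" and e.invisible)


def scan(inventory: List[Entry]) -> Dict[str, List[str]]:
    """Return indicator paths grouped by stage, plus the volumes that carry any."""
    seeds = sorted(e.path for e in inventory if is_seed(e))
    spoolers = sorted(e.path for e in inventory if is_spooler(e))
    volumes = sorted({p.split(":")[0] for p in seeds + spoolers})
    return {"seed_DB": seeds, "extension_DPS": spoolers, "volumes": volumes}


if __name__ == "__main__":
    for stage, paths in scan(SAMPLE_INVENTORY).items():
        print(stage, paths)
```

Two DPS entries on one disk reflect the report's point that every System Folder on a volume receives its own copy.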

Conclusions
As of now (0200 hr. on 2 May, 1998 HKT), there is no virus detector that can check for or prevent this virus, so manual checking for the DB and DPS files is still necessary for immunity. Please help spread this document ASAP to all PowerMac users and stop the propagation of this nuisance.

Since this document was prepared in a great hurry, please point out any mistakes I made. Please send your suggestions and comments to rocheng@inet.com.hk.

This report is prepared and revised by Roger Cheng, published by FrostyPlace.com with author's permission. (c) 1998 All Rights Reserved.

 
<<Back To FrostyPlace.Com>>