MacOS Viruses List by Matthias Kannengiesser
Alliance

The Alliance macro virus originated in the United States during the summer of 1996 and infects Microsoft Word documents. Once a system is infected, the Alliance macro virus replicates within documents and templates. The Alliance virus is date-sensitive and replicates only on the 2nd, 11th, and 12th of the month. If this virus is activated, it displays the message "You have been infected with the Alliance."

ANTI

There are two known strains of the ANTI virus, both discovered in France. ANTI A was discovered in February 1989, and ANTI B was discovered in September 1990.

Even though ANTI B was not discovered until after ANTI A, it appears that the B strain was actually written first. The A strain contains special code that neutralizes any copies of the B strain encountered. It is possible for an application to be infected both by the neutralized version of ANTI B and by ANTI A.

ANTI does not infect the System file or document files. Instead, it infects applications and other files that resemble applications. It is possible for an application to become infected even if it is never run. Due to a technical quirk, ANTI does not spread under System 7 or under System 6 when MultiFinder is used. It only spreads when Finder is used under System 6.


Atom

The Atom macro virus, also known as WM.Atom, WM.ATOM, WordMacro/Atom, Winword/Atom, Macro.Word.Atom, or Word Macro.Atom, was discovered in February 1996. Atom contains four macros: Atom, FileOpen, FileSaveAs, and AutoOpen. Atom infects when a Microsoft Word document is opened or a Save As command is performed.

When an infected document is opened on December 13th, the virus deletes all files in the current directory. When a File/Save command is performed on an infected document, the virus checks the system time. If the seconds field is equal to 13, the virus password-protects the document. Once password protected, the user cannot access the document without the password, which is ATOM#1.


Birthday

The Birthday macro virus was discovered in Germany in August 1996. This virus can only infect and spread in the German version of Microsoft Word. When activated, the Birthday virus displays the message "Happy Birthday! Herzlichen Gluckwunsch..." in English and German. Because the source code for this virus was published in a computer magazine, variants of the Birthday virus are expected.

BOOM

BOOM is a macro virus, discovered in Germany in July 1996. BOOM can only spread in the German version of Microsoft Word. The BOOM virus is activated on the 13th of every month from March through December at 13:13 (1:13 P.M.). Upon activation, this virus changes the menu bar to the following:

File (Datei) - "Mr. Boombastic"
Edit (Bearbeiten) - "and"
View (Ansicht) - "Sir WIXALOT"
Insert (Einfügen) - "are"
Format (Format) - "watching"
Tools (Extras) - "you"
Table (Tabelle) - "!"

After the above payload has been completed, the BOOM:De virus creates a new document that displays a German political joke.


BUERO

Discovered in Germany in August 1996, the BUERO macro virus only infects the German version of Microsoft Word. The BUERO virus consists of three macros: AutoOpen, Bueroneu, and DateiSpeichern. AutoOpen is used for copying the macros to the global template, NORMAL, and is renamed to Bueroneu. The third macro, DateiSpeichern (executed in the German version of Microsoft Word when the menu item File/Save is selected), turns a document into a template and replicates.

BUERO is date-specific; it activates after August 15, 1996. Upon activation, document files are deleted, and the message box displays "Büro Neu."


CDEF

The CDEF virus was first discovered in Ithaca, New York, in August 1990. A variant was discovered in February 1993. The author of the virus, a high school student from Ithaca, also wrote MDEF. CDEF only infects the invisible Desktop files used by Finder. It does not infect applications, document files, or other system files. Fortunately, System 7 is immune to the CDEF virus.

CDEF does not intentionally damage your Macintosh system. As with all viruses, however, the CDEF virus is still dangerous. Many problems have been reported on CDEF-infected systems, including crashes, printing problems, and unpredictable behavior.

The CDEF virus is named after the type of resource it uses to infect files. CDEF resources are a normal part of the Macintosh operating system, so you should not become alarmed if you see them with ResEdit or another tool. Any CDEF resource in a Finder Desktop file, however, is cause for concern. You can remove a CDEF infection from a disk by rebuilding the desktop. To rebuild the desktop, restart your Macintosh while holding the Command and Option keys.

ChinaTalk

ChinaTalk is a Trojan horse and INIT/extension that masquerades as a MacinTalk sound driver. When you restart your system after ChinaTalk is installed, the Trojan horse erases the directories of your hard disk drives and floppies.

CODE 1

The CODE 1 virus was discovered at several colleges and universities on the East coast of the United States in November 1993. The virus infects both applications and the System file, but it does not infect document files. CODE 1 spreads under both System 6 and System 7. The virus renames the system hard drive to Trent Saburo when an infected Macintosh is restarted on October 31. Although the virus does not contain any other intentionally destructive code, it can cause crashes and other problems.

Colors

Colors is a macro virus that was discovered in Portugal in October 1995. Colors has four known variants. This small program attaches itself to Microsoft Word documents and contains nine macros that it uses to infect and spread throughout the Word environment. This virus propagates if the user performs any of the following: creates a new file, closes the infected file, saves the file, or lists macros with the Tools/Macro command. The Colors macro virus is also known as Rainbow, WordMacro.Colors, and WM.Colors. When the Colors-infected macros are activated for the 300th time in the Windows environment, the virus will change the desktop color settings. On the Macintosh operating system, the desktop colors will not be affected.

Concept

The Concept macro virus, discovered in the United States in 1995, is a small, yet sophisticated program that attaches itself to Microsoft Word documents. This macro virus can be more annoying than destructive. This virus changes the Save As function. When attempting to Save As, the user will not be able to choose the drive or the type of file. Also, the TEMPLATES button will be grayed out, and the virus will cause the document to behave as a template file. On infection, this virus searches for the macros Payload and FileSaveAs among the NORMAL templates. If either of these macros exists, Concept assumes the system is already infected and aborts. If neither of these macros exists, Concept begins infecting by copying its viral macros to the template and displays a dialog box that contains a "1." Concept copies itself to other documents, deletes files, and adds the macros AAAZAO, AAAZFS, Payload, AutoOpen, and FileSaveAs. If these macros existed already, they will be changed. This macro virus has seven known variants.

CPro

The CPro Trojan horse is found in a file called CPRO141.SEA and masquerades as an update to a compression program. Once the application is launched, CPro will attempt to reformat mounted hard disks and floppy drives. The Trojan horse can only successfully format floppy drives.

Date

The Date macro virus, also known as AntiDMV, WordMacro.AntiDMV, or WM.AntiDMV, was discovered in the United States in 1995. It is a modified version of the DMV macro virus, and it removes the DMV from infected systems. The Date macro virus uses one macro, AutoClose, and infects the global template, NORMAL. Once this template is infected, the virus spreads to documents as they are closed. The virus was only designed to infect and spread prior to June 1, 1996. Once a system is infected, the Date macro will attempt to delete files from the following directories on the first day of any month:

C:\SHMK (all files)
C:\WINDOWS (all help files)
C:\WINDOWS\SYSTEM (all Control Panel files)

Although the virus is unlikely to be successful in deleting files on Macintosh platforms, there is a good chance at least some files will be deleted from PCs running DOS, Windows 3.1x, Windows 95, or Windows NT. The virus also can cause unexplained behavior, system crashes, and other problems.


Doggie

The Doggie macro virus was discovered in 1996 in the United States. Doggie infects the document and template macros within Microsoft Word. When a system is infected, "Doggie" is displayed within a text box. The Doggie virus does not corrupt files or deliver a payload; it has only been known to replicate.

Friendly

Friendly changes ExtrasMakro (ToolsMacro) to display the following messages:

"Du kannst das nicht tun!" ("You can’t do that!")
"Ich bin sehr angstlich!" ("I’m very anxious!")
"Hallo mein Freund!" ("Hello my friend!")

After each of the above messages is displayed, the virus prompts you to enter your name and displays another message in German informing you that you are infected. On DOS systems, Friendly:De then drops the virus Little Brother using DEBUG.EXE.


Goldfish

Goldfish is a macro virus that originated in the United States and was discovered in the summer of 1996. The Goldfish virus infects Microsoft Word global template files. When an infected document is opened, the message "I am the GoldFish, I am hungry, feed me" may be displayed. To continue, the user must respond with "fishfood," "worms," "worm," "pryme," or "core." The Goldfish virus does not corrupt files or deliver a payload; it has only been known to replicate.

Guess

Guess is the first companion Microsoft Word macro virus. When this virus infects a system, it creates an infected template file wherever there is a document file.

HC 9507

HC 9507 is a HyperCard virus that infects the Home stack and, subsequently, other stacks as they are opened. The effects of this virus depend upon the time and day of the week it is executed. The HC 9507 virus causes unpredictable system behavior, crashes, screen errors, and system lockups. HC 9507 will display the word "pickle" on some infected systems.

Hot

The Hot macro virus was discovered in Russia in 1995 and is also known as WordMacro.Hot or WM.Hot. On Windows operating systems, Hot is triggered to activate 14 days after it infects the Winword6.INI configuration file. Hot uses four macros to infect and spread throughout the Word environment: AutoOpen, DrawBringInFrOut, InsertPBreak, and ToolsRepaginat. These are the same macros used in the NORMAL template, though they have been renamed. The Hot macro virus will randomly erase contents of documents when a user attempts to open a document.

Imposter


The Imposter macro virus mimics the DMV macro virus. When infected with Imposter, "DMV" is displayed in the message box, giving a false impression that you are infected with the DMV virus. Imposter infects Microsoft Word documents that contain the macros DMV and AutoClose, and infects templates that contain the macros DMV and FileSaveAs. This virus has one known variant, Imposter.b.

INIT-M

The INIT-M virus, discovered at Dartmouth College in April 1993, is a malicious virus designed to trigger on any Friday the 13th. The virus severely damages a large number of folders and files. Filenames are changed to random 8-character strings. Folder names are changed to random 1- to 8-character strings. File creators and types are changed to random 4-character strings. These changes cause alterations to the icons associated with the files and destroy the relationship between programs and their documents. File creation and modification dates are changed to January 1, 1904. In some cases, one file or folder on a disk may be renamed Virus MindCrime. In rare circumstances, the virus may also delete a file or files.

The virus only spreads and attacks under System 7.0 or later. It does not spread or attack under System 6. The virus infects all kinds of files, including extensions, applications, preference files, and document files. The virus creates a file named FSV Prefs in the Preferences folder.


Irish

The Irish macro virus was discovered in the United States in the spring of 1996. The Irish macro virus is only capable of affecting Microsoft Word for Windows and does not have the ability to modify a Macintosh system. Irish carries multiple codes within its configuration to change many registry entries in HKEY_USERS\.default\Control Panel\Colors. The execution of these codes can turn a Windows desktop green and announce "Happy Saint Patties Day" using the Windows screen saver. The codes must be executed manually.

MacMag

The MacMag virus, discovered in December 1987, was named after the Montreal offices of MacMag magazine, from which it originated. This virus is also known as the Drew, Brandow, Aldus, or Peace virus. Two versions of the virus were developed, with very slight differences. MacMag originated as a HyperCard stack named "New Apple Products." The stack contained poorly digitized pictures of the then-new Apple scanner. When the stack was run, the virus spread to the currently active System file. When other floppy disks containing system files were inserted in a floppy disk drive, the virus spread to the system files on the floppies. MacMag only infects system files; it does not infect applications. As a result, it spreads more slowly than most other viruses.

MacMag was programmed to lie dormant until March 2, 1988, the anniversary of the introduction of the Mac II, when it was programmed to display a message of peace on the screen, then delete itself from the System file. Because MacMag was programmed to self-destruct, it is unlikely that your software is infected with this virus.

MADDOG

The encrypted macro virus, MADDOG, was discovered in Georgia in July 1996. This virus infects Microsoft Word documents and NORMAL template macro files. When executed, MADDOG displays the message "MadDog." The MADDOG virus is time-sensitive and activates at 8 P.M. At this time, the virus replaces all "e" characters with the character "a."

MBDF

The MBDF virus was first discovered in Wales in February 1992. There are two known strains of the MBDF virus, MBDF A and MBDF B, and no significant differences between the two strains. Several popular Internet archive sites contained some infected games, 10 Tile Puzzle and Obnoxious Tetris. In addition, a third game was distributed named Tetricycle or Tetris-rotating, which was a Trojan horse that installed the virus.

The MBDF virus infects both applications and the System file. It also usually infects the Finder and several other system files. The System file is infected as soon as an infected application is run, and other applications become infected when they are run on an infected system. The MBDF virus is non-malicious, but it can cause significant damage to your system. When MBDF first attacks a system, the virus takes a long time to infect the System file. The delay is so long that people often think that their Macintosh is non-responsive, so they perform a restart. Restarting the Mac while the virus is in the process of writing the System file often results in a damaged System file that cannot be repaired. The only solution in this situation is to reinstall a new System file. The MBDF virus also can cause problems with the BeHierarchic shareware program and other menu-related problems.


Merry Xmas

The Merry Xmas HyperCard virus appends viral code to the end of HyperCard stack script. When the infected stack is run, it attempts to infect the Home stack, which subsequently infects other stacks as they are run. There are several strains of this virus, which cause unpredictable behavior on infected systems. In one strain of Merry Xmas, the virus replaces the Home stack script and deletes any stack that is run after the Home stack is infected. Other strains cause system crashes and other unexplained behavior.

NF

The NF macro virus was discovered in the United States during the summer of 1996. This simple virus infects Microsoft Word documents and replicates. Upon infection, a message box displays "Traced!" The NF virus is activated when an infected document is opened or closed. The virus also can be activated by any activity that invokes the viral macros. When activated, the virus copies itself and any other macro it needs, possibly the NORMAL template macros. After the infected macros are stored in the NORMAL template, they are available in all open documents.

Nuclear

Nuclear is a destructive macro virus, also known as W.M.Nuclear, which has one known variant, Nuclear.b. Nuclear contains nine macros and activates through the FileSaveAs command. Nuclear has three possible payloads. If a user is printing or saving a document between 54 and 59 seconds after any minute, the Nuclear virus will attach the text to the end of the document, "STOP ALL NUCLEAR TESTING IN THE PACIFIC."

On DOS systems, the Nuclear macro drops a virus when you start Microsoft Word, Save a document, or Open a document between 5:00 P.M. and 6:00 P.M.

The final payload is caused by the Payload macro. On April 5th, the COMMAND.COM files can be deleted.


nVIR

The nVIR virus was first discovered in Europe in 1987 and in the United States in early 1988. The virus has two basic strains—nVIR A and nVIR B—and at least nine known derivatives. The nVIR virus family infects the System file and begins spreading to other applications immediately. Some applications are immune to infection, but the Finder and DA Handler usually become infected. Document files are neither infected nor modified. When a System file is first infected, a counter is initialized to 1,000. The counter is decremented by one each time the system is started up and it is decremented by two each time an infected application is run.

When the counter reaches zero, nVIR A may either say "Don't panic" (if MacinTalk is installed in the System folder) or beep. This will happen on system start up, with a probability of 1/16, or when an infected application is run, with a probability of 15/128. When an infected application is run, there is a 1/256 probability that nVIR A will say "Don't panic" twice or beep twice. If you are infected with nVIR B, the computer may beep when the counter reaches zero. This strain does not call MacinTalk. The beep will happen on a system start up with a probability of 1/8. A single beep will happen when an infected application is run with a probability of 7/32. There is a 1/64 probability that nVIR B will beep twice when an infected application is run. The nVIR virus strains also frequently cause applications and system files to fail. It is possible for nVIR A and nVIR B to mate and reproduce, resulting in new viruses combining parts of their parents.


Polite

Polite is a macro virus, possibly an experiment by its creator, which infects Microsoft Word documents and the NORMAL template. The Polite macro virus asks for permission to infect any documents on FileClose or FileSaveAs. However, Polite does not ask before it infects NORMAL template.

Reflex

The Reflex macro virus was written in response to a press release from a security company challenging hackers to break its new anti-virus measure against macro viruses. On an infected system the Prompt to Save Normal command will be disabled and the following message will be displayed: "Now, where's that Jerbil of Bubbly?" (The reward for this challenge was a bottle of champagne from the security company).

Satanic

The Satanic macro virus was discovered in Germany during August 1996. This virus infects Microsoft Word templates and documents. When infected, the virus will activate on October 1st of any year and cause the hard drive to reformat. The Satanic virus displays the message "You are infected with Satanic, Nightmare Joker :-)" On IBM-compatible systems, the Satanic virus also drops the DOS virus Dei.8772.

Scores

The Scores virus, discovered in the United States in the spring of 1988, was said to be written by a disgruntled programmer. It specifically attacks two applications that were under development at his former company. Fortunately, neither of the two applications was released to the general public. Scores is also known as the Eric, Vult, NASA, and San Jose Flu virus.

The Scores virus infects your System, Note Pad, and Scrapbook system files. It also creates two invisible files in your System folder named Scores and Desktop, which you cannot see without the aid of a utility program. Scores does not infect or modify document files. It does, however, often create icons for Note Pad and Scrapbook files that are unusual in appearance, replacing the distinctive system icons with blank, dog-eared sheets of paper. Two days after your system becomes infected, Scores begins to spread to each application you run. The infection occurs between two and three minutes after you begin the application. For technical reasons, some applications are immune to infection, but the Finder and DA Handler usually become infected.

Scores is not intentionally malicious, but it frequently causes printing problems, system crashes, errors when using MacDraw and Excel, and other unexplained behavior.


T4

The T4 virus, discovered in June 1992, was included in versions 2.0 and 2.1 of the game GoMoku. Copies of this game were posted to the USENET newsgroup comp.binaries.mac and to a number of popular bulletin boards and anonymous FTP archive sites. The game was distributed under a false name, which was used in the posting and embedded in the game's About box. This person's name should not be used in reference to the virus, as the actual virus author is unknown. There are four known strains of the T4 virus: T4-A (contained in GoMoku 2.0), T4-B (contained in GoMoku 2.1), T4-C (discovered in February 1993), and T4-Beta, a version that appears to have been used for testing. The only significant difference is the trigger date. The trigger date for T4-A is August 15, 1992, while the trigger date for T4-B is June 26, 1992. These strains do not do anything before their trigger dates. After the trigger dates, the viruses begin to spread to other files and attempt to alter the System file. The T4-C virus has no trigger date and begins spreading immediately. If your system suddenly stops loading INITs and system extensions, it is a good indication that you have been attacked by T4. When the T4 virus infects an application, it damages it in such a way that the application cannot be repaired.

Virus Info

Virus Info is a Trojan horse that acts as a utility program claiming to provide information on viruses, but instead destroys the directory structure of your hard drive and makes files on the drive inaccessible.

Wazzu

The Wazzu macro virus was discovered in the United States in 1996. This common virus has three known variants that attach to Microsoft Word documents. Once active on a system, the Wazzu virus infects documents using an AutoOpen macro as the documents are opened. Infected documents may have the word "wazzu" randomly inserted in the document and/or up to three words rearranged. Upon infection, Wazzu causes documents to be saved in the template directory.

WDEF

The WDEF virus was first discovered in December 1989. There are two known strains, WDEF A and WDEF B. The only significant difference is that WDEF B beeps every time it infects a new Desktop file, and WDEF A does not beep.

WDEF spreads through the sharing and distribution of disks, not through the sharing of applications. It does not infect applications, document files, or other system files, but instead infects the invisible Desktop files used by the System 6 Finder. Fortunately, System 7 is completely immune to the WDEF virus.

Although WDEF is not malicious, it contains errors that can cause serious problems, including system crashes, disk damage, and font display problems.

The WDEF virus can spread from a TOPS server to a TOPS client if a published volume's Desktop file is infected and the client mounts the infected volume. It does not appear, however, that the virus can spread from a TOPS client to a TOPS server. If you use ResEdit, VirusDetective, or some other tool to search for WDEF resources, do not be alarmed if you find them in files other than the Finder Desktop files. WDEF resources are a normal part of the Macintosh operating system. Any WDEF resource in a Finder Desktop file, however, is cause for concern. You can remove a WDEF infection from a disk by rebuilding the desktop on the infected volume. To rebuild the desktop, restart your Macintosh while holding the Command and Option keys.

Xenixos

Xenixos:De is a macro virus discovered in Germany. This destructive virus encrypts Microsoft Word documents and creates the fixed password "xenixos." Xenixos:De also causes DOS systems to reformat upon reboot.

ZUC

There are three known strains of the ZUC virus, all of which were discovered in Italy between March 1990 and June 1991. The virus is named after the reported discoverer of the first strain, Don Ernesto Zucchini. ZUC only infects applications; it does not infect system files or document files. ZUC can spread over a network, and applications do not have to be run to become infected.

ZUC A and B were timed to activate on March 2, 1990 or two weeks after an application becomes infected, whichever is later. Approximately 90 seconds after an infected application is run following the trigger, the cursor begins to behave unusually whenever the mouse button is held down. The cursor moves diagonally across the screen, changing direction, and bouncing like a ball whenever it reaches any of the four sides of the screen. The cursor stops moving when the mouse button is released.

ZUC C is similar to ZUC A and B, except it is programmed to cause the unusual cursor behavior only during the period between 13 and 26 days after an application becomes infected, but not earlier than August 13, 1990. ZUC C also causes the cursor to behave unusually approximately 67 seconds, rather than 90 seconds, after an infected application is run. ZUC has two noticeable side effects. On some Macintosh systems, the A and B strains can cause the desktop pattern to change. All three strains can also sometimes cause long delays and an unusually large amount of disk activity when infected applications are opened.

Thanx for all support
Madania Site

Copyrights by Matthias Kannengiesser
1998