AutoStart

Summary

Severity           **
Aka                Hong Kong Virus
Additive version   v1.0
Additive author    John Dalgliesh
Download Additive  MacBinary or BinHex


Strains

There are (so far) 6 strains of this worm (A-F); however, as I only have access to two (A and D), I have made some reasonable assumptions about the characteristics of the other strains.

As there are so many other information pages on the AutoStart worm (see below), I'm not going to analyze each of them when (if) I receive the other strains, but I have had a close look at strain A:


Characteristics

AutoStart is a worm that travels in the root directory of volumes. It depends on QuickTime 2.5's AutoStart feature to run the worm when a volume is mounted - thus the worm's name. This OS feature was intended to automatically start programs on CDs when they are inserted, but does in fact work on any volume.

The AutoStart worm does not infect applications or documents - that's why it's called a worm and not a virus. It does however install an extension in the Extensions folder. It is a PowerPC-only application (and extension), so 68K Macs are immune.

It executes its payload quite frequently when the extension is active ('A' does its payload twice an hour). The payload usually consists of corrupting files with specific endings, as well as making sure all mounted volumes are infected. Some strains however only delete previous strains and don't corrupt any files (so I've heard anyway). Regardless, this process requires some serious disk activity, and would lock up your computer for some time while it did it.


Details

Note: The following details are based solely on my analysis of the A strain. However, given the small difference in file sizes between the strains, it seems reasonable to assume that the others would be quite similar.

When the autostarting application form of the worm is run (e.g. by putting a floppy/zip/tape/whatever in), it attempts to install itself on the first 16 mounted volumes. It will install itself in one of three places, in the following order of preference:

  1. The Extensions folder inside the blessed System Folder (the blessed System Folder is used when the Mac starts up from that disk - it'll have the MacOS or old System icon on it).
  2. Any other folder called 'Extensions' on that volume (it searches the whole volume).
  3. The root directory of that volume as the autostart application.

It will install itself (or reinstall if it already exists) in the first one of these that it can. If it managed to re-install itself into a blessed System Folder of some volume (i.e. the worm was already present), then the application quits quietly; otherwise it restarts the computer (presuming that it has just infected it).

The extension form of the worm is really a faceless background application which is launched at startup. It sits in the background and every so often (30min for strain A) it does exactly what the application form does (without the quitting and restarting 'tho). Immediately after doing this, it gets into the malicious bit of the virus: namely, corrupting files.

It searches all mounted volumes for files to corrupt, and these files have to satisfy one of the following criteria:

All the above endings are case-insensitive. I'm not sure what 'csa' or 'cod' files are, but these endings are searched for character-by-character (presumably to avoid the presence of these strings in the data segment), and I can't help noticing that putting them backwards would spell 'asc' and 'doc' - much more likely endings - so that could well be ... unintentional (a bug :)

It keeps a count so it doesn't corrupt them all in one hit, and they are also spared if their first byte is 0. It corrupts a file by writing garbage (uninitialised data) over the first 1MB of the file, and setting the first byte to 0 so it doesn't do it again.
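Here is an added triage helper (my own example, not part of the original write-up or the Additive) that models the two rules above from the defender's side: a file whose first byte is already 0 is spared by the worm (so, if it is of a targeted type, it was probably already hit), and a file whose ending matches is at risk. It also models the suspected backwards comparison, to show how a stored pattern of 'csa' ends up matching names ending in 'asc'. The page does not list the full set of endings, so the ENDINGS set below is an assumption built only from the two endings mentioned and their reversals; the sample "volume" is constructed data.

```python
# Added example, not the worm's or the Additive's code. Models the corruption
# rules described for strain A so that a scan of a suspect volume can sort
# files into "spared", "at-risk" and "ignored".

# ASSUMPTION: the page only names 'csa' and 'cod' (and suspects 'asc'/'doc'
# were intended); the real list of endings is not given.
ENDINGS = ("csa", "cod", "asc", "doc")

def ends_with_reversed_pattern(name: str, pattern: str) -> bool:
    """Model of the suspected bug: the name is walked backwards from its last
    character while the stored pattern is read forwards, so pattern 'csa'
    matches names ending in 'asc'. Case-insensitive, as the write-up states."""
    name, pattern = name.lower(), pattern.lower()
    if len(name) < len(pattern):
        return False
    # name[-1] is compared with pattern[0], name[-2] with pattern[1], ...
    return all(name[-1 - i] == pattern[i] for i in range(len(pattern)))

def matches_any_ending(name: str, endings=ENDINGS) -> bool:
    """Ordinary forward, case-insensitive suffix check."""
    return name.lower().endswith(tuple(e.lower() for e in endings))

def classify(name: str, data: bytes) -> str:
    """Sort one file by the write-up's rules.
    spared  : first byte is 0, so the worm skips it (either its own marker
              after corrupting the file, or a format that legitimately starts
              with 0, so this is only a triage signal).
    at-risk : ending matches and first byte is non-zero.
    ignored : ending does not match and first byte is non-zero."""
    if data[:1] == b"\x00":
        return "spared"
    return "at-risk" if matches_any_ending(name) else "ignored"

def triage(volume: dict) -> dict:
    """Return {classification: sorted names} for a {name: bytes} mapping."""
    out = {"spared": [], "at-risk": [], "ignored": []}
    for name, data in volume.items():
        out[classify(name, data)].append(name)
    return {k: sorted(v) for k, v in out.items()}

# Constructed sample "volume": tiny stand-ins for file contents, not real data.
SAMPLE_VOLUME = {
    "report.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 12,  # untouched, matching ending
    "notes.ASC":  b"\x00" + b"\xa7\x13\x45" * 5,        # first byte 0: already marked
    "thing.csa":  b"hello",                             # matches the literal ending
    "image.pict": b"\x00\x00\x00\x00",                  # starts with 0 legitimately
    "readme.txt": b"plain text",                        # not a targeted ending
}

if __name__ == "__main__":
    for kind, names in triage(SAMPLE_VOLUME).items():
        print(f"{kind:8s} {', '.join(names)}")
    print("'notes.asc' vs reversed pattern 'csa':",
          ends_with_reversed_pattern("notes.asc", "csa"))
```

Because a legitimate file can start with a 0 byte, "spared" only says the worm would skip the file; whether it was actually corrupted has to be confirmed by looking at the rest of the first 1MB, which the worm fills with uninitialised data.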


Notes

In strain A at least, the AutoStart worm does some strange things to the boot blocks of infected applications - it overwrites what normally contains '\pClipboard' (the name of the Clipboard file - which I suspect is now unused) with the string '\0jph' followed by '\pDB'. I am not sure if this is something to do with autostarting ('tho I suspect it is), but currently the AutoStart Additive does not restore this.

Also, when doing its corrupting files bit, it bypasses a volume if ',./?' is in bytes 0x1F0 - 0x1F3 of block 0. I have no idea what the meaning of this is - whether it be some (well-known?) volume protection code, or a flag intended for its own use (or the author's!)
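To make the two observations above checkable on a disk image, here is an added Python example (my own, not the Additive's code) that reads the first two 512-byte blocks of a raw volume image and reports whether the '\0jph' + '\pDB' bytes have replaced the '\pClipboard' Pascal string, and whether ',./?' sits at 0x1F0 - 0x1F3 of block 0. Assumptions: 512-byte blocks; the marker is searched for anywhere in blocks 0-1 because the page gives no offset; the offset 106 used for the Clipboard field in the constructed sample is my assumption about the boot block layout, not something stated on this page; the image path is a placeholder.

```python
# Added example, not from the original page or the Additive. Inspects blocks
# 0-1 of a raw classic Mac volume image for the strain-A markers described
# in the Notes above.
BLOCK = 512                                # ASSUMPTION: 512-byte blocks
P_CLIPBOARD = b"\x09Clipboard"             # '\pClipboard' as a Pascal string
JPH_MARKER = b"\x00jph" + b"\x02DB"        # '\0jph' followed by '\pDB'
BYPASS_FLAG = b",./?"                      # bypass flag in block 0
BYPASS_OFFSET = 0x1F0                      # bytes 0x1F0 - 0x1F3
SCRAP_NAME_OFFSET = 106                    # ASSUMPTION: position of the Clipboard field

def inspect_boot_blocks(first_blocks: bytes) -> dict:
    """Check the first 1 KB of a volume for the markers described on the page."""
    blocks = first_blocks[: 2 * BLOCK].ljust(2 * BLOCK, b"\x00")
    idx = blocks.find(JPH_MARKER)
    return {
        "bypass_flag": blocks[BYPASS_OFFSET:BYPASS_OFFSET + 4] == BYPASS_FLAG,
        "jph_marker_offset": idx if idx >= 0 else None,
        "clipboard_intact": P_CLIPBOARD in blocks,
    }

def verdict(report: dict) -> str:
    """Summarise a report from inspect_boot_blocks() in one word."""
    if report["jph_marker_offset"] is not None:
        return "marker-present"          # boot block looks like strain A touched it
    if report["bypass_flag"]:
        return "bypass-flag-set"         # worm would skip this volume
    return "clean"

def inspect_image(path: str) -> dict:
    """Read blocks 0-1 from a raw image file on disk."""
    with open(path, "rb") as fh:
        return inspect_boot_blocks(fh.read(2 * BLOCK))

def make_sample(infected: bool, flagged: bool) -> bytes:
    """Constructed 1 KB stand-in for blocks 0-1 (not a real volume image)."""
    buf = bytearray(2 * BLOCK)
    buf[0:2] = b"LK"                                   # boot block signature
    buf[SCRAP_NAME_OFFSET:SCRAP_NAME_OFFSET + len(P_CLIPBOARD)] = P_CLIPBOARD
    if infected:
        # The 7 marker bytes overwrite the start of the 10-byte Pascal string.
        buf[SCRAP_NAME_OFFSET:SCRAP_NAME_OFFSET + len(JPH_MARKER)] = JPH_MARKER
    if flagged:
        buf[BYPASS_OFFSET:BYPASS_OFFSET + 4] = BYPASS_FLAG
    return bytes(buf)

if __name__ == "__main__":
    for label, sample in (("clean", make_sample(False, False)),
                          ("infected", make_sample(True, False)),
                          ("flagged", make_sample(False, True))):
        rep = inspect_boot_blocks(sample)
        print(f"{label:9s} {verdict(rep):16s} {rep}")
    # On a real image: print(verdict(inspect_image("/path/to/volume.img")))
```

The checks are independent: a volume can carry the bypass flag without ever having been touched by the worm, and a boot block can show the marker with no flag set, which is why the report returns both fields separately.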

This Additive should succeed in removing the extension form of the worm even if it is running, as it quits the extension if it is running before asking if you want to delete it. However this is a feature that I haven't tested on a real infestation.


Story

There's no real story behind this. A fair while ago a kind person gave me a copy of strains A and D (but D is in an image that I have thus far not succeeded in mounting :), and when I got sick of it sitting on my list of things to do, I eventually got around to analysing it. Then I eventually got around to writing the Additive. Then I eventually got around to doing the write-up (always the hardest bit :) and posting it here.

There was hardly a need to rush as there are tons of good programs which can detect, remove, and protect you from it already - but this was the only Mac nasty (yes, yes, excluding macro viruses) that neither Agax nor Disinfectant would detect (and no, I have no immediate intention of rewriting or including protection against the viruses that Disinfectant does. It's only been retired, not withdrawn)

Thanks also go to the Symantec AutoStart page for providing details on the file sizes and names of strains which I don't have.

Update 10/7/1999: I've now got hold of a real D, and found that the Additive would have reported it as an unknown strain, due to a bit of laziness on my part. I've made the additive much more robust, and as it's been released for a long time without any complaints, I've moved it out of beta.


Other Freeware

MacVirus has its own excellent AutoStart page, with lots of information, links, and listings of freeware and shareware utilities. So I won't attempt to duplicate it here, especially as I haven't tried any of those programs myself.



Last updated 10/7/1999