SevenDust

Summary

Severity: ***
Aka: 666, MDEF9806, Graphics Accelerator (strain E)
Additive version: v1.4
Additive author: John Dalgliesh
Download Additive: MacBinary or BinHex


Notes

v1.4:
This version adds detection and repair of SevenDust J.

v1.3:
After the discovery of yet another type of executable that Agax didn't check, I've made the Additive check ALL files with resource forks. This also works around a bug in Agax which caused this Additive to suggest that executables with empty resource forks could be infected. The bug will still be fixed in the next version of Agax however.

Despite the two new F's that this protects against, I still haven't found the elusive Symantec F ... which is actually probably a good thing. The new strains are so named because that is where I believe they fit in the sequence of the evolution of the virus.

With this update, the Additive should no longer think that files installed by Joe Laffey's The Exorcist for inoculation are unknown strains of the real virus :)

v1.1:
This Additive replaces the previous 'SevenDust E' v1.0 Additive. You ought to delete the old Additive.


Strains

This virus has many strains, however none of those before 'E' were widespread. Each strain that I've analysed has its own page, available through the links below. However, there is some confusion (in my mind, anyway) about the naming of the strains. Everyone agrees on A-D, which appear to be just trial versions. And everyone agrees on E, better known as the Graphics Accelerator virus, which introduced me to antivirus programming. But from there on it gets a bit complicated.

In the Symantec Virus Encyclopaedia, there is a description of a strain they call 'F'. However, I have a program which is labelled as being infected with the 'F' strain, which is completely different to what Symantec describe - it is much more primitive. I have also recently received a new strain encountered by an Agax user, which is similar to Symantec's one, but slightly differing in too many places for me to put them down as oversights on Symantec's part. I've called this strain 'G', and I've taken the program labelled as 'F' at its word. I do not have a copy of Symantec's 'F'.

So, there's a whole lot of slightly varied strains, and I haven't any idea what I should call them ... but I haven't let that prevent the Additive from detecting them. It should detect all strains from C-G, including my 'F' and Symantec's 'F', and any new as yet unreleased or undiscovered strains, providing they work on the same basic principles as the existing strains.

However, I've only done a detailed analysis of strains 'E' and 'G', and thus these are the only strains which the Additive can repair. If there are people out there with one of the 'F's or completely new strains, then please let me know and I'll see if I can whip up a repair procedure for them too.

These links will take you to the specifics of particular strains:


Characteristics

This section contains the general characteristics of the SevenDust viruses.

Your average SevenDust virus exists in two forms: as an 'MDEF' resource inside (infected) applications, and as an 'INIT' with ID 33 inside some file in the Extensions folder. They all have the payload (except the first few strains) of deleting every non-application from volumes, but the trigger time varies.

All the recent strains have the bulk of their code encrypted (excepting the decryption code, which is slightly polymorphic). Many strains also take a resource from the victim application and store it in the middle of their code (so it's encrypted), and then corrupt the original resource. They restore the resource when they are activated, so the application appears to function normally until the virus is removed. This kind of behaviour is known as symbiotic.

The general method of activation of the MDEF is to hijack one of the menus inside the infected app to use the viral MDEF as their menu-drawing procedure, instead of the system default one. If your system is infected, then every application you launch will also be infected. Some later strains attempt to infect apps in the same folder as their host, even without the system being infected.

If you're using ResEdit, you can tell when you're looking at the virus if the 8th and 9th bytes of the resource are 'J' and 'S' (respectively). However, it's probably better to let Agax detect it, because then it'll be able to identify it further and possibly repair damaged applications (and system files - see note below).

Note: Some strains infect the system file with an 'INIT' instead of creating an extension file for it. Unfortunately, INITs stored in the system file are not disabled when you start up holding down the shift key (although most A/V software is), so the only way to prevent the virus loading is to start up from a clean system (e.g. the System CD-ROM).
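The two indicators above (an 'MDEF' resource whose 8th and 9th bytes are 'J' and 'S', and an 'INIT' with ID 33) can be checked without ResEdit by walking a file's resource fork. The following Python is an added example, not code from this page or from Agax: it builds a small constructed resource fork in the classic Resource Manager layout (16-byte header, data area of length-prefixed resources, and a map with a type list and 12-byte reference entries), parses it back, and reports resources matching the page's indicators. The resource contents are dummy zero bytes with the marker placed at the stated offset; nothing here reproduces viral code.

```python
import struct

RESOURCE_HEADER_LEN = 256   # conventional fork header: 16 bytes of offsets plus reserved space
SIGNATURE_OFFSET = 7        # 8th and 9th bytes of the resource, i.e. 0-based index 7 and 8
SIGNATURE = b"JS"
VIRAL_INIT_ID = 33          # the 'INIT' ID named on the page


def build_resource_fork(resources):
    """Build a minimal classic Mac OS resource fork (constructed test data).
    resources: list of (type_code: 4 bytes, res_id: int, payload: bytes)."""
    # Data area: each resource is a 4-byte big-endian length followed by its bytes.
    data_area = bytearray()
    data_offsets = []
    for _, _, payload in resources:
        data_offsets.append(len(data_area))
        data_area += struct.pack(">I", len(payload)) + payload
    # Group reference entries by type in first-seen order.
    types = {}
    for (tcode, rid, _), off in zip(resources, data_offsets):
        types.setdefault(tcode, []).append((rid, off))
    # Type list: 2-byte (count - 1), then 8 bytes per type; reference lists follow it.
    type_list = bytearray(struct.pack(">H", len(types) - 1))
    ref_lists = bytearray()
    type_list_len = 2 + 8 * len(types)
    for tcode, refs in types.items():
        ref_offset = type_list_len + len(ref_lists)      # relative to start of type list
        type_list += tcode + struct.pack(">HH", len(refs) - 1, ref_offset)
        for rid, off in refs:
            # id (2), name offset (2, 0xFFFF = unnamed), attributes (1) + data offset (3), handle (4)
            ref_lists += struct.pack(">hH", rid, 0xFFFF)
            ref_lists += struct.pack(">I", (0 << 24) | off)
            ref_lists += bytes(4)
    map_body = type_list + ref_lists                      # no name list needed (all unnamed)
    # Map header: 16 reserved, 4 next-map handle, 2 file refnum, 2 attributes,
    # 2 type-list offset, 2 name-list offset (both relative to map start) = 28 bytes.
    map_header_len = 28
    map_header = bytes(22) + struct.pack(">HHH", 0, map_header_len, map_header_len + len(map_body))
    data_offset = RESOURCE_HEADER_LEN
    map_offset = data_offset + len(data_area)
    header = struct.pack(">IIII", data_offset, map_offset, len(data_area),
                         map_header_len + len(map_body)).ljust(RESOURCE_HEADER_LEN, b"\0")
    return bytes(header + data_area + map_header + map_body)


def parse_resource_fork(fork):
    """Yield (type_code, res_id, payload) for every resource in a resource fork."""
    data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", fork, 0)
    type_list_off, _name_list_off = struct.unpack_from(">HH", fork, map_off + 24)
    type_list = map_off + type_list_off
    (ntypes_m1,) = struct.unpack_from(">H", fork, type_list)
    for i in range(ntypes_m1 + 1):
        tcode, nres_m1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        for j in range(nres_m1 + 1):
            rid, _name, attr_and_off = struct.unpack_from(">hHI", fork, type_list + ref_off + 12 * j)
            res_off = data_off + (attr_and_off & 0x00FFFFFF)   # low 3 bytes hold the data offset
            (length,) = struct.unpack_from(">I", fork, res_off)
            yield tcode, rid, fork[res_off + 4:res_off + 4 + length]


def scan_for_sevendust(fork):
    """Return (indicator, type, id) tuples for resources matching the page's two indicators."""
    findings = []
    for tcode, rid, payload in parse_resource_fork(fork):
        if tcode in (b"MDEF", b"INIT") and payload[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == SIGNATURE:
            findings.append(("JS marker at bytes 8-9", tcode.decode("ascii"), rid))
        if tcode == b"INIT" and rid == VIRAL_INIT_ID:
            findings.append(("INIT ID 33", tcode.decode("ascii"), rid))
    return findings


# Constructed sample fork: one MDEF carrying the marker, an INIT 33, and two clean resources.
SAMPLE_FORK = build_resource_fork([
    (b"MDEF", 0, bytes(7) + SIGNATURE + bytes(16)),   # marker at 0-based index 7..8
    (b"MENU", 128, bytes(20)),                         # ordinary, unrelated resource
    (b"INIT", VIRAL_INIT_ID, bytes(32)),               # suspicious ID, no marker
    (b"MDEF", 1, bytes(25)),                           # clean MDEF, must not be flagged
])
CLEAN_FORK = build_resource_fork([(b"MENU", 128, bytes(20)), (b"MDEF", 0, bytes(25))])


def scan_sample():
    return scan_for_sevendust(SAMPLE_FORK)


if __name__ == "__main__":
    for finding in scan_sample():
        print(finding)
```

On a real file the fork bytes would come from the resource fork (for example `name/..namedfork/rsrc` on Mac OS X, or the MacBinary resource section); the marker check is only a hint, as the page says, and the full identification and repair is Agax's job.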



Last updated 14/6/1999