SevenDust E

Details

Well, most of the time it is pretty harmless. It is mostly poorly written (the author seems to think the 'Time' low-memory global is in ticks instead of seconds), and it does a whole lot of ... well ... generally stupid things.
However, if anyone clicks on a menu of, or launches, an infected application between 6:00am and 6:59am on the 6th or the 12th of any month, it delivers its payload. And its payload is ... recursively deleting every non-application file on that application's disk! This happens whenever an infected application is running, even if the virus has been prevented from spreading further by, say, putting a folder with the same name as the extension in the Extensions folder.

The virus manifests itself in two forms: as INIT 33 in the extension '\001Graphics Accelerator' in the Extensions folder, and as an MDEF resource with an ID in the range 1 to 255 in infected applications.

In both forms it identifies itself with the string 'JS' as the 8th and 9th bytes of the resource.

When it is called as an INIT, it patches InitMenus and records the address of the AddResource trap (it uses this saved address to infect applications even if AddResource has since been patched by a later extension).

When the InitMenus patch is called, it first determines whether the calling application is already infected. The target MENU is the first one in the file. It then makes a copy of itself with the target MENU resource inserted near the start of its code, and replaces every byte of the MENU resource in the file with an 'f'. Then it obfuscates the copy (including the saved resource) by XORing it with a random byte, and also changes the registers used by the de-obfuscation code to random ones. (Presumably this is meant to defeat pattern-matching anti-virus programs, but it doesn't encrypt its data, which has the string 'Graphics Accelerator' in it twice!) It then finds an MDEF ID unused in the current file and saves the copy under that ID. Finally it finds a suitable MENU resource to redirect to itself (suitable = uses the standard MDEF and has the lowest resource ID) and sets the MDEF field of that resource to the ID it has just saved itself under.

When it is called as an MDEF, it first restores the MENU resource that had been overwritten with 'f's, using the copy saved in its own code, and then, if the time is right, executes its payload. If the time is not right, it makes sure that the extension is in the Extensions folder (i.e. that there is an INIT ID 33 in the file 'Graphics Accelerator' ... but if it can't open the file it just aborts).
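To make the two on-disk forms concrete, here is an added example (mine, not code from this page, from GAx Defender, or from any of the tools reviewed below) that parses a classic Mac OS resource fork and reports the indicators described above: an MDEF resource with an ID from 1 to 255 carrying 'JS' at bytes 8 and 9, a MENU whose MDEF field has been redirected to such an MDEF, and a MENU body overwritten with 'f'. The fork layout follows the Resource Manager's documented format (header, resource data, then a map with type list and reference lists); the two sample forks are constructed inside the block, the 'viral' MDEF is a placeholder that models only the signature position and contains no virus code, and the indicator names are my own.

```python
"""Added example (not from the page or any tool it reviews): scan a classic
Mac OS resource fork for the SevenDust E indicators described above.
Fork layout follows the Resource Manager format; the sample forks below
are constructed for the demo and contain no real virus code."""
import struct

SIGNATURE = b"JS"   # 'JS' as the 8th and 9th bytes of the viral resource
SIG_OFFSET = 7      # zero-based index of the 8th byte


def parse_resource_fork(fork: bytes) -> dict:
    """Return {type: {id: data}} from raw resource-fork bytes."""
    data_off, map_off, _data_len, _map_len = struct.unpack_from(">IIII", fork, 0)
    # Map = 16-byte header copy, 4-byte handle, 2-byte refnum, 2-byte attrs,
    # then 2-byte offsets (from map start) to the type list and name list.
    (type_list_off,) = struct.unpack_from(">H", fork, map_off + 24)
    type_list = map_off + type_list_off
    (n_types_minus_1,) = struct.unpack_from(">H", fork, type_list)
    resources = {}
    for i in range(n_types_minus_1 + 1):
        rtype, n_minus_1, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * i)
        refs = type_list + ref_off      # reference-list offset is from the type list start
        for j in range(n_minus_1 + 1):
            rid, _name_off, attr_and_off = struct.unpack_from(">hHI", fork, refs + 12 * j)
            res_off = data_off + (attr_and_off & 0x00FFFFFF)   # top byte = attributes
            (length,) = struct.unpack_from(">I", fork, res_off)
            blob = fork[res_off + 4:res_off + 4 + length]
            resources.setdefault(rtype.decode("mac_roman"), {})[rid] = blob
    return resources


def build_resource_fork(resources: dict) -> bytes:
    """Inverse of parse_resource_fork; used here only to construct demo forks."""
    data, offsets = bytearray(), {}
    for rtype, by_id in resources.items():
        for rid, blob in by_id.items():
            offsets[(rtype, rid)] = len(data)
            data += struct.pack(">I", len(blob)) + blob
    type_list = bytearray(struct.pack(">H", len(resources) - 1))
    ref_lists = bytearray()
    type_list_size = 2 + 8 * len(resources)
    for rtype, by_id in resources.items():
        type_list += struct.pack(">4sHH", rtype.encode("mac_roman"), len(by_id) - 1,
                                 type_list_size + len(ref_lists))
        for rid in by_id:   # no names: name offset 0xFFFF, 4 reserved bytes for the handle
            ref_lists += struct.pack(">hHI", rid, 0xFFFF, offsets[(rtype, rid)]) + bytes(4)
    rmap = bytes(24) + struct.pack(">HH", 28, 28 + type_list_size + len(ref_lists)) + type_list + ref_lists
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), len(rmap))
    return header + bytes(240) + bytes(data) + rmap   # 256-byte header block, data, map


def scan_fork(fork: bytes) -> list:
    """Return (indicator, resource ID) pairs for the signs the text describes."""
    res = parse_resource_fork(fork)
    viral_ids = sorted(rid for rid, blob in res.get("MDEF", {}).items()
                       if 1 <= rid <= 255 and blob[SIG_OFFSET:SIG_OFFSET + 2] == SIGNATURE)
    findings = [("MDEF carries JS signature", rid) for rid in viral_ids]
    for menu_id, blob in sorted(res.get("MENU", {}).items()):
        if len(blob) < 8:
            continue
        # MENU layout: menuID, width, height, MDEF ID, filler, enableFlags, title, items
        (mdef_id,) = struct.unpack_from(">h", blob, 6)
        if mdef_id in viral_ids:
            findings.append(("MENU redirected to viral MDEF", menu_id))
        body = blob[:6] + blob[8:]                  # everything except the MDEF field
        if body and all(b == 0x66 for b in body):   # 0x66 == 'f'
            findings.append(("MENU body overwritten with 'f'", menu_id))
    return findings


def make_menu(menu_id: int, mdef_id: int, title: bytes) -> bytes:
    """A minimal MENU resource with the given MDEF ID and no items."""
    return struct.pack(">hhhhhI", menu_id, 0, 0, mdef_id, 0, 0xFFFFFFFF) + bytes([len(title)]) + title


# Constructed clean application: two menus using the standard MDEF (0).
CLEAN_FORK = build_resource_fork({"MENU": {128: make_menu(128, 0, b"File"),
                                           129: make_menu(129, 0, b"Edit")}})

# Constructed infected application, as the text describes it: MENU 128's bytes
# overwritten with 'f' except the MDEF field, which now points at MDEF 37, and
# MDEF 37 holding a stand-in for the virus body with 'JS' at bytes 8-9.
# (The stand-in is NOT virus code; only the signature position is modelled.)
_stomped = bytearray(b"f" * len(make_menu(128, 0, b"File")))
_stomped[6:8] = struct.pack(">h", 37)
VIRAL_STAND_IN = bytes(7) + b"JS" + b"Graphics Accelerator" * 2
INFECTED_FORK = build_resource_fork({"MENU": {128: bytes(_stomped), 129: make_menu(129, 0, b"Edit")},
                                     "MDEF": {37: VIRAL_STAND_IN}})

if __name__ == "__main__":
    for name, fork in (("clean", CLEAN_FORK), ("infected", INFECTED_FORK)):
        print(name, scan_fork(fork) or "no indicators")
```

Note that a MENU using a non-standard MDEF is not flagged on its own; the redirect indicator only fires when the referenced MDEF carries the signature, which is what keeps a legitimately custom-MDEF application (the Finder, as discussed below) from showing up as a false positive.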

Well, that pretty much covers it. But there's an interesting story behind why no system files get infected (on my system at least):
InitMenus is called 5 times during startup for me: once before extensions load, to actually initialize menus; twice by the Appearance Extension; and twice by the Finder.

It is called twice by each of these because InitWindows (which they call first) actually calls InitMenus internally.

The Appearance extension contains MDEFs but no MENUs ... however, it is in a complicated arrangement with the System file whereby a 'Get1Resource' call on it can actually fetch resources from the System file. So MENU resources from the System are in fact loaded and modified. The MDEF it tries to add to 'Appearance Extension' fails because that file is opened read-only, and the changes to the System are usually never written out (unless you move sounds around or something), because UpdateResFile/CloseResFile is never called on it (not even when you restart or shut down).

The Finder (in 8.1 anyway) is also immune, but for a different reason: it can't find a menu to redirect to itself, because all of the Finder's MENUs use non-standard MDEFs, and it only redirects those using the standard (i.e. 0) MDEF. This may be different with earlier Finders (though not those using FMNUs).


Story

29/9/98:
Late Morning: Read an email from a friend about a trojan horse which I should not download. He points me to MacCentral where I read all about it and decide it's fairly harmless.
Midday: Decide to d/l it anyway and check it out - it's not every day a new Mac virus comes along.
30/9/98:
Very Early Morning: Upload Antigax program and web pages

(hmmm ... not much of a story. Most of the real story is above under 'Details')


Other Freeware

Graphics Innoculator

First on the scene was Joe Laffey with Graphics Innoculator, which creates a folder inside the Extensions folder with the same name as the virus's extension file, so the virus cannot create that file.

This stops the virus spreading further if you are already infected, and prevents it from installing itself if you are not. It will not, however, stop infected applications from deleting your files.

The docs include a good technical summary by Peter Creath, which first showed most people that this virus was more than just an annoyance (it also has a pointer to my site, which is especially good ;-). It is also easy to use and can be installed over a network.

Graphics Innoculator is currently at version 1.2

GAx Defender is not compatible with Graphics Innoculator; see my readme for more information.

Germanium Remover

Michael Juarez and Beldon Wolson have created a program called Germanium Remover to remove the extension form of the virus safely. It appears to scan for the virus extension in places other than the Extensions folder (it certainly brings up a progress bar), but I'm not 100% sure.

I had some problems with downloading this file earlier but they've been fixed up now.

Angel Warrior

On 1st October, Tom Harris released Angel Warrior. That was 1.0a4 - but I didn't find out about it till the 5th, when it was at 1.0a6.

Angel Warrior is an extension which loads before the virus and prevents it from loading. It also prevents infected applications from launching: it terminates them.

How it works: it patches two traps, SetToolTrapAddress, which the extension version of the virus uses to infect applications, and InitMenus, which infected applications use (unknowingly) to install the extension and to delete your files.

Before I go on, it's time for a little history: the Graphics Accelerator virus looks very much like four similar viruses which appeared in January 1998 and were added to the major antivirus programs' definitions in July. These previous versions were called MDEF-9806, strains A to D (according to MacVirus and others), so Tom calls this virus MDEF-9806-E, with considerable justification. (The previous strains together had all the elements of Graphics Accelerator, but not in the same strain.)

So, back to Angel Warrior: instead of just looking for the extension by name, as 'Defender does, Angel Warrior looks for extensions patching the trap that the MDEF-9806-E virus patches. It then looks at the code the patch points to, in an attempt to determine whether or not it is the virus: specifically, it checks that the patch will make a Count1Resources('MDEF') call at a certain spot, and that the virus's 2-byte signature is present at a certain backwards offset from the patch. These checks appear to be designed to catch renamed copies of the virus (renamed by people, not by programs or by the virus itself); GAx Defender doesn't check for this at all. When it detects the virus it stops it from patching InitMenus, so applications will not be infected.

The InitMenus patch Angel Warrior installs checks whether the application is infected and, if so, quits it, notifying you afterwards (this would be bad if the Finder were infected, but fortunately I don't think that happens).

As of 1.0a7: the icon is really cool, and the extension is very small (1K vs 'Defender at 5K, but who's counting?); however, it doesn't actually repair apps or remove the extension. It will, though, keep your files safe: nothing would get a chance to delete them.

The docs in 1.0a7 are quite good, including good info and insights that were new to me. Tom says applications can sometimes get infected twice (though I have not seen it), and that the System can be infected when using old-style Desk Accessories. He also notes that applets (e.g. AppleScripts) can appear infected, but the infection is not permanent. Tom writes that Angel Warrior is in alpha and thus untested and incomplete, but it looks pretty good to me (for what it says it does). The docs also include a good bit about possible confusion with real Graphics Accelerators (which I should have had long ago :)

Angel Warrior is currently at v1.0a10



Last updated 24/2/1999