Today's malware threats are many, but thankfully they aren't typically directed against the Mac OS, or against Mac OS X. This section includes a commented table of the majority of the most interesting worm, virus, and Trojan software that has been known to hit either the Macintosh or Unix platforms, for as far back as we can find reliable information. Table 6.1 shows these, many of which are no longer threats unless you install antiquated versions of the operating system or of various services software. It is the self-assumed (and we thank them for it!) responsibility of the antivirus vendors to officially name these. As you might guess, the various vendors have their various naming conventions, and we include a sampling of some of the different naming conventions for you. You can think of the aliases, when listed, as cross-references: names used by various vendors.
Key: | |||
Macintosh | Mac OS 9 or previous | ||
L | Linux | ||
RH | Red Hat | ||
Su | SuSE | ||
Sl | Slackware | ||
Man | Mandrake | ||
Deb | Debian | ||
Sol | Solaris | ||
FreeBSD | FreeBSD | ||
Name | Type | OS | Discovery Date |
MacOS/nVIR | virus | Macintosh | January 1987 |
The source for this virus was widely available, enabling it to be used to create numerous variants. When an infected application is run, it infects the System file. After the computer is infected, the virus becomes memory-resident every time the computer starts and infects any applications it comes in contact with. In some variants, after a certain number of reboots or application relaunches, the virus causes the system to beep. In one variant, the MacinTalk sound driver is used to speak the words "Don't panic." Another deletes system files. Variants: AIDS, f__k, Hpat, Jude, MEV#, CLAP, MODM, nCAM, nFLU, kOOL_HIT, prod, F*** Aliases: nVIR | |||
Frankie | virus | Macintosh emulator | December 1987 |
This virus affects Atari and Amiga computers running Macintosh emulators. Frankie-infected files can be run on Macintoshes without spreading. The virus was distributed in a document transfer utility by Aladdin producer Proficomp, to attack pirated versions of the Aladdin emulator, but it infects all Macintosh emulators on Atari and Amiga. When triggered, the virus draws a bomb icon and displays this message: Frankie says: No more piracy! The computer then crashes. The virus infects applications, including the Finder, and can spread only under System 6. Infected applications do not need to be run to spread the virus. Aliases: MacOS/Frankie | |||
MacMag | virus | Macintosh | December 1987 |
This virus infects System files only. Infection is spread either via a HyperCard stack called New Apple Products, or from contact with an infected system. A universal message of peace with an American symbol is displayed on March 2, 1988, and then the virus destroys itself. Infected systems, however, can display a variety of problems. Aliases: MacOS/Peace, Aldus, Brandow, DREW, Peace, Drew | |||
Scores | virus | Macintosh | June 1988 |
When an infected application is run, the virus is duplicated and attaches to the System, Notepad and Scrapbook. In the System folder it makes two invisible files, Scores and Desktop. Two days after infection the virus becomes active and begins to infect all applications when they are opened. Four to seven days after infection frequent system error messages appear. Aliases: Eric, Vult, ERIC, NASA, San Jose Flu, Mac/Scores, NASA VULT | |||
MacOS/INIT29 | virus | Macintosh | June 1988 |
This virus affects the system, application, and data files. Infection occurs when an infected application is run. An application does not have to be running to be infected. Only the system and applications can spread the infection, and things can be infected multiple times. The virus overwrites existing INIT 29 resource. This causes printing problems, memory problems, and other odd behavior. Variants: INIT 29A, INIT 29B Aliases: Mac/INIT-29, INIT-29, INIT 29 | |||
Mac/ANTI-A | virus | Macintosh | February 1989 |
This virus can spread and cause damage under System 6. Under System 7 it can infect one file, but can't spread. It infects applications and application-like files. It generally is not destructive, but some applications cannot be completely repaired. Variants: ANTI-A, ANTI-B, ANTI-ANGE | |||
MacOS/WDEF | virus | Macintosh | December 1989 |
This virus family infects the desktop items on machines running System 4.1 and higher, but not System 7 and higher. A machine becomes infected when an infected disk is inserted. The virus copies itself to the Desktop files on all connected volumes. The machine experiences beeping, corruption, incorrect display of fonts, and crashing. Variants: WDEF A, WDEF B Aliases: Mac/WDEF, WDEF | |||
Mac/ZUC | virus | Macintosh | March 1990 |
This virus family infects Macintoshes with 512K or smaller ROMs, running System 4.1 or later. It infects applications, including the Finder. Whenever an infected application is run, it looks for another application (which does not have to be running) to infect. After a certain time period of infection, dependent on the variant, the virus is triggered. The virus can cause erratic cursor motion, such as moving diagonally across the screen when the mouse button is held down, a change in Desktop patterns, and long delays and heavy disk activity. If the Finder becomes infected, the machine becomes unusable. Variants: ZUC-A, ZUC-B, ZUC-C Aliases: ZUC, MacOS/ZUC | |||
MDEF | virus | Macintosh | May 1990 |
This virus family infects Macintoshes running System 4.1 and higher. There are four variants: A, B, C and D. A, B, and C infect the System file and applications whenever any infected file is run. D can infect only applications. Applications infected with MDEF tend to have garbled pull-down menus. The virus can also cause system crashes and other odd behavior. Variants: MDEF-A (Garfield), MDEF-B (Top Cat, TopCat), MDEF-C, MDEF-D | |||
Mac/CDEF | virus | Macintosh | August 1990 |
This virus can spread under System 6 and 7, but causes damage only under System 6. It infects by adding a CDEF resource to the invisible desktop file. It can infect the desktop file of a System 6 drive immediately upon inserting or mounting an infected volume, and it copies itself to the desktop files on the first three connected volumes. The virus spreads via shared infected floppy disks. The virus can cause system crashes, printing problems, and other odd behavior. Aliases: CDEF | |||
MacHC/ThreeTunes | virus | Macintosh | March 1991 |
This is a HyperCard virus whose damage occurs in systems using a German calendar between November 11–30 or December 11–31 in any year from 1991 to 1999. 17 seconds after activating an infected stack, a message that says Hey what you doing? appears. After 2 minutes, "Muss I denn" is played and repeated every 4 minutes. After 4 minutes, "Behind the Blue Mountains" is played and the system may shut down afterward. If not, 1 minute later the virus displays HyperCard's pop-up menus Tools and Patterns. If you close those, they are opened every minute. After 15 minutes, a message that says Don't panic appears. Aliases: HC virus, 2 Tunes, Two Tunes | |||
MacHC/Merryxmas | virus | Macintosh | October 1991 |
This is a HyperCard virus family with many variants. The virus appends code to the end of the stack script. When an infected stack is run, it first infects the HyperCard Home stack. Stacks that are then run receive the infection from the Home stack. It can cause unexpected Home stack behavior. The virus contains an XCMD that can shut the system down without saving open files, but it does not contain any code that executes it. It displays messages and plays sounds. Aliases: Crudshot, Lopez, Merry2Xmas | |||
MacOS/MBDF | virus | Macintosh | February 1992 |
This virus family infects applications as well as system files under System 6, System 7, and Mac OS 8. It uses the MBDF resource to infect files. All Macintosh models except the Plus and SE models are affected. After an infected application is run, it infects the System file. However, it takes such a long time to write to the System file that users may think that their Macintosh has hung and reboot the machine. Rebooting the machine during this process leaves the System file damaged. The computer experiences crashes and seems unstable after this, or is not bootable. When the virus successfully completes writing to the System file, the computer also experiences crashes and seems unstable. The virus was originally distributed in versions of the games Obnoxious Tetris and Ten Tile Puzzle, as well as a Trojan game called Tetricycle. Variants: MBDF-A, MBDF-B Aliases: Tetricycle, Mac/MBDF-A, MBDF | |||
INIT-1984 | virus | Macintosh | March 1992 |
This virus affects System 4.1 and higher. It infects system extensions when a machine is booted on Friday the 13th. The virus randomly renames files and changes file types and creator codes. Additionally, creation and modification dates are changed to January 1, 1904. Files that can't be renamed are deleted. Older Macs experience a crash at startup. Aliases: MacOS/INIT1984, Mac/INIT-1984 | |||
CODE-252 | virus | Macintosh | April 1992 |
This virus affects System 6 and System 7. In System 6 with MultiFinder, only the System and MultiFinder are infected. In System 6 without MultiFinder, it can also spread to other applications. In System 7, it can infect only the System file. Between January 1 and June 5, the virus infects applications and the System. Between June 6 and December 31, it displays this message whenever an infected application is run or an infected system is booted: You have a virus. Ha Ha Ha Ha Ha Ha Ha Ha Now erasing all disks... Ha Ha Ha Ha Ha Ha Ha Ha P.S. Have a nice day Ha Ha Ha Ha Ha Ha Ha Ha (Click to continue) The virus can cause crashes. Aliases: D-Day, Mac/CODE-252 | |||
Mac/T4 | virus | Macintosh | June 1992 |
This virus infects applications and the Finder or System files, depending on the variant. When it infects the System file, extensions may not load. The virus can cause some machines running System 7.0.1 to be unbootable. After an infected application has infected 10 other applications, it displays the message: Application is infected with the T4 virus and also displays a virus icon. The virus attempts to disguise its presence by renaming an application Disinfectant. If the application Disinfectant, an antivirus package, is actually present on the system, it is renamed Dis. A couple of the variants were distributed in the Trojan games GoMoku 2.0 and GoMoku 2.1. Variants: T4-A, T4-B, T4-C, T4-D Aliases: T4, MacOS/T4 | |||
INIT-M | virus | Macintosh | April 1993 |
This virus infects applications, the System file, and Preferences files in System 7 or higher. The virus creates a file in the Preferences folder called FSV Prefs. The virus is triggered on Friday the 13th, when it renames files and folders, changes creation and modification dates to January 1, 1904, and deletes files that can't be renamed. Sometimes a folder or file may be renamed to Virus MindCrime. Aliases: INIT M, Mac/INIT-M, MindCrime, MacOS/INIT-M | |||
INIT 17 | virus | Macintosh | April 1993 |
This virus infects System and application files. The virus resides in the INIT 17 resource. It is triggered when a machine is rebooted the first time after 6:06:06 PM on October 31, 1993. The first time an infected machine is rebooted after the trigger date, this message is displayed: From the Depths of CyberSpace. Errors in the virus code can cause file damage and crashes, especially in older Macintoshes. Aliases: MacOS/INIT17 | |||
CODE-1 | virus | Macintosh | November 1993 |
This virus is triggered if a user boots a machine on October 31. It renames the hard drive to Trent Saburo. Applications are infected as they run, and they try to infect the system. The virus can cause system crashes. Aliases: Mac/CODE-1, Mac/CODE1 | |||
INIT-9403 | virus | Macintosh | March 1994 |
This virus affects applications and the Finder on Italian versions of System 6 and 7. When an infected application is run, an invisible file called Preferenze is created and placed in the Extensions folder in System 7 or the System folder in System 6. When the machine is rebooted, the invisible file is executed and infects the Finder. Upon the next reboot, the infected Finder removes the invisible extension and starts to infect applications. After a time determined from the number of infections and the system time, the virus overwrites the startup volume and the disk information of attached drives over 16MB in size. Aliases: SysX, MacOS/INIT9403, Mac/INIT-9403 | |||
WU-FTPD | Trojan | Unix | April 1994 |
Source code for versions 2.2 and 2.1f, and possibly earlier versions of the software, contains a Trojan that allows an intruder to gain root access to the host running the Trojan software. The recommended solution was to disable the current FTP server and replace it with the last version, 2.4, after verifying the integrity of the source. | |||
MacOS/NVP | Trojan | Macintosh | December 1994 |
This Trojan disguises itself as a program called New Look, a program for modifying the display. If the Trojan is run, it modifies the System file. Under System 7, upon reboot, the user can no longer type vowels (a, e, i, o, u). Under System 6, the System file is modified, but this does not affect the keyboard input. Aliases: NVP | |||
Antibody | virus | Macintosh | October 1997 |
This is a HyperCard virus that goes from stack to stack, checking for the MerryXmas virus. If the MerryXmas virus is found, Antibody installs an inoculating script to remove the virus. It spreads only to open stacks and/or the Home stack, but not to stacks in use. Unexpected behavior could occur. | |||
CODE-9811 | virus | Macintosh | January 1998 |
This virus spreads from application to application. Before infecting an application, it copies it, gives it a random name, and makes it invisible. Then it infects the original application. If the application is run on a Monday or August 22, there is a 25% chance of triggering damage. The virus draws worms with yellow heads and black tails over the screen. Next a large red pi sign appears in the middle of the screen, and then this message appears in changing colors: π You have been hacked by the Praetorians! π The virus also tries to delete any antivirus software. Aliases: Mac/CODE-9811, CODE 9811 | |||
ADMw0rm | worm | L RH 4.0-5.2 | May 1998 |
Linux-specific worm that exploits a buffer overflow bug in old versions of BIND. An infected host has a w0rm user with a null password. /etc/hosts.deny is deleted, and /bin/sh is copied to /tmp/.w0rm with the setuid bit set. /var/log is empty or the log files are small with large time gaps, and index.html files are replaced with The ADM Inet w0rm is here! The infected host then scans for other vulnerable hosts. | |||
AutoStart 9805 | worm | Macintosh | May 1998 |
This is a PowerPC-specific worm that takes advantage of the CD AutoPlay feature in QuickTime 2.5 and later, if it is enabled. The worm copies itself to any mounted volumes and to an invisible background application in the Extensions folder. Variants: There are six variants. Variants A, B, E, and F destroy data, with the type of data changing with the variant. The data is overwritten with garbage and can be recovered only from backups. Variants C and D are intended to remove the destructive variants. Both delete themselves when they are done, except for the running copy. Aliases: Autostart Worm, MacOS/AutoStart.worm, Hong Kong Virus | |||
Mac/SevenDust | virus | Macintosh | June 1998 |
This virus infects Macintosh applications by modifying or adding MDEF resources. It adds an extension called 666, preceded by an invisible character. Some variants add a new INIT resource to the System. Generally there is no damaging payload with this virus. The most common variant, Graphics Accelerator, deletes all nonapplication files started during the sixth hour of the 6th or 12th day of any month. Variant B deletes all nonapplication files every 6 months. Variants on the virus are A-J. Graphics Accelerator is variant F. Variant C was the first polymorphic virus for the Macintosh. The D variant is polymorphic and encrypted. It is the first variant of this virus to modify the contents of the WIND resource. Aliases: 666, Graphics Accelerator, Mac/SevenD, Mac/Sevendust, MDEF 666, MDEF 9806, MDEF E, Mac/SevenDust | |||
TCP Wrappers 7.6 | Trojan | Unix | January 1999 |
On January 21, 1999, a Trojan horse version of TCP Wrappers was distributed on FTP servers. The Trojan horse version provides root access to remote users connecting on port 421 and sends email to an external address providing information on the site and the user who compiled the program. The solution was to download a replacement copy and verify the integrity of the new sources. | |||
Linux/Ramen.worm | worm | L RH 6.2, 7 | January 2001 |
The worm attempts to exploit remote vulnerabilities in wu-ftpd, lpd, and rpc.statd. The worm contacts a randomly generated IP address and checks the FTP banner to determine which version of Red Hat is running so that it can determine which vulnerabilities to try. After it has access to the machine, it downloads a .tgz copy of itself that is extracted to /usr/src/.poop/, and it appends a line to /etc/rc.d/rc.sysinit. The worm replaces index.html with a file containing the text Hackers looooooooooooooooove noodles. It edits /etc/inetd.conf or overwrites /etc/xinetd.conf as part of the process that ensures its propagation. Additionally, the worm scans for more vulnerable hosts, and sends a message to anonymous Yahoo! and Hotmail accounts specifying the IP address of the infected host. Aliases: Linux/Ramen, Linux.Ramen, Linux.Ramen.Worm, Worm.Linux.Ramen, Elf_Ramen | |||
Linux.Lion.Worm | worm | L | March 2001 |
It infects machines vulnerable to a root access vulnerability in bind. It attacks the remote host and downloads and installs a package from coollion.51.net, which contains the worm and the rootkit t0rnkit. The rootkit replaces many system binaries, such as ps, ifconfig, du, top, ls, and find, with Trojanized versions, and this helps disguise the worm's presence. The worm stays active through reboots because it adds lines to /etc/rc.d/rc.sysinit. It deletes /etc/hosts.deny and adds lines to /etc/inetd.conf to allow root shell access. The worm also sends /etc/passwd, /etc/shadow, and output from ifconfig -a to 1i0nsniffer@china.com. Aliases: Linux/Lion, Linux/Lion.worm, 1i0n, Lion worm | |||
Linux/Adore | worm | L | April 2001 |
Targets vulnerabilities found in default installations of Linux. Exploits vulnerabilities in wu-ftpd, lpd, bind, and rpc.statd to gain root access and execute itself. The worm replaces ps, adds a cron job to help carry out its activities, adds users ftp and anonymous to /etc/ftpusers, and replaces klogd with a backdoor program that allows root shell access. The worm sends a message to two of four addresses in China with information including the compromised host's IP address, process list, history, hosts file, and shadow password file. Then it searches for other hosts to infect. Aliases: Linux.Red.Worm, Linux/Red, Linux.Adore.Worm | |||
SadMind | worm | Sol thru Sol 7 Microsoft IIS | May 2001 |
SadMind exploits an old buffer overflow vulnerability in the Solstice sadmind program from 1999 to infect Solaris machines. It installs software that then exploits a vulnerability in Microsoft IIS 4 and 5 from 2000 to attack Microsoft IIS Web servers. On the IIS machines, it replaces the front page with a page that profanes the U.S. government and PoizonBOx and says to contact sysadmcn@yahoo.com.cn. Additionally, it automatically propagates to other Solaris machines. It also adds ++ to root's .rhosts file. After compromising 2000 IIS systems, it also modifies index.html on the Solaris machine to have the same message as the IIS machines. Aliases: Backdoor, Sadmind, BoxPoison, Sadmind.worm, sadmind/IIS, Unix/AdmWorm, Unix/SadMind | |||
Linux.Cheese.Worm | worm | L | May 2001 |
This worm attempts to be good. It searches for systems infected with Linux.Lion.Worm and attempts to fix the security hole that allowed replication. It blanks any lines in /etc/inetd.conf that contain /bin/sh and scans for other systems infected by Linux.Lion.Worm. Aliases: Linux/Cheese, Cheese | |||
MacOS/Simpsons@MM | worm | Macintosh | June 2001 |
This is an AppleScript worm designed to spread with Mac OS 9.0 and higher and Microsoft Outlook Express 5.0.2 or Entourage. It arrives as an email attachment to a message with the subject Secret Simpsons Episodes! Running the attachment causes Internet Explorer 5 to go to http://www.snpp.com/episodeguide.html, and causes the script to copy itself to the StartupItems folder. This infects the local machine. The worm spreads by sending itself via email to contacts listed in the infected user's address book. Aliases: Mac.Simpson, Mac/Simpsons@mm, Mac.Simpsons, AplS/Simpsons | |||
Linux/Rst-A | virus | L | February 2002 |
This virus attempts to infect all ELF executables in the current working directory and in /bin/. The virus also attempts to open a UDP socket on port 5503 or higher to wait for a certain packet from the attacker, and then opens a TCP connection with the attacker and starts up a shell for the attacker to use. | |||
Linux/Osf | virus | L | March 2002 |
This virus attempts to infect 200 ELF binaries in the current working directory and in /bin/. The size of infected binaries is increased by 8759 bytes. If the virus is executed by a privileged user, it attempts to open a backdoor server by opening a socket on port 3049 or higher and waiting for specially configured packets that contain the backdoor program. Aliases: Linux/OSF-A, Linux.Jac.8759 | |||
BSD/Scalper.worm | worm | FreeBSD | June 2002 |
BSD/Scalper.worm affects FreeBSD 4.5 running Apache 1.3.20-1.3.24, although it is recommended that all Apache users upgrade to the latest version. It exploits the transfer-chunk encoding vulnerability in Apache to infect a machine. The worm scans for vulnerable hosts, transfers itself in uuencoded form to /tmp/.uua, decodes itself to /tmp/.a, and then executes the decoded file. Each worm keeps a list of all the IPs infected from it. It includes backdoor functionality that allows a remote attacker to launch denial of service attacks. Additionally, a remote attacker can execute arbitrary commands, scan files for email addresses, send mail, access Web pages, and open connections on other ports. Aliases: ELF/Scalper-A, Linux.Scapler.Worm, Linux/Echapa.worm, Scalper-A, Scalper.worm, Echapa.worm, ELF/Scalper-A, FreeApworm, FreeBSD.Scalper.Worm, ELF_SCALPER_A | |||
OpenSSH 3.4p1 | Trojan | Unix | July 2002 |
Trojan horse versions of OpenSSH 3.4p1 were distributed from the FTP server that hosts ftp.openssh.com from approximately July 30 or 31 until August 1. The Trojan version contains malicious code in the makefile that at compile time opens a channel on port 6667 to a specific host and also opens a shell as the user who compiled OpenSSH. The solution is to verify the integrity of your sources and download again or to just download the sources again. | |||
Linux.Slapper.Worm | worm | L: RH, Deb, Su, Man, Sl | September 2002 |
This worm uses an OpenSSL buffer overflow vulnerability to run a remote shell to attack specific Linux distributions. It sends an initial HTTP request on port 80 and examines the server header response. It spreads over Apache with mod_ssl installed. The worm uploads itself as a uuencoded source file, decodes itself, and compiles itself into an ELF binary, which executes with the IP address of the attacking computer as a parameter. This is used to create a peer-to-peer network, which can then be used to launch a denial of service attack. All worm files are stored in /tmp. Variants: Slapper-A, Slapper-B, Slapper-C, Slapper.C2 Aliases: Linux/Slapper-A, Apache/mod_ssl worm, ELF_SLAPPER_A, Worm/Linux.Slapper, Linux/Slapper, Linux.Slapper.a.worm, Slapper.source, Slapper-A | |||
sendmail8.12.6 | Trojan | Unix | September 2002 |
Trojanized versions of sendmail8.12.6 were distributed on FTP servers between September 28 and October 6, 2002. Versions distributed via HTTP do not appear to be Trojanized. However, if you obtained the sendmail8.12.6 distribution during that time, it is recommended that you get another copy of the sendmail distribution. See Unix/Backdoor-ADM for details on the malicious code that is executed. | |||
Unix/Backdoor-ADM | Trojan | Unix | September 2002 |
Backdoor code that is executed when the Trojanized sendmail8.12.6 is compiled. The code forks a process that connects to 66.37.138.99 on port 6667. It allows an attacker to open a shell with the privileges of the user who compiled sendmail. The process is not persistent with a reboot, but is reestablished if sendmail is recompiled. Aliases: Unix/sendmail-ADM | |||
Linux/Devnull.A | worm | L: RH, Deb, Su, Man, Sl | September 2002 |
This uses the same exploit as the Slapper worm and its variants. It sends an invalid GET request to identify a vulnerable Apache system. The worm consists of four files: shell.sh, sslx.c, devnull, and k. The first three are used to spread the worm, and k is a backdoor Trojan IRC server that can be used to launch a denial of service attack. Aliases: Linux/Slapper.E, Linux.Kaiten.Worm, Worm.Linux.Mighty, Linux/Slapper.worm.d, Linux.Devnull | |||
Linux.Millen.Worm | worm | L | November 2002 |
This worm attempts to exploit buffer overflows in some versions of bind, popper, imap4, and mountd to gain access to a system. If it succeeds, it downloads and uncompresses mworm.tgz to /tmp/..../ and sends a message to trax31337@hotmail.com. The worm has 46 files. When it has infected a machine, it begins to attack a random IP address. Additionally, the worm opens a backdoor remote shell on TCP/1338 for the attacker. Aliases: Linux/Millen | |||
tcpdump 3.6.2, tcpdump 3.7.1, libpcap 0.7.1 | Trojan | Unix | November 2002 |
From November 11–13, Trojan horse versions of tcpdump and libpcap were distributed. The Trojan horse tcpdump contains malicious code that is executed at compile time. The malicious code connects to a specific host on port 80 and downloads a file called services. This file generates a C file that is compiled and run. The resulting binary makes a connection to a specific host on port 1963 and reads a single byte. The action taken can be one of three things. If it reads A, the Trojan horse exits; D, the Trojan forks itself, creates a shell, and redirects the shell to the connected host; M, the Trojan closes the connection and sleeps for 3600 seconds. To disguise the activity, a Trojan libpcap (libpcap is the underlying library for tcpdump) ignores all traffic on port 1963. The solution is to download new sources and verify their integrity. | |||
Trojan.Linux.JBellz | Trojan | L: Su 8.0, Sl 8.0 | January 2003 |
This Trojan is a malformed .mp3 file. When played with a specific version of the mpg123 player, it recursively deletes all files in the current user's home directory. Aliases: Exploit-JBellz, JBellz, TROJ_JBELLZ.A |
This table includes every Macintosh or Macintosh-related virus (excluding MS Word macroviruses) known to Symantec and McAfee, two of the foremost antivirus software vendors. In it are 26 Mac viruses. There are roughly 600 Microsoft Word macroviruses that are not covered, the vast majority (530 or so) of which are functional on the Mac.
By way of comparison, depending on who you ask, there are anywhere between 50,000 and 62,000 viruses in total, with the predominantly affected platform being Windows machines, and the overwhelming majority being directed at Microsoft Office products such as Outlook, Internet Explorer, Word, Excel, and PowerPoint. As I type this, CNN has yet another story of a Microsoft product run amok, with the SQL Slammer worm, mentioned earlier in this chapter, taking down ATMs, and banking and airport scheduling networks around the planet. Coincidentally, CNN's also running an article quoting Bill G. as saying that "security risks have emerged on a scale that few in our industry fully anticipated" (http://www.cnn.com/2003/TECH/biztech/01/25/microsoft.security.ap/index.html). One has to give him credit for noting, in the email he's being quoted from, that passwords are "the weak link," but I think it's rather disingenuous of him to call every computing professional outside Microsoft "few in our industry."
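Several of the Unix entries in Table 6.1 name concrete artifacts an infected host is left with, so they can be checked on a mounted disk image or a live root. The following is an added example, not code from the original text: the function names and the sample tree it builds are assumptions made for illustration, and the indicators are only those stated in the ADMw0rm, Ramen, Lion, Cheese, and Scalper entries.

```python
import os
import stat
import tempfile

# Host artifacts named in the table entries: (entry, relative path, meaning).
PATH_INDICATORS = [
    ("ADMw0rm", "tmp/.w0rm", "copy of /bin/sh left by the worm"),
    ("Linux/Ramen.worm", "usr/src/.poop", "worm's extraction directory"),
    ("BSD/Scalper.worm", "tmp/.uua", "uuencoded worm body"),
    ("BSD/Scalper.worm", "tmp/.a", "decoded worm binary"),
]


def _read_lines(root, rel):
    """Lines of a text file under root, or [] if it is absent or unreadable."""
    try:
        with open(os.path.join(root, rel), errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def scan(root):
    """Return (entry, finding) tuples for the filesystem tree rooted at root."""
    findings = []
    for entry, rel, meaning in PATH_INDICATORS:
        path = os.path.join(root, rel)
        if os.path.lexists(path):
            suid = os.lstat(path).st_mode & stat.S_ISUID
            flag = " with the setuid bit set" if suid else ""
            findings.append((entry, f"/{rel} exists{flag}: {meaning}"))

    # ADMw0rm: an account named w0rm whose password field is empty.
    for line in _read_lines(root, "etc/passwd"):
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "w0rm":
            state = "null password" if fields[1] == "" else "password set"
            findings.append(("ADMw0rm", f"user w0rm in /etc/passwd ({state})"))

    # Lion adds inetd.conf lines for a root shell; the Cheese entry says the
    # lines it blanks are the ones containing /bin/sh, so flag those.
    for num, line in enumerate(_read_lines(root, "etc/inetd.conf"), 1):
        if "/bin/sh" in line and not line.lstrip().startswith("#"):
            findings.append(("Linux.Lion.Worm",
                             f"/etc/inetd.conf line {num} starts /bin/sh"))

    # ADMw0rm and Lion delete hosts.deny. Many clean hosts never had one, so
    # report its absence only as support for another finding.
    if findings and not os.path.exists(os.path.join(root, "etc/hosts.deny")):
        findings.append(("ADMw0rm / Linux.Lion.Worm",
                         "/etc/hosts.deny is missing"))
    return findings


def build_sample_tree(base):
    """Constructed sample tree with ADMw0rm, Ramen and Lion artifacts."""
    for rel in ("etc", "tmp", "usr/src/.poop"):
        os.makedirs(os.path.join(base, rel), exist_ok=True)
    with open(os.path.join(base, "etc/passwd"), "w") as fh:
        fh.write("root:x:0:0:root:/root:/bin/bash\n"
                 "w0rm::0:0::/:/bin/sh\n")          # constructed entry
    with open(os.path.join(base, "etc/inetd.conf"), "w") as fh:
        fh.write("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n"
                 "60000 stream tcp nowait root /bin/sh sh\n")  # constructed
    shell_copy = os.path.join(base, "tmp/.w0rm")
    open(shell_copy, "w").close()
    os.chmod(shell_copy, 0o4755)
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for entry, finding in scan(build_sample_tree(tmp)):
            print(f"{entry:28} {finding}")
```

Point `scan()` at the mount point of a read-only image rather than at `/` where possible, because the Lion entry notes that its rootkit replaces `ls`, `find`, and `ps` on the running system.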