Malware Threats

   

Today's malware threats are many, but thankfully they aren't typically directed against the Mac OS, or against Mac OS X. This section includes a commented table of the majority of the most interesting worm, virus, and Trojan software that has been known to hit either the Macintosh or Unix platforms, for as far back as we can find reliable information. Table 6.1 shows these, many of which are no longer threats unless you install antiquated versions of the operating system or of various services software. It is the self-assumed (and we thank them for it!) responsibility of the antivirus vendors to officially name these. As you might guess, the various vendors have their various naming conventions, and we include a sampling of some of the different naming conventions for you. You can think of the aliases, when listed, as cross-references: names used by various vendors.

Table 6.1. Select Viruses, Worms, and Trojans

Key:

Macintosh: Mac OS 9 or previous

L: Linux

RH: Red Hat

Su: SuSE

Sl: Slackware

Man: Mandrake

Deb: Debian

Sol: Solaris

FreeBSD: FreeBSD

Name

Type

OS

Discovery Date

MacOS/nVIR

virus

Macintosh

January 1987

The source for this virus was widely available, enabling it to be used to create numerous variants. When an infected application is run, it infects the System file. After the computer is infected, the virus becomes memory-resident every time the computer starts and infects any applications it comes in contact with. In some variants, after a certain number of reboots or application relaunches, the virus causes the system to beep. In one variant, the MacinTalk sound driver is used to speak the words "Don't panic." Another deletes system files.

Variants: AIDS, f__k, Hpat, Jude, MEV#, CLAP, MODM, nCAM, nFLU, kOOL_HIT, prod, F***

Aliases: nVIR

Frankie

virus

Macintosh emulator

December 1987

This virus affects Atari and Amiga computers running Macintosh emulators. Frankie-infected files can be run on Macintoshes without spreading. The virus was distributed in a document transfer utility by Aladdin producer Proficomp, to attack pirated versions of the Aladdin emulator, but it infects all Macintosh emulators on Atari and Amiga. When triggered, the virus draws a bomb icon and displays this message: "Frankie says: No more piracy!" The computer then crashes. The virus infects applications, including the Finder, and can spread only under System 6. Infected applications do not need to be run to spread the virus.

Aliases: MacOS/Frankie

MacMag

virus

Macintosh

December 1987

This virus infects System files only. Infection is spread either via a HyperCard stack called New Apple Products, or from contact with an infected system. A universal message of peace with an American symbol is displayed on March 2, 1988, and then the virus destroys itself. Infected systems, however, can display a variety of problems.

Aliases: MacOS/Peace, Aldus, Brandow, DREW, Peace, Drew

Scores

virus

Macintosh

June 1988

When an infected application is run, the virus is duplicated and attaches to the System, Notepad and Scrapbook. In the System folder it makes two invisible files, Scores and Desktop. Two days after infection the virus becomes active and begins to infect all applications when they are opened. Four to seven days after infection frequent system error messages appear.

Aliases: Eric, Vult, ERIC, NASA, San Jose Flu, Mac/Scores, NASA VULT

MacOS/INIT29

virus

Macintosh

June 1988

This virus affects the system, application, and data files. Infection occurs when an infected application is run. An application does not have to be running to be infected. Only the system and applications can spread the infection, and things can be infected multiple times. The virus overwrites an existing INIT 29 resource. This causes printing problems, memory problems, and other odd behavior.

Variants: INIT 29A, INIT 29B

Aliases: Mac/INIT-29, INIT-29, INIT 29

Mac/ANTI-A

virus

Macintosh

February 1989

This virus can spread and cause damage under System 6. Under System 7 it can infect one file, but can't spread. It infects applications and application-like files. It generally is not destructive, but some applications cannot be completely repaired.

Variants: ANTI-A, ANTI-B, ANTI-ANGE

MacOS/WDEF

virus

Macintosh

December 1989

This virus family infects the desktop items on machines running System 4.1 and higher, but not System 7 and higher. A machine becomes infected when an infected disk is inserted. The virus copies itself to the Desktop files on all connected volumes. The machine experiences beeping, corruption, incorrect display of fonts, and crashing.

Variants: WDEF A, WDEF B

Aliases: Mac/WDEF, WDEF

Mac/ZUC

virus

Macintosh

March 1990

This virus family infects Macintoshes with 512K or smaller ROMs, running System 4.1 or later. It infects applications, including the Finder. Whenever an infected application is run, it looks for another application, which does not have to be running, to infect. After a certain time period of infection, dependent on the variant, the virus is triggered. The virus can cause erratic cursor motion, such as moving diagonally across the screen when the mouse button is held down, a change in Desktop patterns, and long delays and heavy disk activity. If the Finder becomes infected, the machine becomes unusable.

Variants: ZUC-A, ZUC-B, ZUC-C

Aliases: ZUC, MacOS/ZUC

MDEF

virus

Macintosh

May 1990

This virus family infects Macintoshes running System 4.1 and higher. There are four variants: A, B, C and D. A, B, and C infect the System file and applications whenever any infected file is run. D can infect only applications. Applications infected with MDEF tend to have garbled pull-down menus. The virus can also cause system crashes and other odd behavior.

Variants: MDEF-A (Garfield), MDEF-B (Top Cat, TopCat), MDEF-C, MDEF-D

Mac/CDEF

virus

Macintosh

August 1990

This virus can spread under System 6 and 7, but causes damage only under System 6. It infects by adding a CDEF resource to the invisible desktop file. It can infect the desktop file of a System 6 drive immediately upon inserting or mounting an infected volume, and it copies itself to the desktop files on the first three connected volumes. The virus spreads via shared infected floppy disks. The virus can cause system crashes, printing problems, and other odd behavior.

Aliases: CDEF

MacHC/ThreeTunes

virus

Macintosh

March 1991

This is a HyperCard virus whose damage occurs in systems using a German calendar between November 11–30 or December 11–31 in any year from 1991 to 1999. 17 seconds after activating an infected stack, a message that says "Hey what you doing?" appears. After 2 minutes, "Muss I denn" is played and repeated every 4 minutes. After 4 minutes, "Behind the Blue Mountains" is played and the system may shut down afterward. If not, 1 minute later the virus displays HyperCard's pop-up menus Tools and Patterns. If you close those, they are opened every minute. After 15 minutes, a message that says "Don't panic" appears.

Aliases: HC virus, 2 Tunes, Two Tunes

MacHC/Merryxmas

virus

Macintosh

October 1991

This is a HyperCard virus family with many variants. The virus appends code to the end of the stack script. When an infected stack is run, it first infects the HyperCard Home stack. Stacks that are then run receive the infection from the Home stack. It can cause unexpected Home stack behavior. The virus contains an XCMD that can shut the system down without saving open files, but it does not contain any code that executes it. It displays messages and plays sounds.

Aliases: Crudshot, Lopez, Merry2Xmas

MacOS/MBDF

virus

Macintosh

February 1992

This virus family infects applications as well as system files under System 6, System 7, and Mac OS 8. It uses the MBDF resource to infect files. All Macintosh models except the Plus and SE models are affected. After an infected application is run, it infects the System file. However, it takes such a long time to write to the System file that users may think that their Macintosh has hung and reboot the machine. Rebooting the machine during this process leaves the System file damaged. The computer experiences crashes and seems unstable after this, or is not bootable. When the virus successfully completes writing to the System file, the computer also experiences crashes and seems unstable.

The virus was originally distributed in versions of the games Obnoxious Tetris and Ten Tile Puzzle, as well as a Trojan game called Tetricycle.

Variants: MBDF-A, MBDF-B

Aliases: Tetricycle, Mac/MBDF-A, MBDF

INIT-1984

virus

Macintosh

March 1992

This virus affects System 4.1 and higher. It infects system extensions when a machine is booted on Friday the 13th. The virus randomly renames files and changes file types and creator codes. Additionally, creation and modification dates are changed to January 1, 1904. Files that can't be renamed are deleted. Older Macs experience a crash at startup.

Aliases: MacOS/INIT1984, Mac/INIT-1984

CODE-252

virus

Macintosh

April 1992

This virus affects System 6 and System 7. In System 6 with MultiFinder, only the System and MultiFinder are infected. In System 6 without MultiFinder, it can also spread to other applications. In System 7, it can infect only the System file. Between January 1 and June 5, the virus infects applications and the System. Between June 6 and December 31, it displays this message whenever an infected application is run or an infected system is booted:

 You have a virus. Ha Ha Ha Ha Ha Ha Ha Ha Now erasing all disks... Ha Ha Ha Ha Ha Ha Ha Ha P.S. Have a nice day Ha Ha Ha Ha Ha Ha Ha Ha (Click to continue) 

The virus can cause crashes.

Aliases: D-Day, Mac/CODE-252

Mac/T4

virus

Macintosh

June 1992

This virus infects applications and the Finder or System files, depending on the variant. When it infects the System file, extensions may not load. The virus can cause some machines running System 7.0.1 to be unbootable. After an infected application has infected 10 other applications, it displays the message "Application is infected with the T4 virus" and also displays a virus icon. The virus attempts to disguise its presence by renaming an application Disinfectant. If the application Disinfectant, an antivirus package, is actually present on the system, it is renamed Dis. A couple of the variants were distributed in the Trojan games GoMoku 2.0 and GoMoku 2.1.

Variants: T4-A, T4-B, T4-C, T4-D

Aliases: T4, MacOS/T4

INIT-M

virus

Macintosh

April 1993

This virus infects applications, the System file, and Preferences files in System 7 or higher. The virus creates a file in the Preferences folder called FSV Prefs. The virus is triggered on Friday the 13th, when it renames files and folders, changes creation and modification dates to January 1, 1904, and deletes files that can't be renamed. Sometimes a folder or file may be renamed to Virus MindCrime.

Aliases: INIT M, Mac/INIT-M, MindCrime, MacOS/INIT-M

INIT 17

virus

Macintosh

April 1993

This virus infects System and application files. The virus resides in the INIT 17 resource. It is triggered when a machine is rebooted the first time after 6:06:06 PM on October 31, 1993. The first time an infected machine is rebooted after the trigger date, this message is displayed: "From the Depths of CyberSpace". Errors in the virus code can cause file damage and crashes, especially in older Macintoshes.

Aliases: MacOS/INIT17

CODE-1

virus

Macintosh

November 1993

This virus is triggered if a user boots a machine on October 31. It renames the hard drive to Trent Saburo. Applications are infected as they run, and they try to infect the system. The virus can cause system crashes.

Aliases: Mac/CODE-1, Mac/CODE1

INIT-9403

virus

Macintosh

March 1994

This virus affects applications and the Finder on Italian versions of System 6 and 7. When an infected application is run, an invisible file called Preferenze is created and placed in the Extensions folder in System 7 or the System folder in System 6. When the machine is rebooted, the invisible file is executed and infects the Finder. Upon the next reboot, the infected Finder removes the invisible extension and starts to infect applications. After a time determined from the number of infections and the system time, the virus overwrites the startup volume and the disk information of attached drives over 16MB in size.

Aliases: SysX, MacOS/INIT9403, Mac/INIT-9403

WU-FTPD

Trojan

Unix

April 1994

Source code for versions 2.2 and 2.1f, and possibly earlier versions of the software, contains a Trojan that allows an intruder to gain root access to the host running the Trojan software. The recommended solution was to disable the current FTP server and replace it with the last version, 2.4, after verifying the integrity of the source.

MacOS/NVP

Trojan

Macintosh

December 1994

This Trojan disguises itself as a program called New Look, a program for modifying the display. If the Trojan is run, it modifies the System file. Under System 7, upon reboot, the user can no longer type vowels (a, e, i, o, u). Under System 6, the System file is modified, but this does not affect the keyboard input.

Aliases: NVP

Antibody

virus

Macintosh

October 1997

This is a HyperCard virus that goes from stack to stack, checking for the MerryXmas virus. If the MerryXmas virus is found, Antibody installs an inoculating script to remove the virus. It spreads only to open stacks and/or the Home stack, but not to stacks in use. Unexpected behavior could occur.

CODE-9811

virus

Macintosh

January 1998

This virus spreads from application to application. Before infecting an application, it copies it, gives it a random name, and makes it invisible. Then it infects the original application. If the application is run on a Monday or August 22, there is a 25% chance of triggering damage. The virus draws worms with yellow heads and black tails over the screen. Next a large red pi sign appears in the middle of the screen, and then this message appears in changing colors: "π You have been hacked by the Praetorians! π" The virus also tries to delete any antivirus software.

Aliases: Mac/CODE-9811, CODE 9811

ADMw0rm

worm

L RH 4.0-5.2

May 1998

Linux-specific worm that exploits a buffer overflow bug in old versions of BIND. An infected host has a w0rm user with a null password. /etc/hosts.deny is deleted, and /bin/sh is copied to /tmp/.w0rm with the setuid bit set. /var/log is empty or the log files are small with large time gaps, and index.html files are replaced with "The ADM Inet w0rm is here!" The infected host then scans for other vulnerable hosts.

AutoStart 9805

worm

Macintosh

May 1998

This is a PowerPC-specific worm that takes advantage of the CD AutoPlay feature in QuickTime 2.5 and later, if it is enabled. The worm copies itself to any mounted volumes and to an invisible background application in the Extensions folder.

Variants: There are six variants. Variants A, B, E, and F destroy data, with the type of data changing with the variant. The data is overwritten with garbage and can be recovered only from backups. Variants C and D are intended to remove the destructive variants. Both delete themselves when they are done, except for the running copy.

Aliases: Autostart Worm, MacOS/AutoStart.worm, Hong Kong Virus

Mac/SevenDust

virus

Macintosh

June 1998

This virus infects Macintosh applications by modifying or adding MDEF resources. It adds an extension called 666, preceded by an invisible character. Some variants add a new INIT resource to the System. Generally there is no damaging payload with this virus. The most common variant, Graphics Accelerator, deletes all nonapplication files started during the sixth hour of the 6th or 12th day of any month. Variant B deletes all nonapplication files every 6 months.

Variants on the virus are A-J. Graphics Accelerator is variant F. Variant C was the first polymorphic virus for the Macintosh. The D variant is polymorphic and encrypted. It is the first variant of this virus to modify the contents of the WIND resource.

Aliases: 666, Graphics Accelerator, Mac/SevenD, Mac/Sevendust, MDEF 666, MDEF 9806, MDEF E, Mac/SevenDust

TCP Wrappers 7.6

Trojan

Unix

January 1999

On January 21, 1999, a Trojan horse version of TCP Wrappers was distributed on FTP servers. The Trojan horse version provides root access to remote users connecting on port 421 and sends email to an external address providing information on the site and the user who compiled the program. The solution was to download a replacement copy and verify the integrity of the new sources.

Linux/Ramen.worm

worm

L RH 6.2, 7

January 2001

The worm attempts to exploit remote vulnerabilities in wu-ftpd, lpd, and rpc.statd. The worm contacts a randomly generated IP address and checks the FTP banner to determine which version of Red Hat is running so that it can determine which vulnerabilities to try. After it has access to the machine, it downloads a .tgz copy of itself that is extracted to /usr/src/.poop/, and it appends a line to /etc/rc.d/rc.sysinit. The worm replaces index.html with a file containing the text "Hackers looooooooooooooooove noodles". It edits /etc/inetd.conf or overwrites /etc/xinetd.conf as part of the process that ensures its propagation. Additionally, the worm scans for more vulnerable hosts, and sends a message to anonymous Yahoo! and Hotmail accounts specifying the IP address of the infected host.

Aliases: Linux/Ramen, Linux.Ramen, Linux.Ramen.Worm, Worm.Linux.Ramen, Elf_Ramen

Linux.Lion.Worm

worm

L

March 2001

It infects machines vulnerable to a root access vulnerability in bind. It attacks the remote host and downloads and installs a package from coollion.51.net, which contains the worm and the rootkit t0rnkit. The rootkit replaces many system binaries, such as ps, ifconfig, du, top, ls, and find, with Trojanized versions, and this helps disguise the worm's presence. The worm stays active through reboots because it adds lines to /etc/rc.d/rc.sysinit. It deletes /etc/hosts.deny and adds lines to /etc/inetd.conf to allow root shell access. The worm also sends /etc/passwd, /etc/shadow, and output from ifconfig -a to 1i0nsniffer@china.com.

Aliases: Linux/Lion, Linux/Lion.worm, 1i0n, Lion worm

Linux/Adore

worm

L

April 2001

Targets vulnerabilities found in default installations of Linux. Exploits vulnerabilities in wu-ftpd, lpd, bind, and rpc.statd to gain root access and execute itself.

The worm replaces ps, adds a cron job to help carry out its activities, adds users ftp and anonymous to /etc/ftpusers, and replaces klogd with a backdoor program that allows root shell access. The worm sends a message to two of four addresses in China with information including the compromised host's IP address, process list, history, hosts file, and shadow password file. Then it searches for other hosts to infect.

Aliases: Linux.Red.Worm, Linux/Red, Linux.Adore.Worm

SadMind

worm

Sol thru Sol 7 Microsoft IIS

May 2001

SadMind exploits an old buffer overflow vulnerability in the Solstice sadmind program from 1999 to infect Solaris machines. It installs software that then exploits a vulnerability in Microsoft IIS 4 and 5 from 2000 to attack Microsoft IIS Web servers. On the IIS machines, it replaces the front page with a page that profanes the U.S. government and PoizonBOx and says to contact sysadmcn@yahoo.com.cn.

Additionally, it automatically propagates to other Solaris machines. It also adds ++ to root's .rhosts file. After compromising 2000 IIS systems, it also modifies index.html on the Solaris machine to have the same message as the IIS machines.

Aliases: Backdoor, Sadmind, BoxPoison, Sadmind.worm, sadmind/IIS, Unix/AdmWorm, Unix/SadMind

Linux.Cheese.Worm

worm

L

May 2001

This worm attempts to be good. It searches for systems infected with Linux.Lion.Worm and attempts to fix the security hole that allowed replication. It blanks any lines in /etc/inetd.conf that contain /bin/sh and scans for other systems infected by Linux.Lion.Worm.

Aliases: Linux/Cheese, Cheese

MacOS/Simpsons@MM

worm

Macintosh

June 2001

This is an AppleScript worm designed to spread with Mac OS 9.0 and higher and Microsoft Outlook Express 5.0.2 or Entourage. It arrives as an email attachment to a message with the subject "Secret Simpsons Episodes!" Running the attachment causes Internet Explorer 5 to go to http://www.snpp.com/episodeguide.html, and causes the script to copy itself to the StartupItems folder. This infects the local machine. The worm spreads by sending itself via email to contacts listed in the infected user's address book.

Aliases: Mac.Simpson, Mac/Simpsons@mm, Mac.Simpsons, AplS/Simpsons

Linux/Rst-A

virus

L

February 2002

This virus attempts to infect all ELF executables in the current working directory and in /bin/. The virus also attempts to open a UDP socket on port 5503 or higher to wait for a certain packet from the attacker, and then opens a TCP connection with the attacker and starts up a shell for the attacker to use.

Linux/Osf

virus

L

March 2002

This virus attempts to infect 200 ELF binaries in the current working directory and in /bin/. The size of infected binaries is increased by 8759 bytes. If the virus is executed by a privileged user, it attempts to open a backdoor server by opening a socket on port 3049 or higher and waiting for specially configured packets that contain the backdoor program.

Aliases: Linux/OSF-A, Linux.Jac.8759

BSD/Scalper.worm

worm

FreeBSD

June 2002

BSD/Scalper.worm affects FreeBSD 4.5 running Apache 1.3.20-1.3.24, although it is recommended that all Apache users upgrade to the latest version. It exploits the transfer-chunk encoding vulnerability in Apache to infect a machine. The worm scans for vulnerable hosts, transfers itself in uuencoded form to /tmp/.uua, decodes itself to /tmp/.a, and then executes the decoded file. Each worm keeps a list of all the IPs infected from it.

It includes backdoor functionality that allows a remote attacker to launch denial of service attacks. Additionally, a remote attacker can execute arbitrary commands, scan files for email addresses, send mail, access Web pages, and open connections on other ports.

Aliases: ELF/Scalper-A, Linux.Scapler.Worm, Linux/Echapa.worm, Scalper-A, Scalper.worm, Echapa.worm, ELF/Scalper-A, FreeApworm, FreeBSD.Scalper.Worm, ELF_SCALPER_A

OpenSSH 3.4.p1

Trojan

Unix

July 2002

Trojan horse versions of OpenSSH 3.4p1 were distributed from the FTP server that hosts ftp.openssh.com from approximately July 30 or 31 until August 1. The Trojan version contains malicious code in the makefile that at compile time opens a channel on port 6667 to a specific host and also opens a shell as the user who compiled OpenSSH. The solution is to verify the integrity of your sources and download again or to just download the sources again.

Linux.Slapper.Worm

worm

L: RH, Deb, Su, Man, Sl

September 2002

This worm uses an OpenSSL buffer overflow vulnerability to run a remote shell to attack specific Linux distributions. It sends an initial HTTP request on port 80 and examines the server header response. It spreads over Apache with mod_ssl installed.

The worm uploads itself as a uuencoded source file, decodes itself, and compiles itself into an ELF binary, which executes with the IP address of the attacking computer as a parameter. This is used to create a peer-to-peer network, which can then be used to launch a denial of service attack. All worm files are stored in /tmp.

Variants: Slapper-A, Slapper-B, Slapper-C, Slapper.C2

Aliases: Linux/Slapper-A, Apache/mod_ssl worm, ELF_SLAPPER_A, Worm/Linux.Slapper, Linux/Slapper, Linux.Slapper.a.worm, Slapper.source, Slapper-A

sendmail8.12.6

Trojan

Unix

September 2002

Trojanized versions of sendmail8.12.6 were distributed on FTP servers between September 28 and October 6, 2002. Versions distributed via HTTP do not appear to be Trojanized. However, it is recommended that if you obtained the sendmail8.12.6 distribution during that time, it is best to get another copy of the sendmail distribution. See Unix/Backdoor-ADM for details on the malicious code that is executed.

Unix/Backdoor-ADM

Trojan

Unix

September 2002

Backdoor code that is executed when the Trojanized sendmail8.12.6 is compiled. The code forks a process that connects to 66.37.138.99 on port 6667. It allows an attacker to open a shell with the privileges of the user who compiled sendmail. The process is not persistent with a reboot, but is reestablished if sendmail is recompiled.

Aliases: Unix/sendmail-ADM

Linux/Devnull.A

worm

L: RH, Deb, Su, Man, Sl

September 2002

This uses the same exploit as the Slapper worm and its variants. It sends an invalid GET request to identify a vulnerable Apache system.

The worm consists of four files: shell.sh, sslx.c, devnull, and k. The first three are used to spread the worm, and k is a backdoor Trojan IRC server that can be used to launch a denial of service attack.

Aliases: Linux/Slapper.E, Linux.Kaiten.Worm, Worm.Linux.Mighty, Linux/Slapper.worm.d, Linux.Devnull

Linux.Millen.Worm

worm

L

November 2002

This worm attempts to exploit buffer overflows in some versions of bind, popper, imap4, and mountd to gain access to a system. If it succeeds, it downloads and uncompresses mworm.tgz to /tmp/..../ and sends a message to trax31337@hotmail.com. The worm has 46 files. When it has infected a machine, it begins to attack a random IP address. Additionally, the worm opens a backdoor remote shell on TCP/1338 for the attacker.

Aliases: Linux/Millen

tcpdump 3.6.2

tcpdump 3.7.1

libpcap 0.7.1

Trojan

Unix

November 2002

From November 11–13, Trojan horse versions of tcpdump and libpcap were distributed. The Trojan horse tcpdump contains malicious code that is executed at compile time. The malicious code connects to a specific host on port 80 and downloads a file called services. This file generates a C file that is compiled and run. The resulting binary makes a connection to a specific host on port 1963 and reads a single byte. The action taken can be one of three things. If it reads A, the Trojan horse exits; D, the Trojan forks itself, creates a shell, and redirects the shell to the connected host; M, the Trojan closes the connection and sleeps for 3600 seconds. To disguise the activity, a Trojan libpcap (libpcap is the underlying library for tcpdump) ignores all traffic on port 1963. The solution is to download new sources and verify their integrity.

Trojan.Linux.JBellz

Trojan

L Su 8.0 Sl 8.0

January 2003

This Trojan is a malformed .mp3 file. When played with a specific version of mpg123 player, it recursively deletes all files in the current user's home directory.

Aliases: Exploit-JBellz, JBellz, TROJ_JBELLZ.A

This table includes every Macintosh or Macintosh-related virus (excluding MS Word macroviruses) known by Symantec and McAfee, two of the foremost antivirus software vendors. In it are 26 Mac viruses. There are roughly 600 Microsoft Word macroviruses that are not covered, the vast majority (530 or so) of which are functional on the Mac.

By way of comparison, depending on who you ask, there are anywhere between 50,000 and 62,000 viruses in total, with the predominantly affected platform being Windows machines, and the overwhelming majority being directed at Microsoft Office products such as Outlook, Internet Explorer, Word, Excel, and PowerPoint. As I type this, CNN has yet another story of a Microsoft product run amok, with the SQL Slammer worm, mentioned earlier in this chapter, taking down ATMs, and banking and airport scheduling networks around the planet. Coincidentally, CNN's also running an article quoting Bill G. as saying that "security risks have emerged on a scale that few in our industry fully anticipated" (http://www.cnn.com/2003/TECH/biztech/01/25/microsoft.security.ap/index.html). One has to give him credit for noting, in the email he's being quoted from, that passwords are "the weak link," but I think it's rather disingenuous of him to call every computing professional outside Microsoft "few in our industry."
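
The Unix worm entries in Table 6.1 name concrete host artifacts, so they can be turned into a quick triage check. The script below is an added example, not code from the book: the function names, the constructed sample tree and the two .rhosts locations are assumptions, while every path and string it looks for comes from the table.

```shell
#!/bin/sh
# Added example: look under a filesystem root for the host artifacts that
# Table 6.1 describes for ADMw0rm, Ramen, Lion, SadMind, Scalper and Millen.
# Checked paths and strings come from the table; sample data is constructed.

# scan_root [ROOT] prints one "name: artifact" line per hit (ROOT defaults to /).
scan_root() {
    root=${1:-/}
    root=${root%/}

    # ADMw0rm: a w0rm account whose password field is empty.
    if [ -f "$root/etc/passwd" ] && grep -q '^w0rm::' "$root/etc/passwd"; then
        echo "ADMw0rm: user w0rm with null password"
    fi
    # ADMw0rm: /bin/sh copied to /tmp/.w0rm with the setuid bit set.
    if [ -u "$root/tmp/.w0rm" ]; then
        echo "ADMw0rm: setuid /tmp/.w0rm"
    fi
    # Ramen: worm archive extracted to /usr/src/.poop/.
    if [ -d "$root/usr/src/.poop" ]; then
        echo "Ramen: directory /usr/src/.poop"
    fi
    # Scalper: uuencoded copy and the decoded file in /tmp.
    for f in /tmp/.uua /tmp/.a; do
        if [ -e "$root$f" ]; then
            echo "Scalper: file $f"
        fi
    done
    # Millen: mworm.tgz unpacked into /tmp/..../
    if [ -d "$root/tmp/...." ]; then
        echo "Millen: directory /tmp/...."
    fi
    # Lion: active inetd.conf lines that run /bin/sh (the lines Cheese blanks).
    if [ -f "$root/etc/inetd.conf" ] &&
        grep -v '^[[:space:]]*#' "$root/etc/inetd.conf" | grep -q '/bin/sh'; then
        echo "Lion: /etc/inetd.conf line running /bin/sh"
    fi
    # SadMind: wildcard entry in root's .rhosts. Assumption: root's home is
    # / or /root, and the entry is written "++" (as in the table) or "+ +".
    for f in /.rhosts /root/.rhosts; do
        if [ -f "$root$f" ] && grep -Eq '^\+ ?\+' "$root$f"; then
            echo "SadMind: wildcard entry in $f"
        fi
    done
    return 0
}

# make_sample_root prints the path of a constructed tree holding empty
# marker files (no malware) that mimic some of the artifacts above.
make_sample_root() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/tmp/...." "$d/usr/src/.poop"
    printf 'root:x:0:0:root:/root:/bin/sh\nw0rm::1001:1001::/tmp:/bin/sh\n' \
        > "$d/etc/passwd"
    printf '# /bin/sh in a comment is ignored\nsample stream tcp nowait root /bin/sh sh\n' \
        > "$d/etc/inetd.conf"
    : > "$d/tmp/.w0rm"
    chmod 4755 "$d/tmp/.w0rm"
    : > "$d/tmp/.uua"
    echo "$d"
}

# Demo run on the constructed tree; for a real check, call scan_root with the
# mount point of the disk under examination.
sample=$(make_sample_root)
scan_root "$sample"
rm -rf "$sample"
```

Run the check from a trusted system against the suspect disk mounted read-only, because the table notes that the rootkit installed by Lion replaces ls, find and other binaries on the infected host. A hit means the host needs inspection; an empty result does not clear it.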


   


Mac OS X Maximum Security
Maximum Mac OS X Security
ISBN: 0672323818
EAN: 2147483647
Year: 2003
Pages: 158
