"Robert H. Baucom" wrote:
> 
> Has anyone heard anything about the new Seven Dust Virus?
> 
> It was mentioned on the AppleWorks List site.
> 
> 
> Here's a Norton site addressing the problem.
> 
> goto: http://www.symantec.com/avcenter/venc/data/mac-sevendust.html
> 
> RHB

It is a Mac virus!

RHB

SevenDust

There are 6 variants of this virus, including 4 polymorphic, encrypted
ones. The differences are described below. What they have in common is
that they all infect applications by modifying MDEF and MENU resources,
and they can create a System Extension (with an invisible character at
the beginning of the name so it loads early) or add an INIT resource to
the System file. The existence of the extension is the easiest way of
identifying its presence without using NAV. 

Also Known As: MDEF 9806, MDEF 666, Graphics Accelerator 
Type: Virus 
Infection Length: Depends upon variant. See Short Description. 


Wild: 

     Number of infections: 0 - 49 
     Number of sites: 0 - 2 
     Geographical distribution: Low 
     Threat containment: Easy 
     Removal: Easy 

Threat Metrics

Wild: Low
Damage: Low
Distribution: Low

Payload Trigger: Malignant forms (B, E, F) delete files periodically 
Payload: Modifies files: Applications (MDEF, MENU, WIND resources); adds
extension (INIT) 

Distribution 

Target of infection: Macintosh, PowerMac 

SevenDust A: this variant spreads only, it does not cause any damage.
Extension name: "666". Size: 850 bytes. 

SevenDust B: this variant has a payload which activates every six months
and deletes all non-application files. 
Extension name: "666". Size: 1342 bytes. 

SevenDust C: this one is polymorphic and encrypted, no payload. 
Extension name: "666". Size: 1576 bytes. 

SevenDust D: polymorphic, encrypted and symbiotic, no payload. The
symbiotic portion alters a 'WIND' resource from the host application and
stores its contents within the viral code. Extension name: "666". Size:
2036 bytes. 

SevenDust E: polymorphic, encrypted and symbiotic with payload. If
launched between 6 and 7 AM on the 6th or 12th of the month it will
delete non-application files on the default volume. The symbiotic
portion alters a 'MENU' resource from the host application and stores
its contents within the viral code. 
Extension name: "Graphics Accelerator". Size: 2352 bytes plus the size
of the symbiotic 'MENU' resource. 

SevenDust F: polymorphic, encrypted and symbiotic with payload. If
launched between 6 and 7 PM on the 6th of the month it will delete
non-application files on the default volume. A Trojan Horse application
(named "ExtensionConflict") can initiate one of five sub-strains which
infect applications, Control Panels, and/or the System file. Each
sub-strain uses a 'MENU' or 'WIND' resource for symbiosis. Some
sub-strains will also create an infected System Extension with one of
the following names: 

     Graphics Accelerator
     CD-ROM Driver
     VideoSync
     Monitors Plug-In
     Open Transport
     PPP.Lib
     ADSP Tool
     Photo Access
     Video Picker
     ISO 9661 File Access
     Serial Port
     XMODEM.Lib
     TCP/IP.Lib
     Text Encodings
     Power Enabler
     Internet Library
     AppleTalk Library
     MacLinkPlus
     Internet Config
     Ethernet Ports

These can be distinguished from legitimate versions by the invisible
character at the start of the name or by the file creator, which is
'ACCE'. The size of the infection varies from 2844 to 3836 bytes plus
the size of the symbiotic resource. 
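As an added, defender-side example (not part of the Symantec writeup or of this thread), the following Python checks an Extensions folder listing for the two indicators the text gives: a leading invisible character in the name and the file creator 'ACCE'. The listing and the Finder info bytes are constructed sample data, and taking the creator code from bytes 4..8 of the Finder info is an assumption about how a modern tool would read it.

```python
import unicodedata

# Extension names the writeup associates with SevenDust (A-D use "666",
# E/F/G reuse legitimate-looking names from the list above).
SEVENDUST_NAMES = {
    "666", "Graphics Accelerator", "CD-ROM Driver", "VideoSync",
    "Monitors Plug-In", "Open Transport", "PPP.Lib", "ADSP Tool",
    "Photo Access", "Video Picker", "ISO 9661 File Access", "Serial Port",
    "XMODEM.Lib", "TCP/IP.Lib", "Text Encodings", "Power Enabler",
    "Internet Library", "AppleTalk Library", "MacLinkPlus",
    "Internet Config", "Ethernet Ports",
}
SEVENDUST_CREATOR = b"ACCE"  # creator code the writeup gives for infected extensions

def leading_invisible(name):
    """Return the run of invisible characters (control, format, space) at the start of name."""
    i = 0
    while i < len(name) and unicodedata.category(name[i]) in ("Cc", "Cf", "Zs", "Zl", "Zp"):
        i += 1
    return name[:i]

def creator_code(finder_info):
    """Assumed layout: 4-byte type code, then 4-byte creator code (OSType)."""
    return finder_info[4:8] if len(finder_info) >= 8 else b""

def check_extension(name, finder_info=b""):
    """Return the list of SevenDust indicators found for one Extensions-folder entry."""
    reasons = []
    prefix = leading_invisible(name)
    if prefix:
        reasons.append("invisible leading character %r" % prefix)
    if creator_code(finder_info) == SEVENDUST_CREATOR:
        reasons.append("creator code 'ACCE'")
    # Only report the name match when another indicator is present; the bare
    # name is shared with legitimate extensions.
    if reasons and name[len(prefix):] in SEVENDUST_NAMES:
        reasons.append("name mimics a SevenDust extension name")
    return reasons

def scan_extensions(entries):
    """entries: iterable of (name, finder_info). Returns {name: reasons} for flagged entries."""
    flagged = {}
    for name, finder_info in entries:
        reasons = check_extension(name, finder_info)
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample listing (not real data): entry name and 32-byte Finder info.
SAMPLE = [
    ("\x01Graphics Accelerator", b"INITACCE" + b"\x00" * 24),  # hidden prefix + 'ACCE'
    ("Open Transport", b"INITotpt" + b"\x00" * 24),            # constructed legitimate entry
    ("666", b"INITACCE" + b"\x00" * 24),                       # variant A-D style name
    ("Internet Config", b"INITICAp" + b"\x00" * 24),           # constructed legitimate entry
]

if __name__ == "__main__":
    for name, reasons in scan_extensions(SAMPLE).items():
        print(repr(name), "->", "; ".join(reasons))
```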

SevenDust G: this strain is similar to SevenDust E with some minor
differences. It is polymorphic, encrypted and symbiotic. It will attempt
to delete non-application files when executed on the 6th of the month
between 6 and 7 PM. 

It can infect applications by modifying a 'MENU' resource to use its
infected 'MDEF'. It uses a 'WIND' resource for symbiosis. It can also
create an infected "Graphics Accelerator" extension or alternatively add
an infected 'INIT' to the System file. 

Symantec Security Response encourages all users and administrators to
adhere to the following basic security "best practices":

Turn off and remove unneeded services. By default, many operating
systems install auxiliary services that are not critical, such as an FTP
server, telnet, and a Web server. These services are avenues of attack.
If they are removed, blended threats have fewer avenues of attack and you
have fewer services to maintain through patch updates.

If a blended threat exploits one or more network services, disable, or
block access to, those services until a patch is applied. Always keep
your patch levels up to date, especially on computers that host public
services and are accessible through the firewall, such as HTTP, FTP,
mail, and DNS services.

Enforce a password policy. Complex passwords make it difficult to crack
password files on compromised computers. This helps to prevent or limit
damage when a computer is compromised.

Configure your email server to block or remove email that contains file
attachments that are commonly used to spread viruses, such as .vbs,
.bat, .exe, .pif and .scr files.

Isolate infected computers quickly to prevent further compromise of your
organization. Perform a forensic analysis and restore the computers
using trusted media.

Train employees not to open attachments unless they are expecting them.
Also, do not execute software that is downloaded from the Internet
unless it has been scanned for viruses. Simply visiting a compromised
Web site can cause infection if certain browser vulnerabilities are not
patched.

If you believe you have been infected, please download the latest virus
definitions via LiveUpdate or from the Symantec Security Response Web site.
********
Go to above URL and click here for instructions on using LiveUpdate to
retrieve virus definitions.


RHB

Power Computing list info: <http://lowendmac.com/power/list.html>