From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Tue Jun 12 2001 - 12:10:24 PDT
Last Friday, the MacInTouch Web site described "Simpsons Episodes,"
a new Macintosh trojan (a program which carries out actions other
than those it claims to perform) and worm (which spreads itself by
copying its file[s]).
This trojan/worm reportedly launches Microsoft Internet Explorer
and connects your browser to "The Simpsons Archive: Episode Guide"
home page at <http://www.snpp.com/episodeguide.html>.
However, as MacInTouch notes in its special report at
<http://www.macintouch.com/simpsonsvirus.html>:
>This AppleScript worm, when launched, [also] opens Outlook Express
>or Entourage [the e-mail client and personal information manager
>included with the "Microsoft Office 2001 for Mac" suite] in the
>background and sends a copy of the original message, and the script,
>entitled "Simpsons Episodes," to everyone in your address book
>(Subject line: "Secret Simpsons Episodes!").
Although the script has not been reported to be intentionally
destructive, one MacInTouch reader observed that "it will delete all
the sent items from the sent items folder. [Presumably this
behavior, perhaps resulting from a crude attempt to cover its tracks,
will occur with both Outlook Express and Entourage, although this was
not stated in the report. - Aron]. They are moved into the deleted
items folder and can be rescued from there."
Both NAI/McAfee (Virex) and Symantec (Norton Anti-Virus) are aware
of this trojan/worm, per the links below, and will likely address it
in their next monthly virus definitions updates, due at or around
July 1, 2001. (If there are any interim updates prior to that date,
we'll be sure to announce them to these lists.)
Protective and, if necessary, removal measures that you can take in
the interim are discussed in the MacInTouch special report, above.
(One can manually remove the script, should this be needed, by
restarting with the Shift key held down, either throughout the
startup process or after extensions have finished loading.
Thereafter, you can remove the script from the Startup Items folder,
which you can find inside the active System Folder on your
Macintosh's startup disk.)
Why is this of significance?
----------------------------
To my knowledge, this is the first widely-reported attack on
Macintosh computers based on an AppleScript script.
All recent versions of the Mac OS, including Mac OS X, support
AppleScript. Most major Macintosh application programs -- as well as
the Finder, the Macintosh's desktop interface -- can be controlled
via AppleScript scripts. Such scripts can (among other things)
delete or rename files, modify the contents of files, or -- if the
appropriate applications and an active network connection are
available -- copy files or selected contents of files to other
computers. AppleScript scripts can be saved as double-clickable
applications, and their creator signatures and/or icons can be
changed so that they can masquerade as a different type of
application.
If a Macintosh user can be induced to run an AppleScript, or if one
can be launched automatically after being downloaded by an e-mail
client, Web browser, or other such program, any of these behaviors
could theoretically occur. (In this regard, "Simpsons Episodes" is a
close cousin to the VBScript worms which have targeted computers
running the Microsoft Windows Scripting Host.)
Until now, however, scripters with mischievous or malicious intent
have mostly stayed away from this avenue of attack. A concern is
that now that the door has been opened, this "Simpsons Episodes"
trojan/worm might lead to copycat attacks.
Aron Roberts
Workstation Software Support Group
--
Descriptions of this trojan/worm on the Web sites of the two most
prominent Macintosh anti-virus product vendors:

McAfee - AVERT (Virex, site licensed by the campus)
  http://vil.nai.com/vil/dispVirus.asp?virus_k=99102

Symantec Anti-Virus Research Center (Norton Anti-Virus)
  http://www.symantec.com/avcenter/venc/data/mac.simpsons@mm.html
  This page states that "NAV Virus definitions for Mac.Simpsons@mm are
  pending."
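The report above gives two indicators of the worm's outgoing mail: the Subject line "Secret Simpsons Episodes!" and an attached script entitled "Simpsons Episodes". The following is an added example of a mail-gateway check keyed on those two indicators; it is not part of the original message, nor code from MacInTouch or either anti-virus vendor. The sample messages are constructed here, the attachment body is a placeholder rather than the real script, and the "suspect" tier for a message that matches only one indicator is an assumption about how an operator would want to triage partial matches (a forwarded copy with the script stripped, or a renamed attachment).

```python
"""Gateway check for the "Simpsons Episodes" mass-mailer (added example).

classify() returns 'worm' when both indicators from the report are present,
'suspect' when only one is (hold for review), and 'clean' otherwise.
Everything below the classifier builds constructed sample messages so the
check can be exercised offline.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the report (compared case-insensitively).
WORM_SUBJECT = "secret simpsons episodes!"
WORM_ATTACHMENT = "simpsons episodes"


def _attachment_names(msg):
    """Filenames of all attachment parts of a parsed EmailMessage."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def _name_matches(filename):
    # Compare on the base name, and accept a trailing extension
    # (e.g. ".scpt") -- the extension form is an assumption, the report
    # only gives the title "Simpsons Episodes".
    base = filename.lower().rsplit("/", 1)[-1]
    return base == WORM_ATTACHMENT or base.startswith(WORM_ATTACHMENT + ".")


def classify(raw_bytes):
    """Classify one RFC 822 message as 'worm', 'suspect' or 'clean'."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    subject = str(msg.get("Subject", "")).strip().lower()
    subject_hit = subject == WORM_SUBJECT
    attach_hit = any(_name_matches(n) for n in _attachment_names(msg))
    if subject_hit and attach_hit:
        return "worm"
    if subject_hit or attach_hit:
        return "suspect"
    return "clean"


def scan(samples):
    """Classify a mapping of label -> raw message bytes."""
    return {label: classify(raw) for label, raw in samples.items()}


# --- constructed sample messages (not real captures) -------------------

def _build(subject, attachment_name=None):
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("Check out these episodes.")
    if attachment_name:
        msg.add_attachment(b"-- placeholder, not the real script --",
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


SAMPLES = {
    # Both indicators: what the worm itself sends.
    "worm": _build("Secret Simpsons Episodes!", "Simpsons Episodes"),
    # Subject only: e.g. a renamed attachment -> hold for review.
    "renamed": _build("Secret Simpsons Episodes!", "episodes.txt"),
    # Neither indicator.
    "clean": _build("Lunch on Friday?", "menu.txt"),
}

if __name__ == "__main__":
    for label, verdict in scan(SAMPLES).items():
        print(f"{label:8s} -> {verdict}")
```

A subject-only match is deliberately not treated as the worm: the Subject line is the easiest indicator for a copycat to change, and the attachment is what actually runs, so the two are scored separately and the single-indicator case is held rather than dropped.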
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its mailing list, including information on subscribing and unsubscribing, see the MAGNet Web site at <http://mac.berkeley.edu/help/magnet/>.
This archive was generated by hypermail 2b29 : Tue Jun 12 2001 - 12:11:14 PDT