Symantec

Security Response

ISSN 1444-9994

October 2001 Newsletter

These are the most common Viruses, Trojans and Worms reported to Symantec Security Response during the last month.

Top Global Threats

JS.Exception.Exploit
W95.Hybris.worm
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
W32.Nimda.A@mm
W32.Magistr.24876@mm
VBS.Haptime.A@mm
WScript.KakWorm
JS.Seeker
W32.Annoying.Worm


Asia Pacific
JS.Exception.Exploit
W32.Sircam.Worm@mm
W95.Hybris.worm
W32.Magistr.39921@mm
VBS.Haptime.A@mm
W32.Nimda.A@mm
W95.MTX
W32.HLLW.Bymer
W32.Annoying.Worm
WScript.KakWorm


Europe, Middle East & Africa

JS.Exception.Exploit
W95.Hybris
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
VBS.Haptime.A@mm
W32.Magistr.24876@mm
W32.Nimda.A@mm
W95.MTX
W32.HLLW.Bymer
JS.Seeker


Japan
W95.Hybris
W32.Nimda.A@mm
JS.Exception.Exploit
W32.Sircam.Worm@mm
W32.HLLW.Bymer
W95.MTX
W32.Magistr.39921@mm
Trojan.VirtualRoot
W32.Magistr.24876@mm
PWSteal.Trojan


The Americas
W95.Hybris
JS.Exception.Exploit
W32.Sircam.Worm@mm
W32.Magistr.39921@mm
W32.Nimda.A@mm
Wscript.KakWorm
W32.Magistr.24876@mm
JS.Seeker
W32.Annoying.Worm
W32.HLLW.Hai



Removal Tools for malicious code are on our web site


A list of Virus Hoaxes reported to Symantec


A list of Joke Programs reported to Symantec.


Glossary for definitions of viruses, Trojans and worms and more.





Welcome to a special Mac edition of the Newsletter. I get many Apple Macintosh users asking me what types of threats exist for their computers, so we are devoting this edition to Mac security issues. I've still included the Top Threats and associated sections in the sidebar, as well as some links to the latest Windows PC threats. I have also included a list of viruses and worms for Mac OS 8 and OS 9. Incidentally, we have details on the newly discovered Excel and PowerPoint vulnerabilities, which are in fact more serious on the Mac than they are with the Windows versions.

For further information, Mac security advice and products follow these links.

Symantec's Mac Security Web Site
http://www.symantec.com/mac/security/
Mac virus definition download link
http://www.symantec.com/avcenter/download/pages/US-NMC.html
Mac Home Computing
http://www.symantec.com/product/home-mac.html
Mac Small Business
http://www.symantec.com/product/sbho-mac.html
Mac Attack Article
http://www.symantec.com/mac/security/macattack.html

David Banes.
Editor,
securitynews@symantec.com
 
Are Macs More Secure Against Viruses and Hackers, and Less Exploit-Prone?
Are Macs more secure against viruses and hackers, and less prone to being exploited? It is true that Macs are targeted less than PCs by virus and worm authors. Macro viruses and worms that could in principle run in Microsoft Word under both Mac OS and Windows invariably don't, because their implementations rely on Windows functionality. To say Macs are immune, however, is misleading. It's just that the Mac platform is less attractive, arguably more difficult, and probably more costly to authors of malicious code. This could all change with the introduction of Mac OS X.

Mac OS X is based on UNIX, and is really a mix of a highly modified BSD UNIX (called Darwin), the old Mac OS 9.x GUI style, and a great new interface called Aqua. Mac OS X version 10.1 has a built-in firewall, which as a standalone tool is not easy to configure. Norton Personal Firewall runs on Mac OS 8.1, 9.x, and in the native Mac OS X environment using the built-in IP firewall. It monitors all Internet connections to your Mac, logging and alerting you to attempted intrusions.

Many hackers or crackers (bad hackers) are familiar with a variety of the old UNIX security exploits. That's why Apple has spent a lot of time and effort making sure OS X is secure out of the box. While OS X has built-in networking as well as FTP and Web servers, they are turned off by default. UNIX-style root access to the OS is not the default.

UNIX and Mac OS X are very similar when it comes to root access: on both, you should only log in as root when absolutely necessary. With OS X, Apple has tried to make the security such that novice users can set up and start using the machine without having to perform lots of administrator-type chores. UNIX users normally run as an admin or just as a user. Under OS X, users may never know that they are an admin, or what a root user is, because Apple has provided GUI setup apps that guide the user through creating an admin password. Most users will probably only know they have a password. They won't know it's an admin password, nor will they know the difference between root, admin and user. You shouldn't change the network or security settings unless you know what you are doing.

In June 2001, Symantec notified Microsoft of a vulnerability in Microsoft Word and PowerPoint that applies to the Windows and Mac versions. This is a good example of a vulnerability at the application level that is OS independent, making Macs just as susceptible as PCs. There is more information about this on the Symantec Web site, and a Microsoft patch is already available. Microsoft is also making available a beta version of Word for OS X that is probably one of the most secure versions of Word. Visual Basic for Applications (VBA) is not included, so macro viruses should not be an issue in this version of Word. The other basic, REALBasic, is also omitted. I'll be running it until it expires in January 2002.

Hindsight tells us that once a hardware/software platform becomes widespread and development costs come down, or the platform becomes substantially simpler, it attracts virus authors. We saw this in the move from DOS to Windows 3.x, then to Windows 95, and now to Windows NT/2000.

We've also seen a couple of Palm viruses and Trojan horses, which is to be expected since the Palm OS is the dominant handheld OS. We've seen no threats targeting the PocketPC OS or the various mobile telephone OSs because they aren't that common. This will probably change when connectivity is always on, with wireless networks for example, and the barriers to writing such programs come down.

So in one respect, given the popularity of the Mac platform and the new OS X, we could say that it has yet to have its day in regard to hosting viruses and worms, or even that it never will. The advent of always-on cable, ADSL, and wireless networking in the home and home office, however, exposes many Macs to denial of service attacks and worms. It really depends on what becomes popular and grabs the attention of the authors of malicious code. If Macs (and OS X in particular) become more popular, then they will attract hackers, crackers, and virus writers.

David Banes
Symantec Security Response, Asia Pacific
Thanks to John Mitzel (Global Marketing Manager, USA), Frank Borraccino (Platinum Support Analyst, Sydney), Lee Gummerman (Sr. Principal Software Engineer, USA) and Robert Franklin (Sr. Product Specialist, USA) for help with this article.
Viruses, Worms & Trojans
SevenDust

Low [2]

Mac

There are 6 variants of this virus, including 4 polymorphic, encrypted ones. The differences are described at the link below. What they have in common is that they all infect applications by modifying MDEF and MENU resources, and they can create a System Extension (with an invisible character at the beginning of the name so that it loads early) or add an INIT resource to the System file. The existence of the extension is the easiest way of identifying its presence without using NAV.
http://www.symantec.com/avcenter/venc/data/mac-sevendust.html

Lee Gummerman
Symantec Security Response, USA
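The SevenDust description above notes that the extension it drops has an invisible character at the start of its name so that it sorts and loads early. The following is an added example (not Symantec's code or the tool the newsletter refers to) of the kind of check a Mac administrator could run over an Extensions folder listing: it flags any file name whose first character is a control, format or space character, which is exactly the class of name that looks ordinary in the Finder but sorts ahead of everything else. The folder listing is constructed for the example, and the exact character SevenDust uses is not assumed.

```python
import os
import unicodedata

# Constructed sample listing of a Mac Extensions folder (not real data from the newsletter).
# Three of the six names begin with a character that would not be visibly rendered.
SAMPLE_EXTENSIONS_FOLDER = [
    "Apple CD-ROM",
    "QuickTime",
    "\x01Graphics Accelerator",   # leading control character: sorts first, invisible in a listing
    " Sound Manager",              # leading space: also sorts ahead of letters
    "\u200bNetwork Extension",     # zero-width space: renders as nothing at all
    "File Sharing Extension",
]


def leading_char_is_invisible(name: str) -> bool:
    """Return True if the first character of a file name would not be visibly rendered.

    Covers whitespace, control characters (Unicode category Cc), format characters
    such as zero-width spaces (Cf) and space separators (Zs).
    """
    if not name:
        return False
    first = name[0]
    if first.isspace():
        return True
    return unicodedata.category(first) in ("Cc", "Cf", "Zs")


def find_suspicious_extensions(names):
    """Return the names whose first character is invisible, in their original order."""
    return [n for n in names if leading_char_is_invisible(n)]


def report(names):
    """Build printable report lines; repr() makes the hidden leading character visible."""
    return [f"suspicious leading character: {n!r}" for n in find_suspicious_extensions(names)]


def scan_folder(path: str):
    """Apply the same check to a real directory listing (hypothetical helper for live use)."""
    return find_suspicious_extensions(os.listdir(path))


if __name__ == "__main__":
    for line in report(SAMPLE_EXTENSIONS_FOLDER):
        print(line)
```

Because `repr()` is used in the report, a name like `" Sound Manager"` shows its leading space and `"\x01Graphics Accelerator"` shows the control character as `\x01`, which is the point of the check: the plain listing would not reveal them.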
 
Mac.Simpsons@mm

Low [2]

Mac

Mac.Simpsons@mm is an AppleScript worm that targets the Macintosh platform. It may open Microsoft Outlook Express or Entourage and send a copy of itself, with the original message, to everyone in your address book. The name of the script is "Simpsons Episodes." This worm does not appear to be particularly malicious, and is similar to other mass-mailing worms that affect Windows computers, such as VBS.LoveLetter. SARC has received very few submissions of this worm.
http://www.symantec.com/avcenter/venc/data/mac.simpsons@mm.html

Symantec Security Response, USA
 
CODE 9811

Low [2]

Mac

This virus spreads from application to application. When an infected application is launched, it searches for another application to infect and copies itself into that application. The contents of the original file are copied to an invisible file in the same folder, whose name is composed of arbitrary upper-case letters. The infected application also attempts to delete anti-virus software it finds in the default volume's root folder, or in the System, Control Panels, or Extensions folders.

When launched on a Monday, there is a 25% chance that the payload will be triggered. If so, the virus draws "worms" (meandering lines with small round "heads") on the screen. Lighter-colored worms toward the center draw the symbol for pi, and the message "You have been hacked by the Praetorians" flashes above the pi symbol. If the user presses the Command key, the machine will be shut down.
http://www.symantec.com/avcenter/venc/data/code.9811.html

Lee Gummerman
Symantec Security Response, USA
 
AutoStart 9805

Low [2]

Mac

AutoStart 9805 is a Macintosh worm that executes only in native PowerPC mode. It was first discovered in Hong Kong in May 1998. It utilizes the CD-ROM AutoPlay feature in QuickTime 2.5 or later. This feature, if enabled, allows the invisible AutoStart 9805 application to launch automatically when an infected volume is mounted. The program replicates itself to any mounted volumes, as well as to an invisible background application (file type 'appe') in any Extensions folder, which allows it to replicate further to other mounted volumes upon reboot.

Since it does not spread outside of the startup or background applications, SAM and NAV for Mac effectively repair the worm by deleting either of these files wherever they are detected.
http://www.symantec.com/avcenter/venc/data/autostart.9805.html

Lee Gummerman
Symantec Security Response, USA
 
MBDF

Low [2]

Mac

MBDF is a virus that first appeared in 1992. The MBDF A strain originated from a Trojan horse named Tetracycle. Additionally, MBDF A was found to be distributed in versions of Obnoxious Tetris and Ten Tile Puzzle.

In November 1993, a second strain, MBDF B, was discovered. The A and B strains of MBDF infect applications as well as system files and spread rapidly. Both strains cause occasional crashes, particularly if commands are selected from menus when running System 7.0.1.
http://www.symantec.com/avcenter/venc/data/mbdf.html
 
Tetracycle

Low [2]

Mac

Tetracycle is a Trojan horse that secretly installs the MBDF A virus on Macintosh computers.
http://www.symantec.com/avcenter/venc/data/tetracycle.html
 
INIT 1984

Low [2]

Mac

INIT 1984 is a destructive virus first discovered in March 1992. INIT 1984 infects system extensions (INITs) when users start up Macintosh computers. When triggered, INIT 1984 renames and changes the type and creator of files, or even deletes them from disks. Although INIT 1984 can actively reproduce at any time, the virus only triggers if the user happens to start up the infected Macintosh computer on a Friday the 13th (1991 or later). When the virus is active, files are renamed with random strings, type and creator information can be overwritten with random values, and files on any mounted disks can be deleted.
http://www.symantec.com/avcenter/venc/data/init1984.html
 
nVIR

Low [2]

Mac

nVIR is probably the most prolific and highly infectious of all Macintosh viruses. nVIR has two basic strains, A and B, and nine known variants (clones). It first appeared in Europe in 1987.

When nVIR finds its way into a Macintosh computer through an infected application, it normally infects the System file first. Once the computer is infected, nVIR becomes memory-resident every time the computer starts up, infecting any applications it comes in contact with.

To announce its presence, after every eight to sixteen restarts (or after four to eight infected application launches), nVIR causes the system to beep. At least one known strain of nVIR can utilize the MacInTalk sound driver (MacInTalk is a software-based speech synthesizer) and, instead of beeping, speak the words "Don't panic."
http://www.symantec.com/avcenter/venc/data/nvir.html
 
MacMag

Low [2]

Mac

MacMag is a rare virus that originated in a HyperCard stack. It displays a message of universal peace when triggered. After displaying the message, the virus deletes itself. Discovered in December 1987 in a HyperCard stack called "New Apple Products," MacMag infects System files only. Although MacMag is apparently not designed to be malicious, infected systems can display a variety of problems. Infection is spread either from the original HyperCard stack ("New Apple Products") or from contact with an infected system.
http://www.symantec.com/avcenter/venc/data/autostart.9805.html
 
T4

Low [2]

Mac

T4 is a virus with three known strains. The T4-A and T4-B strains were first discovered in June 1992 in a public domain application called GoMoku. T4-C was discovered in February 1993 at the University of Illinois at Urbana-Champaign.

T4 infects applications and the Finder. T4 attempts to modify your System file's startup (or boot) code. Modification of this code could interfere with loading system extensions at startup.

The T4-C strain infects applications and System files on an infected startup volume. When activated under System 6, T4-C immediately attempts to alter the resident System file, resulting in damage that causes INIT problems at load time (startup). Modifications of this code could even cause the infected Macintosh computer to crash during startup.
http://www.symantec.com/avcenter/venc/data/t4.html
 
WM.Xenixos - http://www.symantec.com/avcenter/venc/dyn/8122.html

Minimal [1]

Mac

Nuclear - http://www.symantec.com/avcenter/venc/dyn/2592.html

Minimal [1]

Mac

DMV - http://www.symantec.com/avcenter/venc/dyn/2594.html

Minimal [1]

Mac

Concept - http://www.symantec.com/avcenter/venc/dyn/2591.html

Minimal [1]

Mac

Colors - http://www.symantec.com/avcenter/venc/dyn/2593.html

Minimal [1]

Mac

Security News
Microsoft Excel and PowerPoint document macro security vulnerability.

High [4]

Mac/Win32

While investigating an MS Word vulnerability in June of this year, it was discovered that unauthorised macro files, potentially containing malicious code, can run without warning in MS Excel and MS PowerPoint, successfully bypassing Microsoft's security features. This means an attacker could run arbitrary code with the user's privileges.

Microsoft Office applications, 2000 versions and later, have three security settings for macros. The "Low" setting allows all macros to run. Setting the security to "Medium" displays a warning window stating the dangers of opening documents containing macros; this pop-up lets the user decide whether to enable or disable the macro. Under the "High" setting, unsigned macros are disabled automatically. Microsoft Office applications prior to the 2000 version had much simpler macro security models but are still subject to the same vulnerability.

We have discovered that by specifically modifying the data stream in a document file containing a macro, the Microsoft Office macro security settings are completely bypassed in all versions of Microsoft PowerPoint and Excel.

Microsoft has released a security bulletin, MS01-050, for this issue with links to individual product security patches. Users of individual Microsoft Office products as well as bundled Microsoft Office suites should download and install the appropriate security patches to secure their applications. A more detailed description is available at the following location.

http://www.sarc.com/avcenter/security/Content/2001.10.04.html

Peter Ferrie
Symantec Security Response, Asia Pacific.
 
Enterprise Security News Clips
VISIT THE SYMANTEC ENTERPRISE SECURITY WEB SITE
http://enterprisesecurity.symantec.com/

Recent Enterprise Security News headlines include:

Protecting Your Mac From Nosy E-Snoops;
The Seattle Times
http://enterprisesecurity.symantec.com/content.cfm?articleid=896

'Top 10' List of Net Security Holes Grows to 20;
Newsbytes
http://enterprisesecurity.symantec.com/content.cfm?articleid=886

You Can't Say You Weren't Warned;
The Canberra Times
http://enterprisesecurity.symantec.com/content.cfm?articleid=879

Get the latest Enterprise Security News delivered straight to your inbox. Register for Symantec's free Enterprise Security newsletters: https://enterprisesecurity.symantec.com/Content/Subscribe.cfm
 
Contacts and Subscriptions:
Correspondence by email to: securitynews@symantec.com; no unsubscribe or support emails please. Follow this link to unsubscribe or change your subscription type. Newsletter Archive: http://www.symantec.com/avcenter/sarcnewsletters.html Send virus samples to: avsubmit@symantec.com
This is a Symantec Corporation publication; use of it requires permission in advance from Symantec. All information contained in this newsletter is accurate and valid as of the date of issue. Copyright © 1996-2001 Symantec Corporation. All rights reserved.