Re: Autostart FAQ?

Date : Thu, 24 Sep 1998 11:17:22 EDT
To : aristides@xxxxxxxxxxxxxxxxx, avid-l@xxxxxxxxxx
From : Basil96009@xxxxxxx
Subject : Re: Autostart FAQ?
Here's the Wormfood 1.3 READ ME:

WormFood v1.3
July 6, 1998
©1998 All rights reserved.

Doug Baer
3131 N 70th St #1065
Scottsdale, AZ 85251 USA
<doug@xxxxxxxx>


Purpose

A nasty worm that infects Power Macintosh computers has been discovered. This
worm has been called AutoStart 9805, Hong Kong, and Desktop Print Spooler. It
can be removed with ResEdit, Resorcerer, or by making it visible and manually
trashing it. I threw together this little program to test our systems and
mounted volumes here at the school district. If an infection is discovered,
the program will remove the infection, but DOES NOT determine which, if any,
files were trashed by the worm (see below).

Once you have scanned and cleaned your machine, I recommend that you turn off
the "CD-ROM AutoPlay" option in the QuickTime Settings control panel to
prevent reinfection.


Symptoms

When a machine becomes infected, it may appear to lock up for a little while,
then continue normal operation. If you experience this phenomenon, your system
may be infected by this worm. Upon initial infection, your machine may reboot
right after an infected volume (floppy, hard disk, CD-ROM, Zip Disk, etc.) is
mounted.


What the worm does

Currently, this worm only infects machines that meet (or met) the following
criteria at the time of infection:
        * Power Macintosh systems
        * MacOS 7 and higher
        * QuickTime 2.0 or above installed
        * QuickTime's CD-ROM AutoPlay option enabled (this is the default).


How the worm attacks

The worm is a "faceless background application" that takes advantage of the
AutoPlay feature in QuickTime 2.0 and higher to install itself. Whenever a
volume is mounted, QuickTime (with AutoPlay turned on) will run the worm, thus
infecting the system and all other mounted volumes.

In addition to replicating itself, all current mutations of the worm have been
reported to overwrite parts of certain files with garbage data. While these
files are not infected, they cannot be repaired and must be restored from a
backup. Reported behavior includes:

        * overwriting with garbage data parts of files
                        1) whose names have endings "data", "cod", and "csa"
                        2) whose names end with "dat" if the entire file is
                           larger than about 2 Mbytes

The original worm's replicator lives in the "Desktop Print Spooler" file in
the Extensions folder of your active System Folder. However, this is not
always the case with the mutations. The original worm lives in an invisible
file called "DB" on the root of all infected volumes. Again, this file has a
different name for different mutations.


WormFood usage

To achieve the best results, reboot your machine with extensions OFF (hold
down the SHIFT key at startup until the Finder loads and you can see the
desktop with your hard disk and trash can). This keeps the worm from loading
into RAM.

Locate the WormFood application and double click on this application to launch
the program and perform a check of the machine.

WormFood will report its progress and what it finds in the log window. If you
examine the log file, you may see lines of the form:

        Making sure <FileName> is not invisible

This is a normal part of WormFood's operation. It looks for any file that
could be one of the worm files and makes sure that file is visible so you
know that it is there. If a KNOWN strain of the AutoStart worm is found, it
will be automatically deleted and WormFood will enter into the log file:

        ?REMOVED KNOWN WORM --> <FilePath>

If any other files match the profile of currently known worm files, you will see

        POTENTIALLY DANGEROUS, ADDING TO LIST --> <FilePath>

And the file will be added to the potential worm list. If there are any files
on this list at the end of the scan, WormFood will alert you and ask you if
you want to see a list of possible worm files. NOTE: Just because a file
appears on the list DOES NOT mean that it is infected. You may pick a file
from the list and click "OK" to delete that file. When you are finished, click
"Cancel" and WormFood will finish. You will then be asked if you want to Quit
or View the Log file. If you choose to view the log file, you must choose
"Quit" from the "File" menu or press Command-Q to quit WormFood.

Dealing with removable volumes

Since the worm infects your system whenever a disk is inserted and it restarts
the computer right after infecting it, it is rather difficult to remove it
from all removable disks at once. If you believe a removable disk to be
infected, restart with extensions off and insert the disks one by one, running
WormFood with each disk in the drive to check and clean them.

Version History

07/06/98 - v 1.3
* fixed a bug that appeared when trying to open HUGE files
* automatically deletes known worms, then asks if user wants to list POSSIBLE
worm files
* changed my addresses (physical AND email)
* Made sure WormFood handles the new AutoStart-D and AutoStart-E variants

05/28/98 - v 1.2.2
* updated documentation to accurately describe new scan functionality
* updated code to display the 'all clear' dialog and enter into the log
* minor bugs squashed

05/22/98 - v 1.2.1
* fixed a bug in the file list routine
* re-added SetVisible XCMD to make all possible worm files visible
* corrected misinformation regarding AutoStart 9805 worm in documentation
* revised worm location routines to better isolate potential worm files

05/21/98 - v 1.2
* removed SetVisible XCMD
* abstracted the search to handle potential mutations without a new release
* removed option to create protection files
* now presents user with a list of potentially dangerous files with option to
delete

05/19/98 - v 1.1
* added LocatePath XFCN to locate Extensions folder (international
compatibility)
* added SetVisible XCMD to make protection files invisible and reduce clutter
* added checks for AUTOSTART 9805 B mutation
* added protection for AUTOSTART 9805 B mutation

05/13/98 - v1.0
* initial release


Copyrights

This software is provided as freeware to the community as a service. You may
distribute it freely as long as this documentation is included and no
modifications are made.

WormFood was written in Matthias Neeracher's MacPerl 5.2.0r4 (17April98).

Standard Disclaimer

This software is provided as freeware. Doug Baer does not warrant any of its
functionality nor does he bear any liabilities whatsoever of its use. You are
totally responsible for using this software.

Special thanks to
Gerard van den Elzen
Jean-Pierre Kuypers
Eric Fan
Randy Thornburg


This page is brought to you by Ben Grosser, who started archiving the list in 1996 while using and teaching others to use an Avid Media Composer 1000.